Startup Cato Networks, which offers WAN and security services, has announced a new SD-WAN offering for small and medium enterprises.
Cato aims to differentiate itself from a multitude of competitors by integrating SD-WAN capabilities with its own WAN backbone and a portfolio of cloud-based security services.
How It Works
As with other SD-WAN offerings, Cato provides customers with a branch hardware device it calls a Socket. Customers can mix and match last-mile links to this Socket, including MPLS, broadband, and 4G LTE.
Based on customer-defined policies, the Socket directs branch traffic over specific links; for instance, voice traffic and key business applications on MPLS, and low-priority applications on broadband.
The Socket can also shift traffic among various links if performance on one link suffers or the connection goes down. Cato says that if a primary link degrades, it will redirect traffic to the secondary link on a packet-by-packet basis.
Cato says it can identify applications using deep packet inspection. In the case of TLS, it has to act as a man in the middle: it decrypts the traffic to identify the application and apply policy, and then re-encrypts it.
Note that breaking and reforging the crypto is common among SD-WAN vendors, but I have yet to speak to an SD-WAN company that likes to talk about it or provide sufficient detail as to how they accomplish it.
The company says it can identify 150 applications, with more being added.
A Little Different
The capabilities described above are table stakes for SD-WAN. What sets Cato apart is the backbone the company has developed. This backbone is built across 25 global Points of Presence (PoPs) in Equinix and Amazon facilities. The backbone uses connections from multiple carriers. Customer traffic that traverses the Cato backbone is encrypted.
Cato says it has optimized this backbone with a proprietary routing algorithm, and uses techniques such as Forward Error Correction to improve performance. Cato touts its backbone as an MPLS replacement.
SD-WAN traffic on broadband or 4G last-mile links is sent from Socket devices at the branch, via an encrypted tunnel, to the nearest physical Cato PoP, where it’s put onto the Cato backbone and routed to the PoP nearest to the traffic’s destination.
As mentioned, customers can also have MPLS connections at the branch, and the Socket can send traffic on an MPLS link based on customer policy. However, traffic sent via the MPLS link will not use the Cato backbone.
Cato also offers a set of security services at its PoPs, including a next-gen firewall, secure Web gateway, and malware detection. The company touts this convergence of WAN networking and security as a compelling differentiator, in part because it reduces the need for a stack of other security devices at each branch location and provides a more unified management and policy domain.
Note that if a customer sends branch traffic via an MPLS link, that traffic won’t hit a Cato PoP and therefore won’t be able to take advantage of the security services that Cato offers. This is why Cato hopes to encourage customers to shift from MPLS to its own backbone.
One competitor, VeloCloud, also offers cloud-based security gateways, and many other SD-WAN vendors have virtualized security functions available in their branch devices.
The upside of a crowded SD-WAN market is the range of choice for customers. While the concepts are the same across the category, differences in implementation and areas of focus mean that diligent customers are likely to find a box or a service that meets their specific needs.
The downside, of course, is the effort required to sift through competing claims and high-level promises to find the right one.
Cato wants you to take away three main ideas about its offering: a dead-simple branch appliance that lets you mix and match connectivity options, an emphasis on cloud-based security services integrated with the WAN, and the opportunity to replace MPLS circuits with Cato’s backbone.
As for Cato, while its backbone does set it apart from much of the SD-WAN pack, it also requires customers to buy into the whole concept to get maximum value. Is it possible for a startup to build out a business-class virtual private network? It’s up to Cato to prove to customers that it has.