Cato Networks is an interesting mash-up of a cloud-based security service and an SD-WAN play.
Cato has stitched together a global backbone of Internet connectivity from a variety of providers. This backbone links up virtual points of presence (POPs) in Amazon’s cloud. Cato hosts security services in these POPs, including firewalling and URL filtering.
To reach these POPs, customers deploy a physical or virtual appliance at their remote or branch offices. Cato calls these appliances “Sockets.” The physical Socket appliance supports 1Gbps throughput.
As with other SD-WAN appliances, the Socket can support multiple links, and the appliance can split traffic across those links.
However, the startup uses only broadband and 3G connectivity—no MPLS allowed—to connect branch and remote offices to each other, to the Internet, and to corporate headquarters.
“We want MPLS to die,” says Cato co-founder and CTO Gur Shatz. “I think MPLS is sort of a conspiracy. [It] should be replaced rather than extended.”
When the traffic from a branch hits the POP, Cato applies security services. At present, these services include Next-Gen Firewall, application control, and URL filtering.
After the traffic runs through these services and the appropriate policies are applied, the traffic is forwarded along the Cato backbone to its final destination. Traffic will exit the backbone at the POP nearest the destination.
Traffic is encrypted between the branch and the POP, as well as between POPs. Cato says it can decrypt traffic to apply security inspection, but companies can set policy around what type of traffic gets decrypted.
Cato also offers a software agent that can run on employees’ mobile devices, so that remote users can also have their traffic sent through the security service for inspection and policy control.
Note that Cato’s network does not cover the last mile between branch and remote offices and a Cato POP—customers can choose their own providers for last-mile connectivity.
While Cato’s approach relies on a variety of SD-WAN elements to construct its network, the company’s value proposition is built around security.
Customers get a unified, logical network that provides visibility into traffic, applications, Web usage, and so on. This single, logical network stands in contrast to typical WAN deployments, which tend to be a complex amalgam of remote sites, cloud segments, and mobile users, all patched together with VPNs, gateways, and appliances.
By running all traffic across its own backbone, Cato contends that organizations can more effectively deploy and enforce security policies.
“We see every connection and flow that goes through the network,” says Shatz. “There’s a single security policy, a single entry and exit point, and a single security stack that operates across the network. This enables us to deliver security as a service.”
As with other startups tackling the WAN, Cato Networks relies on an overlay to move traffic around. In this case, it has developed a proprietary encapsulation protocol based on UDP.
It has also developed its own routing algorithm. “It’s aware of the topology and nodes we have,” says Shatz. “It’s simple graph theory to calculate the best route over the network without the use of normal protocols.”
Shatz says the company differs from SD-WAN companies because of the backbone that it has built on top of service provider links.
“We have our own network, and that network is optimized,” he says. “We can get MPLS-quality lines because we can do smarter routing. We build in error correction, we can monitor for packet loss.”
Relying on proprietary protocols from a startup might give some people pause. As Ivan Pepelnjak noted in a 2015 blog on SD-WAN, there is a tradeoff.
On the one hand, because these startups can start with a clean technology slate, their features are tightly integrated and designed to work together. On the other hand, the blog notes that proprietary protocols result “in a perfect lock-in.”
Shatz says the company will add new security services over time. It also has plans to build its own physical points of presence (that is, not based on Amazon). Shatz says the goal is to have as many as 15 physical POPs around the globe by the end of 2016.
The service is priced by bandwidth, based on aggregate capacity of all office locations, plus the number of people using the mobile connectivity option.
About Cato Networks
Cato’s founders include CEO Shlomo Kramer, who has a long history in enterprise security, including as co-founder of Check Point Software and Imperva. CTO and co-founder Gur Shatz was co-founder and CEO of Incapsula, a security company that focused on Web application security and acceleration. He also held executive positions at Imperva.
The company’s venture backers include Aspect Ventures and U.S. Venture Partners. According to Crunchbase, Cato has raised $20 million in a Series A round.