Netify Solution Comparison – Cato SD WAN Review

What does CATO offer?

Cato is ideally suited to medium-sized businesses and the lower end of large-business requirements, in either a DIY or Co-Managed deployment. The overall Cato capability spans SASE, standard out-of-the-box policies, WAN and Cloud optimization, Next-Generation Firewall, secure web access, advanced threat protection and mobile security.


One of the first points you’ll learn about Cato Networks revolves around one of their founders, Shlomo Kramer. The reason for mentioning Shlomo is largely his experience as the founder of a not inconsequential company called Check Point. While Cato offers significant capability across all SD WAN features, SASE (Secure Access Service Edge) is perhaps at the core of their SD WAN value. And while there are other important features to highlight, security is one of the most significant considerations when comparing SD WAN vendors.

Where is Cato positioned within the SD WAN market?

At a high level, the Cato solution is a fit for medium to large businesses requiring DIY or Co-Managed SD WAN solutions. In part, their ability to provide standard out-of-the-box configuration policies across all aspects of SD WAN requirements, together with an easy-to-manage GUI, means their capability is easy to recommend.

The Cato proposition leads their marketing with SASE, essentially positioning the solution as “The World’s First SASE Platform”. SASE (Secure Access Service Edge) is all about consolidating network security so that users receive their network policy from the Cloud.

The approach offers granularity on a per-user basis to essentially meet the demands of mobility, extranet clients and fast-start office requirements. Security is built into all aspects of the Cato WAN edge and their Global backbone with end to end NGFW (Next Generation Firewall) which includes:

  • Secure Web Gateway (SWG)
  • URL filtering
  • Standard and next-gen Anti-malware
  • Intrusion Protection

The above security features are wrapped into the Cato MDR (Managed Threat Detection and Response).

Alongside SASE, Cato positions their core value around WAN transformation driven by digital transformation within the Enterprise. Where businesses are moving away from legacy technologies such as MPLS, Cato is the enabler through a SASE-led approach with powerful orchestration and zero-touch deployment.

The out of the box capability with security, reporting and application QoS/redundancy is only half of the Cato story. Alongside Cato SD WAN features, the company has provisioned a global private backbone to ensure international traffic receives the best possible performance.

The diagram below shows how a typical customer branch-office would connect into the Cato backbone.

The private backbone offers a transition from the end-to-end QoS and privacy of MPLS VPN to SD WAN with local Internet access. The Cato backbone spans 50+ PoP (Point of Presence) locations, with interconnection supported via tier 1 providers. The private Cato solution is built on their cloud-native software stack; SD WAN route optimization, real-time path selection, security and so forth are all offered on an end-to-end basis.

Cato Edge SD WAN
Cato Networks SD-WAN Reporting

Cato Edge SD WAN will support essentially any local Internet access: think Ethernet leased lines, Broadband and 4G/5G (note that the Cato solution will also support MPLS). The Cato Socket (their SD WAN edge device) offers zero-touch deployment, with operational status achieved in minutes. With two devices, the X1500 and X1700, the proposition is easy to understand and adopt into your organization.

Once a Socket is on-site and deployed, the SD WAN capability offers:

SD WAN link aggregation – load-balanced traffic across multiple circuit types including Internet leased lines, MPLS, VPLS, Broadband, 4G and 5G.

App identification – automatic identification of apps (using deep packet inspection) in order to quickly establish reporting and analysis.

Bandwidth management – SD WAN QoS which ensures each application receives access to the upstream and downstream bandwidth it needs.

Packet loss mitigation – when packet loss is discovered, traffic is switched to an alternative link with duplicated packets to maintain application performance.

Routing protocol support – existing routing infrastructures can be maintained by Cato, leveraging BGP.

High Availability – secondary Cato PoP locations; Sockets will connect to their most appropriate PoP location as required.

What are the use cases for Cato SD WAN?

Cato Security

Making a move from MPLS to an Internet-based SD WAN – cost reduction, restrictive service provider lock-in and public cloud access are all reasons why businesses are moving to SD WAN services over the Internet.

Global SD WAN – businesses with international requirements benefit significantly from SD WAN vendors with global backbone capability.

Securing branch Internet access – all traffic is protected, including both Internet and WAN.

Cloud application acceleration – achieved by routing traffic to the Cato PoP closest to the required cloud provider, i.e. Microsoft Azure, AWS (Amazon Web Services) or Google Cloud.

Security for mobile users and home workers – whether the user connects from phone, tablet or PC, Cato Security and application ‘performance sensing’ ensures a consistent experience.

The Cato dashboard and analytics
Topology

Cato end-to-end management is provided by their GUI dashboard, which offers the ability to make changes and view network topology data together with analytics.

Once your IT team enters the Cato dashboard, the topology is shown as connected sites/devices, with an X denoting unconnected Sockets. To look at direct statistics, the user simply clicks the site name to view the following information about the Socket:

  • Average distance (average latency)
  • Current distance (actual latency)
  • Connectivity (Wired or Wireless)
  • Current throughput (Kbps or Mbps)
  • Current packet loss
  • Average packet loss
  • Software version

Routing table

Cato deployments are automatically routed over BGP. Each site and its corresponding routing table are displayed in an easy-to-understand list. When installing sites, Cato Sockets will automatically discover the other networks, resulting in super-fast SD WAN orchestration.

Configuration

The configuration section of the Cato portal is divided into sections as follows:

Sites – all sites are displayed with their configuration, which includes connected networks, hosts, local routing, DNS, port forwarding, bandwidth management and LAN monitoring. The site view also provides the ability to choose the Cato PoP manually rather than using the automatic default.

All Sockets (when plugged in) will automatically appear on the dashboard regardless of whether they have a static or dynamic IP address; the Cato device simply requires Internet connectivity. Because the Socket is identified independently of its public IP address, deployment is much easier when a static IP is not available (think fast-start requirements).

The Sites section will also display the LAN ports on each device: the X1500 (4 LAN ports, for sites below 500Mbps) and the X1700 (8 LAN ports).

Remote users are easily created. The Enterprise is able to deploy en masse using services such as Microsoft Intune, or via a self-service option where Cato sends an email with a self-service wizard. The user authenticates and sets up MFA with Azure Active Directory, essentially building their own profile across all devices. This is all achieved by the Cato VPN client, software which is available across all devices (Mac, PC, tablet, phone and so on).

With Cato, Azure appears as just another device on the network, avoiding scalability issues since everything is built on Cloud infrastructure, i.e. virtual and not appliance-based.

Within Sites, Cato offers the ability to group active users across locations or remote home-based workers. The group feature makes it easy to apply application-control and security policies based on a category of user.

Alerts are available which provide network administrators with the ability to flag bandwidth or performance issues.

Networking

Cato offers multiple bandwidth QoS options which can be templated or configured on an ongoing basis. Alongside QoS, Cato applies several techniques to enhance last-mile traffic and mitigate packet loss, including packet duplication, load balancing and link aggregation. The Cato SLA is offered across their core backbone but not the local VPN loop. In this sense, it remains important to select the best possible connectivity per site across Ethernet, Broadband and 4G/5G.

Cato is known to vastly improve Cloud service performance: a Cato-assigned IP allows users to connect via the PoP local to the Cloud resource in question, i.e. Azure, AWS or Google. In some cases, users report significant performance increases.

Access

Cato allows IT teams to build policies which enable extranet clients to access application resources. Access is provided via secure Internet; in the future RDP will be supported.

Security

Next-Generation Firewall (NGFW) support is available out of the box, providing policy control between sites. The Internet-facing Firewall offers per-user control of applications and traffic routing by category or by individual policies. Cato offers signature-based anti-malware alongside the SentinelOne zero-day malware detection engine, which examines file behavior. In addition, Cato provides IPS as a service across the entire environment. Malware identification applies across the network, whether from VPN to data center or from a remote location to a data center. Although DIY IPS is often complicated, Cato bases their configuration on the experience of customer traffic, enabling an out-of-the-box experience.

Analytics

Statistics and data reporting are easily accessible via the Sites dashboard, which offers an at-a-glance data set. Within analytics, bandwidth, packet loss and downtime are monitored together with usage across applications. This data is real-time, which means IT teams are able to respond to issues and problems quickly. All data is stored for 365 days, allowing excellent trend analysis, and the data can be queried at any time using elastic search capability.