Nobody likes to do router and firewall management. It often requires a lot of hard labor just keeping the infrastructure up and running.
If you ever had to set up IPsec tunnels between different firewall brands, change a firewall rule and hope nothing breaks, upgrade to the latest software or urgently patch a vulnerability – you know what I am talking about.
All of these issues have been with us basically forever. Recently, the list of complex tasks extended to getting cloud infrastructure connected to the rest of the network, and secure access for mobile users.
There seems to be a change coming to this key part of IT, a silver lining if you will. We decided to take a look at one solution to this problem – the Cato Cloud from Cato Networks.
Founded in 2015, Cato Networks provides a software-defined and cloud-based secure enterprise network that connects all locations, people and data to the Cato Cloud – a single, global, and secure network.
Cato promises to simplify networking and security by delivering an enterprise-grade network with built-in network security, instead of all the appliances and point solutions currently being used for that purpose.
We were delighted to discover a fresh approach to the age-old way of managing networking and security that is really compelling, especially for short-handed IT teams.
What We Tested
We set out to transform a legacy network architecture using the Cato Cloud ("Cato"), and looked into 4 areas:
- Provisioning: connecting sites and users to the WAN. Typically, this is a time-consuming and error-prone process, especially when creating a multi-vendor firewall full mesh.
- Administration: define and change access and security policies. Adding new policies and extending them to each location is a key task that requires careful planning to avoid conflicts and ensure all sites maintain compliance with the corporate security policy.
- Access: connect to company resources in both on-premise and cloud data centers. Multiple data centers, and especially cloud ones, contribute to increased access fragmentation. Typically, users have to connect to each resource directly, so eliminating this requirement improves the user experience.
- Security: Finally, we will test security effectiveness against Internet threats such as malicious websites and files. This is expected functionality from secure web gateways but with the added benefits of zero maintenance and elastic capacity.
Testing Environment
We wanted to simulate a typical customer environment for our testing, so we’ve built a hybrid environment that includes a headquarters, remote branch, mobile user, and cloud data center.
All sites and users require access to the Internet and the data centers located in the HQ and the cloud.
For the setup, we used both physical and virtual machines. Our main office simulates the headquarters (HQ), and I’m using my home office to simulate the remote branch (Branch).
The HQ connects to the Internet using a symmetrical 50/50 Mbps Internet line and already has a perimeter firewall. The Branch connects to the Internet over an asymmetrical 100 Mbps link and a small office firewall.
We also built 2 cloud data centers in Amazon AWS and Microsoft Azure. On both datacenters, we run Windows servers with a simple web application. The sites and data centers establish WAN connectivity over VPN.
Figure 1: Testing environment before Cato
Provisioning:
We tested Cato’s ability to provision new sites and users by using the Cato Management Application (CMA).
Our first task was to connect the HQ to Cato. Cato offers connectivity support using a standard IPsec tunnel, so we’ll leverage our existing firewall to connect to Cato.
The firewall initiates the connection and is configured to route all traffic to Cato. The firewall enforces no security; it is only moving the traffic to Cato where WAN connectivity and traffic inspection will be accomplished.
Next, we connected the cloud data centers to Cato (AWS and Azure). Connecting cloud data centers is done via Cato-initiated VPN tunnels to the built-in VPN gateways in most cloud platforms.
Figure 2: Adding new cloud data center to Cato
By connecting multiple cloud data centers to Cato, you bring separate network resources (across global regions or cloud providers) into a single network. This reduces the complexity (and sometimes overcomes provider limitations) of unifying data center access across all cloud resources.
Figure 3: Headquarters and cloud data centers connect to Cato with IPsec VPN
Next, we connected Branch to Cato. In this case, we will use a Cato-provided networking device called the Cato Socket. The Cato Socket only forwards traffic to the Cato Cloud.
Per Cato, the Cato Socket can handle up to 1 Gbps traffic of any kind, WAN and the Internet, and does not require any manual updates or upgrades since it is self-managed from the cloud. The Cato Socket provisioning process is plug-and-play, and the only action required by on-site staff is to plug it into power and an Internet connection.
Once connected, the Cato Socket automatically "calls home" and waits for the administrator to name it (in our case we chose "London") and confirm the connection into the network.
The advantage of using a Cato Socket instead of the firewall is that it eliminates the complexity of appliances (installation, updates, upgrades), and that it has no capacity limitation because no security enforcement is done on the device itself.
Figure 4: Cato Socket automatic provisioning
Finally, we connected a mobile user to Cato. To enroll with the Cato service, the admin sends an email invitation using the CMA to the user (user information can be loaded using Active Directory integration or, for testing purposes, added manually).
Figure 5: VPN user invitation sent from the Cato Management Application
The user then receives an email with a link to a Cato self-service portal that would install the Cato Client and automatically configure the user’s credentials and the Cato Cloud configuration.
Figure 6: The Cato Client installation and provisioning process
When done, the user can now connect the device to the Cato Cloud and gain access to the network. Resource access is enabled according to the access and security policy, and Internet browsing from the device is protected by Cato’s built-in network security services.
Figure 7: HQ, Branch, Cloud DC and Mobile Users connect to Cato
Administration:
Network and security administrators are required to change network configurations and investigate security incidents on a daily basis. In this part of the product review, we examined the granularity, simplicity, and efficiency of day-to-day operations.
Access Policy Configuration:
Once all sites, cloud datacenters, and mobile users are connected to Cato, we defined a policy that sets access permissions. In Cato, the access policy is divided into 2 parts: Access to WAN resources and Access to the Internet.
1. The WAN firewall controls access to business resources on physical and cloud data centers.
Figure 8: WAN firewall rule that enables users and sites access to data centers
2. The Internet Firewall controls all access from the sites and from mobile devices to the Internet. This is an application-aware policy at layer 7.
Figure 9: Internet access rule that blocks access to file sharing, and remote access applications
The approach Cato took in their access policy is really interesting. Access rules consolidate the resources that should be protected, and a direction arrow defines the allowed flow of traffic.
This way, instead of creating multiple rules, a single one can be used. In addition, the order of the rules isn't critical (unlike with traditional firewalls). This makes it simpler to add a new rule to the policy.
Security Policy Configuration:
Cato offers a built-in full network security stack in the cloud. The security stack includes URL Filtering and Anti-malware with TLS support. All WAN and Internet traffic that routes via Cato is inspected.
The Cato URL Filtering has a recommended out-of-the-box policy. URLs are organized in categories, and each category can be set to allow, block, monitor, or prompt.
For example, the admin can define all suspected phishing websites to block.
Figure 10: URL Filtering policy
The built-in Anti-malware scans both the Internet and WAN traffic and can be set to block or monitor for incidents.
Figure 11: The Anti-malware scans both the Internet and WAN traffic
What's unique about the Cato solution is that capacity and sizing is not a consideration for the customer. Unlike appliance-based security, there is no need to upgrade appliances when traffic volume, traffic mix or required security functions change.
With Cato, all traffic inspection is done in the cloud and scales to meet customer needs seamlessly. For example, because TLS inspection has a big impact on appliance performance, admins tend to be very careful when using it. With Cato we just enabled it, and it worked.
Connectivity:
Before using Cato, our HQ, Branch and cloud resources connected over VPN with a dedicated tunnel created for each resource. A mobile user also needed VPN to the datacenters, so they were required to connect and disconnect from the platforms’ dedicated VPN gateway each time they wanted to connect to a different datacenter.
With Cato, the sites, data center, and mobile users are connected to one cloud network, so all resources are accessible with a single VPN connection. Branch tunnels into the Cato Cloud using the Cato Socket, and mobile devices tunnel using the Cato Client.
Figure 12: Cato client for iOS connects the user to all resources with a single VPN connection
We wanted to test the network traffic analytics tools Cato provides with the system. Good visibility into network activities, performance, and usage is an important piece of any networking platform.
The CMA provides full visibility into connected networks and hosts. The administrator can view the usage of each network resource, and can focus on specific network events. Throughput, packet loss, latency and usage by an application are clearly shown to the administrator.
Figure 13: Network traffic analytics
Security:
Since the Cato Cloud replaces the firewall functionality we used and moved it to the cloud, we wanted to check its effectiveness and the visibility it offers for security incidents.
We decided to download a malicious file from the Internet over SSL for our testing.
We browsed to malwr.com and searched for a real Ransomware:
Figure 14: Ransomware sample from malwr.com
We then clicked the "download" button on one of the files to download it to a computer located at Branch, behind the Cato Cloud. Cato indeed detected the attempt and blocked the download.
On the CMA we could see this security event.
Figure 15: Cato Anti-malware event on the malicious file download attempt
The Cato event directs us to VirusTotal for more information.
Figure 16: Our Ransomware on VirusTotal
VirusTotal recognized this file as BitcoinBlackmailer.exe, which is a Ransomware file. The Cato security stack works in the cloud and inspects both Internet and WAN traffic, so even a malware file downloaded from one of our data centers would have been blocked.
Let's now look at Cato's application-level policies and URL Filtering effectiveness. On the CMA we set up a rule to block usage of BitTorrent and Tor from Branch.
Figure 17: Application-aware Firewall policy to block BitTorrent and Tor
We installed the Tor browser and tried to connect to the Tor network. Cato’s firewall blocked the connection.
Figure 18: Cato blocks Tor
For the URL filtering test, we defined a rule to block Gambling websites.
Figure 19: URL Filtering Policy to block Gambling websites
When we tried to browse to a gambling site (from Chrome we browsed to www.888.com), Cato blocked it and redirected us to an error page.
Figure 20: Cato blocks browsing to gambling website
Conclusion:
Cato Networks promised to simplify networking and security management by moving it to the cloud. We were really impressed by the simplicity and speed of migrating an on-premise network and security infrastructure to the Cato Cloud.
The management is easy and intuitive, and we found the end user experience to be simple for both setup and ongoing management of connectivity and security. But probably the most compelling feature is the relief Cato provides by eliminating the need to run distributed security appliances.
Cato takes care of the infrastructure for you. That is a huge benefit for busy and understaffed IT professionals.
How often does a vendor take away work, rather than layer extra work on top?
Nice work, Cato Networks.