If you ever had to set up IPsec tunnels between different firewall brands, change a firewall rule and hope nothing breaks, upgrade to the latest software or urgently patch a vulnerability – you know what I am talking about.
All of these issues have been with us basically forever. Recently, the list of complex tasks extended to getting cloud infrastructure connected to the rest of the network, and secure access for mobile users.
There seems to be a change coming to this key part of IT, a silver lining if you will. We decided to take a look at one solution to this problem – the Cato Cloud from Cato Networks.
Founded in 2015, Cato Networks provides a software-defined and cloud-based secure enterprise network that connects all locations, people and data to the Cato Cloud – a single, global, and secure network.
Cato promises to simplify networking and security by delivering enterprise-grade network with built-in network security, instead of all the appliances and point solutions currently being used for that purpose.
We were delighted to find a fresh approach to the age-old way of managing networking and security that is really compelling, especially for short-handed IT teams.
What We Tested
We set out to transform a legacy network architecture using the Cato Cloud ("Cato"), and looked into four areas:
- Provisioning: connecting sites and users to the WAN. Typically, this is a time consuming and error-prone process, especially when creating a multi-vendor firewall full mesh.
- Administration: define and change access and security policies. Adding new policies and extending them to each location is a key task that requires careful planning to avoid conflicts and ensure all sites maintain compliance with the corporate security policy.
- Access: connect to company resources in both on-premise and cloud data centers. Multiple data centers, and especially cloud ones, contribute to increased access fragmentation. Typically, users have to connect to each resource directly, so eliminating this requirement improves the user experience.
- Security: Finally, we will test security effectiveness against Internet threats such as malicious websites and files. This is expected functionality from secure web gateways but with the added benefits of zero maintenance and elastic capacity.
We wanted to simulate a typical customer environment for our testing, so we’ve built a hybrid environment that includes a headquarters, remote branch, mobile user, and cloud data center.
All sites and users require access to the Internet and the data centers located in the HQ and the cloud.
For the setup, we used both physical and virtual machines. Our main office simulates the headquarters (HQ), and I’m using my home office to simulate the remote branch (Branch).
The HQ connects to the internet using a symmetrical 50/50 Mbps internet line and already has a perimeter firewall. The Branch connects to the Internet over asymmetrical 100 Mbps link and a small office firewall.
We also built two cloud data centers in Amazon AWS and Microsoft Azure. On both datacenters, we run Windows servers with a simple web application. The sites and data centers establish WAN connectivity over VPN.
|Figure 1: Testing environment before Cato|
Provisioning:We tested Cato’s ability to provision new sites and users by using the Cato Management Application (CMA).
Our first task was to connect the HQ to Cato. Cato offers connectivity support using a standard IPsec tunnel, so we’ll leverage our existing firewall to connect to Cato.
The firewall initiates the connection and configures to route all traffic to Cato. The firewall enforces no security; it is simply moving the traffic to Cato where WAN connectivity and traffic inspection will be accomplished.
Next, we connected the cloud data centers to Cato (AWS and Azure). Connecting cloud data centers is done via Cato-initiated VPN tunnels to the built-in VPN gateways in most cloud platforms.
|Figure 2: Adding new cloud data center to Cato|
By connecting multiple cloud data centers to Cato, you bring separate network resources (across global regions or cloud providers) into a single network. This reduces the complexity (and sometimes overcome provider limitations) on unifying data center access across all cloud resources.
|Figure 3: Headquarters and cloud data centers connect to Cato with IPsec VPN|
Next, we connected Branch to Cato. In this case, we will use a Cato-provided networking device called the Cato Socket. The Cato Socket simply forwards traffic to the Cato Cloud.
Per Cato, the Cato Socket can handle up to 1 Gbps traffic of any kind, WAN and the Internet, and does not require any manual updates or upgrades since it is self-managed from the cloud. The Cato Socket provisioning process is plug-and-play, and the only action required by on-site stuff is to plug it into power and an Internet connection.
Once connected, the Cato Socket automatically "calls home" and waits for the administrator to name it, in our case we chose "London," and confirm the connection into the network.
The advantage of using a Cato Socket instead of the firewall is that it eliminates the complexity of appliances: installation, updates, upgrades, and that it has no capacity limitation because no security enforcement is done on the device itself.
|Figure: 4: Cato Socket automatic provisioning|
Finally, we connected a mobile user to Cato. To enroll with the Cato service, the admin sends an email invitation using the CMA to the user (user information can be loaded using Active Directory integration or for testing purposes added manually).
|Figure 5: VPN user invitation sent from the Cato Management Application|
The user then receives an email with a link to a Cato self-service portal that would install the Cato Client and automatically configure the user’s credentials and the Cato Cloud configuration.
|Figure 6: The Cato Client installation and provisioning process|
When done, the user can now connect the device to the Cato Cloud and gain access to the network. Resource access is enabled according to the access and security policy, and internet browsing from the device is protected by Cato’s built-in network security services.
|Figure 7: HQ, Branch, Cloud DC and Mobile Users connects to Cato|
Administration:Network and security administrators are required to change network configurations and investigate security incidents on a daily basis. In this part of the product review, we examined the day-to-day operations granularity, simplicity, and efficiency.
Access Policy Configuration:Once all sites, cloud datacenters, and mobile users are connected to Cato, we defined a policy that sets access permissions. In Cato, the access policy is divided into two parts: Access to WAN resources and Access to the Internet.
1. The WAN firewall controls access to business resources on physical and cloud data centers.
|Figure 8: WAN firewall rule that enables users and sites access to data centers|
2. The Internet Firewall controls all access from the sites and from mobile devices to the internet. This is an application-aware policy at layer 7.
|Figure 9: Internet access rule that blocks access to file sharing, and remote access applications|
The approach Cato took in their access policy is really interesting. Access rules consolidate the resources that should be protected, and a direction arrow defines the allowed flow of traffic.
This way, instead of creating multiple rules, a single one can be used. In addition, the order of the rules isn't critical (unlike with traditional firewalls). This makes it simpler to add a new rule to the policy.
Security Policy Configuration:Cato offers a built-in full network security stack in the cloud. The security stack includes URL Filtering and Anti-malware with TLS support. All WAN and internet traffic that route via Cato is inspected.
The Cato URL Filtering has a recommended out-of-the-box policy. URLs are organized in categories, and each category can be set to allow, block, monitor, and prompt.
For example, the admin can define all suspected phishing websites to block.
|Figure 10: URL Filtering policy|
The built-in Anti-malware scans both the internet and WAN traffic and can be set to block or monitor for incidents.
|Figure 11: The Anti-malware scans both the internet and WAN traffic|
What's unique about the Cato solution is that capacity and sizing is not a consideration for the customer. Unlike appliance-based security, there is no need to upgrade appliances when traffic volume, traffic mix or required security functions change.
With Cato, all traffic inspection is done in the cloud and scales to meet customer needs seamlessly. For example, because TLS inspection has a big impact on appliance performance, admins tend to be very careful when using it. With Cato we just enabled it, and it worked.
Connectivity:Before using Cato, our HQ, Branch and cloud resources connected over VPN with a dedicated tunnel created for each resource. A mobile user also needed VPN to the datacenters, so they were required to connect and disconnect from the platforms’ dedicated VPN gateway each time they wanted to connect to a different datacenter.
With Cato, the sites, data center, and mobile users are connected to one cloud network, so all resources are accessible with a single VPN connection. Branch tunnels into the Cato Cloud using the Cato Socket, and mobile devices tunnel using the Cato Client.
|Figure 12: Cato client for iOS connects the user to all resources with a single VPN connection|
We wanted to test the network traffic analytics tools Cato provides with the system. Good visibility into network activities, performance, and usage is an important piece of any networking platform.
The CMA provides full visibility into connected networks and hosts. The administrator can view the usage of each network resource, and can focus on specific network events. Throughput, packet loss, latency and usage by an application are clearly shown to the administrator.
|Figure 13: Network traffic analytics|
Security:Since the Cato Cloud replaces the firewall functionality we used and moved it to the cloud, we wanted to check its effectiveness and the visibility it offers for security incidents.
We decided to download a malicious file from the internet over SSL for our testing.
We browsed to malwr.com and searched for a real Ransomware:
|Figure 14: Ransomware sample from malwr.com|
We then clicked the "download" button on one of the files to download it to a computer located at Branch, behind the Cato Cloud. Cato indeed detected the attempt and blocked the download.
On the CMA we could see this security event.
|Figure 15: Cato Anti-malware event on the malicious file download attempt|
The Cato event directs us for more information on VirusTotal.
|Figure: 16: Our Ransomware on VirusTotal|
VirusTotal recognized this file as a BitcoinBlackmailer.exe which is a Ransomware file. The Cato security stack works in the cloud and inspects both internet and WAN traffic so even a malware file downloaded from one of our data centers would have been blocked.
Let's now look at Cato's application level policies and URL Filtering effectiveness. On the CMA we setup a rule to block usage of BitTorrent and Tor from Branch.
|Figure 17: Application-aware Firewall policy to block Bittorrent and Tor|
We installed the Tor browser and tried to connect to the Tor network. Cato’s firewall blocked the connection.
|Figure 18: Cato blocks Tor|
For the URL filtering test, we defined a rule to block Gambling websites.
|Figure 19: URL Filtering Policy to block Gambling websites|
When we tried to browse to a gambling site (from Chrome we browsed to www.888.com), Cato blocked it and redirected us to an error page.
|Figure 20: Cato blocks browsing to gambling website|
Conclusion:Cato Networks promised to simplify networking and security management by moving it to the cloud. We were really impressed by the simplicity and speed of migrating an on-premise network and security infrastructure to the Cato Cloud.
The administration is easy and intuitive, and we found the end user experience to be simple for both setup and ongoing management of connectivity and security. But probably the most compelling feature is the relief Cato provides by eliminating the need to run distributed security appliances.
Cato takes care of the infrastructure for you. That is a huge benefit for busy and understaffed IT professionals.
How often does a vendor take away work, rather than layer extra work on top?
Nice work, Cato Networks.