Cato Networks Philippines – MEC Networks Corporation

Cato: 5 ZTNA Challenges and How to Overcome Them

MEC Updates — Fri, 10 Jun 2022 02:27:14 +0000

Comparing virtual private networks (VPNs) and older solutions, zero-trust network access (ZTNA) is a superior remote access option. However, many companies continue to depend on unsafe and ineffective solutions rather than switching to ZTNA.

Often, businesses have probable reasons for not embracing ZTNA. We will look deeper into some of the most typical concerns now.

5 Common ZTNA Challenges

1. A VPN is adequate.

One of the most fundamental reasons why a company would not want to switch its VPN to ZTNA is because they have constantly used a VPN, and it has benefitted them. If distant users can connect to the resources they require, making a convincing argument for a transition may be challenging. But even if the VPN infrastructure of a company is operating effectively, security still has to be taken into account.

A VPN is intended to enable unlimited, private access to the business network to a distant user. As a result, VPNs lack application-level access restrictions as well as integrated security. As a result, fraudsters frequently target VPNs since a single leaked set of credentials may offer all of the access required for a data breach, ransomware infection, or other assaults.

ZTNA, on the other hand, grants access on a case-by-case basis depending on user and application-level access rules. If an attacker gains access to a user’s account, their ability to cause damage is restricted by the user’s permissions.

2. ZTNA is challenging to deploy.

While installing ZTNA as a standalone solution might be difficult, doing it as part of a Secure Access Service Edge (SASE) solution can make the process easier. Deploying a managed SASE solution is as simple as directing infrastructure to the nearest SASE point of presence (PoP) and installing the necessary access restrictions.

3. We need VPNs for compliance.

Numerous data protection and industry rules restrict most organizations. These requirements frequently require that a business implement specific security measures and may prescribe particular solutions.

However, rules are continuously changing, and VPN restrictions are widely recognized. As authorities begin to seek and mandate a zero-trust approach to security within businesses, technologies such as VPNs that are not intended for zero trust will be phased out of regulatory guidelines.

4. We have already invested in our VPN system.

When the pandemic prompted a shift to remote work, many firms chose to extend their current VPN infrastructure rather than study alternatives. As a result, many businesses have invested in a solution that, to some extent, fits their remote work requirements.

However, the practical difference between a VPN and a ZTNA solution might greatly surpass these expenditures. ZTNA offers comprehensive access management, which helps lower the cost of a data breach and simplifies an organization’s regulatory compliance plan. A ZTNA solution effectively prevents a data breach by preventing unauthorized access to sensitive data, so it was as if it had paid for itself.

5. Our security team is overburdened with our current solutions.

Nowadays, many firms’ security departments are having difficulty keeping up. Companies have difficulty hiring and maintaining trained individuals due to the cybersecurity skills gap. A vast array of security solutions that generates unmanageable alerts and the need to configure, monitor, and administer numerous independent solutions also cause this phenomenon. As a result, the prospect of implementing, configuring, and learning yet another solution may be unappealing.

One of the primary benefits of ZTNA is that it simplifies security monitoring and administration, more so when used in conjunction with a SASE solution. SASE removes duplicates by combining different security tasks into a single network-level solution, allowing a single console to manage security monitoring and administration. SASE decreases the load on security teams by lowering the number of dashboards and alerts that analysts must manage, allowing them to better keep up with an increasing threat landscape and expanding corporate IT infrastructure.

ZTNA is the Future of Remote Access

On paper, many businesses have solutions that provide the capabilities and functionality required to enable a remote workforce and secure access to corporate applications. Legacy technologies, such as VPNs, lack essential access controls and security capabilities, making a business open to attack.

Organizations will seek solutions that suit their security demands and regulatory requirements as the zero-trust security paradigm gains traction and is implemented by legislation. ZTNA fits these requirements, particularly as part of a SASE solution.

The post Cato: 5 ZTNA Challenges and How to Overcome Them appeared first on MEC Networks Corporation.

Cato Cloud Access Security Broker (CASB)

MEC Digital — Mon, 07 Mar 2022 05:03:35 +0000

Protect your enterprise from cloud-born risks

The shift to cloud and adoption of Software as a Service (SaaS) services, has enabled enterprises to offload the burden of managing and delivering them by themselves. It has also, however, exposed a new and particularly risky attack surface. Cloud Access Security Broker (CASB) solutions play a pivotal role in helping enterprises cope with these risks and fortifying their security posture.

Cato CASB Solution helps organizations cope with the perils of Shadow IT

Visibility

Assessment

Enforcement

Protection

Stand-alone CASB solutions vs. Cato's SASE Cloud

	Stand Alone CASB	Cato CASB
Onboarding	Long and complicated	Fast and simple
Inspection context breadth	Partial	Complete
Application coverage	Limited	Wide
Inline enforcement granularity	Low	High

Cato’s CASB solution is an integral service of the Cato SASE Cloud. This means enterprises using Cato can enable CASB with a mere flip of a switch. Since the enterprise network traffic is already processed by Cato’s SASE Cloud, adding the CASB functionality doesn’t require any client installations or network changes.

Browse Cato Networks Solutions

The post Cato Cloud Access Security Broker (CASB) appeared first on MEC Networks Corporation.

Cato MDR

MEC Digital — Mon, 17 Jan 2022 02:18:00 +0000

Managed Threat Detection and Response

Cato Managed Detection and Response (MDR) is an advanced security service that offers continuous threat detection and guidance on how to respond to malicious events, quickly, and effectively. Cato MDR leverages AI and ML, combined with human threat verification, to hunt, investigate, alert, reduce risk of breach, and improve security posture.

Cato MDR is built-in into Cato’s SASE platform. This means Cato MDR monitor all site, VPN, and cloud environments connected to CATO SASE Cloud, enabling users to benefit instantly from the service without having to install additional HW/SW.

Key Benefits:

1. Immediate service activation, no additional HW/SW needed

2. Dwell time reduce from 200+ days to 1-2 days!

3. Real-time alerts for confirmed threats, no false positives

4. Network-level containment and guided remediation for effective response

5. Designated security experts alongside security assessments

Key Features:

Automated threat hunting

Machine learning algorithms look for anomalies across billions of flows in Cato’s data warehouse and correlate them with threat intelligence sources and complex heuristics.

Expert threat verification

Cato security researchers review flagged endpoints and assess the validity and severity of the risk, only alerting on actual threats.

Threat containment

Verified live threats can be contained automatically by blocking C&C domains and IP addresses, or disconnecting compromised machines or users from the network.

Guided remediation

The Cato SOC advises on the risk’s threat level, recommended remediation, and follows up until the threat is eliminated.

Browse Cato Networks Solutions

The post Cato MDR appeared first on MEC Networks Corporation.

Why Cato SPACE Matters in Unleashing SASE’s Full Potential

MEC Updates — Fri, 07 Jan 2022 06:14:47 +0000

In 2019, Gartner presented the Secure Access Service Edge (SASE). This took the industry by surprise. Unlike numerous advancements in technology, SASE was not a novel networking capability. It was also not a response to an unsolved security enigma. Instead, it dealt with an everyday yet business-critical question: how can IT help the business with the expected security, performance, and speed in an age marked by multiple complexities?

Gartner has replied to this question by delineating a SASE architecture as the convergence of many WAN edge and network security capabilities. It is deployed via a global cloud service that enforces a standard policy on every business edge: users, sites, and applications.

This new infrastructure represented a sizable ordeal for the current vendors who led the IT networking and security enterprise with a lot of disconnected point solutions. It was their infrastructures and designs that were chiefly liable for the pervasive complexity clients had to deal with over the past 20 years. Why was the SASE infrastructure such a challenge for them? Because following Gartner’s structure needed a tremendous re-architecture of legacy products that were in no way constructed to support a converged, global cloud service.

This is precisely the scenario in which Cato Networks creates a fresh opportunity for clients by launching the Cato Single Pass Cloud Engine (SPACE). Cato SPACE is the essential element of the Cato SASE infrastructure and was made from the ground up to command a global, scalable, and flexible SASE cloud service. Thousands of Cato SPACEs empower the Cato SASE Cloud to give a complete set of networking and security capabilities. It is meant for any user or operation, anywhere in the world and it is a cloud-scale service that can mend and manage itself.

Why Convergence and Cloud-Native Software are Critical to Authentic SASE Architecture

SASE was created as a cure to the complexity enigma. It goes against the approaches that drive complexity into the IT lifecycle. Such approaches only exhibit many points of failure and delay in decoding, examining, and re-encrypting packets within every point solution.

Convergence is the foremost step in reducing complexity by substituting the multiple capabilities of numerous point solutions with a single software stack. The single stack is easier to manage, facilitates more efficient processing, simplifies management through a single pane of glass, and more. Convergence, though, has strategic benefits, not just functional ones.

A converged stack can disseminate context and execute rich policies to make more intelligent decisions on optimizing and safeguarding traffic. This is not the case with point solutions that often have restricted visibility because of how they process traffic (e.g., proxy) and the information needed for the specific function they provide.

Cloud-native is adding to the significance of convergence by allowing the scaling and distribution of the converged software stack. The converged stack caters to many enterprises and the traffic flowing from their users, locations, and applications to any point on the WAN or Internet. The orchestration layer oversees the globalization, scalability, and resiliency of the service. This is not a mere retrofit of legacy product-based architecture, but an outcome of a novel service-based architecture.

Cato SPACE: The Secret Ingredient to Strengthening the Cato SASE Architecture

The Cato SASE Cloud is a worldwide cloud service that supports Cato’s customers. Each business organization is represented within the Cato SASE Cloud as a virtual network robustly assigned to the right traffic processing capacity. This optimizes and secures the client’s traffic from any edge to any destination.

The Cato SASE Cloud is constructed on a global network of Cato SASE Points of Presence (PoPs). Each point has a considerable number of compute nodes with numerous processing cores. Then each core processes a copy of the Cato Single Pass Cloud Engine, Cato SPACE, the converged software stack that optimizes and protects all traffic according to customer policy.

These are the 6 primary features of the Cato SPACE:

Consolidated software stack, single-pass processing: The Cato SPACE comprehensively handles global route optimization, WAN and cloud access acceleration, and security. It is also a service with a next-level firewall, safe web gateway, next-gen anti-malware, and IPS. Cato is constantly developing the software stack with more capabilities but is consistently minding the same SASE architectural framework.
Every client, edge, and flow: The Cato SPACE is not limited to any particular customer network or edge. Through a procedure of active flow orchestration, a certain edge tunnel is assigned to the least busy Cato SPACE within the Cato SASE PoP closest to the client edge. The Cato SPACE can thus manage any number of tunnels from any number of clients and edges. This creates an intrinsically load-balanced and rapid environment.
On-time contextual policy implementation: Once assigned to a Cato SPACE, the flow’s context is drawn, the relevant policy is dynamically pulled and associated with the flow, and traffic processing is executed according to this context and policy.
Cloud-scale: Each Cato SPACE can take on up to 2GBPS of encrypted traffic from one or additional edge tunnels with all security engines enabled. Edge tunnels are flawlessly disseminated within the Cato SASE Cloud and across Cato SPACEs to acclimate to changes in the whole load. Capacity can also be expanded by adding compute nodes to the PoPs as the Cato SPACEs are fully proportional and can be staged into the service at any time.
Independent mending: Cato SPACE can take over any tunnel operated by any other Cato SPACE. The orchestration layer moves the tunnels across Cato SPACEs if failure ever happens. If a Cato PoP becomes unavailable, edge tunnels can relocate. This is possible within the same region or across regions according to customer policy. Clients no longer must develop failover strategies for their regional hubs.
Independent management: Cato DevOps, Engineering, and Security units are in charge of maintaining all aspects of the Cato SASE Cloud. Software innovations and improvements are applied behind the scenes across all Cato PoPs and Cato SPACEs. New IPS regulations are designed, tested, and executed by Cato SOC to address arising threats. Cato DevOps and NOC units perform all-day monitoring to ensure top-notch performance. Clients can, thus, concentrate on policy configuration analytics using Cato’s management platform that delivers a single-pane-of-glass for the whole service.

Your Choice of SASE Architecture Matters

SASE was called transformative technology by Gartner for a reason. It alters the way IT supplies the whole networking and security capability to the enterprise. SASE functional capabilities will keep increasing over time with all vendors. But, without the apt fundamental architecture, businesses will not discover the transformational power of SASE.

Cato is the trailblazer of the SASE category. They built the only architecture purposely designed to showcase the value of SASE. You can rest assured and be ready for whatever comes next with this solution from Cato.

The post Why Cato SPACE Matters in Unleashing SASE’s Full Potential appeared first on MEC Networks Corporation.

Cato Networks Software Defined Perimeter (SDP)

MEC Digital — Fri, 26 Nov 2021 08:33:00 +0000

Optimized and Secure Remote Access for Everyone and Everywhere

Enterprises are seeing a growing need for employees to work remotely. In particular, during times of crisis, the ability to work securely and productively from home is a critical pillar of business continuity planning. Cato SDP enables remote users, through a client or clientless browser access, to access all business applications, via the secure and optimized connection.

Why choose CATO SDP?

Cloud-native SDP delivers secure remote access as an integral part of a company’s global network and security infrastructure. A global, cloud-scale platform supports any number of remote users within their geographical regions. Performance improves with end-to-end optimized access to any application using a global private backbone. Risk is minimized before and after users access the network through strong authentication and continuous traffic inspection for threat prevention. Cloud-native SDP makes mobile access easy — easy to deploy, easy to use, and easy to secure.

Easy deployment, instant secure access

Multi-factor Authentication & Single-Sign-On

Flexible Client-based or Clientless Access Options

Continuous Security Inspection for All Remote Access Traffic

Access Performance Optimization to All Applications

Cloud-scale Remote Access for Everyone, Anytime and Anywhere

Browse Cato Networks Solutions

The post Cato Networks Software Defined Perimeter (SDP) appeared first on MEC Networks Corporation.

Cato: Cybersecurity Threat Insights

MEC Updates — Tue, 02 Nov 2021 02:09:15 +0000

In the first quarter of 2021, 190 billion traffic flows passed through the SASE Network of Cato.

With this in mind, the organization set out to dissect and identify new pitfalls and critical trends related to cybersecurity. They have just published their findings in the SASE Threat Research Report, and now, we present the five crucial highlights that will help you gauge the strength of your network security.

Crucial Insights from the SASE Research Report of Cato Networks

1. Top 5 Threat Types in 2021

Using machine literacy to identify high-risk dangers and authenticated security incidents, Cato capably identified and observed the most common types of attacks. These include:

Network Scanning – CATO detected the attacker testing different ports to see which services are running and are most vulnerable.
Reputation – There were inbound or outbound messages pointing to known-bad domains or IP addresses.
Vulnerability Scan – The attacker uses a vulnerability scanner that runs against the systems of a company.
Malware – This was seen proliferating within the network traffic.
Web Operation Attack – The bad actor tried to take advantage of a web application vulnerability, similar to cross-site scripting (XSS) or SQL injection.

The threat types above prove that cyberattackers accomplish espionage operations on a company’s systems. They can also successfully gain original access (as demonstrated by the quantity of inbound and outbound suspicious business flows).

2. Regional Bans Produce a False Sense of Security

The latest news attributes the top cybercrime and other online vicious acts to a small set of countries only.

It might seem logical that having firewall rules to block businesses to and from these countries would enhance security. Still, these domestic bans produce a false sense of security. The immense quantity of vicious attempts originates in the US, which counts for more than the four largest sources (namely, Venezuela, China, Germany, and Japan) put together. Regional restrictions have little to no impact because top malware sources and command and control servers are in the US.

3. Cyberattackers Prey upon Remote Administration Tools

Remote access and administration tools like TeamViewer grew significantly prevalent during the pandemic. These tools empowered businesses to continue performing their tasks despite an unforeseen and mandatory transition to remote work.

But keep in mind, these tools are desirable for cyberattackers as well. These malicious actors will try to phish credentials for these services. Then, they will use them to gain direct access to the resources of a company. RDP is now a common delivery vector for ransomware. An inadequately secured TeamViewer allowed the Oldsmar water treatment hack to be possible.

4. Legacy Software and PHP are Constant Targets

By breaking down the Common Vulnerabilities and Exposures (CVEs) most targeted by cyberattackers, intriguing trends are revealed. The first is that vulnerabilities related to the programming language, PHP, are extremely notorious. This substantially permits an attacker to succeed in remote code execution (RCE).

Another significant takeaway is that cyberattackers are targeting age-old dangers lurking on company networks. Cyberattackers are generally surveying for unsubstantiated and defenseless systems that are greater than twenty times old.

5. Business Traffic Flows Are Not Always Predictable

Dissecting the business network traffic flows demonstrates that Microsoft Office and Google operations are the two most typically used cloud apps in company networks.

Nevertheless, that is not to say that they are the only frequent network flows on enterprise networks. The average organization has additional traffic on TikTok than Gmail, LinkedIn, or Spotify. These TikTok flows put enterprise security in danger. Bad actors take advantage of consumer operations to distribute malware or phishing content, and the use of unsanctioned apps creates fresh weaknesses and implicit attack vectors within the network of a company.

Enhance Your Network Visibility and Cybersecurity with Cato

The latest SASE Threat Research Report from Cato demonstrated the significance of deep network visibility and understanding for enterprise security. While some trends (similar to the exploitation of remote access issues) may have been expected, others were much less.

Cato was qualified to accomplish this report grounded on the deep visibility given by its SASE network. Choosing to partner with Cato to achieve this standard of visibility is necessary for your company’s protection and so that you can pinpoint the pitfalls within your network.

The post Cato: Cybersecurity Threat Insights appeared first on MEC Networks Corporation.

CATO Networks: Optimized Remote Access with a Secure Access Service Edge (SASE)

MEC Updates — Mon, 20 Apr 2020 19:48:08 +0000

Secure Remote and Mobile Access:

The Challenges

1. Optimizing access for the remote workforce, which needs to conduct business from anywhere

2. Controlling and securing access to business applications in physical or cloud datacenters, or to public cloud applications, such as Office 365.

Use Case 1: Remote Access to Physical Datacenters

Remote users need regional or global access to applications hosted in data centers. Traditionally, they accessed applications by running VPN clients on their remote devices and connected to VPN concentrators or datacenter firewalls.

When remote users entered the network through remote locations, they would have to traverse the MPLS or Internet VPN to the servers in the datacenter. Since VPN access is done entirely over the public Internet, users are exposed to erratic Internet routing with its significant latency and packet loss.

These factors can severely degrade the application experience, frustrating users and hampering their productivity. Furthermore, once authenticated, traditional VPN solutions enable users to access a whole network. This means that hackers may be one password away from getting an unrestricted foothold on the network.

Use Case 2: Remote Access to Cloud Datacenters

While similar in concept to physical datacenters, cloud datacenters pose new networking and security challenges for fixed and mobile users. Legacy WAN architectures that backhauled traffic to a physical datacenter, need to incorporate the datacenter’s split into physical and cloud datacenter(s), sometimes hundreds of miles apart. None of the obvious solutions are sufficient.

Continuing to forward the traffic from the physical data center and then onto the cloud datacenter leaves datacenter-bound and mobile user traffic subject to the erratic routing of the Internet while adding latency due to the “trombone effect.”

Cloud interconnect services, such as DirectConnect for Amazon Web Services (AWS) and ExpressRoute for Microsoft Azure, provide direct connections from physical datacenter to the cloud. But remote users remain subject to Internet performance while site- and user-traffic are subject to tromboning.

Allowing remote users direct access to the cloud is equally ineffective. It eliminates tromboning, but leaves users subject to Internet performance. In addition, direct access bypasses the corporate network security stack, requiring the deployment of new cloud-based security solutions.

Use Case 3: Remote Access to Cloud Applications

Accessing cloud applications (SaaS) introduces even more nuances. Cloud apps are outside of IT control so WAN optimization capabilities cannot be extended into the application provider’s datacenter. Yet users need to access cloud application instances. Take an SFDC instance located within a specific region.

All users, regardless of location, must access that instance and face the same connectivity challenges as they would if accessing the company’s data center. Network security is even harder to implement.

Traditional network security relies on a “line of sight” into the traffic to inspect and secure it. But as with direct mobile access to cloud datacenters, direct mobile-to-cloud access bypasses the corporate network security stack.

Companies again face a tough choice: either force backhauling of mobile Internet traffic to the datacenter, which adds latency and degrades the user experience, or increase costs by deploying a cloud-based security point solution — such as a SWG or CASB — to intercept and inspect all mobile traffic to the cloud.

The Old Way

The New Way

Secure Access Service Edge (SASE) platforms optimize remote access by design

A SASE platform has a multitenant WAN backbone built from globally dispersed points of presence (PoPs) that are fully meshed, creating a private and optimized global overlay. Edge resources — including physical locations, cloud datacenters, and remote users — establish secure tunnels to the nearest PoPs using IPsec or DTLS. Cloud applications are accessed by routing traffic to the closest PoP as measured by latency and loss.

The SASE’s cloud network is a full replacement for traditional VPN solutions. By running a mobile client or with clientless browser access, the mobile device finds and connects to the nearest PoP. The user authenticates using multi-factor authentication. Once connected to the PoP, the user is part of the virtual enterprise WAN and can access any authorized application.

With its global, SLA-backed backbone, the SASE’s cloud network connects remote users to both physical and cloud datacenter resources anywhere in the world without the erraticness of the Internet middle mile. And since the IP ranges of both the physical data center and the cloud datacenters are visible on the WAN
to authorized users, and the optimal direct path can be calculated, avoiding tromboning.

Gone are the chokepoints and backhauling that undermined mobile user performance.

Remote Access as a Business Continuity Strategy

Extreme weather conditions and global health crisis have taught
enterprises that allowing all their employees to work remotely all the time has become a critical pillar of their BCP (business continuity plans). Legacy VPN solutions are designed to enable access for a subset of users over short periods of time. They are not designed for 24×7 access to all users that may be needed in such business continuity scenarios.

A SASE-based remote access solution has the exact characteristics to overcome such limitations. Provided from a globally distributed, highly scalable cloud platform, it enables continuous access to all employees in the office, on the road, or at home.

The costs associated with the scale and redundancy needed to support BCP with traditional VPN solutions are significantly higher compared to a SASE platform. With legacy solutions, appliances will need to be big enough to support all employees and redundant to guarantee availability in case one of them fails or gets disconnected. In comparison, a SASE is able to serve any number of users, anytime, anywhere in the world, and has high-availability built-in, offering BCP at a significantly lower cost.

Summary

Cato’s cloud-native network architecture connects all resources — physical, cloud, and mobile — to a single, virtual enterprise WAN. Result: a deep convergence of multiple capabilities, including WAN optimization, network security, cloud access control, and remote access to the network itself. This remarkably comprehensive design dramatically simplifies enterprise IT and reduces risk and costs.

The post CATO Networks: Optimized Remote Access with a Secure Access Service Edge (SASE) appeared first on MEC Networks Corporation.

Cato Networks: The 4 Key Considerations for Extending Your Business Continuity Plan (BCP) to Home and Remote Workers

Ron Esmeralda — Mon, 23 Mar 2020 03:40:13 +0000

It’s a challenge not to consider a spreading health crisis when you’re crushed into a crowded train or bus, clutching a germ-infested pole and dodging a nearby cough. Because the current crisis develops, enterprise business continuity planning and risk management will result in many enterprise users working full time from home. Already we’ve seen the amount of active remote or mobile users of the Cato Cloud rise 75 percent since early January, growing from about 10,000 users to 17,500 users.

In fact, as this Bloomberg article highlights, we’re probably about to start the biggest global work-at-home experiment in history. What does that mean for your business continuity planning and remote work strategy? Consider four categories: connectivity, performance, security, and management. Here’s a summary of each.

Connectivity and Architecture

IT has been supporting remote and mobile users for years, but a sudden spike in staff working from home full time could be a whole new ballgame. Most won’t be connecting occasionally to check email or do some quick catchup at the airport, between meetings, or after hours at the hotel. They’ll be on the network every workday for hours accessing enterprise applications, files, and data. Your current remote access infrastructure was likely never sized to deal with such a large, constant load, which implies you’ll probably need to add or upgrade remote concentrators. In the best of times, this will take days or weeks, but hundreds or thousands of companies will need similar upgrades.

Aside from the company data center, most enterprise users are accessing infrastructure and applications in cloud data centers, which adds connectivity complexity, as we discuss in this eBook, Mobile Access Optimization and Security for the Cloud Era, and below. For security reasons, most organizations prefer to route cloud traffic through datacenter security infrastructure first, then out to cloud datacenters many miles away, which adds latency to the home user’s cloud user experience.

Datacenter network congestion is also a problem, one that Adroll, a company offering a marketing platform for personalized advertising campaigns, had to grapple with. Not only did backhauling remote user cloud traffic add latency to Adroll’s cloud user experience, but it also saturated the San Francisco Internet connection and created availability problems, because the San Francisco firewall had no geo-redundancy. “It puts plenty of stuff in one basket,” says Adroll’s Global Director of IT, Adrian Dunne. “Once the VPN on our primary firewall rebooted. Suddenly 100 engineers couldn’t work anymore.”

Performance and User Experience

Mobile and home VPN users often complain about remote access performance even when infrastructure is sized appropriately, because of the unpredictability, latency and packet loss inherent within the public Internet core. When accessing the cloud, the mobile experience can get so sluggish that users often abandon the company backhauling solution to access the cloud directly, opening significant security gaps. Many newer users also find themselves struggling with unfamiliar VPN client software, passwords, and connections to multiple cloud services.

To make working at home successful, it will need to find ways to simplify and speed up the user experience so it’s more like working at the office. this could mean considering alternatives to backhauling and running traditional VPNs, which we discuss below.

Security

As more and more users work from home, security risks are guaranteed to increase. More remote users mean more opportunities for threat actors to penetrate security defenses. Unfortunately, traditional VPNs authenticate remote users to the whole enterprise network, allowing them to PING or “see” all network resources. Hackers are known to take advantage of this chance, as they did with the infamous Home Depot and Target breaches of a couple of years ago, which took advantage of stolen VPN credentials. Once inside the network, a hacker is simply one administrator password away from access to sensitive applications and data. That’s a big reason why IT security has been moving away from network-centric security towards software-defined Zero Trust Network Access, which grants users access only to what they need when they need it.

Enforcing security policies for many more remote users also can add latency and cut down performance. The choice is to let mobile users connect directly to the cloud and deploy new cloud-based security solutions, like secure Web gateways or secure access security brokers (CASB), that intercept connections before they reach the cloud. Users will still be contending with public Internet performance, however.

Management

Deploying client VPN software on thousands of latest home users’ systems can take considerable resources and time that organizations might not have during a crisis.

AdRoll found VPN onboarding of the latest users a very cumbersome process, especially for contractors. “Using Mac’s management software to push out VPN configurations to users was a pain,” says Dunne. Dunne also had to send instructions for configuring the VPN client to every user. Once these users are onboard, IT also needs appropriate tools for managing and monitoring all those remote users, much as it does for its branch offices and other sites. Shifting to cloud-based Web gateways and CASB’s has its own overhead as well.

Cato’s SASE Solution Provides Access Needed for Remote Workers

There is a solution that will solve many of these connectivity, security, performance, and management issues: a cloud-native network like the Cato Cloud. Built on the principles of Gartner’s secure access service edge (SASE), Cato connects mobile and remote workers to the same network, secured by the same security policy set, as those within the office.

Rather than connecting to the company data center, then out to cloud applications, home users connect with their nearby cloud-native network point of presence (PoP). From there they become a part of a virtual enterprise WAN that the data center and branch offices access through their local PoPs as well. Cato locates its PoP infrastructure in a number of the same data centers as major cloud providers, including AWS and Microsoft Azure, allowing fast direct connections to cloud services.

Connectivity isn’t a problem. Cato’s cloud architecture is meant for massive scalability to support any number of latest users regardless of session duration or frequency. They will work at home or within the office all day, every day and the Cato architecture will accommodate the load transparently. “Cato’s mobile VPN is my secret BCP in my back pocket,” says Stuart Gall then the infrastructure architect within the network and systems group at Paysafe. “If my global network goes down, I can be like Batman and whip this thing out.” Performance improves by eliminating backhaul and inspecting traffic within the PoP instead of the datacenter. Home and mobile users bypass the unpredictable Internet middle mile and instead use the Cato backbone with its optimized routing and built-in WAN optimization to dramatically reduce latency and improve data throughput.

The user experience improves in other ways. Users connect to all their applications and resources, whether spread across multiple clouds or within private datacenters, with a single login. Getting users connected is simple. “The cherry on top was Cato’s VPN solution,” says Don Williams, corporate IT director at Innovex Downhole Solutions. It had been the best technology I’ve seen. In less than 10 minutes we were connected through a VPN on the device. Most of the security and network management is handled by the cloud provider, instead of enterprise IT. Cato’s Security as a Service provides a completely managed suite of agile, enterprise-grade network security capabilities, built directly into the Cato Global Private Backbone, including a next-generation firewall/VPN, a Secure Web Gateway, Advanced Threat Prevention, Cloud, and Mobile Access Protection, and Managed Threat Detection and Response (MDR).

Cato simplifies security management in other ways. “With firewall appliances, you install certificates from your firewall, and only then do you realize that when your user goes to a different site, you again need to install another SSL certificate at that appliance,” says the IT manager at a leading EduTech provider, “With Cato, we were ready to install a single certificate globally so we will do SSL decryption and re-encryption.”

Adding new home users to a cloud-native network could be a quick process that doesn’t require expensive, time-consuming appliance upgrades. “With Cato, we just sent a user an invite to install the client,” says Dunne. “It’s pretty much like a consumer application, which makes it easy for users to install.” Adroll’s San Francisco chokepoint was eliminated, and Cato gave Dunne more granular control over permissions for mobile users.

The current crisis will likely require plenty of quick action from IT to urge users to connect and work from home fast and securely. A cloud-native, SASE network can make the work faster and easier while giving all those home-based workers a satisfying user experience.

The post Cato Networks: The 4 Key Considerations for Extending Your Business Continuity Plan (BCP) to Home and Remote Workers appeared first on MEC Networks Corporation.

Cato Networks: SD-WAN Versus Hybrid WAN

Ron Esmeralda — Thu, 27 Feb 2020 02:43:35 +0000

Most enterprise WANs have historically used MPLS, but with the proliferation of cloud resources and mobile users, organizations are realizing the necessity to facilitate more flexible connectivity. They’re faced with many options when making this decision, but one among the primary that has got to be considered is whether or not to travel with a hybrid WAN or SD-WAN.

With a hybrid WAN, two differing types of network services connect locations. Usually, one network service is MPLS while the opposite is usually an online connection. While some enterprises will have a lively MPLS connection with an Internet/VPN connection for failover, hybrid WAN actively uses both connections.

Hybrid WAN – Pros and Cons

Pros of Hybrid WAN

Hybrid WAN configurations leave a simple increase in bandwidth by inserting Internet connections alongside an existing MPLS network. Offloading traffic from MPLS allows for reductions in monthly bandwidth costs and to show up new installations faster by leveraging indigenous Internet access links. Regulatory constraints mandating MPLS can still be met.

Hybrid WAN takes advantage of the reliability, security, and SLA-backed performance of MPLS connections, yet limits the expense of those connections by augmenting connectivity with Internet connections that are cheaper and more versatile. In some cases, these Internet links can help improve performance for traffic that’s not destined for the info center because it can reduce the number of hops that will occur when backhauling through the data center.

Cons of Hybrid WAN

The question is whether or not organizations can ever eliminate MPLS costs with Hybrid WANs. the general public Internet is just too erratic for global deployments requiring the continued use of costly, international MPLS connections. Companies are still left with having to attend months to provision new MPLS circuits. Additionally, maintaining distinctly separate WAN connection transports adds an administrative burden and may create appliance sprawl. Finally, Hybrid WANs aren’t designed with Cloud and mobile communications in mind, requiring additional strategies for securing and integrating these connections into the enterprise.

SD-WAN – Pros and Cons

Pros of SD-WAN

By replacing an MPLS network with SD-WAN, there is often a big cost saving while still maintaining the performance required for today’s applications. Unlike MPLS, with SD-WAN customers can easily add new circuits or increase the bandwidth of existing circuits with little impact on the network configuration. By utilizing multiple low-cost, high-bandwidth circuits, SD-WAN can meet the performance and reliability organizations require. Organizations can select transport types that provide the simplest value for every location and still connect seamlessly to the remainder of the WAN. Additionally, because SD-WAN is compatible with multiple transport types, provisioning of the latest or additional services is far faster than MPLS.

Cons of SD-WAN

Out of the gate, SD-WAN has several challenges that involve security, global locations, and mobile user connectivity. Because public Internet connections are used for SD-WAN, and there’s no use to backhaul to the secured data center, the traffic is no longer secured. For connectivity to some global locations, routing and response times are often unpredictable. However, oftentimes locations that have difficulties getting reliable Internet have ideal MPLS connectivity. for several organizations, connectivity for mobile users and to the cloud may be a drive for change within the WAN infrastructure. But to get access to the cloud with SD-WAN, a separate cloud connection point is required, and mobile users aren’t addressed during a standard SD-WAN solution.

Making the Choice

Some SD-WAN providers have taken the simplest of both worlds by combining the benefits of SD-WAN while overcoming the challenges of a vanilla SD-WAN solution. Meaning the predictability and performance like MPLS while also offering an integrated firewall-as-a-service that creates firewall services available to all or any locations. during this case, the whole WAN is connected to one, logical firewall with an application-aware security policy that permits a unified security policy and a holistic view of the whole WAN. Other challenges like cloud and mobile also are resolved with SD-WAN-as-a-service offerings.

When comparing hybrid WAN to SD-WAN, the choice for many organizations comes right down to whether or not they feel MPLS is often replaced. With the dramatic improvement of Internet performance, unless there are specific locations that have poor Internet connectivity, an enterprise should feel confident that an SD-WAN solution can meet the stress while also providing cost and agility advantages over MPLS or hybrid WAN. If a business features a scenario where they feel MPLS may be a must, then a hybrid WAN solution is often employed.

The post Cato Networks: SD-WAN Versus Hybrid WAN appeared first on MEC Networks Corporation.

Cato Networks: Hands-free Management for SD-WAN Service

MEC Digital — Thu, 22 Aug 2019 07:44:15 +0000

The previous Burger King jingle came to mind when pondering today’s introduction of Cato Hands-free Management for our global managed SD-WAN Service. Hold the pickles or the lettuce — it doesn’t much matter; Burger King gave you the burger the way you like it. And that’s true with how we allow you to manage your network.Unlike a conventional telco, Cato has perpetually let customers run their networks or, if they, preferred to share a number of their networking responsibilities with Cato or its partners. However, with Cato Hands-free Management, customers will outsource all networking and security configuration responsibilities to the expert workers at Cato or its partners.

Cato Hands-free Management is a part of the Cato Managed Services portfolio that includes:

Managed Threat Detection and Response (MDR) continuously monitors the network for compromised, malware-infected endpoints. Cato MDR uses a mix of machine learning algorithms that mine network traffic for indicators of compromise, and human verification of detected anomalies. Cato specialists then guide customers on remediating compromised endpoints.
Intelligent Last-Mile Management provides 24×7, last-mile monitoring. Just in case of an outage or performance degradation, Cato can work with the ISP to resolve the problem, providing all relevant info and keeping the client informed on the progress.
Rapid Site Deployment provides customers with remote help in deploying Cato Sockets, Cato’s zero-touch, SD-WAN device.

Regardless of the management approach, Cato retains responsibility for the underlying Cato Cloud infrastructure, upgrading, patching, or otherwise maintaining Cato software or hardware.

What’s the right approach for you?

Why so many ways to network management? because there’s no right approach, there’s only your approach. Companies, like people, have different needs. In some cases, running the network themselves could be a requirement in different cases, though, the very last thing the IT manager would like to try and do is take responsibility for every move and change. Each method has its strengths. With self-service, enterprises realize unexcelled agility by configuring and troubleshooting the networks themselves, doing in seconds what otherwise needed legacy telcos hours or days. For added help, co-management permits customers to trust current support from Cato or its partners without relinquishing control for overall management. And, of course, with Cato Hands-Free corporations gain the convenience of full management, though, they’ll still build changes themselves, if they want. With Cato, you do get to manage the network your way. And this says nothing regarding Cato’s wide selection of professional and support services.

Management designed for Digital Business

This kind of flexibility is strange for managed network services, which historically only offered full management. Telco-managed networks are too cumbersome, too complex to permit corporations self–service management of the security and network infrastructure. It needs a network designed from the bottom up for the needs of today’s digital business.And historically managed services place restrictions on customers, tying the overlay (SD-WAN or MPLS) to the telco’s underlay (last-mile and backbone services). Requiring use of the telco’s underly left enterprises subject to high costs, restricted geographic reach, and lengthy deployment times. Such an approach is, again, incompatible with a digital business that looks to be leaner and more agile, notably as the network should more and more connect clouds, mobile users, and branch locations situated outside of the telcos in the operation area.

Cato Cloud was unambiguously designed for the needs of the digital business and not simply in how we expect about management. Enterprises bring their last-mile access to Cato or procure last-mile services through Cato partners. They then connect to Cato’s global backbone through any local internet access, releasing them from the lock-in of traditional telco services. As a globally distributed cloud service, Cato seamlessly connects mobile and cloud resources, while not being in chains to specific geographical location or physical infrastructure.With Cato, organizations get the tomatoes and lettuce: the peace of mind of a managed service with the speed and agility of self-service. And, yes, you Wendy’s lovers, there’s lots of beef there also.

Download Free Cato Networks Resource

Get access to authentic content from one of the leading cyber security experts in the world from the Philippines’ premiere technology provider.

The post Cato Networks: Hands-free Management for SD-WAN Service appeared first on MEC Networks Corporation.