Cato SDP: Cloud-Scale and Global Remote Access Solution Review

2020-04-30T10:59:00
ID THN:8BB5A24529DD935A86C5880E55B7417A
Type thn
Reporter The Hacker News
Modified 2020-04-30T10:59:37

Description

The Scouts acknowledged the necessity to "Be Prepared" over 100 years (!) ago; the industry should have, as well.

Yet COVID-19 took businesses – more like the entire world – by surprise. Very few were prepared for the explosion of remote access, and the challenge of instantly shifting an entire organization to work from anywhere.

Cato Networks shared its increase in remote access usage post coronavirus outbreak. The trend is clear.

Remote access has become an essential pillar for ensuring business continuity; nevertheless, the requirements to enable this, especially at a time of crisis, can be overwhelming.

The industry is undergoing a paradigm shift. In the past, most work was performed from the office, and only a subset of the business operated remotely. Today, most (if not all) users require secure and optimized remote access to applications.

Legacy VPN isn't suited to support this shift. It was designed for sporadic access by a subset of the userbase. If you think that scaling legacy VPN is simple, think again. It's complex, expensive, and takes too long to be considered an instant solution for an urgent need.

What's needed is a remote access solution that evolved to fit the new reality, supporting an entire business globally, at scale, and delivering strong authentication.

This is where Software-defined Perimeter (SDP), also referred to as Zero Trust Network Access (ZTNA), comes in. SDP is a new approach for delivering secure remote access to applications, whether on-premises or in the cloud. It certainly presents a viable alternative to legacy VPN.

Cato SDP with Instant Access

We decided to take a look at what Cato Networks has to offer. The company recently announced the first Secure Access Service Edge (SASE) based clientless access service. It enables enterprises to deliver instant work-from-everywhere, at scale. SASE is a new global cloud-native architecture built to provide cloud-scale secure and optimized access to users in offices, on the road, and at home from any device.

Cato offers both a client and clientless solution. Client-based is ideal for corporate devices that need access to all applications, and clientless is ideal for BYOD and 3rd party access to internal web-based applications.

Both solutions are designed to co-exist and benefit from Cato's built-in enterprise security and optimization capabilities. Take a look at Cato's detailed client vs. clientless comparison table.

Cato's solution is called Cato SDP with Instant Access. Let's see if it stands up to its name.

What Was On Our Checklist

We identified four fundamental requirements for supporting work-from-everywhere in a zero-trust environment: scalability, availability, performance, and security.

And these were the exact capabilities we checked in Cato SDP.

  • Scalability — Cato's SASE platform delivers a cloud-native, globally distributed architecture. This enables unlimited scalability while supporting any number of users working from anywhere across the globe.
  • Availability — Cato SDP includes high availability by design, which guarantees that all users and applications have a secured connection with the nearest SASE Point of Presence (PoP). Since SASE is a global service, available PoPs are automatically identified, eliminating the need for high availability configuration and redundancy planning.
  • Performance — Application performance can't be guaranteed over the unpredictable public Internet. Instead, connecting to Cato's SASE platform, with its private global backbone and built-in WAN optimization, delivered continuous optimal performance.
  • Security — Finally, Cato provides a fully integrated security stack, including:
    • Secure authentication: Multi-Factor Authentication (MFA) and Single Sign-On (SSO).
    • Advanced security: Application-aware Next-Generation Firewall (NGFW) and threat prevention such as Intrusion Prevention System (IPS) and Next Generation Anti Malware (NGAM).

Service Walkthrough

We wanted a complete picture of the product and set forth to test Cato SDP, from the initial steps of configuring a new user and connecting the client, to enforcing security and optimizing performance.

New remote user configuration:

We found the process of configuring a new user to be remarkably straightforward. You can either import users from the Active Directory or configure them manually by simply entering the user's name and email.

Users immediately receive an activation email, which directs them to a portal.

From the portal, users can download the client for any available operating system, and also download the Cato profile for quick on-boarding.

Client setup and connectivity:

To install the client and connect for the first time, users can select Use Corporate Identity, which takes them to an SSO portal; or Use Cato Login, which uses the profile file just downloaded, eliminating the need to enter details. Configuring a user took literally less than a minute.

All that's left to do is click the Connect button. The client finds the nearest available PoP and connects the user to the network.

You can see the demo user "Work From Home" we connected in real-time, and by clicking on the user, you'll get additional information such as operating system, the user's ISP, the PoP to which it's connected, etc.

Security enforcement:

Once connected, the user is automatically protected by the corporate security stack. We verified this by browsing to the 888 website, to which access is denied according to corporate policy.

All activity is tracked and can be inspected via the Analytics option. What grabbed our attention most was the Event Discovery option, where you can gain instant insights on events for further investigation.

Drilling down into our "event," you'll see that our attempt to access 888 was blocked. You can view further details such as the site category, operating system, and even the destination country hosting the web application.

We also checked what happened when we disconnected the client and then tried to browse to the same denied website. Well, without Cato's security the 888 site was easily accessed.

Performance optimization:

Finally, to assess Cato's built-in WAN optimization, we performed a file transfer test between a VPN user and a remote server using a 3rd party app called LAN Speed Test. Comparing the results with Cato's WAN optimization (image on the left) and without it (image on the right) showed a whopping 5x faster file transfer! Huge improvement in user experience.

Clientless Access

Cato also enables accessing corporate applications via a web-based portal. We found this to be very convenient. All that's needed is to authenticate yourself once through SSO, and that connects you to the authorized applications – all under the same enterprise-wide security policy.

Clientless access eliminates the need to install any additional software, and this is especially convenient for 3rd party users.

Currently, Cato's clientless access provides support for web applications only. To access legacy non-web applications, you can simply install the client (described above).

Cato SDP is provided as part of SASE, acting as the new enterprise WAN. This eliminates the need to install any agents on the application servers. Instead, all that's needed is to connect the relevant networks, with their respective applications, to Cato's SASE platform. Then, configure the clientless access option, which is instantly available from anywhere.

Key Takeaways

Cato promised instant remote access at scale. And that's exactly what we experienced. Cato SDP received excellent scores on all our checklist criteria (scalability, availability, performance, security), which is very impressive.

Who wouldn't be impressed, and even encouraged, with a SASE service that is ready to deploy today?

Cato's tagline is The Network for Whatever's Next. Just like the Scouts, who are always prepared, this SDP Instant Access use case demonstrates that Cato is delivering on its tagline's promise.

Kudos Cato!