Cato Networks Security as a Service
SHLOMO KRAMER, CEO
Founder: Check Point (CHKP), Imperva (IMPV)
Investor: Palo Alto Networks (PANW), Trusteer

GUR SHATZ, CTO
VP R&D, PM: Imperva (IMPV)
Founder: Incapsula (Imperva company)

GLENN ESPOSITO, VP SALES (AMERICAS)
VP Sales (Americas), Barracuda (CUDA)

YISHAY YOVEL, VP MARKETING
VP Marketing: Trusteer
Sr. Director, Product Marketing: Imperva (IMPV)

AVIRAM KATZENSTEIN, VP OPERATIONS
Sr. Director, R&D Operations: Imperva (IMPV)

Team Core Competency: Building and delivering mission critical, global scale networking and security platforms

Networking and Security are Incompatible with the Shape of the Business
Made for this: Clear Perimeter
Not for this: Dissolving Perimeter
[Diagram labels: Security Appliance; Wide Area Network (WAN); Data Center; Locations; Users; Cloud Data Center (IaaS); Cloud Apps (SaaS); Mobile Users]

Enterprises Pay the Price of Incompatibility
Point Solutions, Split Policy
Bypass Security
Appliance Sprawl
High Latency Mesh
Expensive MPLS Backhaul
No Direct Internet Access
[Diagram labels: Cloud Data Centers (IaaS); Cloud Apps (SaaS) and Public Internet (WWW); Mobile Users; Remote; HQ / Data Center]

The WAN is Incompatible: Cost, Speed, Cloud & Mobility
Expensive Connectivity: MPLS cost premium shrinks as Internet quality improves
Long Time to Deploy: Painfully long MPLS rollout to new locations
Internet Traffic is Exploding: Backhauling is wasteful and impacts user experience
Insecure by Design: Bolt-on security needed for Direct Internet Access
Cloud and Mobile are Neglected: WAN slow to evolve beyond branches

Security Appliances are Incompatible: Budgets, Resources, Threat Landscape
Costly Appliance Life Cycle: Buy, Install, Configure, Repair, Upgrade, Renew, Retire
Capacity Constrained: Too big or too small, you pay for it all
Location Bound and Rigid: Partial coverage for locations and data access paths
Dependent on Skilled Staff: Scarce expertise and staff overload
Slow to Evolve and Adapt: Painful patches and upgrades, falls behind the threat landscape

Cato presents: Security as a Service

Cato Networks Vision
Networking and Security must move to the Cloud
Because they are too costly to own and too risky and complex to manage
Cato Takes Stuff Off Your Plate

Security is Simple Again
One Network: Carrying WAN & Internet traffic
One Security: Built into the network
One Policy: All users, locations, resources
[Diagram labels: Cato Cloud; Cato Security Services; Security Policy; HQ; Datacenter; Branches; Cloud Infrastructure; Mobile Users]

One Network
Global, SLA-backed, low latency, WAN backbone of physical Cato PoPs
Secure Tunnels Overlay: FW IPSEC, Cato Socket, Cato vsocket (Cloud), Cato Client (Mobile VPN)
Secure and Optimized SD-WAN augments MPLS links, eliminates internet backhaul w/ secure, direct internet access
[Diagram labels: Cato Cloud; Security; Routing; Reliability; Optimization; Encryption; Cato Socket; Cato vsocket; Cato Client; MPLS; HQ / Data Center; Cloud Data Center; Mobile Users]

One Security
Enterprise grade security available everywhere (LOCAL secure Internet exit)
Elastic and Agile: scale up, seamlessly updated
Cloud traffic visibility accelerates defense adaptation
[Diagram labels: Cato Cloud; NG Firewall; App Control; URL Filtering; Security; Cloud Access Control; Forensics; Infection Prevention; Extrusion Prevention; Routing; Reliability; Optimization; Encryption; Cato Socket; Cato vsocket; Cato Client; HQ / Data Center; Cloud Data Center; Mobile Users]

One Policy
Unified policy across all users, locations and access to both internal and Cloud apps/data
Managed service by Cato and Partners with Full Enterprise IT supervision
[Diagram labels: Cato Cloud; NG Firewall; App Control; URL Filtering; Security; Cloud Access Control; Forensics; Infection Prevention; Extrusion Prevention; Routing; Reliability; Optimization; Encryption; Cato Socket; Cato vsocket; Cato Client; HQ / Data Center; Cloud Data Center; Mobile Users; Cato NOC/SOC, MSP Partners, Enterprise IT]

Customer Case Study: Firewall Elimination & Direct Internet Access
Before Cato
Manufacturing, 4 locations, National
UTM FWs, Site-to-Site Mesh
Mobile VPN
Drivers
UTMs refresh, subscription renewal
Distributed UTM management complexity
Cato Solution
Phase 1: Split Internet traffic to Cato Sockets (side by side with UTMs)
Phase 2: Replace UTMs with Cato Sockets (take over WAN)
[Diagram labels: Firewall; Data Center; Mobile user; Security]

Customer Case Study: Firewall Elimination, Low-latency WAN, Cloud DC Integration
Before Cato
Global Manufacturer, 36 locations, FW at each site
Backhaul to SAP ERP in Datacenter
Driver
Migrate to SAP HANA Enterprise Cloud (HEC)
WAN backhaul no longer viable
Cato provides global WAN with full mesh for SAP HEC
Connect all locations to Cato with Firewall IPSEC tunnels
Connect 3 Cloud datacenters (AWS, Azure, SAP)
Provide low-latency global connectivity across all elements
4 sites replaced FW appliances with Cato Sockets
Next: continuous firewall elimination
[Diagram labels: (30) IPSEC Tunnel FW Appliance; IPSEC from FW (Azure Edition); (4) Cato Socket (FW replacement); IPSEC Tunnels To SAP HEC; Cato vsocket (Gateway for AWS-to-SAP Traffic)]

Where Do You Want To Start? Cato Use Cases
Appliance Elimination (Firewall, UTM, )
Direct Internet Access, No Appliances
Secure SD-WAN
Low-Latency Global WAN
Hybrid Cloud Integration
Mobile Workforce, Secure Cloud Access
[Diagram labels: Cato Cloud; NG Firewall; App Control; URL Filtering; Security; Cloud Access Control; Forensics; Infection Prevention; Extrusion Prevention; Routing; Reliability; Optimization; Encryption; Cato Socket; Cato vsocket; Cato Client; HQ / Data Center; Cloud Data Center; Mobile Users; Policy Management; Summary]

#1: Appliance Elimination
Stop Appliance Sprawl
Appliance sprawl in branch offices too costly and complex to maintain and manage?
Cato secures WAN and Internet traffic from Offices
Eliminates UTM, NGFW and WAN optimization appliances
Centralized policy enforcement
Full Mesh in the Cloud, no point-to-point VPN tunnel configurations
[Diagram labels: HQ / Data Center; Security]

#2: Direct Internet Access
Eliminate backhaul and securely access the Internet directly from the
MPLS backhaul overloaded by Internet traffic?
Backhauling Office 365, Box, Cloud ERP/CRM traffic over expensive MPLS capacity
MPLS Internet access isn't secure
Cato provides secure direct Internet access for branches
Offload Internet traffic from MPLS links
Cloud-based security stack, eliminates the need to deploy UTM/NGFW appliances in the office
[Diagram labels: HQ / Data Center; Security; MPLS; Cato Secure Internet; MPLS/Internet Split]

Customer Case Study: Direct Internet Access
Before Cato
Manufacturing, 3 Offices, US Southwest
MPLS backhauling to an on-premise ERP
Driver
Migration to Cloud-based ERP
Cato enables Direct Internet Access to All Locations
Cato Socket tunnels Internet traffic to Cato Cloud
Cato Cloud provides visibility and control for Cloud-based ERP and Public Internet Access
[Diagram labels: MPLS; Data Center with On-premise ERP; ERP Backhaul; Cloud ERP; Security; Data Center ERP; Direct Internet Access]

#3: Secure and Optimized SD-WAN
Augment/Replace MPLS Networks with Secure Internet Connectivity
Need more bandwidth for branches but can't afford to pay for MPLS upgrades?
Cato provides MPLS offload with security and optimization benefits
Split Internet and selected WAN traffic to Cato Cloud
Resilient last mile connectivity to Cato: Cato Socket uses dual Internet links, 4G/LTE failover, protocol optimizations
Unique: Low-latency WAN connectivity: Cato Cloud provides optimal routing vs. Public Internet
Unique: Direct Secure Internet Access, with no backhaul
Unique: Cloud datacenter and Mobile User WAN integration
[Diagram labels: HQ / Data Center; MPLS; Cato Low-Latency WAN; Security; Cato Direct Internet Access; MPLS/Internet Split]

#4: Low-latency WAN
Connect your locations using the Cato Cloud
High latency branch-to-datacenter connectivity over the Internet?
Connect your Locations using Cato Cloud
MPLS-like Latency for the long haul
Last Mile and Middle Mile Optimizations
Multiple Tier-1 carriers, Dynamic Path Selection
Forward Error Correction, TCP Proxy
[Diagram labels: HQ / Data Center; Security]

#5: Hybrid Cloud Integration
Unified policy across hybrid datacenters
Split Cloud and Physical Datacenter Security Policy?
Datacenter firewall rules
Amazon security groups
Cato provides Unified Policy for All Datacenters
Securely connect Physical and Cloud Datacenter
Unified policy across locations
[Diagram labels: Physical Data Center; Cloud Data Center; Admins, Users; Split Policy; Security; Unified Policy]

#6: Mobile Workforce Secure Cloud and Internet Access
Full Visibility and Control for Mobile Users accessing Cloud and Internet sites
Mobile users unprotected by going directly to the Internet?
Without corporate network security stack, users are at risk from phishing and malicious sites
Cloud access control is not enforced
Cato protects mobile users everywhere, enforces corporate policy
Connects mobile users to On-premise and Cloud resources
Protect mobile internet access everywhere
Reduce SaaS credential theft impact with Cato IP range restriction
[Diagram labels: Mobile Users; Security]

Summary: Benefits of the Cato Architecture

Low Latency, Affordable
MPLS-like latency for global connectivity
SLA-backed Cato Cloud, better than public internet VPN tunnels

Office Simplification
Eliminates branch firewalls, UTMs, WAN optimization, URL filtering
Direct Internet Access, Eliminates backhauling of Internet traffic

Mobile and Cloud Secure Integration
Connects mobile users and Cloud resources to the Enterprise WAN
Reduce point solutions and split policies

Backup Slides

Cato Networks Phased Deployment (Example)
1. Connect remote branch to the Internet
with Firewall: VPN tunnel to Cato Cloud
with MPLS Backhaul: Using Cato Socket
2. Connect datacenter for WAN access
with Firewall: WAN access, firewall elimination
with MPLS Backhaul: Cato SD-WAN
3. Connect mobile users, cloud datacenter
Access Internet or WAN resources
[Diagram labels: VPN; MPLS; Cato Socket; Cato vsocket; Cato Client; Remote; HQ / Datacenter; Cloud Data Centers (IaaS); Mobile Users]

OLD VS. NEW

OLD
MPLS Backbone: Expensive Capacity, Single Provider
Hardware: Custom, Rigid
Products & People: Own and Hire

NEW
Internet Backbone: Massive Capacity, Low Prices
Software: Agile, Elastic
Cloud Managed Services: Shared Resources