Cato Networks adds self-healing SD-WAN for enterprise customers

"SD-WAN, heal thyself." So says Cato Networks in regards to repairing outages or issues across data centers, cloud resources and branch offices.

Cato Networks announced the expansion of its self-healing SD-WAN capabilities for enterprises, as well as an update to its network security rules.

"Cato is unique by putting all of its security functionality in the cloud, and the self-healing POPs (points of presence) are an industry first," said industry veteran Scott Raynovich, chief analyst and founder of Futuriom, in an email to FierceTelecom.

Because it's cloud-based, Cato Networks is able to eliminate edge devices, VNFs and standalone services that would normally hamper high-availability configurations in networks. Cato is solving high-availability issues with its distributed cloud-scale packet engine.

Cato is beefing up those cloud capabilities with its newest appliance, the X1700 Socket, which is a rackable device that comes with redundant power supplies and hot-swappable hard drives. The new socket, which is a big brother to Cato's branch X1500 SD-WAN appliance, comes with the high-availability capabilities at no additional charge.

Cato's security update includes "follow-the-network" rules that allow the security to change dynamically as networks and services change. Typically, IT employees need to manually update policies in firewalls and other security or networking appliances.

Cato's converged self-healing algorithms tie the security rules to the network by using enhanced BGP to detect new IP ranges. Once those are detected, it automatically updates the relevant policies without using manual processes.

"Basically, we took the interface part of the protocols and tried to simplify their usage by outsmarting the way that they work," said Cato Networks co-founder and CTO Gur Shatz in an interview with FierceTelecom. "We take the essence of what BGP would do on the interface side, and then we simplify it and then bend it to the rules of SD-WAN."

RELATED: Cato Networks blends in identity-aware routing to its SD-WAN service

In July, Cato announced its identity-aware routing engine for its SD-WAN service, which was designed to simplify IT operations while also optimizing business processes. Instead of just looking at an application, identity awareness can create business routing policies based on a user's identity or group affiliation.

"That allows you to detach yourself from the basic core components of the network and the mundane IP addresses and make routing decisions that are more intelligent, and are based on what you really intended to achieve," Shatz said. "Once you try to marry some very diverse concepts, like security and networking, there is always a question of how do I really define rules around IP addresses and ranges? The things that I get dynamically out of BGP, or out of other routing protocols? How do I reconcile these two layers that don't really speak together very well?

"What we came up with was sort of a translation algorithm in which you can incorporate the knowledge around your identity object, and the other things that you get out of protocol and routing layers. It really makes security decisions, as well as routing decisions, that are based on this higher level logic."

Going forward, Shatz said Cato Networks' goal was to be within 5 milliseconds of most of the users around the world. To that end, Cato will continue to add points of presence while it expands into new territories.

"We want to improve our local connectivity within each domain," he said. "There are many elements of networking that are in existence today that can improve last-mile connectivity to customers. So we're both expanding the network and going deeper into the local networking of each region that we're already in."