Cato Networks blends in identity-aware routing to its SD-WAN service

Cato Networks is looking to separate itself from the pack of 50-plus software-defined wide-area networking vendors by adding identity-aware routing to its SD-WAN-as-a-service offering.

By adding what it claims is the first identity-aware routing engine for an SD-WAN service, Cato said it could simplify IT operations while also optimizing business processes. Instead of just looking at an application, identity awareness can create business routing policies based on a user's identity or group affiliation.

"Traditional networking was based on a location for the most part," said Cato Networks' Dave Greenfield, secure networking evangelist, in an interview with FierceTelecom. "It was based on an IP address or on a subnet. It depicted the physical network, if you will. Increasingly, as we've moved towards the world of SD-WAN, we've seen that networking has been abstracted. We recognize that the physical location is no longer a good indicator of the needs from the network.

"Identity-aware routing is something that we've been hearing about from our customers to be able to really reflect business context and business intent within their network. It's difficult to do that when you're just looking at the application. You want to tie it back to the user or group affiliation of that user."

Identity-aware routing gives Cato's customers, which range from medium-sized businesses to large enterprises, the ability to prioritize users and groups. As an example, the sales team's voice traffic could have higher priority than generic voice traffic, Greenfield explained.

"Let me just illustrate with one more example," he said. "What happens in an environment where organizations or teams are sharing their machines or the physical addresses? In a contact center, you've got agents that come in in the morning and log in from a standard desktop or a kiosk and the users are sharing one device. Traditional routing wouldn't be able to reflect those nuances. They would treat them all the same and for that matter so would SD-WAN.

"By understanding identity, I can do things like 'Well, this is an agent devoted to my platinum grade customers, I want to give them better quality than some generic agent who's just dealing with any user off the street,' for example. There are many other instances where being able to tie back to identity gives a finer grade of control over the traffic flow."

Cato correlates Microsoft Active Directory data across distributed AD repositories and real-time AD logins to associate a unique identity with every packet flow. Organizational context, such as groups and business units, is culled from the AD hierarchy.

"Cato has spent a lot of time in developing this Active Directory implementation," Greenfield said. "We're synchronizing with the Active Directory but we're doing more than just that. We have a technology that basically monitors the Active Directory flows. It's agent-less, it does not require any kind of deployment on the Active Directory server and it associates user identity that we extract from the packet flows with the user identity in the Active Directory."

One of the benefits of identity-aware routing is business process quality of service, where prioritization is based not just on the application type but also the specific business process. For example, a file transfer that typically has low priority can be given a higher priority when needed.

"In addition, there's something called policy abstraction," Greenfield said. "By abstracting our policies from the physical policy in the applications, we're better able to reflect the business context and we're able to create these policies that are device independent. They're able to entertain more scenarios. So no longer do I need a policy for a user who might be in the office or out of the office. I can create one policy that covers all of my scenarios. So it just makes the network easier to maintain, easier to manage."

A Cato customer would also be able to see which parts of its business were consuming the most network resources, regardless of where a team or user is located or which device they are using.

"Basically Cato allows you now to create policies that pull together location, application and identity to give you really holistic coverage," Greenfield said. "It also gives you a pretty fine-grain control of traffic."

Cato vs. Aryaka and everyone else

Tel Aviv, Israel-based Cato Networks has raised $70 million to date with investments from Greylock Partners, Aspect Ventures, Singtel Innov8 and USVP. Cato came to the SD-WAN market with a focus on security, and it has its own private global Cato Cloud network that allows it to partner with ISPs, resellers and distributors.

As far as competitors go, Cato is often lumped in with Aryaka, which also offers SD-WAN-as-a-service across its own global network.

In an interview with FierceTelecom, Chief Marketing Officer Gary Sevounts said Aryaka has 30 software-defined POPs, while Greenfield said that Cato has around 41.

Greenfield and Sevounts both agreed that while the SD-WAN and network-as-a-service markets were red hot, there would be further consolidation across the vendor sector.

Last year, VMware bought VeloCloud, while Cisco acquired Viptela. In a further twist to the SD-WAN sector, Fortinet, which provides security solutions to SD-WAN vendors, recently launched its own SD-WAN service.

Last month, Futuriom released its 2018 SD-WAN Growth Outlook report, which indicated that interest in the market was accelerating among enterprises and service providers alike, with the SD-WAN tools and network-as-a-service (NaaS) market expected to reach $1.5 billion by 2019 and $2 billion by 2020. With that much revenue at stake, Cato and Aryaka seem well positioned to profit in the managed SD-WAN category, but in addition to each other they also face competition from service providers' SD-WAN offerings.

"I think that's only natural, the market's going to consolidate," Greenfield said. "I think that organizations are looking for SD-WAN solutions that do more than just SD-WAN. We're seeing security vendors making SD-WAN part of their products. I think what we're beginning to see is this trend that SD-WAN becomes a very, very important feature of a much broader solution."