cato corporate overview 0916

CatoNetworksNetworkSecurityasaService

CATONETWORKS©2016

Team

CoreCompetency:Buildinganddeliveringmissioncritical,globalscalenetworkingandsecurityplatforms

SHLOMOKRAMER,CEOFounder:CheckPoint(CHKP),Imperva(IMPV)Investor:PaloAltoNetworks(PANW),Trusteer,…

GURSHATZ,CTOVPR&D,PM:Imperva(IMPV)Founder:Incapsula(Impervacompany)

GLENN ESPOSITO,VPSALES(AMERICAS)VPSales(Americas),Barracuda(CUDA)

YISHAYYOVEL,VPMARKETINGVPMarketing:TrusteerSr.Director,ProductMarketing:Imperva(IMPV)

AVIRAMKATZENSTEIN,VPOPERATIONSSr.Director,R&DOperations:Imperva(IMPV)

CATONETWORKS©2016

DissolvingNetworkPerimeter

CloudApps(SaaS)

MobileUsers

CloudDataCenter(IaaS)

Users

DataCenter

Locations

3

NetworkingandSecurityareIncompatiblewiththeShapeoftheBusiness

Madeforthis

Notforthis

ClearNetworkPerimeter

Users

DataCenter

Locations

NetworkSecurityAppliance

WideAreaNetwork(WAN)

CATONETWORKS©2016

EnterprisesPaythePriceofIncompatibility

MobileUsers

CloudDataCenters(IaaS)

HQ / DataCenter RemoteBranchRemoteBranch

ExpensiveMPLSBackhaul

NoDirectInternetAccess

CloudApps(SaaS)andPublicInternet(WWW)

ApplianceSprawl

HighLatencyMesh

PointSolutions,SplitPolicy

BypassNetworkSecurity

4

CATONETWORKS©2016 5

TheWANisIncompatibleCost,Speed,Cloud&Mobility

ExpensiveConnectivityMPLScostpremiumshrinksasInternetqualityimproves

CloudandMobileareNeglectedWANslowtoevolvebeyond“branches”

LongTimetoDeployPainfullylongMPLSrollouttonewlocations

InternetTrafficisExplodingBackhaulingiswastefulandimpactsuserexperience

InsecurebyDesignBolt-onsecurityneededforDirectInternetAccess

NetworkSecurityAppliancesareIncompatibleBudgets,Resources,ThreatLandscape

CostlyApplianceLifeCycleBuy,Install,Configure,Repair,Upgrade,Renew,Retire

SlowtoEvolveandAdaptPainfulpatchesandupgrades,fallsbehindthethreatlandscape

CapacityConstrainedToobigortoosmall,youpayforItall

LocationBoundandRigidPartialcoverageforlocationsanddataaccesspaths

DependentonSkilledStaffScarceexpertiseandstaffoverload

Catopresents:NetworkSecurityasaService

CATONETWORKS©2016

NetworkingandSecuritymustmovetotheCloud

Cato’sVision

Becausetheyaretoocostlytoownandtooriskyandcomplexto

manage

7

CatoTakesStuffOffYourPlate

CATONETWORKS©2016

NetworkSecurityisSimpleAgain

CloudInfrastructure

HQDatacenter

MobileUsers

Branches

CatoSecurityServices

SecurityPolicy

CatoCloudNetwork

OneSecurity: Builtintothenetwork

OnePolicy:Allusers,locations,resources

OneNetwork:CarryingWAN&Internettraffic

8

CATONETWORKS©2016

Routing Reliability Optimization Encryption

OneNetwork

Global,SLA-backed,lowlatency,WANbackboneofphysicalCatoPoPs

SecureTunnelsOverlay:FWIPSEC,CatoSocket(Branch),CatovSocket(Cloud),CatoClient(MobileVPN)

SecureandOptimizedSD-WANaugmentsMPLSlinks,eliminatesinternetbackhaulw/secure,directinternetaccess

CatoCloud

Network

Security

9

MPLS

CatoClientCatoSocket CatovSocket

MobileUsersHQ/Data Center CloudDataCenterBranch

CATONETWORKS©2016

OneSecurity

Enterprisegradesecurityavailableeverywhere(LOCALsecureInternetexit)

ElasticandAgile:scaleup,seamlesslyupdated

Cloudtrafficvisibilityacceleratesdefenseadaptation


URLFiltering

AppControl

NGFirewall

CatoCloud

CatoSocket CatovSocket CatoClient


InfectionPrevention

CloudAccessControl

ExtrusionPrevention

NetworkForensics

Network

Security

10

CATONETWORKS©2016

OnePolicy

CatoNOC/SOC,MSPPartners,EnterpriseIT

Unifiedpolicyacrossallusers,locationsandaccesstobothinternalandCloudapps/data

ManagedservicebyCatoandPartnerswithFullEnterpriseITsupervision


URLFiltering

AppControl

NGFirewall

CatoCloud



InfectionPrevention

CloudAccessControl

ExtrusionPrevention

NetworkForensics

Network

Security

11

CATONETWORKS©2016

BeforeCato

Manufacturing,4locations,National

UTMFWs,Site-to-SiteMesh

MobileVPNDrivers

UTMsrefresh,subscriptionrenewal

DistributedUTMmanagementcomplexityCatoSolution

Phase1:SplitInternettraffictoCatoSockets(sidebysidewithUTMs)

Phase2:ReplaceUTMswithCatoSockets(takeoverWAN)

CustomerCaseStudyFirewallElimination&DirectInternetAccess

12

DataCenter

Firewall

Branch MobileuserBranchBranchDataCenter

SecurityNetwork

Mobileuser

BranchFirewall

BranchFirewall

BranchFirewall

CATONETWORKS©2016

CustomerCaseStudyFirewallElimination,Low-latencyWAN,CloudDCIntegration

13

BeforeCato

GlobalManufacturer,36locations,FWateachsite

BackhaultoSAPERPinDatacenter

Driver

MigratetoSAPHanaEnterpriseCloud(HEC)

WANbackhaulnolongerviable

CatoprovidesglobalWANwithfullmeshforSAPHEC

ConnectalllocationstoCatowithFirewallIPSECtunnels

Connect3Cloudsdatacenters(AWS,Azure,SAP)

Providelow-latencyglobalconnectivityacrossallelements

4sitesreplacedFWapplianceswithCatoSockets

Next:continuousfirewalleliminationIPSECTunnelsToSAPHEC

CatovSocket(GatewayforAWS-to-SAPTraffic)

IPSECfromFW(AzureEdition)

(4)CatoSocket(FWreplacement)

(30)IPSECTunnelFWAppliance

CATONETWORKS©2016

WhereDoYouWantToStart?

14


URLFiltering

AppControl

NGFirewall

CatoCloud



InfectionPrevention

CloudAccessControl

ExtrusionPrevention

NetworkForensics

Network

Security

PolicyManagement

CatoUseCases

ApplianceElimination(Firewall,UTM,…)

DirectInternetAccess,NoAppliances

Low-LatencyGlobalWAN

SecureSD-WAN

HybridCloudNetworkIntegration

MobileWorkforce,SecureCloudAccess

Summary

CATONETWORKS©2016

Appliancesprawlinbranchofficestoocostlyandcomplextomaintainandmanage?

CatosecuresWANandInternettrafficfromBranchOffices

EliminatesUTM,NGFWandWANoptimization

appliances

Centralizedpolicyenforcement

FullMeshintheCloud,nopoint-to-pointVPN

tunnelsconfigurations

#1:ApplianceEliminationStopApplianceSprawl

15

HQ/Data Center Branch


SecurityNetwork

CATONETWORKS©2016

MPLSbackhauloverloadedbyInternettraffic?

BackhaulingOffice365,Box,CloudERP/CRMtraffic

overexpensiveMPLScapacity

BranchInternetaccessisn'tsecure

CatoprovidessecuredirectInternetaccessforbranches

OffloadInternet-trafficfromMPLSlinks

Cloud-basedsecuritystack,eliminatestheneedto

deployUTM/NGFWappliancesintheoffice

#2:DirectInternetAccessEliminatebackhaulandsecurelyaccesstheInternetdirectlyfromtheBranch

16


MPLS/InternetSplitMPLS


MPLS

SecurityNetwork CatoSecure

Internet

CATONETWORKS©2016

BeforeCato

Manufacturing,3Offices,USSouthwest

MPLSbackhaulingtoanon-premiseERP

Driver

MigrationtoCloud-basedERP

CatoenablesDirectInternetAccesstoAllLocations

CatoSockettunnelsInternettraffictoCatoCloud

CatoCloudprovidesvisibilityandcontrolforCloud-basedERPandPublicInternetAccess

CustomerCaseStudyDirectInternetAccess

17

ERPBackhaul

DataCenterwithOn-premiseERP

Branch Branch

ERPDirectInternetAccess

DataCenterBranch Branch

SecurityNetwork

CloudERP

MPLS

MPLS MPLS

MPLS

CATONETWORKS©2016

CatoLow-LatencyWAN

NeedmorebandwidthforbranchesbutcantaffordtopayforMPLSupgrades?

CatoprovidesMPLSoffloadwithsecurityandoptimizationbenefits

SplitInternetandselectedWANtraffictoCatoCloud

ResilientlastmileconnectivitytoCato:CatoSocketusesdualInternetlinks,4G/LTEfailover,protocoloptimizations

Unique: Low-latencyWANconnectivity:CatoCloudNetworkprovidesoptimalroutingvs.“PublicInternet”

Unique: DirectSecureInternetAccess,withnobackhaul

Unique:ClouddatacenterandMobileUserWANintegration

#3:SecureandOptimizedSD-WANAugment/ReplaceMPLSNetworkswithSecureInternetConnectivity

18

BranchHQ/DataCenter

BranchHQ/DataCenter

CatoDirectInternetAccess

MPLS/InternetSplit

MPLS

SecurityNetwork

MPLS

CATONETWORKS©2016

Highlatencybranch-to-datacenterconnectivityovertheInternet?

ConnectyourLocationsusingCatoCloudNetwork

MPLS-likeLatencyforthelonghaul

LastMileandMiddleMileOptimizations

MultipleTier-1carriers,DynamicPathSelection

ForwardErrorCorrection,TCPProxy

#4:Low-latencyWANConnectyourlocationsusingtheCatoCloudNetwork

19

BranchHQ/DataCenter

BranchHQ/DataCenter

SecurityNetwork

CATONETWORKS©2016

SplitCloudandPhysicalDatacenterSecurityPolicy?

Datacenterfirewallrules

Amazonsecuritygroups

CatoprovidesUnifiedPolicyforAllDatacenters

SecurelyconnectPhysicalandCloudDatacenter

Unifiedpolicyacrosslocations

#5:HybridCloudNetworkIntegrationUnifiedpolicyacrosshybriddatacenters

UnifiedPolicy

20

CloudDataCenterPhysicalDataCenter

CloudDataCenter

SecurityNetwork

PhysicalDataCenter

Admins,Users

Admins,Users

Split Policy

CATONETWORKS©2016

MobileusersunprotectedbygoingdirectlytotheInternet?

Withoutcorporatenetworksecuritystack,usersareatrisk

fromphishingandmalicioussites

Cloudaccesscontrolisnotenforced

Catoprotectsmobileuserseverywhere,enforcescorporatepolicy

ConnectsmobileuserstoOn-premiseandCloudresources

Protectmobileinternetaccesseverywhere

ReduceSaaScredentialtheftimpactwithCatoIPrangerestriction

#6:MobileWorkforceSecureCloudandInternetAccessFullVisibilityandControlforMobileUsersaccessingCloudandInternetsites

21

MobileUsers

MobileUsers

Security

Network

CATONETWORKS©2016

Summary:BenefitsoftheCatoArchitecture

• Eliminatesbranch firewalls,UTMs,WANoptimization,URLfiltering

• DirectInternetAccess,EliminatesbackhaulingofInternettraffic

• MPLS-likelatencyforglobalconnectivity

• SLA-backedCatoCloud,betterthan“publicinternet”VPNtunnels

BranchOfficeSimplification

LowLatency,AffordableNetwork

• ConnectsmobileusersandCloudresourcestotheEnterpriseWAN

• Reducepointsolutionsandsplitpolicies

MobileandCloudSecureNetworkIntegration

22

BackupSlides

CATONETWORKS©2016

CatoNetworksPhasedDeployment(Example)

25

CatoSocketCatovSocket

RemoteBranch

HQ/Datacenter RemoteBranch

MobileUsersCloudDataCenters(IaaS)

MPLSVPN

1

2

3

ConnectremotebranchtotheInternet

• BranchwithFirewall:VPNtunneltoCatoCloud

• BranchwithMPLSBackhaul:UsingCatoSocket

ConnectdatacenterforWANaccess

• BranchwithFirewall:WANaccess,firewallelimination

• BranchwithMPLSBackhaul:CatoSD-WAN

Connectmobileusers,clouddatacenter

• AccessInternetorWANresources

CatoClient

CATONETWORKS©2016

MPLSBackbone

ExpensiveCapacity,SingleProvider

Products&People

OwnandHire

CloudManagedServices

SharedResources

SoftwareAgile,Elastic

InternetBackbone

MassiveCapacity,LowPrices

HardwareCustom,Rigid

OLD

NEW VS.

cato corporate overview 0916

Technology