You might wonder why, if logical networking is such a great idea as I’ve suggested it is, SD-WAN vendors haven’t been flocking to it. They still aren’t, but there’s at least movement in that direction. Cato Networks has announced an “identity-aware routing” feature for its SD-WAN product, and I think it demonstrates that logical networking is coming—perhaps even faster than I’d thought it might.
As I noted in an earlier blog for which I provided a figure, logical networking is based on a “what” versus “where” model of routing, which means that it has to work on logical identity rather than on IP addresses, which indicate a network connection point rather than what’s connected there. Cato’s term “identity-aware” routing is certainly evocative of that capability, so it’s worth looking at a bit of the detail they’ve provided.
If you refer to the figure, logical networking has the same “bottom” layer as any SD-WAN, which is the ability to encapsulate packets and route them over an SD-WAN VPN based on a set of useful routing rules and network policies. The rest of the layers depend on the ability of the SD-WAN to recognize not just addresses but some logical identity set. This ability is derived from the outer, “registration” layer, where a given connection is associated with a logical identity.
Cato gets its logical identity information from a directory source (Microsoft’s Active Directory or LDAP), both of which are commonly used tools for identifying users and services. The information on their site isn’t highly detailed, which leaves some questions about exactly what can be done. To make matters more complicated, there are two different “Active Directories”, one based on Windows Server (the original one) and one designed for Microsoft Azure and the cloud. The latter, obviously, has features that address things like RESTful services, microservices, SaaS, and so forth, that the former does not. The Cato material references Active Directory rather than Azure Active Directory, which I presume means they support the original Windows Server model.
The description of AD-driven registration in the Cato reference I’ve provided here isn’t definitive with respect to just what can be registered. The key sentence is “Identity-awareness completes the evolution of routing by steering and prioritizing traffic based on organizational entities — team, department, and individual users.” To me, this means that identity routing is keyed to user identities, not application, service, or process identities. In a later sentence, Cato says it supports “Business process QoS where prioritization is based not just on application type but the specific business process.” This seems to suggest there is some application/process identity registration. The examples Cato provides for directory integration seem specific to user identity, though.
This doesn’t mean that Cato doesn’t recognize applications, even if they don’t get that data from a directory registration process. Cato’s basic SD-WAN capability includes the ability to “detect and classify hundreds of SaaS and datacenter applications regardless of port, protocol, or evasive technique and without SSL inspection”. Obviously “hundreds” doesn’t mean “all”, and since the information doesn’t come from a formal directory, it likely doesn’t include the logical-name hierarchy that lets applications be divided into groups and dissected into components/services.
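To make the “what” versus “where” distinction concrete, here is an added toy example (my own illustration, not Cato’s code or anything taken from the announcement) of the registration layer and identity-keyed steering described above, with the classified application label as a second input. The registration table, group names, application labels and path names are all constructed assumptions.

```python
"""Toy identity-aware routing: policy keyed on directory identity, not on IP."""
from dataclasses import dataclass
from typing import Optional

# Constructed registration table standing in for a directory (AD/LDAP) lookup.
# This is the "registration" layer: a connection point mapped to a logical identity.
REGISTRATIONS = {
    "10.1.2.10": {"user": "alice", "groups": ["finance", "erp-users"]},
    "10.1.2.11": {"user": "bob", "groups": ["engineering"]},
}

# Constructed policy, evaluated in order, first match wins. Rules name groups and
# classified applications (the "what"); no rule mentions an address (the "where").
# priority: lower number = higher priority on the SD-WAN path.
POLICY = [
    {"match": {"group": "finance", "app": "erp"}, "path": "premium", "priority": 1},
    {"match": {"group": "engineering"}, "path": "standard", "priority": 3},
    {"match": {}, "path": "standard", "priority": 5},  # default, best effort
]
# An endpoint with no directory identity gets no policy by virtue of its subnet.
UNREGISTERED = {"path": "quarantine", "priority": 9}


@dataclass
class Decision:
    identity: Optional[str]  # resolved user name, or None if unregistered
    path: str
    priority: int


def resolve_identity(src_ip: str) -> Optional[dict]:
    """Registration layer: map the connection point to its directory entry."""
    return REGISTRATIONS.get(src_ip)


def rule_matches(match: dict, identity: dict, app: str) -> bool:
    """A rule matches only if every constraint it names holds for this flow."""
    if "group" in match and match["group"] not in identity["groups"]:
        return False
    if "app" in match and match["app"] != app:
        return False
    return True


def route(src_ip: str, app: str) -> Decision:
    """Steer a flow by who/what it is; app is the classifier's label for the flow."""
    identity = resolve_identity(src_ip)
    if identity is None:
        return Decision(None, UNREGISTERED["path"], UNREGISTERED["priority"])
    for rule in POLICY:
        if rule_matches(rule["match"], identity, app):
            return Decision(identity["user"], rule["path"], rule["priority"])
    raise RuntimeError("policy has no default rule")
```

Re-registering the same address to a different user changes the decision without touching any rule, which is the property that distinguishes identity routing from address routing.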
Taking an explicit directory-integrated approach to identity is smart; there are many directory resources used for access control, application component registration, and so forth. Even single-sign-on systems have directories. A directory system is easy to explain to users, and it doesn’t raise the prospect of maintaining a new list of stuff. Best of all, it wouldn’t be rocket science to grab more information from a directory you’d already integrated with, or to access different ones. Directory systems also typically include information useful in setting priorities and even in barring connections.
Whatever Cato currently provides in terms of directory-based registration of application objects/entities, there’s no question this is an advance in the direction of logical networking. Very few SD-WAN products have any support for user/process identity today, but there are more developments in the space in the current product pipeline. I’m glad to see Cato take a step in the right direction, even if it turns out that their capability is limited to the registration of user identities rather than full process/service/application registration. I think they’ll end up in the right place—full registration and logical routing—eventually.
It would be easier to cast this as an avalanche of logical-network awareness if Cato followed the standard model for SD-WAN. Instead, Cato offers what they call “SD-WAN-as-a-Service” or “Cato Cloud”, which means that rather than relying on an arbitrary over-the-Internet connection for the SD-WAN VPN, Cato uses a subnetwork of Cato Cloud points of presence and routes hop by hop between them to make end-to-end connections. Policy controls let users pick the routes they want, based on performance and application priority. This is why the Cato model is an as-a-service approach; the Cato Cloud is the logical foundation for all users’ SD-WAN VPNs.
Another point of variation from the SD-WAN norm in the Cato approach is a more explicit MPLS-replacement direction. Obviously the savings a user could achieve by completely eliminating MPLS would be larger than could be obtained simply by connecting thin-location sites another way. Also obviously, the commitment a user makes to Cato is much more significant if a complete MPLS replacement is the target, and my enterprise surveys suggest that the biggest prospective SD-WAN users aren’t particularly eager to take this kind of risk.
The as-a-service position might also affect the sales channels accessible to Cato. Enterprises would obviously be targets for direct sale, but today most SD-WAN is sold either by managed service providers (MSPs) or communications service providers (CSPs, meaning network operators like the telcos and cable companies). MSPs might find the Cato approach better than the average all-in-the-Internet model, but they might also (rightfully) see Cato as a competitor. CSPs might likewise see Cato as more competitive with their core business services than other SD-WAN offerings are. With most new SD-WAN sales coming from the MSP/CSP channel, this could limit Cato’s success.
I like Cato’s identity direction, but it’s hard to say what impact the Cato story will have on the market in general because of the differences in their overall SD-WAN approach. I don’t have any survey or model data on SD-WAN that could shed light on whether the broad Cato SD-WAN-as-a-Service approach is the right one for the market. Given that, I can’t assess whether Cato’s directory-and-identity routing approach would have a direct competitive impact on the feature directions other SD-WAN vendors take. However, I do think that Cato’s step demonstrates that the market forces driving the evolution of SD-WAN features in general are leading toward what I’ve called logical networking. That means that other SD-WAN vendors are very likely to see the same market forces and make the same logical-networking decisions as future development priorities.
It would be nice to have more of the details on Cato’s approach here. I told Cato about our briefing policy and asked for an analyst deck before the announcement, but no deck was provided (I was told one was in the works) and I don’t schedule briefings without an explicit document to support claims. I’d suggest that anyone interested in the details of the Cato implementation check to see if they’ve posted more complete documentation or ask for the details. If Cato does provide me better documentation, in the form of a website link, I’ll add it as a comment to my posting of this blog on LinkedIn.