As organizations modernize their IT infrastructure, securing access to private applications becomes critical. Traditional network-based approaches are no longer sufficient in a world where users, devices, and applications are distributed across locations, and where the legacy perimeter and remote-access products that implement those approaches increasingly carry vulnerabilities of their own.
The Cato SASE Cloud offers a Zero Trust approach to private application access, ensuring that only authorized users can connect to specific applications, without exposing the internal network. This article provides a high-level overview of the Cato Broker-Connector architecture and how it enables secure, scalable, and policy-driven access to internal applications.
The following diagram shows an example of a user connecting to a private application:
Cato offers multiple methods for users to access private applications. While this article focuses on remote access using managed or unmanaged devices, the same principles apply to Cato’s Universal ZTNA (UZTNA) approach for users connecting from behind a site.
For remote users, Cato supports several access options tailored to the device type and management status: Cato Client, Browser Extension, and Clientless access. Regardless of the method, the core Zero Trust principles and policy enforcement remain consistent across all access scenarios.
- The client initiates a secure connection to the Cato ZTNA Broker and authenticates using methods such as SSO or multi-factor authentication (MFA).
- By default, no applications are visible or accessible. Once authenticated, the user and device are evaluated against access authorization policies that consider identity, role, device posture, location, behavior, and risk level.
- After authentication and authorization, the device posture, user behavior, and risk level continue to be evaluated for the life of the session, so access granted at connection time is re-checked rather than assumed.
Cato offers multiple deployment models for the App Connector, tailored to different customer environments and requirements. Each model supports distinct use cases, but all apply to both physical and cloud data centers.
Cato offers three form factors for the App Connectors: the Cato Socket (appliance), the Cato virtual Socket (vSocket), and the Cato Client (software agent). The Sockets and vSockets can be deployed in a high-availability (HA) pair to ensure application access resiliency.
The App Connectors initiate an outbound DTLS tunnel to the Cato ZTNA Broker. Because the tunnel is outbound-only, the data center needs no inbound firewall openings and no publicly reachable listener for the connector. Once connected, the applications behind the App Connector can only be reached through authorized, policy-driven requests.
This diagram shows the App Connector deployment modes for physical or cloud-based data centers:
These are the ways to configure the App Connector:
- App Connector to All Applications: all access to data center applications is routed through a Socket or vSocket. The key advantage is that the Socket or vSocket also functions as an SD-WAN device, providing secure connectivity while managing the last-mile network path. In this mode, the connector can reach the entire data center network, so customers rely on the "default deny" policy in the Cato ZTNA Broker as the control that restricts application access, while benefiting from a streamlined, resilient, and high-performance connection to the data center. Policy hygiene matters most in this mode, because no network segmentation sits between the connector and the applications.
- App Connector to a Subset of Applications: the Socket or vSocket is deployed within the data center or as an instance in a public cloud environment, and is configured to expose only specific applications on specific IPs or VLANs, without access to the full data center network. These applications remain unreachable unless explicitly permitted by the Cato ZTNA policy.
- App Connector to a Single Application: the Client is installed directly on the application host, eliminating the need to deploy a separate App Connector on dedicated infrastructure. This lightweight deployment reduces complexity and can often be performed without direct involvement from the IT team. The Client establishes an outbound connection to the Cato ZTNA Broker, creating a secure boundary between the application and the rest of the network. The application remains unreachable unless explicitly permitted by the Cato ZTNA policy.
In all three modes, applications are presented to users as virtual IP addresses (NATed), which hides the internal data center addressing and network design from the users and from the rest of the network.
The Cato ZTNA Broker (implemented as part of the Cato SASE Cloud) sits between the user and the application and stitches together their two outbound tunnels according to policy. By default, all application access is blocked, and only explicitly defined ZTNA policies can grant access. Administrators can create granular policies that specify which users or groups can access which applications, covering HTTP/S as well as any other TCP or UDP protocol and port, in either direction. Once access is granted, all application traffic is subject to inspection by the security engines (Threat Prevention, CASB/DLP) and to policy enforcement.
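The following is an added example, not Cato's code or API, that models the broker decision the two preceding sections describe: an explicit rule must match identity (group), application, protocol and port, device posture, and risk level, anything unmatched is denied, an identity with no matching rule is offered no applications, and an established session is re-evaluated as posture and risk change. The rule set, groups, applications, and the three-level risk scale are constructed for illustration.

```python
"""Default-deny ZTNA policy evaluation, modelled on the broker behaviour the article describes.

Added example, not Cato's code or API. Rules, groups, applications and the
risk scale are constructed for illustration; a real broker applies many more
signals. The point demonstrated: nothing is reachable unless an explicit rule
matches every dimension, and an established session is re-evaluated as device
posture and risk change.
"""
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional, Sequence, Tuple

RISK_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]
    app: str           # application name; the broker maps it to a virtual IP
    protocol: str      # "tcp" or "udp"
    port: int
    posture_ok: bool   # result of the device posture check
    risk: str          # "low", "medium" or "high"


@dataclass(frozen=True)
class Rule:
    name: str
    groups: FrozenSet[str]      # any one matching group satisfies the identity check
    apps: FrozenSet[str]
    protocols: FrozenSet[str]
    ports: FrozenSet[int]       # empty means any port
    require_posture: bool = True
    max_risk: str = "medium"    # highest risk level the rule tolerates


def rule_matches(rule: Rule, req: Request) -> bool:
    """A rule grants only when identity, application, protocol/port and context all match."""
    if not (rule.groups & req.groups):
        return False
    if req.app not in rule.apps or req.protocol not in rule.protocols:
        return False
    if rule.ports and req.port not in rule.ports:
        return False
    if rule.require_posture and not req.posture_ok:
        return False
    return RISK_ORDER[req.risk] <= RISK_ORDER[rule.max_risk]


def evaluate(rules: Sequence[Rule], req: Request) -> Tuple[bool, Optional[str]]:
    """First matching allow rule wins; no match means deny (there is no implicit allow)."""
    for rule in rules:
        if rule_matches(rule, req):
            return True, rule.name
    return False, None


def visible_apps(rules: Sequence[Rule], groups: FrozenSet[str]) -> FrozenSet[str]:
    """Applications an identity could ever be offered; an unmatched identity sees nothing."""
    return frozenset(app for r in rules if r.groups & groups for app in r.apps)


def continuous_evaluation(rules: Sequence[Rule], session: Request,
                          snapshots: Sequence[Tuple[bool, str]]) -> List[bool]:
    """Re-run the policy on each (posture_ok, risk) snapshot; the first failure ends the session."""
    decisions: List[bool] = []
    for posture_ok, risk in snapshots:
        allowed, _ = evaluate(rules, replace(session, posture_ok=posture_ok, risk=risk))
        decisions.append(allowed)
        if not allowed:
            break  # session torn down; later snapshots are irrelevant
    return decisions


# Constructed rule set (hypothetical applications and groups).
RULES = [
    Rule("finance-erp", frozenset({"finance"}), frozenset({"erp"}),
         frozenset({"tcp"}), frozenset({443})),
    Rule("admins-ssh", frozenset({"it-admins"}), frozenset({"jumphost"}),
         frozenset({"tcp"}), frozenset({22}), max_risk="low"),
    Rule("voip", frozenset({"all-users"}), frozenset({"pbx"}),
         frozenset({"udp"}), frozenset()),          # any UDP port to the PBX
]

ALICE = Request("alice", frozenset({"finance", "all-users"}), "erp", "tcp", 443, True, "low")


if __name__ == "__main__":
    print(evaluate(RULES, ALICE))                                    # (True, 'finance-erp')
    print(evaluate(RULES, replace(ALICE, port=22)))                  # (False, None): port not in rule
    print(evaluate(RULES, replace(ALICE, app="jumphost", port=22)))  # (False, None): default deny
    print(sorted(visible_apps(RULES, frozenset({"contractors"}))))   # []: nothing published
    print(continuous_evaluation(RULES, ALICE,
                                [(True, "low"), (True, "medium"), (False, "low"), (True, "low")]))
    # [True, True, False]: posture failure revokes an established session
```

Two design choices carry the security point. `evaluate` has no fallback branch that allows, so a request that matches nothing is denied by construction rather than by a trailing "deny all" rule an administrator could accidentally remove. `continuous_evaluation` calls the same `evaluate` on every snapshot instead of a lighter "is the session still valid" check, so a posture or risk change is judged against exactly the same policy that granted access in the first place.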