
Network-Engineering, Security | 9 min read

A sassy new approach to networking and security

May 2021
written by Maciej Filipczak
Senior Network / Security Engineer

Are you ready for the flight into the clouds? Join us for a short intro to SASE with Palo Alto Prisma Access.

Changing work

What have we learned during the Coronavirus pandemic over the last one and a half years? One may say we have learnt to be more assertive. After all, remote working sometimes calls for radical change. We learned sometimes it is okay to lock yourself in your room to stop pets or children from ruining an important online meeting!

Whatever lessons you have learned, for me personally it is confirmation that the world has made a giant leap in how we work and manage business continuity in times of crisis. Reliance on an office or on-premises infrastructure is no longer mandatory.

I think the emerging work-from-anywhere model is a win-win for the environment, families, employees and companies. It is a modern trend that improves efficiency and is likely to continue after the impact of the pandemic subsides.

Changing technology landscape

The change to remote working would not be possible without technology. Our current situation reminds me of the visionary cartoon set in the future, “The Jetsons,” which I used to watch on television as a child. In that show, created 50 years ago, the main character George Jetson made a living pressing keyboard buttons to remotely control devices from a bedroom in his home adapted to serve as an office. Just like many of us do now!

Imagine the impact on work if the current pandemic had happened 25 years ago. Probably many more businesses than now would have been unable to continue and would have closed for good. These days, thanks to the Internet and cloud computing, businesses can shift quickly from office to remote presence and continue operating.

One of the new concepts that emerged as a result of ongoing changes is called SASE. Pronounced “sassy”, it is a service model intended to address current hot topics including:

  • remote working
  • adoption of clouds
  • diminishing network perimeter
  • reduction of costs
  • reduction of complexity
  • use of IoT devices
  • Zero Trust Network Access
  • DNS security

A 2020 Gartner publication stated that by “2024, at least 40% of enterprises will have explicit strategies to adopt SASE, up from less than 1% at year-end 2018”.

How can we then convert these buzzwords into realistic objectives? For example:

  • How can we deliver uninterrupted, fast, flexible, and secure access to the growing number of remote workers?
  • How can we secure data that is becoming more decentralized than ever?
  • How can this be done without increasing complexity, applying point solutions, or band-aids?

If adjusting all of these moving parts sounds like a recipe for disaster and you wonder about a better way to modernize your approach to networking and security to address these questions, ngworx.ag has a suggestion that may interest you!

Case

I recently participated in a Proof of Concept (PoC) demonstration of Palo Alto Prisma Access. One of our customers with headquarters in Zurich requested us to provide a solution for the following requirements:

  • deploy a cloud firewall
  • connect branch offices in Lisbon and Singapore with headquarters using fast, reliable and secure connections
  • enable integration with cloud applications, central authentication
  • simplify infrastructure management; the customer already used on-premises and cloud solutions from two providers and was looking at consolidation
  • standardize security
  • enable Network Access Control (NAC) using Cisco Identity Service Engine (ISE) located in Zurich
  • ensure the solution is cost-effective

Challenge

One of the main challenges in the current network was the latency. Cisco ISE and other NAC solutions are latency sensitive. Usually, the maximum tolerable Round Trip Time (RTT) should be less than 200ms. The WAN link connecting Singapore to Zurich operated with a 500ms RTT – too slow.

As a result, deploying ISE centrally was not possible; instead, local Network Access Control systems would have had to be installed. Such designs are neither simple nor cheap to deploy and operate.

To address the requirements from both the network and security worlds, we suggested testing a solution that covers all tasks in a single package – Prisma Access.

In this article, I would like to share some lessons learned from the implementation and highlight the Prisma Access features that allowed the customer to achieve these goals.

High level view of the topology:


In this case, the customer already had access to Google Cloud Platform (GCP), therefore deployment of Prisma Access was simple and limited to logical configuration and deployment of Virtual Machines. Two 10G leased lines connect to GCP making the “last mile” fast.

Deployment is well-documented in a step-by-step form. The client connects each site to Prisma Access with a Service Connection. Prisma Access is based on Google Cloud Platform (GCP) and Amazon Web Services (AWS). Over 100 data centers in 76 countries around the globe are available for local and efficient backbone access. In our case, the headquarters in Zurich was connected to the GCP/AWS node in Frankfurt and the Singapore branch office to the GCP/AWS node in Singapore.

Once connected to Prisma Access, clients get the benefits that are native to cloud-based applications. For example, because Google and Amazon already host popular applications like Google Apps, Salesforce, Dropbox or SAP, clients can access these SaaS solutions with minimal overhead, delay and jitter.

The network performance is good enough to support latency-sensitive applications such as trading platforms, VoIP, or NAC. This can be achieved at a lower cost compared to MPLS.

During our PoC, we were able to confirm the advertised low-latency promises of the Prisma Access backbone. RTT between Singapore and Zurich dropped from 500ms to 80ms! This allowed us to meet the client requirements, improve user experience, save money by avoiding the deployment of an additional ISE cluster, and simplify the network.
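The go/no-go decision described above (is the branch-to-ISE path within the NAC RTT tolerance?) can be scripted from plain ping output. The following is an added example, not code from ngworx.ag or Palo Alto; the ping replies are constructed to mirror the 500ms-vs-80ms figures in the article, and the 200ms threshold is the one quoted above.

```python
import re
import statistics

# NAC (Cisco ISE) RTT tolerance quoted in the case study, in milliseconds.
NAC_MAX_RTT_MS = 200.0

# Constructed Linux-style ping replies standing in for measurements taken
# from the Singapore branch toward the ISE node in Zurich; not real data.
PING_SAMPLES = {
    "singapore-via-wan": """
64 bytes from 10.1.0.10: icmp_seq=1 ttl=54 time=498 ms
64 bytes from 10.1.0.10: icmp_seq=2 ttl=54 time=512 ms
64 bytes from 10.1.0.10: icmp_seq=3 ttl=54 time=495 ms
64 bytes from 10.1.0.10: icmp_seq=4 ttl=54 time=503 ms
""",
    "singapore-via-prisma": """
64 bytes from 10.1.0.10: icmp_seq=1 ttl=57 time=79.4 ms
64 bytes from 10.1.0.10: icmp_seq=2 ttl=57 time=81.2 ms
64 bytes from 10.1.0.10: icmp_seq=3 ttl=57 time=80.1 ms
64 bytes from 10.1.0.10: icmp_seq=4 ttl=57 time=78.9 ms
""",
}

_RTT_RE = re.compile(r"icmp_seq=(\d+).*?time=([\d.]+) ms")


def parse_rtts(ping_output: str) -> list:
    """Extract RTT values (ms) from ping reply lines, in order of arrival."""
    return [float(m.group(2)) for m in _RTT_RE.finditer(ping_output)]


def assess_site(ping_output: str, max_rtt_ms: float = NAC_MAX_RTT_MS) -> dict:
    """Summarise RTT for one path and decide whether it can carry NAC traffic.

    The verdict uses the worst observed sample, not the average, so a path
    that is usually fine but spikes past the tolerance is still flagged.
    """
    rtts = parse_rtts(ping_output)
    if not rtts:
        raise ValueError("no RTT samples found in ping output")
    summary = {
        "samples": len(rtts),
        "min_ms": min(rtts),
        "avg_ms": round(statistics.fmean(rtts), 1),
        "max_ms": max(rtts),
        "jitter_ms": round(statistics.pstdev(rtts), 1),
    }
    summary["nac_viable"] = summary["max_ms"] <= max_rtt_ms
    return summary


if __name__ == "__main__":
    for site, output in PING_SAMPLES.items():
        print(site, assess_site(output))
```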

What makes Prisma Access stand out?

Prisma Access is the flagship product developed by Palo Alto Networks, the leading vendor of cybersecurity and perimeter control solutions according to Gartner. The idea is to allow the customer to reduce on-premises devices to an absolute minimum. Internet access is practically all the company needs to work.

The software is composed of two layers: network and security.


Network

Prisma Access network nodes spread around the globe are connected using proprietary SD-WAN. The underlying technology was developed by CloudGenix, a company well-established in SD-WAN technology, which Palo Alto recently acquired. The platform’s trademark is the use of multiple links, machine learning and automation in order to provide the best performance and 99.999% availability. That translates to a maximum of 5 ½ minutes of annual downtime. Traditional protocols like BGP or static routing with ECMP are supported for increased performance and load balancing.

The network receives near-perfect feedback, with 4.9/5 points based on 288 responses.

Security

Being the core product, Prisma Access leverages all the experience Palo Alto has as the industry-leading security vendor. The solution is deployed in-line between the client and remote sites such as public or private clouds and data centers, to control remote access for users or B2B partners. The Universal Threat Management (UTM) stack acts as a connection broker. The full feature list is extensive; a few of the main ones include:

  • layer 3-7 inspection
  • user and application awareness
  • DLP, IPS/IDP
  • DNS security
  • Anti-Malware
  • posture checks
  • behavioural analytics

Management

Prisma Access uses Panorama to orchestrate on-premises and cloud devices. The software is considered one of the best security management platforms in the industry.

Apart from typical functions, it can be configured as a central Security Information and Event Manager (SIEM). An additional artificial intelligence module called Cortex XDR can be enabled to collect logs from different sources and formats and to automate parsing, analysis and response.

The system is effective since Prisma Access is deployed in-line and sees all traffic. Thanks to such design, Panorama can eliminate noise, false positives, or misleading data. It can reveal the network topology to indicate risks or anomalies and generate more accurate reports.

Further integrations are possible via API. Additionally over 500 playbooks are available out of the box to support Security Operations Center (SOC) and automate daily monitoring or deployment activities.

One of the side benefits we noticed during the PoC is how easy it is to perform tasks such as integration, acquisition, or divestiture. Those are usually complex projects. Since Prisma Access is a cloud solution, from the client’s perspective there is no dependency on physical hardware or the supply chain. For example, there is no need to wait several months to obtain a physical appliance due to the computer chip shortage that is currently affecting almost all manufacturers. All configuration is logical.

Any issues?

Nothing is perfect. During the PoC, we encountered an issue with the licensing server. To be objective, let us consider that a number of licenses are required to fully utilize the solution and obtain support. However, complicated licensing is not unique to Palo Alto. Other vendors similarly require multiple licenses to enable the full potential of a product.

At ngworx.ag, we are of the view Prisma Access is competitively priced considering its quality of security and use, and long term value. We encourage you to contact us to estimate the return on investment for Prisma Access in your individual case.

Conclusion

Current trends point to the increasing role of cloud computing and automation in future. The security threat landscape is evolving at a rapid pace. The office boundary is now within our home and sometimes we even use personal devices to access company networks.

To adopt the cloud effectively, we believe that simple, comprehensive, and mature solutions are the key. It may sound funny but there is a lot of value in the KISS methodology (Keep It Simple, Stupid). We believe that less complexity combined with best practices and quality support result in good security and lower operational costs.

Prisma Access is a combination of a modern approach, a fast network, solid security vendor expertise, a refined management platform and assurance. Those attributes are not the cheapest, but you get what you pay for.

If you want to introduce innovation, modernize your infrastructure, future-proof your business and do it right the first time, then shortlist Prisma Access. Ngworx can help you with a proof of concept, integration or migration.

Contact us if you would like to know more!
