SlideShare a Scribd company logo

secure-your-branch via Virtualized Firewall on SD-WAN Edge.pdf

R
rhunter5312

This document discusses security options for branch locations that have different needs than corporate headquarters. It notes that a one-size-fits-all approach does not work well due to variations in factors like employee count, sites, bandwidth needs, applications, IT staffing, and budgets across locations. It presents three main options: hardware firewalls at each branch, virtualized firewalls running on SD-WAN edge devices, and using Palo Alto Networks' GlobalProtect cloud service. For each option, it outlines considerations around deployment, administration, use cases, and key advantages and limitations. It concludes by listing several important questions to evaluate for determining the best branch security approach, such as location characteristics and networking configuration.

Data & Analytics
1 of 14
Download to read offline
Secure Your Branch
Different Locations have Different Needs • # of Employees • # of Sites • Bandwidth Requirements • Applications • IT Staffing • Capital Expense Budgets • Operational Budgets 2 | © 2018, Palo Alto Networks. All Rights Reserved. Headquarters Branch offices Retail store It’s not one size fits all.
Corporate HQ Challenges with Traditional Hub & Spoke WAN • Branch sites connect via MPLS • Optimized for reliable connections to an internal data center • Centralized firewall secures internet traffic • Networking not optimal for internet/cloud access Internet Branch office MPLS Internet Branch Router
Insecure Breakout at the Branch • Direct path to the cloud • Branch UTMs and proxies deliver much less security • Security fragmentation at different locations • More administration, higher staffing costs Internet Branch office Internet UTM Cloud Proxy for HTTP Branch Router Non- HTTP
Options for the Branch
Branch Solutions from Palo Alto Networks 6 | © 2018, Palo Alto Networks. All Rights Reserved. Hardware Firewall Virtualized Firewall (VM- Series) GlobalProtect cloud service Deployment Security appliance at the branch Runs as a VNF on SD-WAN Edge Device Integrates with a tunnel to on- prem branch router or SD- WAN fabric Administration Customer managed Customer Managed Customer policies on cloud service managed by Palo Alto Networks Use Case Full control over device for local network segmentation, high performance, flexible network insertion For secure internet breakout at the branch without on- prem security appliance Consistent security with predictable operational cost
Hardware Firewalls at the Branch • Direct internet for local breakout • Same security policies as HQ • Integration with on-prem hardware, internal network segmentation, multiple zones, VLAN support • Branch may not have technical staff • Need resources to handle hardware replacements / cold spares / upgrades Internet Branch office Internet Branch Router / SD-WAN Edge Device Palo Alto Networks NGFW
GlobalProtect Cloud Service • Full stack security without the backhaul to a corporate firewall • Does not require an on-prem security appliance • Unlike other branch solutions, inspects all traffic, bidirectionally Branch office Internet Internet Branch to GlobalProtect cloud service Branch Router or SD-WAN Edge Device
Corporate HQ Virtualized Firewall on SD-WAN Edge SaaS Internet IPSEC Internet Branch office SD-WAN • Organization manages the VMs in the CPE • Does not necessarily provide full access to the interfaces (i.e. often implemented as a service chain) • Maintains full visibility and optimal SD-WAN performance • Can be mixed with GPCS integration use cases SD-WAN Edge
Key Questions in Branch Security 10 | © 2018, Palo Alto Networks. All Rights Reserved. Question Key Decisions How many branch locations do you have? Sending IT staff or consultants to handle maintenance and upgrades at each location can be time consuming and slow. How many users are at each of these locations? If your site doesn’t have on-site technical staff (or is not large enough to justify hiring one), then on-prem maintenance may be difficult. Where are your branches located? Location may make the logistics of deploying hardware more challenging. What applications do your users need at these locations? High bandwidth requirements may require local appliances for high performance. What services are operating at the location? If you want to do network segmentation or zero trust, it makes sense to do local enforcement of policy. How are you networking the branches? Organizations using SD-WAN may need to consider from a range of security deployment options.
Example: Post-Merger Security Operations
Corporate HQ Example of Mixed Operating Environments: Post-Merger Operations • Company inherits an entirely different security environment from the acquisition • Standardizing on one security environment takes time to replace boxes • Different security posture at different locations Branch Company using Palo Alto Networks Acquired Company using Another Firewall Vendor Branch Branch Branch Branch
Mergers and Acquisitions • Quickly standardize security policy by onboarding sites to GlobalProtect cloud service • Other vendor’s boxes can be left in place, or swapped out to Palo Alto Networks hardware in the future Corporate HQ Branch Branch Branch Branch Branch Company using Palo Alto Networks Acquired Company using Another Firewall Vendor
THANK YOU

Recommended

SDWAN.pdf
SDWAN.pdfSDWAN.pdf
SDWAN.pdf
sushil kumar
 
SD-WAN
SD-WANSD-WAN
SD-WAN
chetnaganatra
 
Rethinking Cybersecurity for the Digital Transformation Era
Rethinking Cybersecurity for the Digital Transformation EraRethinking Cybersecurity for the Digital Transformation Era
Rethinking Cybersecurity for the Digital Transformation Era
Zscaler
 
network design chapter 4(1).pptx
network design chapter 4(1).pptxnetwork design chapter 4(1).pptx
network design chapter 4(1).pptx
amanueltafese2
 
Network and Security Reference Architecture For Driving Workstyle Transformation
Network and Security Reference Architecture For Driving Workstyle TransformationNetwork and Security Reference Architecture For Driving Workstyle Transformation
Network and Security Reference Architecture For Driving Workstyle Transformation
Matsuo Sawahashi
 
Building Cloud capability for startups
Building Cloud capability for startupsBuilding Cloud capability for startups
Building Cloud capability for startups
Sekhar Mohanty
 
Moving Beyond the Router to a Thin-branch or Application-driven SD-WAN
Moving Beyond the Router to a Thin-branch or Application-driven SD-WANMoving Beyond the Router to a Thin-branch or Application-driven SD-WAN
Moving Beyond the Router to a Thin-branch or Application-driven SD-WAN
Digital Transformation EXPO Event Series
 
Unit 1.2 move to cloud computing
Unit 1.2 move to cloud computingUnit 1.2 move to cloud computing
Unit 1.2 move to cloud computing
eShikshak
 

Recommended

SDWAN.pdf
SDWAN.pdfSDWAN.pdf
SDWAN.pdf
sushil kumar
 
SD-WAN
SD-WANSD-WAN
SD-WAN
chetnaganatra
 
Rethinking Cybersecurity for the Digital Transformation Era
Rethinking Cybersecurity for the Digital Transformation EraRethinking Cybersecurity for the Digital Transformation Era
Rethinking Cybersecurity for the Digital Transformation Era
Zscaler
 
network design chapter 4(1).pptx
network design chapter 4(1).pptxnetwork design chapter 4(1).pptx
network design chapter 4(1).pptx
amanueltafese2
 
Network and Security Reference Architecture For Driving Workstyle Transformation
Network and Security Reference Architecture For Driving Workstyle TransformationNetwork and Security Reference Architecture For Driving Workstyle Transformation
Network and Security Reference Architecture For Driving Workstyle Transformation
Matsuo Sawahashi
 
Building Cloud capability for startups
Building Cloud capability for startupsBuilding Cloud capability for startups
Building Cloud capability for startups
Sekhar Mohanty
 
Moving Beyond the Router to a Thin-branch or Application-driven SD-WAN
Moving Beyond the Router to a Thin-branch or Application-driven SD-WANMoving Beyond the Router to a Thin-branch or Application-driven SD-WAN
Moving Beyond the Router to a Thin-branch or Application-driven SD-WAN
Digital Transformation EXPO Event Series
 
Unit 1.2 move to cloud computing
Unit 1.2 move to cloud computingUnit 1.2 move to cloud computing
Unit 1.2 move to cloud computing
eShikshak
 
Transforming enterprise network infrastructure with sd wan services
Transforming enterprise network infrastructure with sd wan servicesTransforming enterprise network infrastructure with sd wan services
Transforming enterprise network infrastructure with sd wan services
RehanShrivastav
 
SD-WAN - comSpark 2019
SD-WAN - comSpark 2019SD-WAN - comSpark 2019
SD-WAN - comSpark 2019
Advanced Technology Consulting (ATC)
 
Trending: Convergence of networking and security in stores and branches
Trending: Convergence of networking and security in stores and branchesTrending: Convergence of networking and security in stores and branches
Trending: Convergence of networking and security in stores and branches
National Retail Federation
 
fmb_cloud_computing.pptx
fmb_cloud_computing.pptxfmb_cloud_computing.pptx
fmb_cloud_computing.pptx
MrArrow3
 
A new way to connect and protect retail networks with secure enterprise SD-WA...
A new way to connect and protect retail networks with secure enterprise SD-WA...A new way to connect and protect retail networks with secure enterprise SD-WA...
A new way to connect and protect retail networks with secure enterprise SD-WA...
National Retail Federation
 
Cloud Networking Presentation - WAN Summit - Ciaran Roche
Cloud Networking Presentation - WAN Summit - Ciaran RocheCloud Networking Presentation - WAN Summit - Ciaran Roche
Cloud Networking Presentation - WAN Summit - Ciaran Roche
Ciaran Roche
 
CoreSite Interconnect Gateway (CIG)
CoreSite Interconnect Gateway (CIG)CoreSite Interconnect Gateway (CIG)
CoreSite Interconnect Gateway (CIG)
Mike Trawick
 
Loughtec cloud computing
Loughtec cloud computing Loughtec cloud computing
Loughtec cloud computing
Loughtec
 
Plnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastruktury
Plnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastrukturyPlnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastruktury
Plnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastruktury
PROIDEA
 
Making Money in the Cloud
Making Money in the CloudMaking Money in the Cloud
Making Money in the Cloud
Gravitant, Inc.
 
Intelligence at the Edge: How SD-WAN can Enable a Smarter Network
Intelligence at the Edge: How SD-WAN can Enable a Smarter NetworkIntelligence at the Edge: How SD-WAN can Enable a Smarter Network
Intelligence at the Edge: How SD-WAN can Enable a Smarter Network
QOS Networks
 
An SD-WAN Bill of Rights
An SD-WAN Bill of RightsAn SD-WAN Bill of Rights
An SD-WAN Bill of Rights
Cisco Enterprise Networks
 
SD-WAN Bill of Rights -infographic
SD-WAN Bill of Rights -infographicSD-WAN Bill of Rights -infographic
SD-WAN Bill of Rights -infographic
E.S.G. JR. Consulting, Inc.
 
Application of Cloud Computing in the Retail sector
Application of Cloud Computing in the Retail sectorApplication of Cloud Computing in the Retail sector
Application of Cloud Computing in the Retail sector
Nupur Agarwal
 
Citrix Synergy 2014 - Syn231 Why cloud projects fail
Citrix Synergy 2014 - Syn231 Why cloud projects failCitrix Synergy 2014 - Syn231 Why cloud projects fail
Citrix Synergy 2014 - Syn231 Why cloud projects fail
Citrix
 
SD-WAN iFLX-Brochure
SD-WAN iFLX-BrochureSD-WAN iFLX-Brochure
SD-WAN iFLX-Brochure
Tata Tele Business Services
 
Cloud capability for startups
Cloud capability for startupsCloud capability for startups
Cloud capability for startups
Cloud and analytics Lab
 
An introduction and overview to Software as a Service
An introduction and overview to Software as a Service An introduction and overview to Software as a Service
An introduction and overview to Software as a Service
InTechnology Managed Services (part of Redcentric)
 
Level 3 Hybrid WAN/SDN Defined
Level 3 Hybrid WAN/SDN DefinedLevel 3 Hybrid WAN/SDN Defined
Level 3 Hybrid WAN/SDN Defined
Scott Burns
 
Level 3 hybrid wan
Level 3 hybrid wan Level 3 hybrid wan
Level 3 hybrid wan
Scott Burns
 
Supply chain analytics to combat the effects of Ukraine-Russia-conflict
Supply chain analytics to combat the effects of Ukraine-Russia-conflictSupply chain analytics to combat the effects of Ukraine-Russia-conflict
Supply chain analytics to combat the effects of Ukraine-Russia-conflict
Jack Cole
 
Q1’2024 Update: MYCI’s Leap Year Rebound
Q1’2024 Update: MYCI’s Leap Year ReboundQ1’2024 Update: MYCI’s Leap Year Rebound
Q1’2024 Update: MYCI’s Leap Year Rebound
Oppotus
 

More Related Content

Similar to secure-your-branch via Virtualized Firewall on SD-WAN Edge.pdf

fmb_cloud_computing.pptx
fmb_cloud_computing.pptxfmb_cloud_computing.pptx
fmb_cloud_computing.pptx
MrArrow3
 
Loughtec cloud computing
Loughtec cloud computing Loughtec cloud computing
Loughtec cloud computing
Loughtec
 
Making Money in the Cloud
Making Money in the CloudMaking Money in the Cloud
Making Money in the Cloud
Gravitant, Inc.
 
Citrix Synergy 2014 - Syn231 Why cloud projects fail
Citrix Synergy 2014 - Syn231 Why cloud projects failCitrix Synergy 2014 - Syn231 Why cloud projects fail
Citrix Synergy 2014 - Syn231 Why cloud projects fail
Citrix
 

Similar to secure-your-branch via Virtualized Firewall on SD-WAN Edge.pdf (20)

Transforming enterprise network infrastructure with sd wan services
Transforming enterprise network infrastructure with sd wan servicesTransforming enterprise network infrastructure with sd wan services
Transforming enterprise network infrastructure with sd wan services
 
SD-WAN - comSpark 2019
SD-WAN - comSpark 2019SD-WAN - comSpark 2019
SD-WAN - comSpark 2019
 
Trending: Convergence of networking and security in stores and branches
Trending: Convergence of networking and security in stores and branchesTrending: Convergence of networking and security in stores and branches
Trending: Convergence of networking and security in stores and branches
 
fmb_cloud_computing.pptx
fmb_cloud_computing.pptxfmb_cloud_computing.pptx
fmb_cloud_computing.pptx
 
A new way to connect and protect retail networks with secure enterprise SD-WA...
A new way to connect and protect retail networks with secure enterprise SD-WA...A new way to connect and protect retail networks with secure enterprise SD-WA...
A new way to connect and protect retail networks with secure enterprise SD-WA...
 
Cloud Networking Presentation - WAN Summit - Ciaran Roche
Cloud Networking Presentation - WAN Summit - Ciaran RocheCloud Networking Presentation - WAN Summit - Ciaran Roche
Cloud Networking Presentation - WAN Summit - Ciaran Roche
 
CoreSite Interconnect Gateway (CIG)
CoreSite Interconnect Gateway (CIG)CoreSite Interconnect Gateway (CIG)
CoreSite Interconnect Gateway (CIG)
 
Loughtec cloud computing
Loughtec cloud computing Loughtec cloud computing
Loughtec cloud computing
 
Plnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastruktury
Plnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastrukturyPlnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastruktury
Plnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastruktury
 
Making Money in the Cloud
Making Money in the CloudMaking Money in the Cloud
Making Money in the Cloud
 
Intelligence at the Edge: How SD-WAN can Enable a Smarter Network
Intelligence at the Edge: How SD-WAN can Enable a Smarter NetworkIntelligence at the Edge: How SD-WAN can Enable a Smarter Network
Intelligence at the Edge: How SD-WAN can Enable a Smarter Network
 
An SD-WAN Bill of Rights
An SD-WAN Bill of RightsAn SD-WAN Bill of Rights
An SD-WAN Bill of Rights
 
SD-WAN Bill of Rights -infographic
SD-WAN Bill of Rights -infographicSD-WAN Bill of Rights -infographic
SD-WAN Bill of Rights -infographic
 
Application of Cloud Computing in the Retail sector
Application of Cloud Computing in the Retail sectorApplication of Cloud Computing in the Retail sector
Application of Cloud Computing in the Retail sector
 
Citrix Synergy 2014 - Syn231 Why cloud projects fail
Citrix Synergy 2014 - Syn231 Why cloud projects failCitrix Synergy 2014 - Syn231 Why cloud projects fail
Citrix Synergy 2014 - Syn231 Why cloud projects fail
 
SD-WAN iFLX-Brochure
SD-WAN iFLX-BrochureSD-WAN iFLX-Brochure
SD-WAN iFLX-Brochure
 
Cloud capability for startups
Cloud capability for startupsCloud capability for startups
Cloud capability for startups
 
An introduction and overview to Software as a Service
An introduction and overview to Software as a Service An introduction and overview to Software as a Service
An introduction and overview to Software as a Service
 
Level 3 Hybrid WAN/SDN Defined
Level 3 Hybrid WAN/SDN DefinedLevel 3 Hybrid WAN/SDN Defined
Level 3 Hybrid WAN/SDN Defined
 
Level 3 hybrid wan
Level 3 hybrid wan Level 3 hybrid wan
Level 3 hybrid wan
 

Recently uploaded

一比一原版(UPenn毕业证)宾夕法尼亚大学毕业证成绩单
一比一原版(UPenn毕业证)宾夕法尼亚大学毕业证成绩单一比一原版(UPenn毕业证)宾夕法尼亚大学毕业证成绩单
一比一原版(UPenn毕业证)宾夕法尼亚大学毕业证成绩单
ewymefz
 
一比一原版(YU毕业证)约克大学毕业证成绩单
一比一原版(YU毕业证)约克大学毕业证成绩单一比一原版(YU毕业证)约克大学毕业证成绩单
一比一原版(YU毕业证)约克大学毕业证成绩单
enxupq
 
一比一原版(QU毕业证)皇后大学毕业证成绩单
一比一原版(QU毕业证)皇后大学毕业证成绩单一比一原版(QU毕业证)皇后大学毕业证成绩单
一比一原版(QU毕业证)皇后大学毕业证成绩单
enxupq
 
Computer Presentation.pptx ecommerce advantage s
Computer Presentation.pptx ecommerce advantage sComputer Presentation.pptx ecommerce advantage s
Computer Presentation.pptx ecommerce advantage s
MAQIB18
 
一比一原版(CU毕业证)卡尔顿大学毕业证成绩单
一比一原版(CU毕业证)卡尔顿大学毕业证成绩单一比一原版(CU毕业证)卡尔顿大学毕业证成绩单
一比一原版(CU毕业证)卡尔顿大学毕业证成绩单
yhkoc
 
Investigate & Recover / StarCompliance.io / Crypto_Crimes
Investigate & Recover / StarCompliance.io / Crypto_CrimesInvestigate & Recover / StarCompliance.io / Crypto_Crimes
Investigate & Recover / StarCompliance.io / Crypto_Crimes
StarCompliance.io
 
Opendatabay - Open Data Marketplace.pptx
Opendatabay - Open Data Marketplace.pptxOpendatabay - Open Data Marketplace.pptx
Opendatabay - Open Data Marketplace.pptx
Opendatabay
 
Exploratory Data Analysis - Dilip S.pptx
Exploratory Data Analysis - Dilip S.pptxExploratory Data Analysis - Dilip S.pptx
Exploratory Data Analysis - Dilip S.pptx
DilipVasan
 

Recently uploaded (20)

Supply chain analytics to combat the effects of Ukraine-Russia-conflict
Supply chain analytics to combat the effects of Ukraine-Russia-conflictSupply chain analytics to combat the effects of Ukraine-Russia-conflict
Supply chain analytics to combat the effects of Ukraine-Russia-conflict
 
Q1’2024 Update: MYCI’s Leap Year Rebound
Q1’2024 Update: MYCI’s Leap Year ReboundQ1’2024 Update: MYCI’s Leap Year Rebound
Q1’2024 Update: MYCI’s Leap Year Rebound
 
How can I successfully sell my pi coins in Philippines?
How can I successfully sell my pi coins in Philippines?How can I successfully sell my pi coins in Philippines?
How can I successfully sell my pi coins in Philippines?
 
一比一原版(UPenn毕业证)宾夕法尼亚大学毕业证成绩单
一比一原版(UPenn毕业证)宾夕法尼亚大学毕业证成绩单一比一原版(UPenn毕业证)宾夕法尼亚大学毕业证成绩单
一比一原版(UPenn毕业证)宾夕法尼亚大学毕业证成绩单
 
Tabula.io Cheatsheet: automate your data workflows
Tabula.io Cheatsheet: automate your data workflowsTabula.io Cheatsheet: automate your data workflows
Tabula.io Cheatsheet: automate your data workflows
 
一比一原版(YU毕业证)约克大学毕业证成绩单
一比一原版(YU毕业证)约克大学毕业证成绩单一比一原版(YU毕业证)约克大学毕业证成绩单
一比一原版(YU毕业证)约克大学毕业证成绩单
 
一比一原版(QU毕业证)皇后大学毕业证成绩单
一比一原版(QU毕业证)皇后大学毕业证成绩单一比一原版(QU毕业证)皇后大学毕业证成绩单
一比一原版(QU毕业证)皇后大学毕业证成绩单
 
Slip-and-fall Injuries: Top Workers' Comp Claims
Slip-and-fall Injuries: Top Workers' Comp ClaimsSlip-and-fall Injuries: Top Workers' Comp Claims
Slip-and-fall Injuries: Top Workers' Comp Claims
 
2024-05-14 - Tableau User Group - TC24 Hot Topics - Tableau Pulse and Einstei...
2024-05-14 - Tableau User Group - TC24 Hot Topics - Tableau Pulse and Einstei...2024-05-14 - Tableau User Group - TC24 Hot Topics - Tableau Pulse and Einstei...
2024-05-14 - Tableau User Group - TC24 Hot Topics - Tableau Pulse and Einstei...
 
Computer Presentation.pptx ecommerce advantage s
Computer Presentation.pptx ecommerce advantage sComputer Presentation.pptx ecommerce advantage s
Computer Presentation.pptx ecommerce advantage s
 
Using PDB Relocation to Move a Single PDB to Another Existing CDB
Using PDB Relocation to Move a Single PDB to Another Existing CDBUsing PDB Relocation to Move a Single PDB to Another Existing CDB
Using PDB Relocation to Move a Single PDB to Another Existing CDB
 
Innovative Methods in Media and Communication Research by Sebastian Kubitschk...
Innovative Methods in Media and Communication Research by Sebastian Kubitschk...Innovative Methods in Media and Communication Research by Sebastian Kubitschk...
Innovative Methods in Media and Communication Research by Sebastian Kubitschk...
 
一比一原版(CU毕业证)卡尔顿大学毕业证成绩单
一比一原版(CU毕业证)卡尔顿大学毕业证成绩单一比一原版(CU毕业证)卡尔顿大学毕业证成绩单
一比一原版(CU毕业证)卡尔顿大学毕业证成绩单
 
社内勉強会資料_LLM Agents                              .
社内勉強会資料_LLM Agents                              .社内勉強会資料_LLM Agents                              .
社内勉強会資料_LLM Agents                              .
 
Pre-ProductionImproveddsfjgndflghtgg.pptx
Pre-ProductionImproveddsfjgndflghtgg.pptxPre-ProductionImproveddsfjgndflghtgg.pptx
Pre-ProductionImproveddsfjgndflghtgg.pptx
 
Investigate & Recover / StarCompliance.io / Crypto_Crimes
Investigate & Recover / StarCompliance.io / Crypto_CrimesInvestigate & Recover / StarCompliance.io / Crypto_Crimes
Investigate & Recover / StarCompliance.io / Crypto_Crimes
 
Webinar One View, Multiple Systems No-Code Integration of Salesforce and ERPs
Webinar One View, Multiple Systems No-Code Integration of Salesforce and ERPsWebinar One View, Multiple Systems No-Code Integration of Salesforce and ERPs
Webinar One View, Multiple Systems No-Code Integration of Salesforce and ERPs
 
Opendatabay - Open Data Marketplace.pptx
Opendatabay - Open Data Marketplace.pptxOpendatabay - Open Data Marketplace.pptx
Opendatabay - Open Data Marketplace.pptx
 
Business update Q1 2024 Lar España Real Estate SOCIMI
Business update Q1 2024 Lar España Real Estate SOCIMIBusiness update Q1 2024 Lar España Real Estate SOCIMI
Business update Q1 2024 Lar España Real Estate SOCIMI
 
Exploratory Data Analysis - Dilip S.pptx
Exploratory Data Analysis - Dilip S.pptxExploratory Data Analysis - Dilip S.pptx
Exploratory Data Analysis - Dilip S.pptx
 

secure-your-branch via Virtualized Firewall on SD-WAN Edge.pdf

  • 2. Different Locations have Different Needs • # of Employees • # of Sites • Bandwidth Requirements • Applications • IT Staffing • Capital Expense Budgets • Operational Budgets 2 | © 2018, Palo Alto Networks. All Rights Reserved. Headquarters Branch offices Retail store It’s not one size fits all.
  • 3. Corporate HQ Challenges with Traditional Hub & Spoke WAN • Branch sites connect via MPLS • Optimized for reliable connections to an internal data center • Centralized firewall secures internet traffic • Networking not optimal for internet/cloud access Internet Branch office MPLS Internet Branch Router
  • 4. Insecure Breakout at the Branch • Direct path to the cloud • Branch UTMs and proxies deliver much less security • Security fragmentation at different locations • More administration, higher staffing costs Internet Branch office Internet UTM Cloud Proxy for HTTP Branch Router Non- HTTP
  • 6. Branch Solutions from Palo Alto Networks 6 | © 2018, Palo Alto Networks. All Rights Reserved. Hardware Firewall Virtualized Firewall (VM- Series) GlobalProtect cloud service Deployment Security appliance at the branch Runs as a VNF on SD-WAN Edge Device Integrates with a tunnel to on- prem branch router or SD- WAN fabric Administration Customer managed Customer Managed Customer policies on cloud service managed by Palo Alto Networks Use Case Full control over device for local network segmentation, high performance, flexible network insertion For secure internet breakout at the branch without on- prem security appliance Consistent security with predictable operational cost
  • 7. Hardware Firewalls at the Branch • Direct internet for local breakout • Same security policies as HQ • Integration with on-prem hardware, internal network segmentation, multiple zones, VLAN support • Branch may not have technical staff • Need resources to handle hardware replacements / cold spares / upgrades Internet Branch office Internet Branch Router / SD-WAN Edge Device Palo Alto Networks NGFW
  • 8. GlobalProtect Cloud Service • Full stack security without the backhaul to a corporate firewall • Does not require an on-prem security appliance • Unlike other branch solutions, inspects all traffic, bidirectionally Branch office Internet Internet Branch to GlobalProtect cloud service Branch Router or SD-WAN Edge Device
  • 9. Corporate HQ Virtualized Firewall on SD-WAN Edge SaaS Internet IPSEC Internet Branch office SD-WAN • Organization manages the VMs in the CPE • Does not necessarily provide full access to the interfaces (i.e. often implemented as a service chain) • Maintains full visibility and optimal SD-WAN performance • Can be mixed with GPCS integration use cases SD-WAN Edge
  • 10. Key Questions in Branch Security 10 | © 2018, Palo Alto Networks. All Rights Reserved. Question Key Decisions How many branch locations do you have? Sending IT staff or consultants to handle maintenance and upgrades at each location can be time consuming and slow. How many users are at each of these locations? If your site doesn’t have on-site technical staff (or is not large enough to justify hiring one), then on-prem maintenance may be difficult. Where are your branches located? Location may make the logistics of deploying hardware more challenging. What applications do your users need at these locations? High bandwidth requirements may require local appliances for high performance. What services are operating at the location? If you want to do network segmentation or zero trust, it makes sense to do local enforcement of policy. How are you networking the branches? Organizations using SD-WAN may need to consider from a range of security deployment options.
  • 12. Corporate HQ Example of Mixed Operating Environments: Post-Merger Operations • Company inherits an entirely different security environment from the acquisition • Standardizing on one security environment takes time to replace boxes • Different security posture at different locations Branch Company using Palo Alto Networks Acquired Company using Another Firewall Vendor Branch Branch Branch Branch
  • 13. Mergers and Acquisitions • Quickly standardize security policy by onboarding sites to GlobalProtect cloud service • Other vendor’s boxes can be left in place, or swapped out to Palo Alto Networks hardware in the future Corporate HQ Branch Branch Branch Branch Branch Company using Palo Alto Networks Acquired Company using Another Firewall Vendor