Step 3: Architect a Zero Trust Network

Design your Zero Trust environment based on what’s valuable to your particular business.
Armed with an understanding of your protect surface and transaction flows, begin architecting your Zero Trust network based on what’s valuable to your business. Architect the business-critical protect surfaces you identified in Step 1: Define Your Protect Surface from the inside-out. As you develop the architecture, keep in mind ease of operation and maintenance, and flexibility to accommodate protect surface and business changes. Run the Best Practice Assessment tool to set a best practice configuration baseline and measure progress toward your Zero Trust goals.
The cornerstone of the architecture is segmentation gateways—physical or virtual Palo Alto Networks Next-Generation Firewalls that connect your network segments and enforce Layer 7 policy. Run all traffic through a segmentation gateway, place segmentation gateways as close as possible to the resources they protect, and use them in conjunction with other Palo Alto Networks capabilities to automate as much as possible. Next-generation firewalls:
  • Create a microperimeter in Layer 7 policy around each protect surface. This prevents lateral movement because the microperimeter provides granular policy controls for who (User-ID) accesses what applications (App-ID) and resources in what manner (Content-ID) and at what time through the segmentation gateway. Segment based on how transactions flow across your network and how your users and applications access data and services.
  • Aggregate security capabilities into a single control point for all traffic entering and exiting the protect surface. The segmentation gateway should enforce policy, decrypt encrypted traffic, and apply protections such as:
  • Decrypt and inspect traffic at Layer 7 in real-time.
  • Log every packet from Layer 2 through Layer 7. Send logs to the Cortex Data Lake from Panorama for managed firewalls, from individual firewalls (firewalls not managed by Panorama), from Prisma Access (formerly GlobalProtect™ cloud service), and from Traps to centralize and aggregate your on-premise and virtual (private and public cloud) log storage for physical and VM-Series firewalls.
  • Use APIs for tight integration with third-party defense tools from partners.
  • Automate feedback loops that detect events and automate responses.
    • Tag workloads and use tags as filtering criteria to determine the members of dynamic address groups in security policy. This enables you to automate actions based on log forwarding events to an HTTP(S) server. The log forwarding event triggers the action by dynamically adding or removing members of a dynamic address group used in security policy in real-time. The security policy determines if the members of the dynamic address group are allowed or denied access and the firewall enforces the action. For example, set up a DNS sinkhole in an Anti-Spyware security profile to automatically quarantine potentially compromised systems that attempt to access the sinkhole. Use tags and log forwarding to add and remove those systems dynamically from a dynamic address group that is attached to a policy rule which blocks and logs all traffic to the sinkhole address. You can then investigate potentially compromised systems when notified by log alerts.
    • Use Cortex XDR to automate analyzing your network, discovering anomalous behavior that indicates a potential intrusion, and alerting on that behavior so you can investigate and remediate the issue. Cortex XDR provides visibility into network traffic, simplifies threat investigation by correlating logs, and enables you to identify the root cause of alerts and respond immediately. Use Cortext XDR APIs to integrate with Demisto and automate responses using Desmisto response playbooks that are tailored to your business workflows, which can reduce response time from days to minutes.
    • Use WildFire to automate discovery of new malware. When WildFire discovers malware anywhere in the world, it takes at the most five minutes before WildFire updates your security profiles to protect you against the new malware.
  • Use templates and template stacks in Panorama to automate policy deployment.
  • Use tools such as Ansible, Terraform, and Python to automate, orchestrate, and accelerate protecting Prisma Cloud deployments.
Palo Alto Networks enables you to architect your Zero Trust environment and apply consistent security across all locations:
  • Panroma centralizes management policy control for multiple next-generation firewalls and increases operational efficiency compared to managing firewalls individually.
  • Corporate network and data center: Use next-generation firewalls to segment the network into microperimeters for your protect surfaces.
  • Public cloud: Use Prisma Access, which uses on-premise or VM-Series next-generation firewalls, and Prisma Cloud (an API-based cloud infrastructure security solution), to implement Zero Trust policy in cloud environments. Virtual private clouds (VPCs) define protection boundaries to segment workloads.
  • Private cloud: Use VM-Series firewalls to implement Zero Trust policy.
  • Branch office and mobile users: Use Prisma Access to provide cloud-based security and to avoid round-trips to corporate network resources. Configure Prisma Access for users and also Prisma Access for networks to secure branches.
    Alternatively, use an on-premises next-generation firewall with the GlobalProtect subscription service to extend security policy and enforcement to remote users and branch offices.
  • Endpoints: Layer protection using the next-generation firewall for segmentation and the first layer of protection and using Traps for the second layer of protection. Enforce consistent policy using GlobalProtect (on-premise installation) or Prisma Access (installed using Panorama and managed for you in the cloud) VPNs to extend policy to remote endpoints and enable policy to move with the user. Prisma Access requires the GlobalProtect app on mobile user endpoints. In all cases, install the GlobalProtect app on managed endpoints and use GlobalProtect Clientless VPN on unmanaged endpoints (endpoints on which you can’t or don’t want to place an agent, such as partner systems or personal devices). Apply Multi-Factor Authentication when appropriate to protect high-value assets.
  • SaaS applications: Use Prisma SaaS to scan, analyze, classify, and help protect SaaS applications. Redirect SaaS application traffic for unmanaged devices through your next-generation firewall (traffic from managed devices goes through Prisma Access, GlobalProtect, or a next-generation firewall).

Recommended For You