Third-Party SD-WAN Integration with Prisma Access
How to integrate SD-WANs with Prisma Access.
The following sections provide an overview of SD-WANs and describe how to deploy them with Prisma Access.
For information about Prisma SD-WAN (formerly CloudGenix) integration with Prisma Access, refer to the Prisma Access CloudBlade Integration Guide (Cloud managed).
SD-WAN Overview
As organizations grow across different geographical locations, choosing a network becomes a delicate balancing act of cost, performance, and security. A software-defined WAN (SD-WAN) simplifies the management and operation of a WAN by separating the networking hardware (the data plane) from its control mechanism (the control plane). SD-WAN technology allows companies to build higher-performance WANs using lower-cost internet access. With the adoption of SD-WANs, organizations are increasingly connecting directly to the internet, which introduces the challenge of securing remote networks and mobile users. Additionally, the deployment of SaaS applications has exploded, with many organizations connecting directly to cloud applications, which introduces further security challenges. The adoption of SD-WAN technology brings many benefits in cost savings and enables organizations to be agile and optimized. However, it also makes branch offices and users targets of cyber attacks.
SD-WAN security needs to be as flexible as the networking, but it’s not always easy to adapt traditional methods.
In a traditional campus network design, there is a full stack of network security appliances at the internet perimeter that can protect the branch, as long as all traffic is brought through the core network. SD-WANs don’t always use this design, especially when you integrate cloud applications.
An alternative to the traditional approach is to deploy network security appliances at the branch office, which complicates the deployment but brings security closer to the branch.
To understand the best way to secure an SD-WAN deployment, you should understand the different SD-WAN deployment architectures.
SD-WAN Deployment Architecture Types
SD-WAN technology uses the principles of software-defined networking (SDN) and separates the control plane from the data plane. Based on this principle, SD-WAN deployments generally consist of the following two components:
- A controller that administrators use to centrally configure WAN topologies and define traffic path rules.
- SD-WAN edge devices, either physical or virtual, that reside at every site and act as the connection and termination points of the SD-WAN fabric.
This section describes two different types of SD-WAN architectures:
- Type 1 (Branch and headquarters deployment)—At each branch site, organizations can deploy one or more SD-WAN edge devices and connect them to form an SD-WAN fabric or SD-WAN overlay. Administrators use the SD-WAN controller, based either in the cloud or on the organization’s premises, to manage and configure these edge devices and define the traffic forwarding policies at each site.
- Type 2 (branch, headquarters, and regional data center deployment)—This architecture adds SD-WAN devices in regional data centers, along with the SD-WAN devices at each branch and headquarters site. These regional data centers can be public or private cloud environments. SD-WAN devices at the regional data center aggregate network traffic for smaller sites in that region. Organizations use this deployment when there are multiple regional branch sites with lower bandwidth connections to the internet.
Secure SD-WAN Deployments with Prisma Access Overview
Prisma Access provides a flexible way to effectively secure SD-WAN deployments. By delivering security from the cloud and closer to the branch sites, Prisma Access lets you optimize networking and security with the same protections that you have at corporate headquarters.
Prisma Access supports standard IPSec tunnels from third-party SD-WAN edge devices using Internet Key Exchange (IKE) and IPSec crypto profiles.
While Palo Alto Networks has technology partnerships and jointly-qualified security integrations with SD-WAN vendors, this implementation is designed to be compatible with any SD-WAN as long as the SD-WAN supports creating third-party IPSec tunnels using standard IKE/IPSec.
To secure SD-WAN deployments, use the following workflow:
- Onboard the branch sites by setting up site-to-site IPSec tunnels between the SD-WAN edge devices and Prisma Access.
  - For a Type 1 (branch and headquarters) deployment, set up IPSec tunnels between the SD-WAN edge device at each branch and headquarters site and Prisma Access.
  - For a Type 2 (branch, headquarters, and regional data center) deployment, set up the IPSec tunnels between the SD-WAN edge device at each data center and Prisma Access.
- Use the SD-WAN controller to create traffic forwarding policies or rules for the SD-WAN devices. The SD-WAN edge devices at each site use these rules to determine the traffic to send to Prisma Access for security and threat prevention.
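The tunnel onboarding step above only succeeds when the edge device's IKE and IPSec crypto profiles share at least one proposal with the Prisma Access side. The following added example (not code from Palo Alto Networks or this guide) models that negotiation in Python: it finds the first proposal both sides accept in the initiator's preference order and flags legacy algorithms under an assumed hardening policy. All profile values and the WEAK set are constructed assumptions, not Prisma Access defaults.

```python
"""Constructed example: can an SD-WAN edge's IKE/IPSec crypto profiles
negotiate with the Prisma Access side? All values are assumptions."""
from dataclasses import dataclass

# Algorithms treated as weak under an assumed local hardening policy.
WEAK = {"des", "3des", "md5", "sha1", "group1", "group2", "group5"}


@dataclass
class CryptoProfile:
    encryption: list  # proposals in preference order, first = most preferred
    auth: list        # IKE: integrity/PRF; IPSec: ESP authentication
    dh_groups: list   # IKE: DH group; IPSec: PFS group ("none" = no PFS)


def negotiate(initiator, responder):
    """First mutually supported (enc, auth, group) in the initiator's
    preference order, or None when the profiles share no proposal."""
    for enc in initiator.encryption:
        if enc not in responder.encryption:
            continue
        for auth in initiator.auth:
            if auth not in responder.auth:
                continue
            for grp in initiator.dh_groups:
                if grp in responder.dh_groups:
                    return (enc, auth, grp)
    return None


def check_tunnel(edge_ike, pa_ike, edge_ipsec, pa_ipsec):
    """Evaluate both phases and return the outcome plus policy findings."""
    ike = negotiate(edge_ike, pa_ike)
    ipsec = negotiate(edge_ipsec, pa_ipsec)
    findings = []
    for phase, chosen in (("IKE", ike), ("IPSec", ipsec)):
        if chosen is None:
            findings.append(f"{phase}: no common proposal, tunnel will not come up")
            continue
        for alg in chosen:
            if alg in WEAK:
                findings.append(f"{phase}: weak algorithm negotiated: {alg}")
    return {"ike": ike, "ipsec": ipsec, "findings": findings}


# Constructed sample profiles: a current edge, a legacy-only edge, and an
# assumed Prisma Access side for each phase.
EDGE_IKE = CryptoProfile(["aes-256-cbc", "3des"], ["sha256", "sha1"], ["group14", "group2"])
LEGACY_EDGE_IKE = CryptoProfile(["3des"], ["sha1"], ["group2"])
PA_IKE = CryptoProfile(["aes-256-cbc"], ["sha256"], ["group14", "group19"])
EDGE_IPSEC = CryptoProfile(["aes-256-gcm", "aes-256-cbc"], ["none", "sha256"], ["group14"])
PA_IPSEC = CryptoProfile(["aes-256-gcm"], ["none"], ["group14", "group19"])
```

Running check_tunnel(LEGACY_EDGE_IKE, PA_IKE, EDGE_IPSEC, PA_IPSEC) reports that phase 1 cannot negotiate, which is the failure to look for when a third-party tunnel never comes up after onboarding.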