Secure Third-Party SD-WANs with Prisma Access Overview
How to integrate SD-WANs with Prisma Access (Panorama Managed).
The following sections provide an overview of SD-WANs and describe how to deploy them with Prisma Access.
For information about Prisma SD-WAN (formerly CloudGenix) integration with Prisma Access, see the Prisma Access & Prisma SD-WAN CloudBlade Integration guides on the Prisma SD-WAN Technical Documentation page.
SD-WAN Overview
As organizations grow across different geographical locations, choosing a network becomes a delicate balancing act of cost, performance, and security. A software-defined WAN (SD-WAN) simplifies the management and operation of a WAN by separating the networking hardware (the data plane) from its control mechanism (the control plane). SD-WAN technology allows companies to build higher-performance WANs using lower-cost internet access. With the adoption of SD-WANs, organizations are increasingly connecting directly to the internet, introducing security challenges to protect remote networks and mobile users. Additionally, the deployment of SaaS applications has exploded, with many organizations connecting directly to cloud applications, which introduces further security challenges. The adoption of SD-WAN technology brings many benefits in cost savings and enables organizations to be agile and optimized. However, it also makes branch offices and users targets of cyber attacks.
SD-WAN security needs to be as flexible as the networking, but it is not always easy to adapt traditional methods.
In a traditional campus network design, there is a full stack of network security appliances at the internet perimeter that can protect the branch, as long as all traffic is brought through the core network. SD-WANs don't always use this design, especially when you integrate cloud applications.
An alternative to the traditional approach is to deploy network security appliances at the branch office, which complicates the deployment but brings security closer to the branch.
To understand the best way to secure an SD-WAN deployment, you should understand the different SD-WAN deployment architectures.
SD-WAN Deployment Architecture Types
SD-WAN technology uses the principles of software-defined networking (SDN) and separates the control plane from the data plane. Based on this principle, SD-WAN deployments generally consist of the following two components:
- A controller that administrators use to centrally configure WAN topologies and define traffic path rules.
- SD-WAN edge devices, either physical or virtual, that reside at every site and act as the connection and termination points of the SD-WAN fabric.
This section describes two different types of SD-WAN architectures:
- Type 1 (Branch and headquarters deployment)—At each branch site, organizations can deploy one or more SD-WAN edge devices and connect them to form an SD-WAN fabric or SD-WAN overlay. Administrators use the SD-WAN controller, based either in the cloud or on the organization’s premises, to manage and configure these edge devices and define the traffic forwarding policies at each site.
- Type 2 (branch, headquarters, and regional data center deployment)—This architecture adds SD-WAN devices in regional data centers, along with the SD-WAN devices at each branch and headquarters site. These regional data centers can be public or private cloud environments. SD-WAN devices at the regional data center aggregate network traffic for smaller sites in that region. Organizations use this deployment when there are multiple regional branch sites with lower bandwidth connections to the internet.
Secure SD-WAN Deployments with Prisma Access Overview
Prisma Access provides a flexible way to effectively secure SD-WAN deployments. By delivering security from the cloud and closer to the branch sites, Prisma Access lets you optimize networking and security with the same protections that you have at corporate headquarters.
Prisma Access supports standard IPSec tunnels from third-party SD-WAN edge devices using Internet Key Exchange (IKE) and IPSec crypto profiles. For a complete list of IKE and IPSec crypto profiles supported by Palo Alto Networks, refer to the following documents:
While Palo Alto Networks has technology partnerships and jointly-qualified security integrations with SD-WAN vendors, this implementation is designed to be compatible with any SD-WAN as long as the SD-WAN supports creating third-party IPSec tunnels using standard IKE/IPSec.
To secure SD-WAN deployments, use the following workflow:
- Onboard the branch sites by setting up site-to-site IPSec tunnels between the SD-WAN edge devices and Prisma Access.
- For a Type 1 (branch and headquarters) deployment, set up IPSec tunnels between the SD-WAN edge device at each branch and headquarters site and Prisma Access.
- For a Type 2 (branch, headquarters, and regional data center) deployment, set up the IPSec tunnels between the SD-WAN edge device at each data center and Prisma Access.
- Use the SD-WAN controller to create traffic forwarding policies or rules for the SD-WAN devices. The SD-WAN edge devices at each site use these rules to determine the traffic to send to Prisma Access for security and threat prevention.