Branch Connectivity, Remote Worker Security: a New Twist

Published on February 26th, 2023

There’s a paradigm shift I’m seeing with how organizations are securing their branch offices and remote workforce: they’re moving away from the traditional firewall at every branch office for a north-south perimeter security architecture. Let’s dig a little deeper.

Traditional Branch Office Architecture

In many branch office deployments, we have traditionally seen the use of MPLS as a private WAN to connect the branch offices to a datacenter at headquarters. Another design model was to have a firewall at every branch office and connect back to the HQ datacenter via an IPsec VPN connection. This deployment may have been fully meshed or partially meshed, depending on how the resources that required access were dispersed. In the IPsec VPN scenario, manually creating and maintaining the VPN connections on every firewall is a configuration and operational headache. Supporting this architecture requires not only the creation of all phase 1 and phase 2 profiles, but also the creation and validation of all of the routing that goes along with this type of deployment. An additional burden is the ongoing care and feeding, and the requirement to “refresh” this firewall hardware based on either a depreciation schedule or the end of the equipment’s life. This constant “refresh” brings additional headaches around the cost to acquire, configure, ship, deploy and test new hardware. Depending on the timing of this refresh, it may also require running a newer version of the operating system, which in turn may require an upgrade of the management platform to support that new version. In summary, the IPsec VPN model is a very time- and resource-intensive effort for organizations to maintain.

A New Branch Office Architecture on the Rise

The COVID pandemic has played a part in how organizations support their mobile workforce. Many enterprises were built for a subset of their employees to work remotely, but very few were prepared for their entire workforce to work from home. This required many organizations to quickly come up with a 100% remote design. In some cases, this required new HQ or datacenter hardware. It may have included the need to move to a split-tunnel VPN scenario to alleviate bandwidth constraints and trade off security for performance. It also meant that no one was working in the branch office.

Many CISOs began looking at SASE solutions and their potential to quickly deploy a secure architecture to support a mobile workforce. They also took this time to reevaluate how their branch offices were deployed and secured.

These organizations started to look at whether SASE solutions might also be a fit for securing their branch offices. In some cases, organizations realized they no longer wanted to be in the “firewall business.” The constant care, feeding and refreshing of this equipment every three-to-five years no longer made business sense.

Palo Alto Prisma Access for Remote Networks

One of the solutions that these customers started looking at was Palo Alto Networks Prisma Access for Remote Networks. Constantly configuring and managing endpoints at every branch office can become complex, and the difficulty is compounded with each newly added branch office (and its specific mesh requirements). Using Prisma Access for Remote Networks, a branch office is onboarded to the service via an IPsec tunnel. On the branch office end, this IPsec tunnel can be established from any device that supports IPsec connectivity, such as an SD-WAN device or even an on-premises router. Once onboarded and established, all traffic from the remote branch can traverse a Palo Alto Networks firewall in your dedicated Prisma Access environment.

What do I mean by “can”? Customers that have deployed an SD-WAN overlay for their internal branch office communications, possibly to replace MPLS, can onboard the SD-WAN device onto Prisma Access. They can then route all internet- or SaaS-based application traffic through the SD-WAN device and on through Prisma Access to get the same visibility and control over this traffic as they would with an on-premises Palo Alto Networks firewall. The only difference is that this firewall lives in the Prisma Access cloud.

High Level Diagram

[Diagram: branch office onboarded to Prisma Access over an IPsec tunnel; image not reproduced in this copy]

Shared Management Model

Prisma Access follows a shared management model. The responsibilities break out as indicated below.

As part of the service, Palo Alto Networks takes care of:

  • OS updates for the Prisma Access infrastructure
  • Guaranteeing the availability of the service
  • Automatically scaling the service when needed
  • Generating logs
  • Establishing full-mesh networking within the Prisma Access infrastructure, as well as secure internet access
  • Monitoring all the networking infrastructure within Prisma Access and providing status information
  • Deploying the Prisma Access networking infrastructure to support the remote network
  • Deploying the network infrastructure within Prisma Access to enable branch and mobile user access to your corporate network
  • Provisioning security processing nodes as needed to support your licensed Prisma Access services

The Home Office User

Another paradigm to consider is the “new” home office user. Many organizations are now considering a permanent or hybrid work-from-home (WFH) environment. One of the concerns with this is securing home users. Do I treat them as mobile users or as a branch office of one? A few things to consider:

  • What devices are used by this home user? Corporate laptop, corporate IP Phone, personal devices? Are there corporate devices that cannot run a client?
  • What do home user networks look like? Do they have appropriate secure wireless coverage?

If I wanted to treat this home user as a branch office of one, how would I securely connect him/her to the network? Backhaul all the traffic over a VPN tunnel from a device I can’t manage?

Palo Alto Networks now offers a home solution called Okyo Garde. This device provides powerful Wi-Fi 6 coverage, broadcasts corporate Wi-Fi in the home while segmenting the home network, and can also be onboarded to Prisma Access and managed via the Prisma Access Cloud Manager. Below is a high-level diagram showing how corporate traffic would traverse and be secured by Prisma Access, while the home user’s personal traffic would be protected by the Okyo Garde device.

[Diagram: corporate traffic secured by Prisma Access, personal home traffic protected by Okyo Garde; image not reproduced in this copy]

Okyo Garde provides new capabilities for visibility and control for both the user and the enterprise:

Personal network

  • App-based management for the home office worker
  • Split networking keeping personal data private
  • Security coverage for all interconnected devices

Corporate network

  • Enterprise SSID broadcast into the home with 802.1X authentication
  • Fully managed by the enterprise
  • Prisma Access provides a consistent policy across all connections

Organizations that have a large number of branch offices deployed with traditional firewall appliances providing north-south internet perimeter control and VPN connectivity for private application access now have another option. They may be looking to move away from a CapEx model, where they’re having to purchase/refresh, configure and deploy new branch firewalls every three-to-five years, to an OpEx model, where they consume this branch security as a service.

The pandemic has introduced us all to a much more extensive WFH model. Many organizations are thinking of these remote employees as branch offices of one. And as we know, home offices have a number of devices on the network that are potentially vulnerable to compromise and malware. Being able to segment these home networks with a device the corporate office can manage reduces risk for the organization and provides an additional layer of security.