Security even without a proxy?
1 | © 2020 Palo Alto Networks. All Rights Reserved.
Marc Horstmann, Channel Systems Engineer
PRISMA ACCESS
Business Forces are Driving Change
• Cloud Adoption: 94% of businesses use the cloud (2019 State of the Cloud Report, Flexera)
• Mobility: 43.3% of the global workforce will be mobile by 2023 (Global Mobile Workforce Forecast Update 2017-2023, Strategy Analytics)
• WAN Transformation: By 2024, 60% of enterprises will have implemented SD-WAN (2019 Gartner Magic Quadrant for WAN Edge Infrastructure)
Existing Cloud Access Security Solutions are Complex
1. Complex
2. Poor User Experience
3. Security Gaps
[Diagram: HQ, data center, public cloud, internet and SaaS reached by branch/retail and mobile users over remote access VPN, site-to-site VPN, MPLS, web proxy and CASB proxy, with an unsecured direct path]
Secure Access Service Edge (SASE) Convergence
Secure Access Service Edge: the convergence of Network as a Service and Security as a Service
Prisma Access: The Industry's Most Comprehensive Secure Access Service Edge
Security as a Service Layer: SSL Decryption, CASB, Cloud SWG, ZTNA, FWaaS, DNS, DLP, Sandboxing
Network as a Service Layer: SD-WAN, QoS, Policy Based Forwarding, IPSec VPN, SSL VPN
[Diagram: SaaS, public cloud, internet and HQ/data center reached from branch, retail and mobile users through the two Prisma Access layers]
Prisma Access: A Truly Cloud Native SASE
• Globally distributed
• Software-based, hardware-neutral
• Single-pass scanning for threats
• Containers / microservices-based
• In-line encryption / decryption that scales
• Scale out and back as needed
• Multitenant by design
Prisma Access Connectivity Architecture
Connection options:
• IPsec tunnel: 3rd-party device or Palo Alto Networks NGFW / SD-WAN
• IPsec/SSL VPN tunnel: app on the user's device
• Clientless VPN: SSL/TLS web browser
• Service connection with IPsec tunnel to HQ/data center
Layers:
• Security Layer: single-pass security processing (Security Processing Latency Service Level Agreement)
• Networking Layer: connecting users and remote networks over the public internet / SP interconnect
Traffic to the internet, public cloud and SaaS is routed through the customer's egress IPs; SaaS reached via Tier 1 peer (SaaS Latency Service Level Agreement).
The Problem: Mobile Users
• VPN is designed for remote access to data centers, not cloud access
• When using cloud applications, users disconnect
• Mobile users still need security, but now they're at risk
The Problem: Branch and Retail
• MPLS is costly and slow to provision
• Broadband provides a better user experience for cloud applications
• Direct internet access in the branch introduces risk
Our Approach: Mobile Users
• Before: remote access VPN traffic is backhauled to the data center (private cloud) before reaching public cloud / SaaS / internet
• After: remote access VPN traffic goes through the SASE in the cloud
Our Approach: Branch and Retail
• Before: branches are connected back to the data center via private MPLS
• After: branches are connected to the data center and cloud via the SASE over SD-WAN
Prisma™ Access Benefits
• Consistent, industry-leading security
• High performance, end-to-end
• Simple to consume
• Centrally managed by Panorama
[Diagram: BYOD, ISP, branch, retail and mobile users connected through Prisma Access]
Network as a Service Layer: VPN
IPsec VPN, SSL VPN/IPsec, SD-WAN, Clean Pipe, Clientless VPN
Zero Trust Network Access
• Contextually control who can access your applications and data
• Maintain full inspection of traffic on all ports & protocols
• Enforce consistent DLP policies to control data movement and enforce compliance
Context sources: User-ID, App-ID, Host Information Profile
[Diagram: user accessing SaaS, public cloud and HQ/data center]
Quality of Service
• Enforce QoS for bandwidth on all ports & protocols
• Use existing tags
• Apply QoS tag policy based on User-ID and App-ID
Traffic classes:
• Critical Applications: payment processing and monitoring systems
• Latency Sensitive: VoIP, conferencing, and webcasts
• Non-Critical Applications: personal video streaming and personal web browsing
Firewall as a Service
• Enforce policies in Prisma Access, removing the need for a branch device
• Inspects inbound and outbound traffic
• Centrally commit policy updates in one location
Threat Prevention
• Blocks known malware, vulnerability exploits, and C2 activity
• Single-pass architecture
• Prisma enforces policies on App-ID, User-ID and SSL Decryption
Threat intelligence sources: Unit 42, WildFire telemetry, passive DNS, Cyber Threat Alliance
[Diagram: all traffic passes through protocol decoders and anomaly detection, is matched against the threat database (vulnerability, malware/anti-virus, C2, file type, data), and threat matches trigger automated policy enforcement]
Security as a Service Layer: Cloud Access Security Broker
[Diagram: SaaS apps classified as sanctioned, tolerated or unsanctioned; API connection to SaaS apps; users at HQ, branch, retail, mobile and on unmanaged devices]
paloaltonetworks.com
Email: [email protected]
Twitter: @PaloAltoNtwks
Security, even without a proxy.