Enabling Secure Cloud Transformation with the SASE Framework (T11665)

Captions
Hello everybody, good afternoon. Before we start the session: this is something Lee talked about a little bit ago in the keynote, where he was talking about how Prisma Access is a new foundation for the SASE framework, so we're going to talk about that topic in a little more detail in this session. My name is Javi Menon. I'm a director of product management at Palo Alto Networks for our Prisma Access product line, and I'm joined here by my co-presenter; I'll let him introduce himself.

Yeah, Warburton, also product manager. My focus is on the infrastructure side of Prisma Access.

All right, so with that, here's the agenda for this session. We'll talk about why the SASE framework makes sense, what it is about, and why Prisma Access is our unique approach to that SASE framework. We'll talk about a little bit of the use cases where you can apply this framework in your security posture, and then we will go a little deeper into the feature sets of Prisma Access that help you deploy security in a SASE framework. Then we'll come back and talk about a little bit of the business value, and then what momentum we are seeing in the field behind this framework.

Right, so what are the foundational emerging challenges because of which this framework is being proposed by Gartner? What is the reason for that? One is, if you start looking at how businesses are transforming, you will see that about 94% of the businesses or enterprises around the world are doing some form of cloud adoption. Whether it is one app or 10 apps or a hundred apps, they are deploying applications in the public cloud. Is there anybody in the room who's not deploying an app in the public cloud? Zero. Okay, so that's a hundred percent for this room then, not 94. And the researchers are also predicting that about 42 percent of the user base will be mobile workforce in the next couple of years. That number would be around 30 percent or
something as of today, but that number will grow up to about 42 percent of the mobile workforce that is computing from outside of your controlled environment, which means they will be working from public networks like Starbucks, hotels, home offices, and so on and so forth. And then also, if you start looking at branch and retail, this is a very interesting fact: how the attacks on the POS systems in these networks have overtaken the regular attacks that are happening inside the network.

So if you put all of these things together, what's happening is that, in order to solve these problems, what customers or enterprises have been deploying in their network is that fragmentation of different technologies. This is the 200-tech security vendor landscape that Amit talked about in the keynote; this is that picture that Nir was showing in his presentations, where many homes are built with ladders and so on and so forth, a picture that can collapse at any moment. This is what it is about. In order to deploy this, you are deploying multiple kinds of different technologies for different use cases. For branch use cases you have MPLS or a site-to-site VPN, and then you have a secure web gateway where you have proxies deployed in the environment; you also have mobile remote-user VPNs deployed in the environment; CASB is deployed in the environment; and all of them have to sit together in order to provide the security across your enterprise. And in order to do that, now you have to talk about multiple management consoles, multiple people who need to be trained and operationally efficient in order to be able to do this. So first, this is a very complex architecture to manage and maintain. Second, it provides a very poor user experience, because the user's security posture or access to applications varies based on his location: if he's in
a branch location, he may get access to a different set of resources; when he is mobile, he will get access to a different set of resources; and so on and so forth. On top of that, it does create security gaps, because if you find a threat or a policy in one place, in one product, the same policy is not applied in the other places, and it does leave gaps in your security posture.

Right, so what is our unique approach? This is something that Gartner defined, which is called secure access service edge, and they're calling it SASE; that's the acronym for it. What SASE means is you deploy network as a service, and you deploy security also as a service, so that you can consume all of this, and together it forms a secure access service edge. What that secure access service edge means is that networks and users and infrastructures connect into that access edge as a network as a service, and then security is applied on top of that connectivity, and then you get the benefits of different things. What are those different things? For security as a service, we have talked about this: SSL decryption, CASB, cloud secure web gateways, zero trust network access, firewall, DNS, DLP, and sandboxing. This is what Gartner is also defining as the security-as-a-service offering that needs to be delivered from this framework. On top of that, for the network piece of it, SD-WAN, QoS, policy-based forwarding, IPSec VPN, and SSL VPN have to be delivered in order for this to form an edge where the users or networks can connect and consume it as a security service.

So Prisma Access provides exactly that. It provides a network-as-a-service layer where your mobile users and branch users can connect into, and then it provides a security-as-a-service layer on top of that. So once the connectivity is complete, you apply a security layer on top of the traffic that comes into the network, and it allows you access to the destinations
where your applications reside, and those applications could reside in the public cloud, SaaS, your data center, or just general internet web browsing. And then you can manage all of this from a central management platform, for both network and security, from a common management platform. That's what Prisma Access is able to provide.

If I break this into each of these buckets, you will see that for branch and retail and mobile users you can connect into the network using any of those technologies: you can connect into the service using SD-WAN or an IPSec tunnel, you can apply QoS on it, you can connect using an SSL VPN, you can policy-based forward your traffic into the network, and you can also provide this network as a service where these different endpoints can connect into. Once the traffic enters the service through this network layer, then a security layer gets applied, and in that layer you have the most comprehensive security, which is everything like DNS, DLP, sandboxing, threat prevention, URL filtering, SSL decryption, all enabled on that one. For Prisma Access management you have both options, which is cloud management as well as management using our existing Panorama, which you can manage your on-prem firewalls with also. And then you can connect into different applications no matter where the applications are, whether SaaS or public cloud or your data center, or general internet web browsing. So if you look at this, it is combining all of those disparate technologies into one platform that you can just consume as a service. You don't need to deploy any of this: secure web gateway, CASB, firewall; everything is consumed as a service without you having to deploy or manage or operate any of that. You only manage policies in order to be able to get access to this network. And on top of this, Prisma Access is deployed in more than 100-plus locations around the world, so it's available for you to
be able to consume just as a service where you want it, no matter where your businesses are or where your users are located. Okay, so with that, that's a little bit of what we will talk about: more of the use cases and other elements of the SASE framework.

So I'm going to go into a couple of use cases and then do a little bit of a deep dive on the actual service. For the mobile user use case, traditionally this was solved using a remote access VPN, which was good for getting users to your data center where your application was hosted, probably behind your firewall. But as we have more and more cloud adoption, more and more SaaS apps, as well as more and more public cloud hosted apps of your own, this doesn't work very well. What often happens is, using a traditional solution, you're backhauling the user all the way to a data center and then going out to the cloud to get security; performance isn't as good, and so what do users do? They turn it off. So now they're happy because the performance is better, but you're completely blind to what they're doing, so it's not a good security posture, and the user is having to choose between being a good corporate citizen and following the process, or getting better performance so they get their job done, which is not a situation we want to put our users in. So on the left, backhauling to the data center where you had your security stack, giving them security with high latency; sometimes they turned it off. On the right, get that security close to where they are, so they have really good performance, but still give them the access to the corporate data center where you may still have applications running. So it's the best of both worlds. You have the remote access VPN solved; that's the security, or rather the network-as-a-service, component. But you also have the security stack close to where the user is, so if your headquarters is in Europe and you have users in Asia or in the US, they can get security there and not have to backhaul to Europe, so they're not
turning it off, because most of the time they don't even remember it's on. It just works and they're happy. So as Javi mentioned, we have lots of locations, keeping the latency as low as possible, not impacting the performance. We're using our next-generation security stack in the cloud, so all the applications are supported; it doesn't have to be proxyable. So like Nir talked about, it is a full security stack, so all the applications are handled and it's always there. I do a lot of discussions with customers; I'm doing a demo and they say, well, what does the client even look like? I'm like, oh yeah, I've been running it this whole time, I forgot it was running, but let me show you that it's running and how I could manually connect if it wasn't running. But it is just always on; it's just always there.

So switching here, it's branch and retail, the second use case. The common way to solve this is MPLS, just like we talked about in my morning session and Nir talked about. You can use MPLS to backhaul; it's expensive. Broadband has become very cheap and it's a lot more available across the world than it used to be. Broadband gets users very quickly to the SaaS applications; the SaaS applications are hosted around the world, there's caching, there's a broad CDN network, so broadband is really good for getting to that. But if you go direct to the application, then again you're blind to it. So you have the same struggle that we had with the mobile user: do you backhaul to give them full security, or do you let them stay local and then put a lightweight security stack that's not as good as what you have in your headquarters, or is difficult to manage because of the scale? So again, on the left, traditional MPLS backhaul, higher latency; on the right, just like the mobile user, get the security close to where the users are consuming it. So if you have branches all over a continent or all over the world, you can get security close to where they are, get them back to the internet quickly if they're going to a SaaS
application, give them that good broadband experience, but also get them back to the headquarters if they need to get to hosted applications on your site. So you get a better user experience, you've lowered your cost because you can replace some or maybe all of your MPLS, and you're not compromising on security: you have the same security posture everywhere. You as a customer manage it, either via Panorama or the new cloud management; you have full control, and you're not having to do a subset of security features at a branch location that you have at your headquarters. You have the full stack in all locations.

So a little more detail. As Nir and Lee talked about, you can connect SD-WAN to Prisma Access. Prisma Access can be your hub; you don't have to deploy the hubs and form all of the backbone and do all the peering with the SaaS applications. We've done that, and so you can just leverage that service from all these SD-WAN devices, whether it's ours or a third-party integration: very high performance, easy to consume, and you're getting the full security stack when you use our solution. When you're connecting to the service you have all these different methods. So branch and retail locations, typically that's IPSec VPN today; mobile users can be IPSec or SSL; we now will have a branch/retail SD-WAN option. There's something called Clean Pipe; it's a third use case that service providers are purchasing from us, where they can take their tenants, their own customers, bring them across their network, and then come out at Clean Pipe aggregation points at very high speed, up to 10 gigabits per tenant, and they can do that across hundreds or thousands of tenants. And then the clientless VPN: so if you're working with a partner or you have a situation where employees have their own devices that can't run the client for any reason, then you can use clientless VPN to solve for that. So that's all the networking part, but we still need security. We don't want to buy a good network solution where security is an
afterthought. So all the things you get in PAN-OS you get here: User-ID, App-ID, HIP profiles. You can get all the information, have full visibility and control, and really be very granular with your policy, whether it's going to a SaaS app, going to the public cloud hosted app, or to your data center. DLP is very important here now, with the new DLP feature that is now inline with Prisma Access.

And for your connections: I talked to somebody in the earlier session today; they were trying to find the right balance of, do I buy a whole bunch of throughput, or do I buy a little bit less, but then how do I deal with it when I run out? So we do enforce at about, I think it's a hundred and ten percent of the throughput that you license for a site. So I'm talking about branch or retail locations: definitely you want to turn on QoS in this case, so that your business-critical applications are guaranteed a certain amount of throughput, and at the other end, non-critical applications, YouTube, Netflix, if you allow those things, you can reduce the maximum amount of throughput they'll get, so they're not taking too much from the pipe. And oh, by the way, you can actually use domain-based routing to keep those off the network in the case of mobile users, which is a really good feature as well.

So in this release that's coming out now we have DNS Security; that's the PAN-OS feature that was in 9.0 which we're adding to Prisma Access. So we have all these sources of intelligence on the left. DNS is one of those applications where traditionally you opened up port 53 and just kind of crossed your fingers, and attackers know that; they leverage that heavily, because if you try to lock it down and you do a bad job at it, everything breaks, because everything needs DNS, and so a lot of people just leave it open without really good inspection. So we have all these sources of information to find out how DNS is being abused, whether it's data exfiltration or malware, and we use that to block all the bad domains, but
we also monitor what we don't know is bad yet, and very quickly add that to our intelligence and block that. We also look for DNS tunneling; that's a really common data exfiltration technique, which is just to leak data slowly through what looks like DNS queries. We can monitor for that and stop that as well. All of this works in Prisma Access.

And we've always had all the threat prevention features. So in addition to App-ID and User-ID, you should be doing SSL decryption. Hopefully you saw Mandeep's session this morning; if you haven't, I believe it was recorded. It's a really good session on how to go about SSL decryption. You should absolutely be doing that in your Prisma Access service as well, because it's a shared ownership model: you own the policy, including what to SSL decrypt, because you know the local laws and requirements for what you can do. We don't do that for you, but we have best-practice recommendations to help you get started, including that session this morning. But you get all of the threat information, WildFire, passive DNS; all those features are included as part of the service. You don't have to go add subscriptions and monitor that and, when you do renewals, we own that, we do that for you. You just apply the policy to use those features.

And now with the release coming out, DLP: inline, built into Prisma Access, you can do DLP. This was something that a lot of customers were waiting for, so they're very happy about it. It lets you create really good control about what traffic is leaving your network, making sure the wrong things aren't going out, and you can get reports, you can actively block things with all the different built-in and custom patterns. Really powerful feature, and there's a lot of patterns built in based on specific country requirements about what PII is.

So CASB, one of the features that Javi showed earlier; I just want to highlight it a little bit. So you can have all your users, whether they're mobile users or branch locations or from a headquarters, going
through the next-gen security service using Prisma Access, but you can also layer on top of that, on the top right, the API-based Prisma SaaS, so that while the data is there you can monitor it, you can look for things, you can see: are the permissions too wide, or is there malware that some users uploaded and we need to quarantine that? So even while the data is at rest in your cloud, our Prisma SaaS service will look for that, it will monitor it, it'll give you reporting, it will block it, quarantine it, whatever it needs to do. So it's another layer of protection that you can add on top of this.

And lastly, Clean Pipe, which I mentioned a couple of times. So on the left we have a service provider, maybe it's a large telco or MSSP; they have lots of customers, and each of those customers may have many sites. So they buy connectivity from this telco; the telco can sell them a value-add security service, which can now be delivered from Prisma Access via this Clean Pipe use case. What this does is it actually connects those tenants over Google's Partner Interconnect, which is kind of like Direct Interconnect, or AWS uses Direct Connect, but it's all API-driven, so this can be provisioned in under an hour per tenant, all with APIs from Panorama. Each of those tenants, which again could be many sites for that region, comes in to a unique VPC running their provisioned security stack of Prisma Access. This is an outbound-to-the-internet use case for securing high-speed traffic, and as it says here, up to ten gigabit, so it's very high throughput. So I'm going to pass it back to Javi to go through some business values, and then I'll come back up for Q&A.

So the real goal of this framework is to be able to deliver a better business outcome. The better business outcome is how quickly can you onboard a site, or how quickly can you onboard your mobile workforce. Because this infrastructure is delivered as a service and delivered from the cloud, and it's available in almost a hundred
plus locations around the world, covering about 70-plus countries, the speed and agility with which you can onboard this infrastructure at that massive scale is in days or hours, not years or months of planning. And we have seen some of our larger customers being able to get the service up and running and delivered to their users within a couple of days. That's the advantage of this layer: you just come in to your management platform and you click a few buttons here and there, and some magic happens in the back end, and the firewalls and the infrastructure and the services are all ready for you to start consuming. That's the power of delivering this framework as a service offering to our customers. It really takes off the operational burden of deploying and managing this infrastructure at that global footprint.

And because now you are deploying this across your entire infrastructure, what happens is you get really good, consistent security no matter where the user is: whether they are mobile workforce working from Starbucks, they're working from your headquarters, or they are working from a branch office, they are all going through exactly the same security policy, and that is the best-of-breed security that can be available on all ports and all protocols. Fully connected: anybody can talk to anybody, which means mobile users are connected to your headquarters data centers, mobile users are connected to your public cloud applications, mobile users are connected to your SaaS applications, mobile users can also browse to the internet; nothing is left behind. And all the branches, the branches can talk to each other, the headquarters, and the staff sitting in the headquarters can reach the mobile users, can reach the branch users, and do all of that work in a very efficient, secure manner. That's the power of the platform. So you are getting a very consistent security posture because your policies are all managed from one single place and
deployed across the entire infrastructure. You're not writing policies which are different for mobile users versus branch users depending on where the user is. Makes sense? And because of this, you have reduced your operational complexity. How many of you are familiar with Panorama here? Okay, almost everybody. So this entire Prisma Access service just becomes one template stack and one device group in that Panorama infrastructure, and the policies and configurations that you already have, you can very simply, without even having to recreate them, just use that as a child device group and push those policies out to all this infrastructure. So that's the power of using that management platform and simplifying the operational complexity around it.

And now, because the experience for the user is to just work, they just open their laptops and they start working; they don't have to worry about where they are and what kind of quality of service they will get depending on what locations they are working from. They get a really good user experience, and what that means is they are also getting a very consistent user experience. It's not that, oh, when I was home and I was trying to access this application I could not access it; oh well, I was here, I could not access that application; I was able to access the application, but because I moved two networks down I was not able to get access to those applications. All of that complexity goes away and the user experience improves. That's the advantage of being able to deploy this as a service at a massive scale. It's not about deploying one firewall in one location; we are talking about deploying hundreds of firewalls around the globe with just a few clicks here and there. That's the power of Prisma Access.

So if you talk about momentum, just to highlight a couple of use cases: we have a global consulting firm which operates in about 158 countries. They are a
big consumer of Prisma Access services. So for their mobile workforce, they said, okay, I'm going to take everything off the infrastructure and I'm going to have all the users connect into the service from all these different countries and all these different locations, and provide access to my entire infrastructure through the service in a secure manner. So this is a massive, large-scale deployment; this doesn't happen overnight. And so this is the kind of infrastructure where, because we are operating it as a service in the cloud environment, we are able to automatically scale and expand to this kind of growing user population, and as the demand shifts, even if these 158-country users decide to come to one country for a particular user conference or a company event or whatever, because we are delivering the service at public cloud scale, it automatically scales up and is able to provide that service for that growing user base, or shifting demand for that matter.

Shifting gears from mobile users, if you talk about sites: how do I secure office locations? In the older model you would have deployed a stack of security in the office, or connected that office into your corporate data centers in order to provide that security stack. But here, there's a large retailer, a US-based retailer, who removed all the security stack from all their retail stores, and they were able to onboard about 1,600 retail stores to our Prisma Access service in a SASE format and consume this as a service. And this deployment happened in less than a month: 1,600 worldwide, US-based stores, being secured and onboarded to the service.

Okay, we are purposefully keeping the talk track of this session limited to 30 minutes or so, so that we can open it up for more questions, in case you have some. Yeah? Yes, so the question was, for the new features like DLP and DNS Security, what's required before they're
visible for current customers. Right, so for that feature set, yes: both DNS Security and the DLP service will be available to customers if you upgrade your Panorama to 9.0 and you upgrade to the 1.5 plugin. The DNS Security will be available to all customers at no additional cost, so if you are a Prisma Access customer you will be able to consume the DNS service as is, meaning you don't have to buy or pay for anything. DLP, on the other hand, is not a free service, so that you all understand, and currently with 1.5 we are launching that in an eval mode for now so that you can try out the DLP service, and we will make that available to purchase pretty shortly.

How is it different for the branches, for instance, if you compare it to IPSec VPN? Do you need any device at the site, a third-party device, and do you need a parallel device there for the SD-WAN solution?

Okay, very good question. So there are two ways, or three ways if you will, by which you can onboard an SD-WAN device into Prisma Access. The first is it could be any SD-WAN device on the network. First of all, it can be any device that is capable of creating an IPSec site-to-site tunnel to Prisma Access; you can onboard a site using a site-to-site VPN tunnel. If it's an SD-WAN device, whether VeloCloud or CloudGenix, it doesn't matter; any SD-WAN device, you will be able to onboard that device into Prisma Access using the site-to-site VPN tunnel from that SD-WAN device. The advantage of that one is that if you already have an SD-WAN deployment going on, you can continue to use that. But what we announced today is that the Palo Alto Networks firewall, a PA-220 or a PA-850 or a PA-3220, any of those Palo Alto Networks firewall devices, or a VM-Series firewall for that matter, will have the SD-WAN capabilities built into PAN-OS itself. So instead of deploying a third-party SD-WAN device, if you deploy the Palo Alto Networks device in a
branch, then you get the benefit of the SD-WAN, you get the benefit of end-to-end connectivity. It's not just about being able to reach us; we also announced the SaaS latency SLA, which means that you're getting end-to-end connectivity from the service using our devices, and you can also provide local segmentation and local security in the branch, because you have deployed a firewall in the branch. So it's an end-to-end security play if you decide to deploy our devices as an SD-WAN device and an on-prem networking and security device. Does that help answer your question?

Okay, so the question was when that functionality will be available in PAN-OS. So that is currently in beta; many of our customers are already testing that, and this is part of the 9.1 release. It will be available to most of our customers; you will have to buy the SD-WAN subscription that we talked about in the keynote, and if you buy that, that functionality gets enabled. So by the end of this year that will go GA, but it's already in beta. There are many, many customers who are already trying that in beta and providing very good feedback to us, and there's also a live beta forum for you to participate in. If that is something that is of interest to you, you should talk to your account team and participate in the beta to get early access. Thank you.

The mobile user client, will that be integrated with the Traps or Cortex client, or is it a separate client?

Yeah, two different clients. So the difference is the Cortex client is providing endpoint security, meaning whatever is happening on the endpoint, it is securing that. The GlobalProtect client is providing two functions: one, it is providing network security for anything that goes in and out of the device. That's how you should think about it: anything that is locally running on the device is Cortex; anything that is leaving the device, in and out of the
network is provided by GlobalProtect. But on top of that security, GlobalProtect is also providing you access to the applications; that connectivity needs to be provided so that you can get access to your business applications as well when you're not in the network.

I couldn't hear it. So the question was, Cortex is a framework; will the GP client become part of the Cortex framework at some point? Maybe, but there's no current plan to combine the two clients into one client.

SSL decryption: is there any way to limit to which regions we deploy the decryption certificate? So for example, if you operate in North America and Europe and we don't want them to be deployed in Asia, is that possible with Prisma?

Help me understand, why would you want to do that?

For example, we are onboarding some new regions and they have a separate tenant, and we would like to use their certificate, for example, at them, and keep using our one for North America and Europe.

So if you're thinking about having different entities in different regions, then we have a feature called multi-tenancy. You would deploy that feature and turn that on, and then you can control that that way.

Perfect. So specific to that SD-WAN solution, how are you managing the middle mile?

Yeah, so there are a couple of components to that. There is a session on Friday that's just focused on how Prisma Access can be the hub for SD-WAN, so you'll get a more complete answer there. But for the middle mile piece, we do have today monitoring and redundancy, and we're looking at throughput; we have lots of metrics that we track over time. We'll start to do more and more routing around jitter, latency, things like that as they change and become more dynamic, but already today we have lots of redundancy and throughput for the middle mile where Prisma Access is the SD-WAN hub.

So the question was, is this an acquisition
or did we develop it so so the the device that like the PA to 28:20 example that's that's a panelist feature that will add SD when using Prisma access that we built already today so prism access today is already built on panelists under the hood as far as a security compute over time will be adding functionality that's also pan OS developed it so it's not an acquisition it's all in our own development yep both at the edge and in the cloud but yeah but just to be double clear like the the infrastructure that we use in order to deliver Prisma access we are using public cloud infrastructure like from Google AWS and and so on and so forth so we are able to take advantage of that massive network and the fibers and things like that they have deployed and we are a very premium partner of that service so we take advantage of lot of those features that are built into the public cloud in order to be able to provide the middle mile and the last mile for that matter of the service yeah so for the middle mile piece the question was around what kind of enhancements around routing things so like for example if we use both Google and AWS but in the in the case of GCP let's say the user connects to a gateway that happens to be on GCP we will route on their fiber to the closest possible point to get to the service provider the sass provider like office.you 65 whatever it is all the networks google AWS azure there all tier one they direct peer so we cross that network as far as possible and then we hand it off as close as possible rather than route back out to the internet again but as far as this particular path the latency is a little bit high for this moment we don't yet dynamically a route around that but it is something we're looking into and there was one pretty far back yeah if in case we already have an SD band solution and is there a benefit to actually scrap that solution which is being sat in front of next-generation firewall and use the Estevan feature in in the edge 
device is there a benefit because it's IPSec tunnel that's actually established between the device across into prismo yeah yeah absolutely so there are couple there's a there's a commercial and a sales answer to this which is yeah absolutely should scrap all that and and and and buy Palo Alto Networks right but I'm not we're not salespeople so I'm gonna give you technical answer to that right so the technical answer is when when how does an SD band or the network pad get selected right one is that you have one end of the device and then you have some symmetric based on that when you will you will monitor the the efficiency of each of those those links that are going into that as divine device and you will say let me do let me monitor these these links and decide which network to take okay but for it to actually work you need to get some responses from the server side also to say that okay what is happening on that side of the network when when the whole session is to be established and how does the session failover like in the middle of the session if there's an path that is performing better how do you silently failover the session to the other link and and do that transaction for that efficiency to happen you need to have both the the client-side and the and the headend side right so it matters where that SD when device is terminating so that's where the Prisma access hub will become an interesting intersection point for that SD when device that is on pram so together they are able to provide a much better routing end and path monitoring and all of that in order to provide the best best path to the to the actual destination but if you control only one end of it then you will still be able to take advantage of whatever features that SD ran devices providing you in order to do that but you're not getting the full benefit of it is that does that help answer the question yeah one other one other aspect there is if you have our palinurus device in the branch location 
you can get visibility within that branch if you want to have more control but you want to have that same level of security if you have a third party st man device they have some security features but you're not gonna get wildfire app ID all the different prevention that we can do and visibility so if you use us in the in that branch or retail location as not only the SD wham but also for internal visibility controlled and you get both benefits hi so it looks like we've got a solution from the client to the cloud the client to your data center we've got solutions for within the data center so either with with hardware or VM firewalls controlling within that and even within an office if if the firewall is the router for example in within your office then you're getting as the client is routing between subnets but we don't really have a solution for the client talking on its local LAN so for example in something like a Wi-Fi like a site Wi-Fi network you might have thousands of clients that are all in the same subnet and depending upon the software that you're using so something like Skype for example or you know teams or things like that that require client to client communication so those might be going directly you know in the same layer too without ever going up through through a firewall are you looking at making the client side account for local LAN communications as well so the from from a global tech solution perspective it does work on on layer 3 only right so there are there was a talk that was given by another customer in at our ignite conference in the US a couple months ago where they the way they decided to solve that problem was the saying like it doesn't matter they will treat their internal networks also as an external network it doesn't matter where you are it doesn't matter if you are connecting to your your internal Wi-Fi this said is like irrespective of that the client is always going to create a tunnel and so they deployed firewalls something 
that we call as internal gateway and this is a feature that is built into the pan OS that the client can connect to an internal gateway so may not be inside the Wi-Fi switch but just north of Wi-Fi switch you can create that you can deploy a firewall and make that the the access gateway before any client can talk to any client right so you are creating that communication creating incremental latency for that user but you are still securing that that point-to-point connection our our or traffic between between two clients yeah just sorry yes so they're there right but you but the point though is that you have to create the only way to secure the two users from talking to each other you will have to create a secretary bounce security boundary between the two unless you are running something locally on the client itself and trying to do all the filtering and the security inspection on the client but at that point if you start thinking about it right operationally it may look like that you you you have solved the problem by not having to buy a bigger firewall but now you're managing policies on all these different endpoints from that perspective operationally I'm not sure that it is actually going to scale on thousands of endpoints buy locally providing that firewall for example if we said a VM series firewall gets deployed locally on D on the endpoint itself now operational management and overhead and security patches and everything that needs to be deployed on the endpoint it becomes and operationally not that that efficient model so we talked about it we thought about it but I'm not still sure that I can actually productize it in such a way that a large enterprise will be okay to deployed it but open to having that conversation sure but correct but but the point though is like in this advanced threat it's not the desktop firewall like that's so like port and protocol basing that oh okay I can open this port and allow it to go to and we have all understand that 
that's not security per se that is just about some ACLs but for me to be able to do this detection of the advanced threat which is doing DNS SEC for example on the on the endpoint it's not just local static analysis on the endpoint I will have to do some advanced hunting which means that I have to constantly update that processes and constantly do your security patches and all that like unlike a desktop client based firewall that exists on the endpoint so that's a very different operational model if you wanted to do a local firewall the products already exist it's built into the into the native operating system from windows and and Apple but I have not found a way to actually do it in an in an intelligent way there may be possibility but I don't know of that yet but but open to that conversation yeah and if you think about the computational requirements yeah I mean you would have to either consume half or 80% of what that device actually needs to run to do everything we do in the cloud or you have to give up a lot of functionality and do something lightweight and reduced which means we're back to the problem of you have to solutions that aren't the same you would have you know 10,000 devices sending logs somewhere for monitoring and they it's not like like job' said it's an interesting conversation but we haven't figured out a way to really do that at scale and and then you know make it even worse by now you want to do it on a phone right not just not enough compute there any other questions was that a question all right then thank you very much for your time thank you thank you [Applause]
Info
Channel: Palo Alto Networks Ignite
Views: 2,778
Rating: 5 out of 5
Id: 8qmavBUCHAM
Length: 46min 40sec (2800 seconds)
Published: Wed Dec 11 2019