Securing SD-WAN with Prisma Access (T1165)

Captions
Warby and I will be presenting this. I'm a VP of Product Management looking after our SD-WAN strategy, and Warby and I will be co-presenting.

Yeah, Warby Warburton, Director of Product Management. My focus area is Prisma Access infrastructure. I'm gonna have Kurush kick things off and I'll come back later.

Awesome, thank you. So to get going, how many people were in the session yesterday with SD-WAN? Just a show of hands. Okay. So today we're going to be talking about Prisma Access and how it complements our SD-WAN solution; in fact it's actually the differentiator for the SD-WAN solution. So we're gonna do a little bit of a deep dive, but I'm gonna review some of the content from yesterday, not only to reinforce it but because there are new people here that haven't seen the pitch. I think that Nir and Lee did a fantastic job setting it up yesterday. Ignite is actually our launch event for SD-WAN, net new functionality for PAN-OS. Much of what you're going to see on the PAN-OS side is actually in beta right now, for those of you that are participating in the beta program, and it should be available at the end of this year in PAN-OS 9.1.0. So that's our GA target, you know, in December, maybe early January, but it's right around the corner. And much of the Prisma Access stuff is functional, but we'll be making a lot of enhancements to what you're going to be seeing today.

So just to review the SD-WAN portion. This clicker is a little bit delayed. All right, so what is driving SD-WAN, right? Why is SD-WAN popular all of a sudden? The main reasons are that applications are obviously moving to the cloud, that's SaaS and public cloud workloads that companies have moved there. There is an aspect that these cloud workflows need more bandwidth, right, and high-quality connectivity. And then there are the limitations that private connectivity like MPLS has, not only just in terms of bandwidth but in terms of the way that the traffic gets to the cloud. So with SD-WAN those problems are addressed. The first piece is that the user experience is improved: you get more bandwidth at those branches that need it, and you have this low-latency, high-quality connectivity, right? So that's the main benefit that made SD-WAN popular in the last couple of years, and it's a prime use case now for branch connectivity. And part of what people are trying to do is that once they're comfortable with SD-WAN, maybe when their MPLS contracts are expiring, they move away, maybe in a year or two, right? Nobody is cancelling contracts right away; it's a hybrid deployment today.

Now there is quite a bit of challenge with SD-WAN deployments. I'm not sure, maybe a show of hands of how many people are actually in an SD-WAN POC today, or have actually played around with SD-WAN from the competition? Okay. So after you see these challenges maybe I'll ask you again, you know, how many of them resonate with your experience. So the first one, well, three categories, right; I'm gonna actually deep dive into most of these. So security, and security is in two aspects: branches are exposed to the internet now, whereas before it was private connectivity, so there's a security challenge; we'll deep dive into that. Performance is another part: SD-WAN is high performance, but it actually is not unless you actually do it right in an end-to-end fashion. I'll talk about that as well. And the third part is the complexity. So initially SD-WAN is simple, in fact agility is one of the attributes of SD-WAN, but once you get going and you actually get to solve the security aspect, it becomes really complicated, and especially if you want to set up complex topologies it makes your life very difficult. So let's deep dive into why SD-WAN is difficult, and one of our differentiations coming into the SD-WAN space is to fix these challenges that are in SD-WAN deployments.

So the first part is about the networks before SD-WAN. So this is an example of a network where connectivity is through a private connection; the traffic is going to the firewall that you have at your data center. So connectivity is easy, security is easy, each person has its own domain, but the traffic is taking the long way around, so the hairpinning effect, where latency and bandwidth become an issue. When you introduce SD-WAN into the mix, a few things fall apart, right? So one is that normally you don't have a firewall at the branch location, and you do the management of the security at your data center firewall. With SD-WAN what happens is that the traffic now bypasses that firewall that was in place. So SD-WAN really drives security to the edge of the network, and for Palo Alto that means that you need to put firewalls, either as VMs or as hardware firewalls, either on the edge, or Prisma Access. So the top one is the Prisma Access logo. So those are the two ways that people have been securing the branch, and for a Palo Alto customer, because most of the policies are in Panorama, it's much easier for the customer to take the same policies and push them down to the edge to keep the consistency of their security, right? So SD-WAN products or projects always become security projects after the POC is done, and then, you know, jointly with the security team, the company has to figure out how to solve the connectivity and security problem together.

And these four different ways are what has been in play in the last couple of years, right? So the first one is easy: put the two boxes of security and SD-WAN next to each other, plug them together, problem is solved. If you have HA then you've got four boxes there; you've got two different management systems. So to simplify that, some companies allow our VM to run on their platform to reduce the number of boxes, but you still have multiple management systems there, and complexity. So then number three, which is the uCPE model, became popular, so service providers take multiple VMs, put them on x86, they take over the management, charge a bunch of money, and that's another way that the problem is solved. Now number four, with Prisma Access, became very popular because it's the lowest number of boxes: we've got one box at the branch, you've got the security and connectivity in Prisma Access. Companies that are partner companies, for instance CloudGenix and Silver Peak, have this kind of a connectivity model with us today. So complementary solutions, we will continue to solve those problems, but from a customer perspective it's two companies to deal with, two different management systems, and in HA especially there are routing challenges. And in our session yesterday, so when those videos come out, in our session yesterday we actually talked about the challenges of using the firewall with a product that is not integrated in, with the zoning and things that I saw introducing a lot of complexity. So that's one aspect of complexity.

The other one is that with SD-WAN solutions it's easy to plug a box into the branch locations and have all the branches connecting to each other, with this n-squared type of a problem. And so this is what we see a lot of people run into, is that branches start talking to each other but then they reach some scalability challenges. Also, if you imagine these are offices around the world, the traffic really needs to traverse from one country, and you know, continent to another continent, and most of the time it works, but when it doesn't work the troubleshooting of it is kind of difficult, right? 2 p.m. on a Friday Zoom doesn't work; maybe some circuit between, let's say, India and the US is congested, and there is no way to fix that, right, because you don't control the middle mile of that link. And so there are solutions: people come up with overlay fabrics, and again that introduces another company into the mix that you need to buy service from, and an interconnect. So what happens is people start this way, but then they're like, well, I didn't... so they set up these regional gateways, so that you set up a gateway for a particular country, maybe in the US two or three regional gateways, East Coast, West Coast, everybody home-runs there, then you buy high-quality connectivity between those hubs, pay a good amount of money. Actually I've been looking at circuits; they cost something like $50 per megabit per second, per month, just to connect sites, right? These are actually, you know, in my mind, quite expensive. So a lot of the cost of SD-WAN, even though it may reduce cost, it actually increases cost; so in this world nothing is really for free, as I've noticed as you dig in. So this hub-and-spoke, we do recommend the hub-and-spoke, but there are just the complexities that you see on the screen. But this is the ultimate topology that everybody will end up using.

The other aspect that I mentioned is the middle mile. So this slide basically shows a branch on the left side going to traffic on the right side, and you see that normally you have one link, it goes to a service provider, then, you know, a lot of things can happen along the way. So if the service provider itself is congested, a lot of congestion happens at peering points between two different service providers, and some service providers even have congestion internally in their systems. So with SD-WAN you can have multiple circuits, so you can add a second service provider; what SD-WAN will do is figure out which of the two service providers provides a better service level, and we'll pick the best one. That's called first-mile SD-WAN: so the first segment, which one do you pick. But then even if you pick these two, if there is congestion in the middle between two different service providers, it doesn't solve this problem. So then what you end up needing to do is buy this high-quality bypass, which is called the middle mile. So a lot of companies are in the middle mile; Equinix for instance is one, you can actually buy a platform and buy the middle mile fabric, and what happens is the traffic now goes from the ISP through this middle mile directly to the destination, or back down to your data center. So the ultimate destination that most people end up in is this kind of a solution, an end-to-end SD-WAN experience. All right, so these are all the complexities with SD-WAN that I think it's good to be aware of. I'm gonna hand it off to Warby to talk about Prisma Access attributes, and we'll come back and kind of put the two together, which is the topic of this session.

Thank you, Kurush. Okay, so I'm gonna talk about Prisma Access. I'll do a quick overview; hopefully most of you have been to some of the sessions this week on it and it's not new for you. If you didn't make it, they are recorded and they will be posted. But basically the idea is that we have this secure access service edge, or SASE, that you've been hearing about; we talked about it on the main stage on Tuesday, or Wednesday rather. The idea is that you have both the networking piece provided as a service and the security piece converged into one solution. A lot of companies are really good at one or the other; one of them they do really well, the other one's an afterthought, something that they bolt on. They may be really good at the networking piece and then through an acquisition or minimal effort they add some security, but it's not true security, or vice versa. SASE combines those both, and Prisma Access, as you heard during the keynote, delivers on all of those components. So it has a network service layer and the security service layer delivered from the cloud, so it's one integrated solution getting all the functionality. You have branch or retail locations, you have mobile users, they're coming into the network layer, they get the security applied in the cloud, and then they go on to their destination: SaaS, internet, could be company-hosted applications in the public cloud or company-hosted applications in their own data center.

So digging into the pieces of these layers: at the networking layer the users are connecting over VPNs, could be IPsec, could be SSL. We have Prisma Access, we have the GlobalProtect client, we also have clientless VPN for mobile users; we use IPsec VPNs for sites today, and we can do QoS, policy-based forwarding, so all the traditional network services to get all the users, all the sites, all over the world connected to a local regional instance of Prisma Access. So getting the users there quickly without the hairpinning we talked about earlier, and then once they're there we do all of our next-generation security, all the enforcement, everything that you got on your traditional enterprise home-run security stack you can get in the cloud. We do this all over the world, so just over a hundred locations. In our release in August we expanded to be multi-cloud delivered, so we went from what was 15 locations to a little over 100 in 76 countries. So chances are your users or your branch locations are somewhere very close to where the service is hosted: very minimal latency, high throughput, get the users to the application quickly. We've done testing internally and we found that in some cases using Prisma Access for a user to go to a SaaS application is actually faster than going directly over the internet. So normally you add security, you slow things down, and you get blamed for a bad user experience; in this case we actually, in some cases, have improved it, because the clouds we're running on, like AWS and Google, have such good infrastructure, it's better than going through multiple ISPs to get to a SaaS application. So we literally can speed things up in some cases.

So in the branch and retail location example, on the left is the traditional solution that Kurush mentioned: branch connections over something like MPLS going back to headquarters, so they get their privately hosted application access, which is a good thing, but they're also having to go back to get to a SaaS application. Most SaaS applications are hosted and cached worldwide, and this hairpinning slows things down significantly, especially if the headquarters is on another continent. On the right-hand side, the cloud in the center is Prisma Access, so the branch location connects to that instance; it can take Prisma Access to the data center, so you still have access to your privately hosted applications, but if it's just going to a SaaS application or the internet it'll take you there directly; it won't bring you all the way back and then go out. So not only is the latency much lower, but it's also a local experience. So if you're sitting in an office, let's say in Barcelona, and your headquarters happens to be in, I don't know, Japan, if the user did, like, a search online they would get results from a different location than where they're physically at, depending on their browser and the settings and how they're recognized. But in this case it's actually local: they're gonna go to the internet, they're gonna be dropped off with the local experience, so it's very important.

So this works very well. The onboarding can be a little bit challenging if you have many, many sites and you have to build IPsec tunnels. If you've ever built an IPsec tunnel you know there are a lot of opportunities to make a mistake. You can do things with scripting; we have some third-party SD-WAN vendors, like Kurush mentioned, that have done a lot of work, like Silver Peak, CloudGenix, Viptela; they do a good job integrating with Prisma Access, but it's still a second pane of glass, so you still have to manage all of those devices independent of Prisma Access. And if you need local segmentation, so maybe you have many subnets in a medium-sized branch location, maybe there's guest Wi-Fi and IoT and employees, if it's retail there's point-of-sale; with a lower-end routing device you can put those in separate VLANs and just have them not talk to each other, but you may actually want to have some traffic allowed with full control. So now you have to, like Kurush mentioned earlier, add a security stack back on top of that for local segmentation, or you have to bring it to Prisma Access, which is okay because you're not hairpinning back to corporate, but you're still hairpinning out of the branch just to do local traffic. So it's not a big deal; it depends on the application.

So what this session is all about is how do we solve the middle mile problem of SD-WAN and some of these onboarding challenges of Prisma Access. So you probably know where this is going, but before we get there, apologies if this isn't familiar, but I'm gonna take you through a really corny example from my childhood. So this is a screenshot from a YouTube video that was ripped from a VHS tape, that's why the quality is so terrible. The guy here is dressed in really nice 70s attire and he's carrying a chocolate bar. That's not me. And this young lady is carrying a jar of peanut butter. Anyone know where this is going? Yeah, yes. So this is a really corny commercial; I know it was popular in the US, I don't know about here, but they're walking towards each other around the blind corner, they run into each other, and it's, you know, "you got your chocolate in my peanut butter", "you got peanut butter in my chocolate", and then, you know, Reese's Peanut Butter Cups, right? So maybe this doesn't play well in Europe; I don't know if this commercial ran here, or if you're old enough to know this, but this is the whole "better together" story that Reese's kind of had as their marketing pitch for a couple of decades. It's a really funny commercial, it's very corny, but the idea is that we have these options and they have their pros and cons that Kurush talked about, but now we're introducing a fifth option, which is a next-gen firewall. So a PAN-OS firewall sitting at a branch or a retail location with SD-WAN functionality connecting to Prisma Access. So we get the onboarding benefits of SD-WAN and we get the middle mile advantages of Prisma Access, and all with the single pane of glass. That's the better together story.

So Prisma Access becomes the middle mile. It is the intelligent cloud that connects all these SD-WAN locations, one pane of glass, all managed from Panorama. Panorama is managing the devices at the locations, it's managing Prisma Access; you now have security inside the branch locations as well as across the cloud, and it's easy to consume. So because Prisma Access has the cloud intelligence, we can give you that good connectivity, low latency, get you to your application as quickly as possible and as efficiently as possible, and we can control over time, maybe it's on this cloud, maybe it's on that one, maybe it's this location; as the clouds expand, we add more compute, things keep getting better, and it's worldwide in those 76 countries, 100-plus locations. So I'm gonna bring Kurush back and I'll return for the Q&A. Thanks, Warby.

All right, so we're gonna put all this together now. So we've got Prisma Access; we're going to talk about the SD-WAN portion. After yesterday's session a lot of people came up and actually were very enthusiastic about the differentiated way of having a single company provide the entire solution from end to end. So that is actually, you know, the difference between all the SD-WAN solutions that you see, where it's a do-it-yourself solution that gets hosted somewhere else; in our case you have the option of do-it-yourself and you have the option of getting this as a service. So we're going to talk about the SD-WAN capabilities, again a review from yesterday, but one of the things is that when we were building this, and this project didn't start that long ago, it actually started earlier this year, maybe in February is when we kicked it off, and so, you know, less than a year before it goes from concept to being available as GA. And we were saying, okay, how do we... you know, everybody is asking Palo Alto to do SD-WAN, right? Last August, or in Austin at Ignite in the US, people in the audience were saying, you know, why didn't you guys just build your own SD-WAN? Right, and the question that initially we had to deal with is, do we go buy a company, what do we actually do to build SD-WAN? And it turns out that PAN-OS actually does much of the functions that an SD-WAN product does; in fact it does all the hard functions: builds the IPsec tunnels, digs inside applications. Many of the customers that I've talked to use PAN-OS next to an SD-WAN because of its custom app decodes, right? Many large companies have written their own custom apps; off-the-shelf app decodes don't do custom apps. So the combination of very high-quality app decodes plus custom apps plus app cache, putting all this together, is actually one of the fundamental pieces that an SD-WAN product needs to do. The pieces that we really needed to add were basically the path metrics, right? We needed to figure out what the path quality is, be able to use the metrics in making that initial path selection, but also continuously monitor such that we can make the change in path dynamically, and that basically led to these three additional features that are in PAN-OS 9.1.

So the first one is, on these overlay tunnels we are able to probe the other end and measure the delay and essentially path quality. We can use this to combine it with the previously available features on an application basis, such that in the Zoom example, for instance, you can say take Zoom as long as all of these paths meet this particular service level requirement; let the Zoom application go through; if one of those paths is not usable then switch it. So that's the third one, the dynamic path change. So if you imagine the left link is being used and those are packets, you know, packets one, two, three go on to the left link, and for a period of time that link is not usable, then the system can detect that in a sub-second fashion and flip it over to the next best link that meets the requirements, and you can keep it there until the session ends, or it can move back to the original one, in case the second one is LTE and you're paying for the bytes. So you have the choice of keeping the sessions or moving them back, and we put in quite a bit of intelligence so we don't yank all the sessions back and then all of a sudden congest the first link again; so we selectively adjust to make sure we are really balancing the traffic. And these are all the things that, in a way, we are late to SD-WAN, but then we're not making all the mistakes that other people have made; so that's kind of the advantage of being late.

The other point is that this is book-ended. The reason I mention that is that, you know, for SD-WAN to take place and be able to move traffic back and forth, you need the other end to be intelligent as well, and that other end in the case of Prisma Access is Prisma Access, right? So because Prisma Access runs PAN-OS, the two pieces actually are coordinated together and they talk to each other, and that's one of the challenges: since SD-WAN is not a standard you can't just take somebody else's SD-WAN and book-end it with another vendor's. So there's this advantage of having both ends be the same vendor. The other aspect is single pane of glass management, so you use Panorama for security; the same workflow applies for SD-WAN. So you see the new pane that has been added for SD-WAN, you can configure the service level requirements, you can attach it to the same applications that you are used to for security, so the same palette of applications is available on the SD-WAN side. And it also provides a topology creator as well for next-generation firewalls, that we are going to be extending such that you can coordinate hardware and Prisma Access tunnel configuration; so that's a work in progress, it's not available yet, but we're going to make that easier as well.

The other aspect that we've added in, actually we're working on, so it's not available yet, but we are adding in, is zero-touch provisioning. So this is where you take a hardware firewall, you can ship it to a store in some geography, and the box, the brand-new box, can boot up, connect to our zero-touch provisioning redirector; we are using our customer support portal to map the boxes that you purchase to your account and your Panorama, such that we can redirect brand-new boxes to Panorama for automatic configuration. So this is the zero-touch provisioning feature that Palo Alto is going to be introducing, and there are going to be new hardware SKUs with a "-ZTP" at the end that will have this behavior out of the box. So when you order them you can tell which one will have the ZTP behavior versus the normal boxes. So almost all of the PA-220, PA-800 series, etc. will have the new SKU for zero-touch provisioning, around the end of February or so. Okay, and we'll come back and open it up for Q&A in case there are questions there.

All right, let me switch to a little bit of topology, because I think this is where the value of Prisma Access becomes very clear. So these three are Gartner categories for SD-WAN topology: the middle one basically being the regional deployment, so if you've got a country and you've got maybe 50 locations (they say 500, but really after 50 you shouldn't be doing that) where you connect all of the sites together, so that's called regional. Global is if you have two or more continents, or you're going across the globe and you want to connect, let's say, Shanghai to New York; so you want a predictable global user experience and predictable flow. So those are the two aspects, but then distributed enterprise falls into its own category because there are just a lot of sites, so scale is an issue and ease of use is an issue, and that becomes those three categories. If I was going to map them to how SD-WAN is deployed: so if you know this, we talked about the challenges of meshing sites together, right? It's complex, it doesn't scale, and it has the middle mile challenge. So the hub-and-spoke is what most people do; we do hub-and-spoke, where you can deploy our VM or our hardware in regional locations and put the hubs either in your own data centers or get Equinix and interconnect them. So that's the do-it-yourself; it's supported. But with Prisma Access, right, that complexity goes away: we manage the infrastructure for you, so you get the hub, you get the interconnect, you get security, and you get last mile performance connectivity to SaaS and major public cloud applications, plus the mobility of the users that was already part of it with the GlobalProtect client. So you get all of these five together with Prisma Access. So as an example, if you have a site, let's say in Chile, and you've got multiple ISP links, they go to the closest PoP, there's actually one in Santiago, so it goes over a performance backbone from there to the closest compute; that's where the SD-WAN hub is. So from the hub it picks the best link out of these tunnels, and then it can take it across the globe, let's say to Shanghai, and drop it onto the service connection that you're already familiar with. So you get first mile, middle mile and last mile, all with a predictable user experience.

This is actually how we got there. So if you go from where people started out, with mesh, right; so mesh is easy, doesn't have a hub, it's the lowest number of points, but again we already talked about that. So most people then end up in this hub-and-spoke topology, which actually scales pretty nicely. So hybrid mesh is basically a hub-and-spoke, you just connect all of the meshes together; it's also called two-tier, and that's the same topology that Prisma Access has. So you can either build this yourself or use Prisma Access, and in terms of topology it's exactly the same way, and so you get all the benefits of simplicity, security, scalability. And so scalability is actually the other piece: if you have, you know, 3,000 retail locations (I've done many deployments with 10,000-plus retail locations), the scale of connecting so many tunnels into a single hub actually is another challenge. So one challenge is geographic scale, the other one is just the density scale, and both of those require you to provision the links with enough bandwidth. When you use Prisma Access, because it is in the cloud, it just scales horizontally to address these challenges. So today, or by the end of this calendar year, the middle two, which are the do-it-yourself, are available; the Prisma Access portion is also usable. The management piece, which is the easy out-of-the-box one-click configuration, that's targeted for maybe about four or five months from now, but it is usable from a data path perspective; just to make sure that I set the expectation of availability.

All right, so if you take the connectivity of enterprises: you have the branches, you have your traditional MPLS, and with SD-WAN you can get the DIA circuits, and again you need another place to terminate that, so in this case you have this colocation hub that it terminates in. This is one state that most people are in after they've deployed SD-WAN. With Prisma Access you can basically bring all of those tunnels into Prisma Access, so they come together and then they can go back out to the destinations, and once the customers are comfortable with this then they can wean off the MPLS, maybe in a few years' time. So the end state can be this: you can even get rid of the top one as you move your workloads into public cloud, so it just becomes this single fabric that's very simple to manage, scalable, secure, and that's really what we are announcing here as our value proposition, and it's really unique in this industry and differentiated. So the three things that I just wanted to leave you with, if somebody, you know, at the end of all of this asks what are the three things: so it's basically consistency of industry-leading security, you know, Palo Alto is the number-one vendor; it's that end-to-end high performance fabric that we just talked about; and it's that simplicity to consume all of this without having to go and buy all the different pieces and assemble them together, and even, you know, the challenges of not having a service provider that can globally provide this to you; so there's a global fabric, so anywhere in the world you can actually use this solution. All right, so that's the end of the presentation. Thank you for your time; we're gonna take some questions after this with Warby. Thank you.

All right, any questions? Yep. So the question was, if we have the next-generation firewall at the branch, can we do local breakout to the internet, or is it required to go to Prisma Access? So the answer is it's not required; it depends on how that's sized. It could be that you want to do a different type of inspection for the SaaS app versus within the branch, or you could size that next-generation firewall so that it does everything and you just use Prisma Access for the middle mile and for getting to your own data center. So it's up to you. Anything to add to that? Yeah, so it depends on the amount of traffic. So if you are, let's say, a retail shop that doesn't have guest Wi-Fi and such, and everything naturally home-runs out to your data center or workloads, then the DIA may not be needed, right? Some people say maybe I have some specific applications that I want to just whitelist, maybe Netflix or Apple updates or something like that, YouTube, you know, those kinds of high-traffic workloads that you don't want to carry through Prisma Access. One of the advantages there is that you can just buy an NGFW with no security subscriptions; all the subscription is done on Prisma Access. But if you need to do URL filtering locally, or east-west segmentation is the other piece, so if you're retail and you want to separate the point-of-sale from other pieces and you need the NGFW, then you also need the licenses at the edge as well.

You are not a telecom company today. How do you make sure that critical traffic is well transported into Prisma Cloud between different regions? How do you ensure availability between the regions? How do you make sure that critical traffic, for instance if we have voice traffic between two regions, we go for the first mile to Prisma Access, then into Prisma Cloud; do you take advantage of DSCP tagging, for instance? How do you make sure that traffic is well transported into Prisma?

Yeah, so for example, all the compute that we run in Google's network, it's all premium tier; the average throughput is double what a standard tier is, for them or for other vendors, and they provide their own dedicated fibre; they don't use third-party ISPs or anything like that. And so we monitor congestion and things like that between all of our points. We don't today dynamically route or prioritize within the cloud; we anticipate that over time, as the service grows, we will need to be more intelligent within the cloud. So far customers are doing things like Zoom and VoIP and everything with no issues, but yes, it's something we're thinking about; we probably will get to the point and the scale where we have to start doing some prioritization in the cloud itself. Absolutely. Yes. Yeah, there is no congestion today that would need those types of information and prioritizations. Okay, thank you. No problem.

More questions? Everybody eager to leave? Yes, there's one back here. Okay. No, there are no specific devices that we are announcing yet. Actually, I would say that's good news, because you can use the existing shipping PA-220 all the way to, you know, the whole family today. We are working on next-gen hardware, but it is not a special SD-WAN device; it's a next-generation firewall with SD-WAN capabilities as part of PAN-OS, available in hardware or as part of our VM family, and you can use the combination of the two. You know, to just add more to that, when we build our next-generation devices we're going to be adding a few more capabilities to make it much more suitable as a branch gateway. You know, people have been asking, let's say, for more ports or other types of things; we're cognizant of that, and, you know, please do ask the folks that you're in contact with to bubble up your needs and kind of the customers that you have, so that we take that into account as we build these new boxes. Awesome. Any other questions? No? All right, thank you for your time; we'll be here to, you know, answer some questions one on one. Enjoy the rest of the evening. Thank you. [Applause]
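As an added illustration of the path-selection behaviour Kurush describes in the talk (probing overlay tunnels for path quality, a per-application service level requirement, sub-second failover to the next best link that meets it, and selectively moving sessions back so the recovered link is not re-congested), here is a small Python model. It is not Palo Alto Networks or PAN-OS code: the class and field names, the latency/jitter/loss thresholds, the two constructed tunnels (a preferred broadband link and a metered LTE link), and the rule of returning at most a fixed batch of sessions per probe cycle are all assumptions made for this example, and the "stay put if no path meets the SLA" handling is likewise a design choice of the example rather than anything the talk specifies.

```python
"""SLA-driven path selection over probed SD-WAN overlay tunnels.
Added example, not Palo Alto Networks or PAN-OS code; every name,
threshold and sample tunnel below is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Sla:
    """Per-application service level requirement (constructed thresholds)."""
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    return_to_preferred: bool = True  # move back once a better path recovers


@dataclass
class PathMetrics:
    """Latest probe result for one overlay tunnel."""
    latency_ms: float
    jitter_ms: float
    loss_pct: float


@dataclass
class Tunnel:
    name: str
    preference: int  # lower = preferred (0: broadband, 1: metered LTE)
    metrics: PathMetrics


def meets_sla(m: PathMetrics, sla: Sla) -> bool:
    return (m.latency_ms <= sla.max_latency_ms
            and m.jitter_ms <= sla.max_jitter_ms
            and m.loss_pct <= sla.max_loss_pct)


class PathSelector:
    """Pins sessions to tunnels and reacts to each probe result."""

    def __init__(self, tunnels: List[Tunnel], slas: Dict[str, Sla],
                 return_batch: int = 2):
        self.tunnels = {t.name: t for t in tunnels}
        self.slas = slas
        self.return_batch = return_batch  # max sessions moved back per probe
        self.sessions: Dict[str, Tuple[str, str]] = {}  # sid -> (app, tunnel)

    def eligible(self, app: str) -> List[str]:
        """Tunnels currently meeting the app's SLA, most preferred first."""
        sla = self.slas[app]
        ok = [n for n, t in self.tunnels.items() if meets_sla(t.metrics, sla)]
        return sorted(ok, key=lambda n: self.tunnels[n].preference)

    def new_session(self, sid: str, app: str) -> Optional[str]:
        """Initial path selection: best eligible tunnel, or None if all fail."""
        paths = self.eligible(app)
        if not paths:
            return None  # caller decides on best-effort handling
        self.sessions[sid] = (app, paths[0])
        return paths[0]

    def probe(self, name: str, metrics: PathMetrics) -> List[Tuple[str, str, str]]:
        """Record a probe result; returns (sid, from_tunnel, to_tunnel) moves."""
        self.tunnels[name].metrics = metrics
        moves: List[Tuple[str, str, str]] = []
        # 1. Failover: evacuate sessions whose tunnel just fell out of SLA.
        for sid, (app, tun) in list(self.sessions.items()):
            if tun == name and not meets_sla(metrics, self.slas[app]):
                alternatives = [p for p in self.eligible(app) if p != name]
                if alternatives:  # otherwise stay: no path meets the SLA
                    self.sessions[sid] = (app, alternatives[0])
                    moves.append((sid, name, alternatives[0]))
        # 2. Gradual return: move at most return_batch sessions back to a
        #    more preferred tunnel per probe cycle, and only for apps that
        #    allow it, so a recovered link is not flooded and re-congested.
        returned = 0
        for sid, (app, tun) in list(self.sessions.items()):
            if returned >= self.return_batch:
                break
            if not self.slas[app].return_to_preferred:
                continue
            best = self.eligible(app)
            if best and self.tunnels[best[0]].preference < self.tunnels[tun].preference:
                self.sessions[sid] = (app, best[0])
                moves.append((sid, tun, best[0]))
                returned += 1
        return moves


def build_demo() -> PathSelector:
    """Constructed branch: primary broadband plus metered LTE, two app SLAs."""
    tunnels = [Tunnel("broadband", 0, PathMetrics(30, 5, 0.1)),
               Tunnel("lte", 1, PathMetrics(60, 15, 0.5))]
    slas = {"zoom": Sla(100, 20, 1.0, return_to_preferred=True),
            "backup": Sla(300, 100, 5.0, return_to_preferred=False)}
    return PathSelector(tunnels, slas)


if __name__ == "__main__":
    sel = build_demo()
    for sid, app in [("s1", "zoom"), ("s2", "zoom"), ("s3", "zoom"), ("s4", "backup")]:
        print(sid, app, "->", sel.new_session(sid, app))
    print("broadband degrades:", sel.probe("broadband", PathMetrics(250, 40, 3.0)))
    print("broadband recovers:", sel.probe("broadband", PathMetrics(30, 5, 0.1)))
    print("next probe cycle:  ", sel.probe("broadband", PathMetrics(30, 5, 0.1)))
```

Running the script walks through the scenario from the talk: three Zoom sessions start on broadband, a degraded probe (250 ms latency) pushes them to LTE in one step while the loose "backup" SLA keeps that session where it is, and when broadband recovers only two sessions per probe cycle are moved back, so the third follows on the next cycle rather than all three landing on the link at once.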
Info
Channel: Palo Alto Networks Ignite
Views: 5,130
Rating: 4.8139534 out of 5
Keywords: Mobile Security/GlobalProtect, Network Security, SDWAN, Technology Integration
Id: gpKy7RKVW-g
Length: 38min 40sec (2320 seconds)
Published: Tue Dec 10 2019