1 | © 2020 Palo Alto Networks. All Rights Reserved.

Marc Horstmann, Channel Systems Engineer

Security even without a proxy?

PRISMA ACCESS


Business Forces are Driving Change

Cloud Adoption: 94% of businesses use the cloud (2019 State of the Cloud Report, Flexera)

Mobility: 43.3% of the global workforce will be mobile by 2023 (Global Mobile Workforce Forecast Update 2017-2023, Strategy Analytics)

WAN Transformation: By 2024, 60% of enterprises will have implemented SD-WAN (2019 Gartner Magic Quadrant for WAN Edge Infrastructure)


Existing Cloud Access Security Solutions are Complex

Three problems: 1 Complex, 2 Poor User Experience, 3 Security Gaps

Diagram labels: remote access VPN, unsecured, datacenter, public cloud, internet, SaaS, MPLS, web proxy, CASB proxy, branch/retail, mobile VPN, site-to-site VPN

Secure Access Service Edge (SASE) Convergence

Diagram: Secure Access Service Edge = Network as a Service + Security as a Service


Security as a Service: SSL Decryption, CASB, Cloud SWG, ZTNA, FWaaS, DNS, DLP, Sandboxing

Network as a Service: SD-WAN, QoS, Policy Based Forwarding, IPSec VPN, SSL VPN

Prisma Access: The Industry's Most Comprehensive Secure Access Service Edge

Security as a Service Layer

Network as a Service Layer

Diagram labels: SaaS, public cloud, internet, HQ/data center, branch, retail, mobile



Security as a Service Layer: SSL Decryption, CASB, Cloud SWG, ZTNA, DNS, FWaaS, DLP, Sandboxing

Network as a Service Layer: SD-WAN, IPSec VPN, Policy Based Forwarding, SSL VPN, QoS


Architecture

Prisma Access Locations: 100+ locations in 76 countries

Prisma Access: A Truly Cloud Native SASE

• Globally distributed

• Software-based, hardware-neutral

• Single-pass scanning for threats

• Containers / microservices-based

• In-line encryption / decryption that scales

• Scale out and back as needed

• Multitenant by design

Prisma Access Connectivity Architecture


Connection types:

• IPsec Tunnel: 3rd-party device, or Palo Alto Networks NGFW / SD-WAN

• IPsec/SSL VPN Tunnel: app on the user's device

• Clientless VPN: SSL/TLS web browser

• Service Connection with IPsec tunnel (HQ/data center)

Diagram labels: HQ/data center, internet, public cloud, SaaS, branch, retail, mobile; traffic routed through the customer's egress IPs; SaaS SLA on Tier 1 peer

Security Layer: Single-Pass Security Processing (Security Processing Latency Service Level Agreement)

Networking Layer: Connecting Users and Remote Networks (Mobile Users / Branch & Retail; public internet or SP interconnect; SaaS Latency Service Level Agreement)

Use Cases

The Problem: Mobile Users

• VPN is designed for remote access to data centers, not cloud access

• When using cloud applications, users disconnect

• Mobile users still need security, but now they're at risk

The Problem: Branch and Retail

• MPLS is costly and slow to provision

• Broadband provides a better user experience for cloud applications

• Direct internet access in the branch introduces risk

Our Approach: Mobile Users

Before: Remote access VPN traffic is backhauled to the data center (mobile users → data center (private cloud) → public cloud / SaaS / internet)

After: Remote access VPN traffic goes through the SASE in the cloud (mobile users → SASE → data center (private cloud) and public cloud / SaaS / internet)

Our Approach: Branch and Retail

Before: Branches are connected back to the data center via private MPLS (branch → MPLS → data center (private cloud) → public cloud / SaaS / internet)

After: Branches are connected to the data center and cloud via the SASE (branch → SASE → data center (private cloud) and public cloud / SaaS / internet)

Prisma Access Deep Dive

Prisma™ Access

Benefits:

• Consistent, industry-leading security

• High performance, end-to-end

• Simple to consume

• Centrally managed by Panorama

Diagram labels: SD-WAN, BYOD, ISP, branch, retail, mobile user

Network as a Service Layer

VPN options: IPsec VPN, SSL VPN/IPsec, SD-WAN, Clean Pipe, Clientless VPN

Zero Trust Network Access

• Contextually control who can access your applications and data

• Maintain full inspection of traffic on all ports and protocols

• Enforce consistent DLP policies to control data movement and enforce compliance

Context used: User-ID, App-ID, Host Information Profile

Diagram labels: SaaS, public cloud, HQ/data center, user

Quality of Service

• Enforce QoS for bandwidth on all ports and protocols

• Use existing tags

• Apply QoS tag policy based on User-ID and App-ID

Critical Applications: payment processing and monitoring systems

Latency Sensitive: VoIP, conferencing, and webcasts

Non-Critical Applications: personal video streaming and personal web browsing

Firewall as a Service

• Enforce policies in Prisma Access, removing the need for a branch device

• Inspects inbound and outbound traffic

• Centrally commit policy updates in one location

Threat Prevention

• Blocks known malware, vulnerability exploits, and C2 activity

• Single-pass architecture

• Prisma enforces policies on:

  • App-ID

  • User-ID

  • SSL Decryption

Threat Intelligence sources: Unit 42, WildFire Telemetry, Passive DNS, Cyber Threat Alliance

Processing of all traffic: protocol decoders and anomaly detection, threat database (vulnerability, malware, anti-virus, C2, file type, data), threat matches, automated policy enforcement

DLP: Built-in to Prisma Access


Cloud Access Security Broker

SaaS apps classified as tolerated, sanctioned, or unsanctioned; API-based integration

Diagram labels: branch, retail, mobile, HQ, unmanaged


paloaltonetworks.com

Email: [email protected]

Twitter: @PaloAltoNtwks

Security, even without a proxy.