The Benefits of Self-Hosted SASE – Part 2

In our previous installment, we explored the potential of using self-hosted firewalls in the cloud to meet the expanding needs for remote access. Now we will explore utilizing Palo Alto firewalls to fill those needs.

A refresher on the components of the architecture:

  • Next Gen Firewalls in the Cloud
    • Firewalls in different regions to cover your user base and minimize latency
  • AWS Global Accelerator, for anycast IP address presence routed to the closest firewall
  • AWS Transit Gateway for routing
    • Routing between regions and to on-prem resources
  • AWS Transit Gateway Peering
    • For inter-region routing over high-speed backbone offered by AWS

Palo Alto Firewalls

Palo Alto is the leader in the next gen firewalls market and coined the term “next gen firewall.” They have led the market ever since. The reasons they are leading the market are multi-faceted. The most important points are as follows:

  • Application visibility and control
  • User identification and user / group policies
  • Flexibility in user identification using syslog parsing, APIs, captive portal
  • SSL Decryption
  • GlobalProtect VPN
  • GlobalProtect clientless VPN access
  • Panorama for central management and logging

We need to address a couple of concerns if you decide to host your own SASE infrastructure. The main concern is bandwidth cost. Let us see how this can be solved. We know users are bound to watch YouTube, Netflix, and other video streaming applications from company-issued devices that are outside the perimeter. Let’s not kid ourselves, this will happen. Certainly, you do not want to pay for the bandwidth of such applications, as it can quickly add up to an unexpected AWS bandwidth bill. The goal of the solution is to protect your assets and your users from malicious web attacks, malware, spyware, and other threats. Thankfully, Palo Alto thought about this, and with PAN-OS version 8.1 and above coupled with a GlobalProtect license you can do the following:

  • Exclude traffic for certain domains and applications from getting tunneled
    • For voice applications like RingCentral and Cisco Jabber, you would want the traffic for those applications to find the shortest path to reach the destination and back. This is allowed by excluding those applications from getting tunneled.
  • Exclude video traffic, based on the firewall’s proven record of identifying applications. This means you can set your firewall to exclude those pesky applications from tunneling, saving you a few bucks in the process.


Here is the flow for tunneled user traffic.

As you can see, there are multiple steps that occur. User traffic is tunneled to the AWS firewall in steps 1 and 2. The traffic is routed from the AWS firewall to the internet destination in steps 3 and 4. The intended recipient gets the request and responds. Traffic returns to the AWS firewall, which is depicted in steps 5 and 6. The traffic is tunneled back to the user in step 7.

Here is the flow for user traffic for non-tunneled applications.

As you can see, there are just 4 steps, which results in minimal delay as well as a lower cost for bandwidth. The user is still protected by DNS filtering, as the DNS traffic is tunneled back to the firewall, which can filter DNS requests to malicious resources.

Another great feature from Palo Alto is application control, which can be used both for QoS and to restrict the traffic from unwanted applications. Application control allows you to prioritize traffic to applications that are business related and restrict other non-business-related traffic, which will further reduce your bandwidth bill.

User ID integration and user control are other benefits of this solution. You can allow certain users to download data from Salesforce, for example, while preventing other users from doing so. This utilizes application visibility coupled with user ID integration and SSL decryption to give you ultimate control.

Now that your traffic is fully tunneled behind the firewall, there are more advanced tricks that you can do. If all your users’ traffic is tunneled, the question of which IP address your users are coming from becomes easy to answer: they are coming from one of the public IP addresses of the firewalls, which is the IP address of either an on-prem or an AWS firewall. So, what your users’ IP addresses are when they work outside the perimeter no longer stays a mystery. Armed with this knowledge, you can do fancy things like restricting who can access your Office 365. In Office 365 you can specify trusted IP lists that are allowed access to your Office 365 SaaS account. This can be achieved using conditional access.
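A sketch of that restriction, added here as an example and not part of the original article: it validates the firewalls’ public egress addresses and builds the Microsoft Graph request bodies for a trusted named location and a conditional access policy created in report-only state. The sample addresses, display names and the break-glass placeholder are constructed for illustration, and only IPv4 is handled.

```python
import ipaddress
import json

# Ranges a SaaS provider never sees as a sign-in source (RFC 1918, CGNAT, loopback, link-local).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample: egress addresses from documentation ranges, one duplicate, one mistake.
FIREWALL_EGRESS = ["198.51.100.10", "203.0.113.8/29", "198.51.100.10", "10.0.1.5"]

def public_cidrs(addresses):
    """Return (sorted unique public IPv4 CIDRs, rejected entries)."""
    accepted, rejected = set(), []
    for raw in addresses:
        net = ipaddress.ip_network(raw, strict=False)
        if net.version != 4 or any(net.overlaps(p) for p in NON_PUBLIC):
            rejected.append(raw)  # an internal address here would never match a sign-in
        else:
            accepted.add(net)
    return [str(n) for n in sorted(accepted)], rejected

def named_location(cidrs, name="Firewall egress (example)"):
    """Body for POST /identity/conditionalAccess/namedLocations."""
    return {"@odata.type": "#microsoft.graph.ipNamedLocation",
            "displayName": name, "isTrusted": True,
            "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange",
                          "cidrAddress": c} for c in cidrs]}

def block_policy(break_glass_ids, name="O365: block outside firewall egress (example)"):
    """Body for POST /identity/conditionalAccess/policies."""
    return {"displayName": name,
            "state": "enabledForReportingButNotEnforced",  # observe sign-in logs before enforcing
            "conditions": {
                "clientAppTypes": ["all"],
                "users": {"includeUsers": ["All"], "excludeUsers": break_glass_ids},
                "applications": {"includeApplications": ["Office365"]},
                "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
            "grantControls": {"operator": "OR", "builtInControls": ["block"]}}

def is_trusted(source_ip, cidrs):
    """True if a sign-in from source_ip would fall inside the trusted ranges."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)

if __name__ == "__main__":
    cidrs, rejected = public_cidrs(FIREWALL_EGRESS)
    print("rejected:", rejected)
    print(json.dumps([named_location(cidrs), block_policy(["<break-glass-object-id>"])], indent=2))
```

Excluding an emergency-access account and starting in report-only state guard against locking every administrator out if an egress address is missing from the list.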

One other use case that needs to be accommodated is non-company-issued devices that are accessing your Office 365 or other SaaS services that allow for IP address restriction. Those would be your contractors, third-party vendors or other external visitors. That would be easy to solve using GlobalProtect clientless VPN, which allows you to proxy the user traffic behind the cloud firewall.

We covered lots of ground in this article, and hopefully, I did not bore you with details. Obviously, running your own cloud firewall, setting up Global Accelerator and multiple firewalls, connecting them to Panorama, and managing them centrally is sometimes not an easy ask for a resource-strapped IT department. Palo Alto thought about that as well and offers everything I mentioned here as a turnkey solution: Prisma Access.

Groupware Technology will be hosting an Ultimate Test Drive of Prisma Access on March 11th. Please join us in exploring how to fulfill all the components mentioned in this article using Prisma Access.

Mike Wissa is a Senior Solutions Architect at Groupware Technology. He is a certified security expert holding reputable certifications from multiple vendors. He is Palo Alto Networks PCNSE, CISSP, CCIE Security #35266. In addition, Mike is certified in AWS, Azure and GCP, and he is well versed in multiple cloud solutions.