Branch Connectivity and Remote Worker Security – A New Twist

There’s a paradigm shift I’m seeing with how organizations are securing their branch offices and remote workforce: they’re moving away from the traditional firewall at every branch office for a north-south perimeter security architecture. Let’s dig a little deeper.

 

 

Traditional Branch Office Architecture

In many branch office deployments, we have traditionally seen the use of MPLS as a private WAN to connect the branch offices to a datacenter at headquarters. Another design model was to have a firewall at every branch office and connect back to the HQ datacenter via an IPSEC VPN connection. This deployment may have been fully meshed or partially meshed, depending on the dispersal of resources that required access. In the IPSEC VPN scenario, manually creating and maintaining the VPN connections on every firewall is a configuration and operational headache. Supporting this architecture requires not only the creation of all phase 1 and phase 2 profiles, but also the creation and validation of all of the routing that goes along with this type of deployment. Additionally burdensome is the ongoing care and feeding and the requirement to “refresh” this firewall hardware based on either a depreciation schedule or as the equipment’s life ends. This constant “refresh” brings additional headaches around the cost to acquire, configure, ship, deploy and test new hardware. Depending on the timing of this refresh, it may also require the running of a newer version of the operating system, which may require an upgrade to a management platform as well to support this new version. In summary, the IPSEC VPN model is a very time-and resource-intensive effort for organizations to maintain.

 

 

A New Branch Office Architecture on the Rise

The COVID pandemic has played a part in how organizations support their mobile workforce. Many enterprises were built for a subset of their employees to work remotely, but very few were prepared for their entire force to work from home. This required many organizations to quickly come up with a 100% remote design. In some cases, this required new HQ or datacenter hardware. It may have included the need to move to a split-tunnel VPN scenario to alleviate bandwidth constraints and trade-off security for performance. It also meant that no one was working in the branch office.

 

Many CISOs began looking at SASE solutions and their potential to quickly deploy a secure architecture to support a mobile workforce. They also took this time to reevaluate how their branch offices were deployed and secured.

 

These organizations started to look at whether SASE solutions might also be a fit for securing their branch offices. In some cases, organizations realized they no longer wanted to be in the “firewall business.” The constant care, feeding and refreshing of this equipment every three-to-five years no longer made business sense.

 

Palo Alto Prisma Access for Remote Networks
One of the solutions that these customers started looking at was Palo Alto Networks Prisma Access for Remote Networks. The constant configuring and managing endpoints at every branch office can become complex and the difficulty is compounded with each newly added branch office (and its specific mesh requirements). Utilizing Prisma Access for remote networks, a branch office is onboarded to the service via an IPSEC tunnel. This IPSEC tunnel on the branch office end can be established from any device that supports IPSEC connectivity, like an SD-WAN device or even on on-premise router. Once onboarded and established, all traffic from the remote branch can traverse through a Palo Alto Networks firewall in your dedicated Prisma Access environment.

 

What do I mean by “can”? Customers that have deployed an SD-WAN overlay for their internal branch office communications to possibly replace MPLS can onboard the SD-WAN device onto Prisma Access. They can then route all internet or SaaS-based application traffic through the SD-WAN device and through Prisma Access to have the same visibility and control of this traffic as they would with an on-premise Palo Alto Networks firewall. The only difference is this firewall lives in the Prisma Access cloud.

 

High Level Diagram

 

Image
branch_office_security_img1

 

Shared Management Model
Prisma Access follows a shared management model. This responsibility breaks out as indicated below.

 

As part of the service, Palo Alto Networks takes care of:

 

  • OS updates for the Prisma Access infrastructure
  • Guaranteeing the availability of the service
  • Automatically scaling the service when needed
  • Generating logs
  • Establishing full-mesh networking within the Prisma Access infrastructure, as well as secure internet access
  • Monitoring all the networking infrastructure within Prisma Access and providing status information
  • Deploying the Prisma Access networking infrastructure to support the remote network
  • Deploying the network infrastructure within Prisma Access to enable branch and mobile user access to your corporate network
  • Provisioning security processing nodes as needed to support your licensed Prisma Access services

 

 

The Home Office User

Another paradigm to consider is the “new” home office user. Many organizations are now considering a permanent or hybrid work-from-home (WFH) environment. One of the concerns with this is securing home users. Do I treat them as mobile users or as a branch office of one? A few things to consider:

 

  • What devices are used by this home user? Corporate laptop, corporate IP Phone, personal devices? Are there corporate devices that cannot run a client?
  • What do home user networks look like? Do they have appropriate secure wireless coverage?

 

If I wanted to treat this home user as a branch office of one, how would I securely connect him/her to the network? Backhaul all the traffic over a VPN tunnel from a device I can’t manage?

 

Palo Alto Networks now offers a home solution called Okyo Garde. This device provides powerful Wi-Fi 6 coverage, provides corporate Wi-Fi in the home while segmenting the home network and can also be onboarded to Prisma Access and managed via the Prisma Access Cloud Manager. Below is a high-level diagram showing how the corporate traffic would traverse and be secured by Prisma Access and the home user personal traffic would be protected by the Okyo Garde device.

 

Image
branch_office_security_img2

 

Okyo Garde provides new capabilities for visibility and control for both the user and the enterprise:

 

    Personal network

     

  • App-based management for the home office worker
  • Split networking keeping personal data private
  • Security coverage for all interconnected devices
  •  

    Corporate network

     

  • Enterprise SSID broadcast into the home with 802.1X authentication
  • Fully managed by the enterprise
  • Prisma Access provides a consistent policy across all connections

 

Organizations that have a large number of branch offices deployed with traditional firewall appliances providing north-south internet perimeter control and VPN connectivity for private application access now have another option. They may be looking to move away from a CapEx model, where they’re having to purchase/refresh, configure and deploy new branch firewalls every three-to-five years, to an OpEx model, where they consume this branch security as a service.

 

The pandemic has introduced us all to a much more extensive WFH model. Many organizations are thinking of these remote employees as branch offices of one. And as we know, home offices have a number of devices on the network that are potentially vulnerable to compromise and malware. Being able to segment these home networks with a device the corporate office can manage reduces risk for the organization and provides an additional layer of security.

Anthony Tanzi
Partner Architect-Palo Alto Networks-Strata | Optiv
Anthony Tanzi has more than 20 years’ experience in the networking and network security space. As a Partner Architect focused on Palo Alto Networks, Tanzi is responsible for Optiv’s pre-sales enablement and support to accelerate growth between Palo Alto Networks and Optiv in existing and new markets across the U.S. and Canada. This includes training and enablement of the pre-sales team as well as supporting them in pre-sales Palo Alto Networks conversations as well as assisting in proof of concepts, running Ultimate test drives, perform best practice assessments as well as being a technical sounding board for Optiv customers. Tanzi works directly with Optiv’s dedicated Palo Alto Channel SE to drive technical enablement as well as being an advocate for our customers. He is also focused on supporting Optiv’s post sale implementation team and working with marketing on Palo Alto specific campaigns.

Tanzi came to Optiv as part of the acquisition of the Philadelphia based integrator Comm Solutions in 2017. While at Comm Solutions for 10 years, Tanzi lead the Palo Alto Networks practice as a pre-sales engineer, post-sale implementation engineer, certified Palo Alto instructor as well as holding his own Palo Alto user groups and other marketing functions and support.

Tanzi is a member of Palo Alto Networks Cyberforce and was the first partner engineer to reach the highest level of “Cyberforce Hero” in the United States as well as being the first worldwide to be awarded “Ultimate Cyberforce Hero”.

Optiv Security: Secure greatness.™

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to more than 7,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.

Related Insights

Image
Third-Party Risk Challenges in Work-From-Home Environments_List-Section-Thumbail-Image_476x210

 

Third-Party Risk Challenges in Work-From-Home Environments

 

In this guest post, CyberGRX examines cyber attack vectors and offers advice on securing third-party relationships.

Image
TL_CAM-Week2-Image-Set_List-Section-Thumbail-Image_476x210

 

Work From Home Device Security

 

Optiv IoT expert John Bock walks us through a step-by-step process that safeguards you against 99% of the home network IoT threats you’ll face.

Image
remote-work-culture_list_476x210

 

Remote Work: Making the Culture Shift

 

Here are several tips that will help ease the transition to working at home.