06-16-2022 10:07 AM - edited 06-30-2022 09:55 AM
Ask your questions now through June 30 as the LIVEcommunity Cyber Elite Experts will be available in a Q&A session for an opportunity to learn, join in, ask questions, and meet our experts! The Ask Me Anything (AMA) Event will be an opportunity to ask our Cyber Elite Experts questions about a range of technologies, solutions, and how they can help you find what you need.
To participate in this event, please use the Reply button below to ask your questions. Come back on Thursday, June 30 from 8 a.m. to 10 a.m. PT to join the event as our experts answer your questions!
Please be sure to click Like if a post is helpful to you and to "Accept as Solution" to let everyone know that the answer to your question hits the mark!
Want to learn more details about the event? Check out this article.
06-30-2022 09:41 AM
Hello Cyber Elite Experts,
Your posts are extremely helpful.
My question: What is the best way to connect with peers in this community? How do you connect and stay connected?
Thank you for all you do to help the community!
Hello @AVaidya1 ,
I start off by asking those in the local area and see what groups are around. Internet searches are also a good method. BSides is a good example of a group that is local. Also the Fuel user group has local chapters, https://www.fuelusergroup.org/. I try and follow some Twitter folks, but it's tough at times to muddle through the minutiae. Once you break into one of the groups, ask around to see what other groups are in the area or that others follow. Black Hills Infosec is a company that puts on a conference and has weekly/daily free videos related to security, etc. They also have Discord channels you can join and chat around. There are many out there, I hope this gives you a bit of a start.
06-30-2022 09:57 AM
I would like to ask Cyber Elite members their suggestion/opinion/advice how to approach a network segmentation in an organization with below scenario:
- 100+ sites (mixture of MPLS L2 VPN, MPLS L3 VPN, DMVPN).
- up to 1500 servers globally.
- Mixture of on-prem Data Centers with 100G DCI and also all major Public Cloud Providers.
- Different business units, some of them with a strict change control and reluctant to make changes.
Would you opt for hw or sw based segmentation / micro segmentation?
Thank you in advance!
BTW, because of time zone, I will not be able to attend live, but would still love to hear from you.
Hello @PavelK ,
That's an easy one, kidding of course 😉. The bigger the company, the more 'it depends' the answers are. Obviously I would recommend Palo Alto devices at all the sites and have as much traffic flow through them as possible. One thing I know companies are shying away from is VPNs. That is my biggest pet peeve since they are tried and true, thanks marketing 😉, not saying Prisma is not worth it. If you use a Palo Alto then you can achieve zero trust for your endpoints. All traffic between the end users' machines is encrypted, logged, analyzed, so proxies are taken care of and zero trust on the endpoint. This is also true for the inside of your network: instead of allowing whatever device connects to your network to be allowed access, only allow limited access to the internet and have all users VPN in. Now you have NAC (posture validation of endpoints so no one sneaky can VPN in with a non-corp asset) and zero trust to other workstations and servers. This makes your compliance a lot easier and there is no additional need for additional products, additional proxies or NAC products. I'm a huge fan of maximizing what you already have or using one technology to do it all, well almost :). Best part to get the execs to go for it, cost savings 😁, less purchasing, etc.
The servers are the toughest, but you can group them by feature and put them into VLANs anchored at the PAN so you can put policies on what can flow in and out.
Definitely a long roll out, but once you have the overall vision of what you want it to look like, it's just a matter of rolling up your sleeves and getting to it. Sorry, no easy button ☹️.
Hope this helps. I love talking and thinking about this stuff, so feel free to keep adding specifics to the post and let the community chime in!
06-30-2022 01:14 PM
That's a tough one. So ...
Wherever possible I would use VM-Series firewalls for the segmentation. You simply have more flexibility with the sw based approach than with hw. In case you need more throughput you simply extend the HA to an HA cluster with up to 16 nodes per cluster. Of course if you need 100G throughput for single sessions, then there is no other option than the big HW firewalls from Palo Alto.
For a recommendation for the rest of the situation I would need some more information. As there are quite a few locations with different MPLS lines, I assume there is no additional internet access at these locations and all traffic including internet traffic needs to go to HQ. This makes it easier as you have fewer firewalls to control. Also here it really depends on the security requirements of the company. From routing all locations together up to separating even different subnets at these locations, there is more than one recommended setup - it all depends on the budget and the security requirements.
Regarding the different business units: if there are such different units I would make sure that their systems are located behind dedicated firewalls so unit A will not have access to unit B. In order to keep at least some control I would recommend using Panorama with pre rules, and the units only have access to post rules or only rules local on the firewall. With that you at least have some control with a company policy.
At least on prem I would go the "old" way with the network segmentation and not do micro segmentation, as I think in a lot of cases there is no need to have everything sent over a firewall. Of course it is also for blocking connections as near as possible to the source systems, but this can be done easily with the host firewalls or with Cortex XDR, which has even way more advantages regarding the security standard in your network.
With more information about the requirements the answer might be better if you ask the live community, but this can be time-intense for the ones that reply to questions here - but we are all in this together and happy if we can help. I hope you are not disappointed with the answer.
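The pre rule / local rule / post rule layering described in the answer above is what keeps a business unit's locally managed rules from overriding a company-wide policy. The following is an added example, not code from the thread or from Palo Alto Networks: a small simulator of PAN-OS rulebase evaluation (Panorama pre-rules, then the firewall's local rules, then post-rules, then the built-in intrazone-allow / interzone-deny defaults, first match wins). The zone names, rule names and App-IDs in it are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class Rule:
    name: str
    src_zone: str   # zone name or "any"
    dst_zone: str   # zone name or "any"
    app: str        # App-ID name or "any"
    action: str     # "allow" or "deny"

    def matches(self, src_zone: str, dst_zone: str, app: str) -> bool:
        return (self.src_zone in ("any", src_zone)
                and self.dst_zone in ("any", dst_zone)
                and self.app in ("any", app))

@dataclass
class Firewall:
    # Panorama pushes pre and post rules; the business unit only edits local rules.
    pre: List[Rule] = field(default_factory=list)
    local: List[Rule] = field(default_factory=list)
    post: List[Rule] = field(default_factory=list)

    def evaluate(self, src_zone: str, dst_zone: str, app: str) -> Tuple[str, str]:
        """Return (action, 'rulebase:rule-name') for the first matching rule."""
        for where, rules in (("pre", self.pre), ("local", self.local), ("post", self.post)):
            for rule in rules:
                if rule.matches(src_zone, dst_zone, app):
                    return rule.action, f"{where}:{rule.name}"
        # Default rules: same-zone traffic is allowed, cross-zone traffic is denied.
        if src_zone == dst_zone:
            return "allow", "default:intrazone-default"
        return "deny", "default:interzone-default"

def build_unit_a_firewall() -> Firewall:
    """Constructed sample: company policy in pre/post rules, unit A owns the local rules."""
    fw = Firewall()
    fw.pre = [Rule("corp-block-unit-b", "unit-a", "unit-b", "any", "deny"),
              Rule("corp-allow-siem", "any", "mgmt", "syslog", "allow")]
    # Unit A tries to punch a hole to unit B locally; the pre rule above wins first.
    fw.local = [Rule("unit-a-to-unit-b", "unit-a", "unit-b", "any", "allow"),
                Rule("unit-a-web", "unit-a", "internet", "web-browsing", "allow")]
    fw.post = [Rule("corp-allow-dns", "any", "dns-zone", "dns", "allow")]
    return fw

if __name__ == "__main__":
    fw = build_unit_a_firewall()
    for flow in [("unit-a", "unit-b", "ssh"), ("unit-a", "internet", "web-browsing"),
                 ("unit-a", "dns-zone", "dns"), ("unit-a", "unit-a", "smb"),
                 ("unit-a", "internet", "ftp")]:
        print(flow, "->", fw.evaluate(*flow))
```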
06-30-2022 03:20 PM
Many thanks for your valuable input @SteveCantwell @OtakarKlier @vsys_remo
Definitely, your answers are not disappointing! Your thoughts on this help me 😀
07-01-2022 10:16 AM - edited 07-01-2022 10:28 AM
Thanks @SteveCantwell, as I had an emergency call to join the session at the last moment. @darrin.goodman I also think the firewalls may also need an upgrade, not only GlobalProtect, as the issue with Linux was that GlobalProtect on Linux did not like the firewall using "unsecure renegotiation" if I remember, so the firewalls can also be upgraded, and maybe if nothing helps try also switching to IPsec if the VPN is using SSL.
How to detect when Global Protect client fails to establish IPS... - Knowledge Base - Palo Alto Netw...
07-01-2022 10:20 AM
I am sorry that I did not manage to join the conversation, but I had an emergency call for an issue (you know how it is in the IT world 🙂). I still will be glad to answer the question that should have been assigned to me if no one answered it, and to see a recording of the session.
07-01-2022 10:43 AM - edited 07-01-2022 10:58 AM
As @SteveCantwell mentioned Prisma Access, they now have the nice option for inbound applications that does not need an on-prem firewall for every site where you have public Internet applications, as most SASE offerings don't have that. Still, for your big setup on some big Data Centers you will probably need on-prem firewalls for the public applications, so I see it as Steve mentioned, with better going with Prisma Access Panorama Managed than Cloud Managed Prisma Access, which does not support on-prem firewalls. Also Prisma Access has a new ZTNA broker/agent that could be a better way to build the IPsec tunnels to the Prisma Access cloud than on-prem router/firewall IPsec/GRE tunnels, but you can book a free Palo Alto Virtual Hands-on Workshop for Prisma Access and see it for yourself, as Palo Alto has many free workshops/trials/demos on their site.
Provide Secure Inbound Access to Remote Network Locations (paloaltonetworks.com)
Also for zero trust east-west server traffic @PavelK can consider Prisma Cloud in some cases, especially containers and Kubernetes, or the Palo Alto CN-Series firewall, but better compare to see which is better, as I had asked this question before and I got help in this same forum. Basically, as I see it, Prisma Cloud is better at filtering the access between containers and processes with its machine learning (the so-called zero trust), while the CN-Series firewall is a firewall in a container that does more scanning like malware on already allowed traffic, and on YouTube there are a lot of videos by the Palo Alto LIVE channel.
Solved: LIVEcommunity - Does Prima Cloud install agents on the kubernetes containers or it uses the ...