Enforce Consistent Security Posture with VM-Series on AWS Snowball Edge


 

Blog written by Chintan Udeshi, Senior Product Manager at Palo Alto Networks, Girum Haile, Senior Solutions Architect at AWS Telco Business Unit and Harrison Holstein, Partner Solutions Architect - AWS Public Sector

 

 

We are excited to announce the availability of VM-Series on Amazon Web Services (AWS) Snowball Edge. With this integration, customers who use AWS Snowball Edge in offline edge environments for use cases such as image collation, logistics, IoT stream capture, and machine learning can now protect their data using Palo Alto Networks VM-Series and ensure a consistent network security posture for their applications running in AWS regions, on-premises, or at the edge.



Introducing AWS Snowball Edge and AWS Outposts 2U:

A few years back, Palo Alto Networks introduced the integration between Palo Alto Networks VM-Series and AWS Outposts. Recently, we extended VM-Series support to AWS Outposts 2U servers so that customers who need local data for faster processing and lower latency can use VM-Series to protect applications running on AWS Outposts. Outposts Server is a smaller, standalone server version of AWS Outposts, designed for locations with limited space or power requirements. It brings AWS infrastructure and services to edge locations or on-premises environments with specific constraints.

 

While AWS Outposts brings the AWS cloud infrastructure to on-premises and edge locations, certain customers need devices or servers that operate in extremely ruggedized environments with limited internet connectivity, such as construction sites, oil platforms, and critical pieces of tactical equipment used by the military. AWS Outposts and Snowball Edge both offer customers the advantage of using well-known AWS services and tools locally. For example, customers like being able to use familiar application programming interfaces (APIs) to manage the infrastructure running on Snowball Edge and Outposts, including Amazon Elastic Compute Cloud (EC2) instances and Amazon Simple Storage Service (S3) buckets, for their applications and workloads. Additionally, customers can now secure these applications with a consistent approach by employing the same Palo Alto Networks technology they are accustomed to using.

 

In the case of defense customers, the defense equipment used by the military collects large amounts of mission-critical and sensitive data while operating in the field, often in physically extreme environments. With Snowball Edge, such customers can quickly and securely copy, transfer, store, and access their data at the tactical edge even when their devices are completely isolated from the internet. It also allows customers to make real-time decisions, and migrate large amounts of data from anywhere to AWS for further processing and analysis. This enables them to migrate the data to the cloud, modernize their applications, and gain value from using cloud services and APIs. Depending on the requirements, customers can quickly build a cluster of Snowball Edge devices in DDIL (Denied, Disrupted, Intermittent, and Limited) environments to run workloads using a scoped subset of AWS services, even when disconnected. 

 

Zero Trust is a major focus, especially for US Federal customers, to improve their cybersecurity posture by ensuring they don’t introduce holes in their network security. A key component of Zero Trust is maintaining a consistent security posture irrespective of where applications are running or where users reside. That’s where Palo Alto Networks VM-Series comes into the picture. Palo Alto Networks VM-Series Virtual Next-Generation Firewalls support the same next-generation security and advanced threat prevention features available in our hardware firewalls, allowing you to protect your applications and data in on-premises networks, in the cloud, and at the edge.

 

(Figure 1.0 Palo Alto Networks VM-Series Next Generation Firewall sample Snowball Edge Architecture)

 

With VM-Series integration with AWS Snowball Edge, you can now enforce consistent network security irrespective of whether apps are running in AWS regions, AWS Outposts or AWS Snowball Edge devices. 

 

VM-Series will protect AWS Snowball Edge workloads in the following ways: 

 

  • Complete visibility: Gain full visibility into packet-level details for all network traffic going in and out of the device, including the ability to decrypt and inspect traffic
  • Meet compliance requirements: Organizations with compliance regulations, like the public sector, can leverage VM-Series to safely deploy applications to Snowball Edge while enforcing consistent security capability
  • Inbound protection: When the device is connected to the internet, identify and stop inbound attacks originating in the public-facing internet and connected networks
  • Outbound protection: When the device is connected to the internet, mitigate attempts at exfiltrating sensitive information by blocking connections to known bad destinations like command-and-control (C2) servers, and inspect the traffic for data patterns associated with sensitive data, such as credit card and Social Security numbers

 

The integrations with AWS Snowball Edge and Outposts 2U Servers are available today. Contact your Palo Alto Networks representative to learn more about securing your applications on the Edge. VM-Series Next Generation Firewalls (NGFW) are available through the AWS Marketplace.

 
