Prisma Access: How it Fits into your Environment
What is Prisma Access?
At its core, Prisma Access is firewall as a service, or a firewall at scale. If you come from a traditional firewall background, it helps a lot to think of it that way rather than as a fully abstract concept. The pandemic pushed many companies to a hybrid workforce, which let them hire talent across the globe but also forced them to work out how to bring all those users into the corporate network. While many applications have moved to a SaaS model, letting users connect directly to a cloud-hosted app, there is still a large need to be connected to the corporate network at large. This is where Prisma Access shines: it brings you connectivity and security at scale without spreading your usual infrastructure across the country or the world. You can move the connection point for your users much closer to where they are, whether at home or traveling.
What does it do?
You have likely seen many options in the SASE space from different vendors, all claiming the same thing: "We can securely connect your users to either the office or the internet." There is a large difference in how these companies accomplish that. Prisma Access offers several of these connection options to its customers, such as VPN, proxy, and browser-based connections. I want to focus on the difference between VPN and proxy-based connections for users. An explicit web proxy only secures the traffic the client hands to it, which in practice means HTTP on port 80 and HTTPS on port 443. That leaves a gaping hole in your security envelope: nothing inspects or acts on traffic traversing any of the other 65,533 ports. Most of those ports are available for software to reach another device, whether on the internet or the local network. If you cannot see the traffic, you cannot act on it. A VPN is your most secure option here, because you wrap the entire traffic landscape inside the tunnel and send it to a firewall or security device that inspects it and makes decisions based on what it sees. VPN has been in use for decades, and it is still the most secure approach. Where its limitations come into play is the physical hardware and where that hardware is geographically located. This is where SASE, and more specifically Prisma Access, can bring a solution that grants major quality-of-life improvements for your users as well as your IT teams.
How does it work?
With Prisma Access you keep that much more secure VPN connection but decouple it from the physical hardware and its location limitations. Prisma Access is built on virtual infrastructure hosted in AWS and GCP. It is licensed by user count for mobile users and by bandwidth for remote networks, so you buy what you need rather than worrying about right-sizing the underlying infrastructure. If you have 500 users and you want to turn on decryption for their web traffic, you can do so without thinking twice about resources: Prisma Access dynamically spins up more processing nodes to handle the load, with none of the capacity planning you would need for physical hardware. On top of not over-subscribing your hardware, you also get Prisma Access's other standout feature: users connect to the point of presence (PoP) closest to them, and from there the traffic rides the AWS/GCP private backbone back into the Prisma Access fabric, which generally gives much better throughput and latency than traditional internet routes.
Remote Networks is another way to use Prisma Access. It lets you use any hardware you like, as long as it can build an IPsec tunnel, to bring any remote location onto the Prisma Access fabric with full security capabilities. The major benefit is that you can use much cheaper direct internet access (DIA) circuits while keeping security and connectivity to your larger corporate network. With this feature you can quickly add a new site, have it fall right into the security policy design you have already built, and be up and running far faster than was previously achievable.
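As an added example (not from the original post and not Palo Alto Networks' own material), here is what "any hardware that can build an IPsec tunnel" looks like in practice: a route-based IKEv2 tunnel from a Linux strongSwan box at a branch toward a Prisma Access remote network, written as a swanctl.conf. The addresses, the branch identity, the branch subnet, the XFRM interface id and the cipher proposals are all assumptions; the real service IP, pre-shared key and IKE/IPsec crypto settings are the ones shown during remote network onboarding in Panorama, and the branch prefix must match what you configure there.

```conf
# /etc/swanctl/swanctl.conf  (added example; every value below is a placeholder)
connections {
    prisma-remote-net {
        version = 2                     # Prisma Access remote networks support IKEv2
        local_addrs  = 198.51.100.2     # branch DIA circuit public IP (assumed)
        remote_addrs = 203.0.113.10     # Prisma Access remote network service IP (assumed)

        # IKE proposal: must match the IKE crypto profile chosen during onboarding
        proposals = aes256gcm16-prfsha384-ecp384

        local {
            auth = psk
            id   = site1@example.com    # UFQDN local ID entered in the onboarding form (assumed)
        }
        remote {
            auth = psk
            id   = 203.0.113.10         # peer ID defaults to the service IP unless you set one (assumed)
        }

        children {
            branch-to-prisma {
                # Route-based tunnel: 0/0 selectors on both sides, routing decides what enters it.
                # Prisma Access learns the branch prefix (10.10.0.0/16 here) from the static
                # route or BGP configured at onboarding, not from these selectors.
                local_ts  = 0.0.0.0/0
                remote_ts = 0.0.0.0/0

                # ESP proposal: must match the IPsec crypto profile chosen during onboarding
                esp_proposals = aes256gcm16-ecp384

                # Bind the SA to XFRM interface id 1 so it behaves like a VTI:
                #   ip link add ipsec0 type xfrm dev eth0 if_id 1
                #   ip link set ipsec0 up
                #   ip route add 10.0.0.0/8 dev ipsec0     # corporate prefixes behind Prisma Access
                if_id_in  = 1
                if_id_out = 1

                start_action = start    # bring the tunnel up at load, not on first packet
                dpd_action   = restart  # re-establish if the Prisma Access side stops answering
                rekey_time   = 1h
            }
        }
        dpd_delay = 30s
    }
}

secrets {
    ike-prisma {
        id-1   = site1@example.com
        secret = "REPLACE-WITH-THE-PSK-FROM-REMOTE-NETWORK-ONBOARDING"
    }
}
```

After `swanctl --load-all`, the check a practitioner wants is `swanctl --list-sas`: you should see one IKE_SA to the service IP with the proposal you configured and one CHILD_SA with 0.0.0.0/0 selectors. If the IKE_SA never forms, the usual cause is a mismatch between these proposals and the crypto profile selected in Panorama, not the tunnel logic itself.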
Prisma Access has the features needed to support Zero Trust Network Access (ZTNA) for your infrastructure. By using GlobalProtect as the connection point into the fabric, you get authentication on a per-user basis, and the agent can also report device posture through Host Information Profile (HIP) checks. You then build policies as you would on a traditional Palo Alto firewall, matching on user, application, and device state rather than just source IP, and attach security profiles for detection and blocking. The zero-trust part lives in those rules, not in the tunnel: a VPN that drops every authenticated user into a flat network behind an allow-any rule is not ZTNA, however it is delivered.
Conclusion
Prisma Access is the next evolution of network security in a very dynamic and ever-changing landscape. It is not something to fear, and it can complement your already diverse environment. You can decouple your remote workforce needs from the needs of your corporate environment, allowing you to scale them separately and save money where it can be saved, all while keeping the option of an extremely secure environment and the speed and quality of life your users are now accustomed to. No longer will you be dealing with "Do we need to use the VPN? It's always so slow I can't get my work done." You can have your cake and eat it, too.