Enterprise Network Transformation to include Cloud and new Security

Network transformation from a legacy HQ POP and WAN architecture to a more modern public cloud and secure access architecture is an interesting project. It entails migrating connectivity and security to new solutions. I recently came across a job advertisement for such a transformation project. The Job advertisement had the following list:

• Build a resilient WAN environment in Megaport with Megaport Cloud Routers,
• Connect on-prem data centres in Equinix
• Megaport Cross Connects, migrate Azure ExpressRoute and AWS Direct Connect to Megaport.
• Migrate on-prem data centre Internet to an ISP peering with Megaport with DDoS protection and migrate zScaler GRE tunnels to new Internet link.

The above is the connectivity addition and migration towards the public clouds.

The job ad continues:

• Build physical Palo Alto firewalls for office locations and on-prem data centres (all in Sydney),
• Build Panorama management solution and integrate with all Palo Altos including the ones currently hosted in Azure regions.
• Redesign and build firewall policies with user-based firewall rules and Zero Trust Model.
• Build Prisma Cloud and Prisma Access environment and migrate forward proxy from zScaler to Prisma for users and servers.
• Build new RADIUS/NPS servers with Azure MFA and configure all network appliances to use these servers with RBAC policies and MFA prompt for admin privileges.

The above is the new secure access (SASE) solution work to be done – Secure Access Service Edge.  

And then the job ad lists:

• Decommission Imperva DDoS, zScaler, legacy Cisco and Juniper firewalls and routers.

There goes the old stuff. After the migration to public cloud and the SASE solution the previous network devices which aren’t needed are being decommissioned.

The skills required are listed as:

Primary Skills Required = Palo Alto (firewalls, Panorama, Prisma and Global Protect), Juniper SRX, Cisco Switching and Routing, Azure Networks, Citrix Netscalers (for load balancing and failover), Python scripting

Ancillary Skills Required = Splunk (syslog integration and queries), Azure automation, CI/CD with Azure DevOps Additional Skills Preferred = Megaport, RADIUS/NPS

These are the skills which the network engineer needs to carry out the transformation. Heaven knows how many will already have those as these transformations are a bit new.

Networking is transforming. This takes the enterprise’s network to the next generation of solutions available. The two key items are Public Cloud and SD-WAN based secure access. So the enterprise transforms to adapt to the new traffic flows and the new traffic patterns. Traffic patterns and flows which are different in terms of sources and sinks. They now include sinks/sources to be hosted in Azure or AWS (in addition to on-prem) and a remote workforce. These new dynamics also require a new security solution as well which is very much different from a simple firewall perimeter in the HQ POP earlier. Therefore and SDWAN based Security layer is added.

Copied:

Secure access service edge (SASE) is a network architecture that combines VPN and SD-WAN capabilities with cloud-native security functions such as secure web gateways, cloud access security brokers, firewalls, and zero-trust network access. These functions are delivered from the cloud and provided as a service by the SASE vendor.

Let’s now dig a bit deeper.

The first part is L3 routing BGP style and all of that related work. Given again here so that we can first divide and conquer the connectivity related items:

• Build a resilient WAN environment in Megaport with Megaport Cloud Routers,
• Connect on-prem data centres in Equinix
• Megaport Cross Connects, migrate Azure ExpressRoute and AWS Direct Connect to Megaport.
• Migrate on-prem data centre Internet to an ISP peering with Megaport with DDoS protection and migrate zScaler GRE tunnels to new Internet link.

Here is a good picture from Megaport documentation:

Source: https://docs.megaport.com/mcr/route-advertisement/

One thing to note is the BGP ASN numbers. The red are the Megaport Cloud Routers (MCR) and so MCR are a BGP hop with their own ASN. We are looking at BGP peering configurations between on-prem and the MCR and between the MCR and the public cloud. This means 4 BGP configurations. One in the on-prem device facing the MCR (firewall or router), another 2 on the megaport MCR one facing on-prem and one facing the public cloud, another 1 facing the public cloud.

This is in its simplest form. The figure shows more because there could be private subnetworks hosted with the public cloud. These might have separate BGP neighbourships. So for example multiple Azure VNETs. If there are multiple public clouds like both Azure and AWS then each will have separate routing configured at the MCR as well.

The job ad again:

• Megaport Cross Connects, migrate Azure ExpressRoute and AWS Direct Connect to Megaport.
• Migrate on-prem data centre Internet to an ISP peering with Megaport with DDoS protection and migrate zScaler GRE tunnels to new Internet link.

So new cross connects, new SFPs, new fibre optic cables and new port configs. Then migration cutover of traffic from ExpressRoute and Direct Connect to the MCR. This would be route changes. With the MCR Megaport all set up the next hops will be cut over for traffic to travel via megaport instead of the old express route etc. Any GRE tunnels will be reconfigured in a cutover change window too.

Now let’s move on to the newer security phenomenon which is securing the remote edge and devices.

For this part the job ad states:

• Build physical Palo Alto firewalls for office locations and on-prem data centres

This is simply a firewall rollout. Installation and integration into the network. Palo Alto documentation is the best friend. Some vendor help might be required which comes when you buy stuff.

Jod ad again:

• Build Panorama management solution and integrate with all Palo Altos including the ones currently hosted in Azure regions.

What is Panorama? Here it is:

Panorama is a centralized management system that provides global visibility and control over multiple Palo Alto Networks next generation firewalls through an easy to use web-based interface. Panorama enables administrators to view aggregate or device-specific application, user, and content data and manage multiple Palo Alto Networks firewalls—all from a central location.

So it’s a GUI. A centralized Management Server. Therefore it is a software application which will need to be installed on a VM or a server. It will need to be configured to add all the Palo Alto firewalls rolled out above. The GUI/Server will need to be added to the network and assigned an IP and it will need IP level connectivity to each firewall to administer it.

Moving on another part of the job ad:

• Redesign and build firewall policies with user-based firewall rules and Zero Trust Model.
• Build Prisma Cloud and Prisma Access environment and migrate forward proxy from zScaler to Prisma for users and servers.

What is Prisma Access?

Prisma Access provides a network of cloud-based next-generation security gateways that secures traffic. Mobile workforces are distributed around the world, and Prisma Access for mobile users establishes points of presence for them to use.

Prisma Access works together with the GlobalProtect agent/app on laptops and mobile devices. When a remote user has internet connectivity, the GlobalProtect app locates the best gateway available for the user’s location and sets up an IPsec/SSL VPN tunnel. All traffic passes through Prisma Access.

Therefore we can say that it is a secure gateway solution for the remote and mobile workforce. The zscaler for each remote worker.  In essence it appears to be an enforcement point where a client on the devices sends traffic to Prisma Access and then Prisma Access secures it. It will use SD-WAN and application level access policies under the hood.

Prisma Access brings protection closer to users so traffic doesn’t have to back-haul to headquarters to reach the cloud. Prisma Access ensures Zero Trust Network Access (ZTNA) with service and application-specific access controls.

I think practically this will require proxy connectivity configurations to be put in place and for policies to be added and removed via Palo Alto management portal. From looking at the Palo Alto documentation on configuring Prisma Access it appears it has mobile devices onboarding, Panorama connectivity onboarding amongst other things.   

What is Prisma Cloud ?

Prisma Cloud is the industry’s only comprehensive Cloud Native Security Platform (CNSP) that delivers full lifecycle security and full stack protection for multi- and hybrid-cloud environments.

Cloud Security Posture Management (CSPM) Prisma Cloud provides:• Visibility, compliance, and governance» Cloud asset inventory» Configuration assessment (runtime)» Compliance monitoring and reporting » Infrastructure-as-code (IaC) configuration scans (IDE, SCM, and CI/CD)• Threat detection» User and entity behavior analytics (UEBA)» API-based network traffic visibility, analytics, and anomaly detection» Automated investigation and response

Cloud Infrastructure Entitlement Management – Prisma Cloud provides:• Permissions visibility• IAM governance• Automated response• User and entity behavior analytics (UEBA)

Prisma Cloud seems to be a cloud access security point. A developer, development environment and application security checking point. So whereas Prisma Access was securing the remote workforce the Prisma Cloud secures the cloud deployment by checking the users and entities accessing the servers in the public cloud. The Entitlement Management is a high priority thing for the public cloud where it is functioning as an Identity and Access Management permissions checking point.  From the above it is also doing IaC config scans.

I think practically this is also a GUI based users, account, permissions addition and removal. There are accounts and groups and roles and policies to make. It is like the Active Directory or Cisco ISE of the public cloud security.

Job ad again:

• Build new RADIUS/NPS servers with Azure MFA and configure all network appliances to use these servers with RBAC policies and MFA prompt for admin privileges.

What is this about:

The Network Policy Server (NPS) extension for Azure AD Multi-Factor Authentication adds cloud-based MFA capabilities to your authentication infrastructure using your existing servers. With the NPS extension, you can add phone call, text message, or phone app verification to your existing authentication flow without having to install, configure, and maintain new servers.

The NPS extension acts as an adapter between RADIUS and cloud-based Azure AD Multi-Factor Authentication to provide a second factor of authentication for federated or synced users.

So this is a security 2 factor authentication setup for the network nodes. It uses Radius protocol for the user/permissions exchange. An extension appears to be requiring installation and here again I think users and roles and permissions and accounts will need to be setup or perhaps they will be integrated from AD.  

That’s it. A two part work required to connect to the public cloud and to put in a new security solution. One part needs BGP routing and network configs. Another part needs firewall deployment and policies and users administration. Enterprise Transformation done right.