If you're a Network Engineer, it's pretty much a given that you've come across the term SASE recently. Haven't heard of it? Well, you might want to crawl out from under that rock :) Those of you who keep an eye on Gartner's Magic Quadrant will know that Palo Alto's Prisma Access is currently positioned as a leader for single-vendor SASE.
But the big question is: is Prisma Access SASE the right choice for you? Just because SASE is the latest trend everyone's talking about doesn't automatically mean it's the best fit for every scenario. Let's dive in and find out.
When Prisma Access Might Be the Best Fit
Before I dive into this, let me be clear: this is purely my take, based on my experience of using Prisma Access for a while now.
Let's picture a hypothetical company, 'Bakery Co.' This is a bakery chain that's really taking off. They've got their HQ in London and a few data centers spread across Europe and the USA. Their bakery items are a hit, and they're expanding, and opening offices globally. They have over 300 bakeries and more than 50 branch offices worldwide, with each office typically housing 50 to 100 employees.
Now, imagine the challenges they face. Think about having to install a Next-Generation Firewall (NGFW) at each bakery or branch office, applying consistent security policies across all sites, and then connecting each site back to the backbone network so that every site can reach the others and the data centers. Keeping 350+ sets of policies, software versions and content updates in sync is a tremendous task. And that's not even considering the need to provide VPN connectivity for remote users working from different corners of the globe.
This is where Prisma Access truly comes into its own. All you need at each site is an IPsec-compliant device that can bring up an IPsec tunnel back to Prisma Access. You could use an old ASA, a Meraki MX firewall, or anything similar; the on-site box only has to terminate the tunnel, because the security policy, threat inspection and logging all live in Prisma Access. You then tunnel all of the site's traffic to Prisma, where the inspection happens, and from there the traffic egresses to the Internet or to any of your internal services. Two practical points: the IKE and IPsec proposals on the site device have to match the template configured for that remote network in Prisma Access, or the tunnel simply won't establish, and once you send a 0.0.0.0/0 traffic selector into the tunnel there is no local Internet breakout, so everything, including SaaS and software updates, hairpins through Prisma Access.
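As an added example (not configuration from the original post, and not Palo Alto's own documentation), here is what the site side of that tunnel looks like if the "any IPsec-compliant device" is a Linux router running strongSwan. The addresses, IKE identities, subnet and pre-shared key are placeholders; the cipher proposals are an assumption and must be set to whatever IKE/IPsec template the remote network was created with in Prisma Access.

```conf
# /etc/swanctl/swanctl.conf  (strongSwan, swanctl-style configuration)
# Assumed values: 203.0.113.10 is the branch router's public IP,
# 198.51.100.20 is the Prisma Access service IP for this remote network,
# 10.20.0.0/24 is the branch LAN. All are placeholders.
connections {
    prisma-access {
        version      = 2                  # IKEv2
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.20
        local {
            auth = psk
            id   = branch-london-01@example.com   # IKE ID; must match what Prisma Access expects
        }
        remote {
            auth = psk
            id   = 198.51.100.20
        }
        children {
            full-tunnel {
                # Send everything through the tunnel: Prisma Access does the
                # inspection and egress for Internet and internal destinations alike.
                local_ts  = 10.20.0.0/24
                remote_ts = 0.0.0.0/0
                esp_proposals = aes256gcm16-ecp256   # assumption: match the IPsec template in Prisma Access
                start_action  = start                # bring the CHILD_SA up at load time
                dpd_action    = restart              # re-establish if the peer stops answering DPD
            }
        }
        proposals  = aes256-sha256-ecp256            # assumption: match the IKE template in Prisma Access
        dpd_delay  = 10s
        rekey_time = 8h
    }
}

secrets {
    ike-prisma {
        id     = branch-london-01@example.com
        secret = "REPLACE-WITH-THE-PSK-FROM-PRISMA-ACCESS"   # placeholder
    }
}
```

After `swanctl --load-all`, `swanctl --list-sas` should show the IKE_SA and the `full-tunnel` CHILD_SA as ESTABLISHED/INSTALLED. The check that matters for security is then done from a host on the branch LAN: the source address an external service sees for that host must be a Prisma Access egress IP, not the branch router's own public IP. If it is the branch IP, traffic is leaking around the tunnel and is not being inspected.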
For those who prefer a more straightforward approach, Palo Alto's Prisma SD-WAN ION devices are an excellent choice. They automatically onboard sites to Prisma Access, making the setup about as simple as configuring a Meraki device (for those of you who are familiar with that).
Prisma's 'Mobile Users' is another great feature. It lets remote users connect securely to Prisma Access through the GlobalProtect agent. Say you've got remote users in the USA and Europe. Simply create two gateways (again, the gateways/firewalls are fully managed by Palo Alto and deployed in AWS/GCP), one in each region. When users connect, they are steered to the gateway closest to them, giving a smoother and faster connection. You manage all security policies in one place, so the policy a user gets is the same regardless of where they are connecting from.
When Prisma Access Might Not Be the Best Fit
Now, let's consider a different kind of enterprise. Imagine one with a main head office, a couple of data centers, and a few branch offices. Each HQ and branch office is bustling with over 500 users. In this setup, robust connectivity back to the data centers is critical. Uptime isn't just important; it's the backbone of the business. You simply can't afford any outages. Additionally, suppose the remote users work from just one or two locations.
In a scenario like this, Prisma Access may not be the optimal choice. Why? Well, once a branch has several hundred to a thousand users, it makes more sense to have an on-site Next-Generation Firewall (NGFW). You can still use Prisma Access, but why would you want to send all that traffic to the cloud when you can inspect it on-site? And think about the failure domain: if Prisma Access has an outage, or the site's tunnel to it drops, do you want to take the risk of losing access to critical internal services? If you do go this route at a large site, plan for it: a secondary tunnel, and a decision made in advance about whether the site fails closed or falls back to local policy.
In conclusion, whether Prisma Access SASE is the right fit for you really depends on your specific network environment and business requirements. If you're rapidly expanding with many small sites across the globe, it offers a straightforward, centralized security solution. However, for larger, more centralized enterprises with critical uptime requirements and existing on-site security measures, it may not be the most suitable choice. As with any technology decision, it's all about evaluating your own situation and making the choice that best aligns with your needs.