SD-WAN is a software-defined approach to managing the WAN by decoupling the control plane from the data plane. With SD-WAN, IT can deliver routing, threat protection, efficient offloading of expensive circuits, and simplification of WAN network management.
Today we will talk about the Palo Alto Networks Prisma SD-WAN solution, which was formerly known as CloudGenix.
The key design principles of the solution are:
1. Enable high-frequency key rotation (hourly) at a network level for large-scale full-mesh, partial-mesh, or hub-and-spoke VPN networks
2. Unique encryption keys per tunnel
3. Session keys seen only by respective tunnel endpoints. Specifically, the controller should not have any visibility into data plane session keys.
4. If the controller becomes inaccessible, endpoints should still be able to rotate keys without degradation.
5. Data plane to be completely isolated from the Controller
6. The ability to authorize or revoke a device's access to a customer network should be controlled centrally.
7. All security and network connectivity policies should be centrally managed and controlled.
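The following is an added toy model of design principles 1 to 5, not Prisma SD-WAN code: each tunnel gets its own key, the key rotates every hour because it is derived from the current time epoch, and only the two tunnel endpoints can compute it because the derivation needs a private value that never leaves the device. The controller in this model holds identities and public values only, and no controller round trip is needed to rotate. The Diffie-Hellman group is toy-sized and every class and function name is this example's own.

```python
"""Toy model of per-tunnel, hourly-rotating session keys that the controller
cannot see.  Added illustration of the design principles above, not the
Prisma SD-WAN protocol; group parameters are toy-sized and labelled as such."""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group: 2^127 - 1 is prime but far too small for real use
# (a production stack would use X25519 or an RFC 3526 MODP group).
P = (1 << 127) - 1
G = 5
ROTATION_SECONDS = 3600          # principle 1: rotate every hour
KEY_BYTES = 32                   # 256-bit key, sized for AES-256 on the fabric


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = KEY_BYTES) -> bytes:
    """RFC 5869 HKDF (extract then expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class Endpoint:
    """One ION device's side of the fabric.  The private DH value never leaves
    the device, so neither the controller nor any third device can derive the key."""

    def __init__(self, device_id: str):
        self.device_id = device_id
        self._priv = secrets.randbelow(P - 2) + 1   # private, never exported
        self.pub = pow(G, self._priv, P)            # the only value ever shared

    def session_key(self, peer_id: str, peer_pub: int, now: int) -> bytes:
        """Key for the tunnel to `peer_id` during the hour containing `now`.
        Only local state and the clock are used, so rotation keeps working
        while the controller is unreachable (principle 4)."""
        shared = pow(peer_pub, self._priv, P).to_bytes(16, "big")
        epoch = now // ROTATION_SECONDS
        # Sort the pair so both ends build the same label; the label makes the
        # derived key unique per tunnel (principle 2).
        label = "|".join(sorted((self.device_id, peer_id))).encode()
        return hkdf_sha256(shared, salt=epoch.to_bytes(8, "big"),
                           info=b"sdwan-tunnel|" + label)


class Controller:
    """What the controller holds in this model: device identities and public
    values only (principle 3: no visibility into data-plane session keys)."""

    def __init__(self):
        self.public_values: dict = {}

    def register(self, endpoint: Endpoint) -> None:
        self.public_values[endpoint.device_id] = endpoint.pub


def full_mesh_keys(endpoints: list, now: int) -> dict:
    """Derive every tunnel key in a full mesh and check that both ends agree."""
    keys = {}
    for i, a in enumerate(endpoints):
        for b in endpoints[i + 1:]:
            k_ab = a.session_key(b.device_id, b.pub, now)
            k_ba = b.session_key(a.device_id, a.pub, now)
            if k_ab != k_ba:
                raise RuntimeError(f"key mismatch on {a.device_id}<->{b.device_id}")
            keys[(a.device_id, b.device_id)] = k_ab
    return keys


if __name__ == "__main__":
    ions = [Endpoint(f"ion-{n}") for n in "abc"]
    ctl = Controller()
    for ion in ions:
        ctl.register(ion)
    t0 = 1_700_000_000   # constructed timestamp
    for pair, key in full_mesh_keys(ions, t0).items():
        print(pair, key.hex()[:16], "...")
    print("controller holds only:", list(ctl.public_values))
```

Running it for three devices prints three distinct tunnel-key prefixes; calling `full_mesh_keys` with a timestamp one hour later yields a completely different set, while the controller's state contains nothing but device IDs and public values.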
The key components of the Prisma SDWAN solution are:
- Controller
- ION Devices
- ION Fabric
Function of the controller:
Within the Prisma SD-WAN security architecture, the controller is the single source of truth for policy configuration as well as for network topology and connectivity. The following services are provided by the controller:
● Northbound Services – For secure, authenticated RESTful API access from 3rd party applications to the controller
● Southbound Services – For secure access from Prisma SD-WAN ION to the controller.
With the help of the Prisma cloud-based controller, you can centralize routing policies and build a network with multiple WAN paths. The paths can use various kinds of links, such as MPLS, VPLS and Internet. Automation is the main game changer in an SDWAN solution: WAN configuration can be pushed to ION devices at a branch or data center through APIs. This gives you a centralized point of administration for policy and applications, along with rich network analytics.
The Controller enables secure, automated virtual private network (VPN) tunnels through zero touch provisioning.
ION Devices:
The Prisma SDWAN customer edge device is called an "ION device". ION devices are capable of combining WAN networks such as MPLS, LTE and Internet links into a single high-performance hybrid WAN infrastructure. An ION device can be a physical or virtual device that serves as a forwarding element, based on commodity x86 hardware, at a branch.
Note: ION stands for Instant-On Networks
Mode of Operation:
There are two modes of operations for Prisma SDWAN solution, Analytics mode and Control mode.
Analytics mode: In Analytics mode, we install an ION device into a greenfield or brownfield branch site, placing it between a WAN edge router and a LAN switch. The ION device monitors traffic and collects analytics that are reported to the Prisma SDWAN portal.
When sites are in analytics mode, the ION devices do not apply policies or make path selection decisions for applications. In this mode, a data center site is not required.
Control mode: In Control mode, we install an ION device into a greenfield or brownfield branch site, either replacing the WAN edge router with the ION device or placing the ION device between a WAN edge router and a LAN switch.
When the site is in control mode, the ION device at the branch dynamically builds secure fabric VPN connections to all data center sites across all WAN paths, so a data center site is required. The ION device also monitors traffic and collects analytics that are reported to the Prisma SDWAN portal.
ION Device Claim Process
When an ION device is purchased by an end customer, and before it is shipped to them, a device-specific MIC (Manufacturer Installed Certificate) is installed on the device and registered to the customer. The uniqueness of the MIC is based on the serial number of the device. At this point, the device is both UNCLAIMED and UNTRUSTED, with no ability to join a customer network.
Once the device is received at the customer location, installed and powered on, it will reach out to the controller over any available connection. The device and controller mutually authenticate and establish a TLS 1.2 session using the installed MIC. At this point the ION device is in an effective "quarantine" state: it has no ability to receive policy information from the controller, to communicate with other ION devices on the network, or to make any policy decisions. The device will show up in the customer's "unclaimed inventory list" on the controller.
At this point the customer can CLAIM the device via the controller. When CLAIMING the device, the controller generates a unique device ID for the device, generates a device-specific CIC (Customer Installed Certificate), and registers the unique device ID and CIC in the controller. The CIC is then transmitted to the device over the existing TLS connection on port 443. The TLS 1.2 session is then re-established between the device and the controller using the newly installed CIC. At this point, the device is not yet participating in the network. In order to participate in the network, policies need to be attached to the device (via site binding) and any relevant device-specific configuration needs to be applied to the device via the controller UI. Once the device configuration and policy assignment are complete, the device establishes VPN tunnels to other ION devices and can start forwarding data as per the defined policies.
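As an added illustration of the claim lifecycle just described (this is not Prisma SD-WAN code), the model below tracks which certificate a device presents (MIC before claiming, CIC after), which state it is in, and which actions each state refuses: a quarantined device cannot receive policy, only a claimed and site-bound device can build fabric tunnels, and central revocation (design principle 6) takes a device out of the fabric again. The state labels, the `dev-` ID format and all class and function names are this example's own assumptions.

```python
"""Model of the ION device claim lifecycle: UNCLAIMED -> QUARANTINED (MIC)
-> CLAIMED (CIC) -> ACTIVE (site-bound) -> REVOKED.  Added illustration, not
Prisma SD-WAN code; all names and state labels are this example's own."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import secrets


class ClaimError(Exception):
    """Raised when an action is attempted in a state that does not allow it."""


@dataclass
class Cert:
    kind: str      # "MIC" (tied to the serial) or "CIC" (tied to the device ID)
    subject: str


@dataclass
class IonDevice:
    serial: str
    state: str = "UNCLAIMED"
    cert: Optional[Cert] = None
    device_id: Optional[str] = None
    site_id: Optional[str] = None
    policies: List[str] = field(default_factory=list)


class Controller:
    def __init__(self) -> None:
        self.mic_registry: Dict[str, str] = {}    # serial -> customer, set pre-shipping
        self.unclaimed: Dict[str, IonDevice] = {}  # the customer's unclaimed inventory
        self.cic_registry: Dict[str, Cert] = {}    # device_id -> issued CIC

    def register_mic(self, device: IonDevice, customer: str) -> None:
        """Manufacturing step: install a device-specific MIC and register it to
        the purchasing customer.  The device stays unclaimed and untrusted."""
        device.cert = Cert("MIC", device.serial)
        self.mic_registry[device.serial] = customer

    def connect(self, device: IonDevice) -> None:
        """Power-on: mutual TLS using the MIC.  Success only moves the device
        into quarantine and lists it in the unclaimed inventory."""
        cert = device.cert
        if (cert is None or cert.kind != "MIC" or cert.subject != device.serial
                or device.serial not in self.mic_registry):
            raise ClaimError(f"{device.serial}: MIC authentication failed")
        device.state = "QUARANTINED"
        self.unclaimed[device.serial] = device

    def claim(self, device: IonDevice) -> str:
        """Customer claims the device: mint a unique device ID and a CIC, record
        both, and hand the CIC to the device over the existing TLS session."""
        if device.state != "QUARANTINED":
            raise ClaimError(f"{device.serial}: cannot claim from state {device.state}")
        device_id = "dev-" + secrets.token_hex(4)   # constructed ID format
        cic = Cert("CIC", device_id)
        self.cic_registry[device_id] = cic
        device.device_id, device.cert, device.state = device_id, cic, "CLAIMED"
        del self.unclaimed[device.serial]
        return device_id

    def bind_site(self, device: IonDevice, site_id: str, policies: List[str]) -> None:
        """Policy attachment via site binding; refused unless the device holds a
        CIC that this controller issued (so a quarantined device gets nothing)."""
        if (device.state not in ("CLAIMED", "ACTIVE") or device.cert is None
                or self.cic_registry.get(device.cert.subject) is not device.cert):
            raise ClaimError(f"{device.serial}: policy refused in state {device.state}")
        device.site_id, device.policies, device.state = site_id, list(policies), "ACTIVE"

    def revoke(self, device: IonDevice) -> None:
        """Central revocation (principle 6): drop the CIC so the device can no
        longer authenticate, receive policy, or keep fabric tunnels."""
        if device.device_id is not None:
            self.cic_registry.pop(device.device_id, None)
        device.state, device.cert, device.policies = "REVOKED", None, []


def build_tunnel(controller: Controller, a: IonDevice, b: IonDevice) -> Tuple[str, str]:
    """Fabric tunnels form only between site-bound devices holding valid CICs."""
    for dev in (a, b):
        if (dev.state != "ACTIVE" or dev.cert is None
                or controller.cic_registry.get(dev.cert.subject) is not dev.cert):
            raise ClaimError(f"{dev.serial}: not eligible for fabric tunnels")
    return (a.device_id, b.device_id)


if __name__ == "__main__":
    ctl = Controller()
    branch, dc = IonDevice("SN-0001"), IonDevice("SN-0002")   # constructed serials
    for dev in (branch, dc):
        ctl.register_mic(dev, "example-customer")
        ctl.connect(dev)
        ctl.claim(dev)
    ctl.bind_site(branch, "branch-1", ["path-policy"])
    ctl.bind_site(dc, "dc-1", ["path-policy"])
    print("tunnel:", build_tunnel(ctl, branch, dc))
```

The checks that matter to a defender are the refusals: `bind_site` on a quarantined device, `build_tunnel` on a claimed but not yet site-bound device, and any action after `revoke` all raise `ClaimError`, which mirrors the page's statement that a device in quarantine can neither receive policy nor talk to other ION devices.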
ION Fabric
ION Fabric is the overlay mesh of ION devices in a hybrid WAN environment. Traffic flowing within the ION fabric between ION devices is IPsec traffic encrypted with AES-256.