Monday, August 19, 2019

Secure Remote Access architecture

Currently, our environment is using AnyConnect for remote access. We have an ASA at our perimeter which terminates the SSL connections. My company is starting to focus on updating and securing our enterprise architecture and is happy to put some money into it. I am brainstorming some solutions and am just curious if there is a consensus on remote access design?

We are starting to implement Palo Altos, so my idea was to replace the ASA with the Palo and create a new remote access DMZ. I could then place an ASA or router for VPN termination and further restrict traffic.

Would it make sense to do SSL decryption and inspection on the Palo Alto sitting on the perimeter? Or is it best to use a dedicated appliance for this?

Would a Web Security Appliance be suitable here if I have a Palo Alto already doing the inspection/URL filtering?

I've also seen designs where enterprises are utilizing dual firewalls (External/Internal). This seems like it would be the most secure, but I'm curious if anyone has any experience implementing this solution, as it seems it could be more complex.


