Replacing Our Current SSL VPN with a ZTNA Solution

We’re currently using a native Global Protect SSL VPN client with Palo Alto Firewalls to facilitate remote access for our IT team of over 150 employees. We’re exploring the possibility of transitioning ZTNA solutions.

From my understanding, ZTNA provides enhanced security by evaluating the state of the endpoint before granting access to specific resources, rather than relying solely on identity for access control.

I’m interested in hearing your recommendations for a good ZTNA solution that would suit our needs.

Additionally, I’d appreciate insights into other benefits that ZTNA can offer, especially in comparison to our current SSL VPN setup.

Thank you in advance for your insights and suggestions!

GlobalProtect has offered multi-context (identity, device posture, continuous assessment) for a while now.

The ZTNA label means different things to different vendors. Zscaler, for example, will stitch an inbound tunnel from the remote user to an outbound tunnel from the resource, without giving the remote user network (Layer 3) access to the protected network. PANW offers a similar feature in Prisma Access using the ZTNA Connector feature.

I personally am a skeptic of the claimed superiority of this approach. In any case, the real work lies with the customer to catalogue their applications and devise access policies based on a least-privilege approach. Even the best technology will be ineffective with an any-any rule.

GlobalProtect can be configured as a ZTNA solution.

I liked AppGate as a solution, but for the lowest level of effort, I’m pretty sure Global Protect has a hostscan feature (HIP, I think), no?

It can do posture + identity, but we’re a ZScaler shop slowly recovering from Cisco AnyConnect, and it’s easiest to start by mapping your identity policies from VPN to ZTNA; posture checks do require additional spend we haven’t made yet (we’re still transitioning and heavily reliant on ISE; I’d personally like to see us move all clients to ZScaler and pilot PacketFence for NAC on the office switches, but we’re not there yet).

https://www.axissecurity.com/

Your description of ZTNA just sounds like host posture checking, which for Palo Alto is HIP policies. I would describe the ZTNA products I’m familiar with as more of a hybrid of VPN and CASB, where you get the benefit of tenant control from the CASB for cloud applications, and you make the edge transparent to the end user so they no longer need to “connect” to the VPN to access internal resources, and they are limited by your policies when they are not connected to the VPN. And then on top of that you’re obscuring access to private resources, limiting access to those sources. I know with NetSkope they tunnel everything through their cloud and then they have the tunnel from there into the private network. Umbrella SIG is similar, but I think they are just split-tunneling, where some of the traffic goes through the cloud proxy and then traffic for internal resources goes through RAS VPN. Then posture is just another layer of access. I know there are shops that do this shit really well, with regard to implementing and operating, but I think many organizations are at a maturity level that is closer to where they can’t even manage patching and basic maintenance. In which case adding more cost and complexity might not be the best option for them.

I would take a look at CATO, it’s a pretty amazing edge security appliance.

Disclaimer: I work for a ZTNA vendor, so I am not impartial.
In my customers’ experience, the biggest advantage of ZTNA solutions is replacing the internal FWs and the inbound port forwarding, reducing complexity and simplifying operations. Moreover, you can pair the ZTNA solution with other products (CDN, WAF, etc.) to increase security and improve user experience.

Anyway, you can do the endpoint checks with GP agent.

In addition to using IAM to control access, one of the biggest benefits of ZTNA is reduced external attack surface. Since the connector is internal to the network, nothing is open externally that can be abused by an adversary.

Considering you are a Palo Alto shop, it makes the most sense for you to use the ZTNA 2.0 from Palo Alto. If you want to try out ZTNA, you could use the FREE version of TwinGate to get your feet wet a bit.

I have a small setup that we use for management access. I have a jump box with the TwinGate connector, and additional access is controlled through my Palo Alto firewall rules. You can explore how things work and build a proper strategy for your deployment.

The new hotness is Zero Trust Edge Solutions, which ZTNA is a part of, with Palo Alto you’ll be in a good place.

You… already have it? Just slap some HIP checks on your GPN or if you’re using Intune check compliance before granting access?

The solution:
1. First, feature routing
2. Continuous verification through endpoint software
3. Session-independent authentication
4. Integration between all of the above

Yup. Seems like many people still don’t know what ZTNA even means so they look for these solutions advertised as “ZTNA” whilst having all they need in their environment already.

How do we do that? Could you please elaborate?
Thank you for your time

I’m demoing this solution now, and compared with Zscaler or the option from Checkpoint that my company just received a training session on, it’s very lacking in features. I’m about to start demoing the Checkpoint option so haven’t had a chance to actually use it yet, but it looks really good.

Yea, they want a VM in the middle of a subnet to route traffic to other subnets. This is called a router. Which as far as I can tell in this solution the software doesn’t participate in dynamic routing. This type of routing from an endpoint doesn’t work so well in Spine/Leaf networks.

I just went Cato. So far I’m liking it.

Build a granular ruleset to only allow what is necessary and/or use Prisma Access with the ZTNA Connector.

See the HIP check features

Zero trust is an identity-based security access perimeter concept where you use the identity of the user to allow access to only the resources they require to do their job. So you integrate your security solution with your IDP, then define your security posture, e.g.:

General = access to resources that all staff need.
Management = additional access to management stuff.
Accounts = access to accounts systems
Etc.

You then turn on some other features like always-on, device posture assessment, etc. Use these features to define what compliance looks like (AV, AM, certificate, disk encryption, update status, etc.) and define an access policy for non-compliant devices.

You can also extend the concept to the LAN and WiFi by using Network Access Control and dynamic hyper segmentation (easier with some vendors than others).

The idea behind the concept is to limit the potential attack surface of any connected device on the assumption that it will be compromised at some point.
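The policy model the last post sketches (identity group decides the resource set, device posture decides whether the device is compliant, a separate policy for non-compliant devices) and the "continuous verification through endpoint software" point from the numbered list earlier in the thread can be written down as a small policy engine. The following is an added example, not code from any vendor or from anyone in this thread; the group names, resource names, posture signals and the 30-day patch threshold are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed group-to-resource map: the "General / Management / Accounts"
# idea from the post, with invented resource names.
GROUP_RESOURCES = {
    "general": {"intranet", "email", "ticketing"},
    "management": {"mgmt-console", "hr-dashboard"},
    "accounts": {"finance-erp"},
}

# What a non-compliant device may still reach: enough to remediate, nothing else.
REMEDIATION_RESOURCES = {"patch-server", "av-update"}

MAX_PATCH_AGE_DAYS = 30  # assumed threshold, not from the thread


@dataclass(frozen=True)
class DevicePosture:
    """Snapshot of the signals an endpoint agent would report (constructed)."""
    av_running: bool
    disk_encrypted: bool
    device_cert_valid: bool
    days_since_update: int


def posture_failures(posture: DevicePosture) -> list[str]:
    """Return the compliance checks the device fails (empty list = compliant)."""
    failures = []
    if not posture.av_running:
        failures.append("antivirus/anti-malware not running")
    if not posture.disk_encrypted:
        failures.append("disk not encrypted")
    if not posture.device_cert_valid:
        failures.append("no valid device certificate")
    if posture.days_since_update > MAX_PATCH_AGE_DAYS:
        failures.append(f"updates older than {MAX_PATCH_AGE_DAYS} days")
    return failures


def allowed_resources(groups: set[str], posture: DevicePosture) -> set[str]:
    """Resources this identity may reach from this device right now.

    Identity sets the maximum; posture can only shrink it. A device that fails
    any check drops to the remediation set regardless of role, which is the
    'access policy for non-compliant devices' from the post.
    """
    if posture_failures(posture):
        return set(REMEDIATION_RESOURCES)
    allowed: set[str] = set(REMEDIATION_RESOURCES)
    for group in groups:
        allowed |= GROUP_RESOURCES.get(group, set())
    return allowed


def authorize(groups: set[str], posture: DevicePosture, resource: str) -> tuple[bool, str]:
    """Per-request decision as (allowed, reason). Anything not granted is denied."""
    failures = posture_failures(posture)
    if failures and resource not in REMEDIATION_RESOURCES:
        return False, "device non-compliant: " + "; ".join(failures)
    if resource in allowed_resources(groups, posture):
        return True, "allowed"
    return False, f"{resource} not granted to groups {sorted(groups)}"


def continuous_session(groups: set[str], resource: str,
                       posture_timeline: list[DevicePosture]) -> tuple[int, str]:
    """Re-evaluate an open session at every posture report.

    Returns how many reports the session survived and why it ended. A session
    granted at connect time is cut as soon as a later report fails policy,
    instead of living until the user disconnects as a plain VPN session would.
    """
    for i, posture in enumerate(posture_timeline):
        ok, reason = authorize(groups, posture, resource)
        if not ok:
            return i, reason
    return len(posture_timeline), "session ended normally"


if __name__ == "__main__":
    healthy = DevicePosture(True, True, True, 3)
    stale = DevicePosture(True, True, True, 45)
    print(authorize({"general"}, healthy, "email"))
    print(authorize({"accounts"}, stale, "finance-erp"))
    print(continuous_session({"general"}, "email", [healthy, healthy, stale]))
```

The point of separating `allowed_resources` from `posture_failures` is that the two questions the post raises (who is this, and is the device in a trustworthy state) are evaluated independently and combined with deny-by-default, and `continuous_session` shows what "continuous verification" changes compared with a one-time check at VPN logon.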