ZIA and ZPA Marketing vs Reality

Thanks for taking the time to respond. I am always very conscious of ‘drinking the vendor koolaid’. I think your points offer a very interesting perspective. With a lot of technologies it’s about ensuring you understand the pros and cons of the technology to make an informed decision about its application. Your post has helped me do this; thanks.

And if you don’t want to use ZPA but want similar/better capability, roll your own FOSS - https://openziti.io/. I work on the project so can share a more detailed comparison if you’re interested.

VPN, fundamentally, is a means of putting a remote user onto the network. If you want to get specific, it’s about creating a virtual private network between the client system and the VPN Gateway/Concentrator. In practice that usually has the effect of putting that remote user onto/into the internal private network.

To your point, there are compensating controls that can be put into place to, say, limit the scope of what folks can access once connected via VPN - but fundamentally it’s a different technology than ZTNA solutions like ZPA.

VPN is all about connecting networks. ZPA is about providing access to specific destination applications (address + port + protocol = application in this context).

When it comes to connectivity, everything from Zscaler is outbound to the Zscaler cloud via an encrypted 443 connection. It’s a hell of a lot easier to whiteboard this - but here’s a rough diagram:

Laptop – 443 connection → Zscaler Cloud ← 443 connection – ZS App Connector → Internal App

Here’s a good walkthrough (time-jumped it to when the App Connector discussion starts) on Private Access: https://www.youtube.com/watch?v=YRo8HWdh810&t=297s
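The two points in the post above (every leg is an outbound connection to the broker, and access is granted per application rather than per network) are easier to see in code than on a whiteboard. The following is an added example, not code from the thread, from Zscaler or from OpenZiti: a small in-memory model in which a hypothetical broker pairs a client's outbound session with an App Connector's outbound session for one specific address + port + protocol. All host names, group names and the `Broker`/`Session` classes are invented for illustration.

```python
"""Added example: broker-mediated, per-application access (hypothetical model).

Both the user's client and the App Connector dial OUT to the broker. The
connector never opens a listening port; the broker forwards a request to a
connector only when policy allows that user group to reach that application
and a connector has an outbound session registered for it.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Application:
    """Application identity as the post defines it: address + port + protocol."""
    host: str
    port: int
    protocol: str  # "tcp" or "udp"


@dataclass
class Session:
    """A connection that a client or connector opened OUT to the broker.

    The direction is fixed at 'outbound' on purpose: nothing in this model
    ever dials the connector, so no inbound firewall rule is needed for it.
    """
    peer: str
    direction: str = "outbound"
    inbox: Deque[Tuple[str, Application]] = field(default_factory=deque)


class Broker:
    """Stand-in for the 'Zscaler Cloud' box in the diagram (hypothetical)."""

    def __init__(self) -> None:
        self.policy: Dict[Application, Set[str]] = {}      # app -> allowed groups
        self.connectors: Dict[Application, Session] = {}   # app -> connector session
        self.sessions: List[Session] = []
        self.audit: List[str] = []

    def allow(self, app: Application, group: str) -> None:
        """Grant one identity group access to one application (not a subnet)."""
        self.policy.setdefault(app, set()).add(group)

    def register_connector(self, connector_id: str, serves: List[Application]) -> Session:
        """The connector dials out and announces which applications it can reach."""
        session = Session(peer=connector_id)
        self.sessions.append(session)
        for app in serves:
            self.connectors[app] = session
        return session

    def connect_client(self, user_id: str) -> Session:
        """The user's client dials out; it receives no network route, only a session."""
        session = Session(peer=user_id)
        self.sessions.append(session)
        return session

    def request(self, client: Session, groups: FrozenSet[str], app: Application) -> Tuple[str, str]:
        """Decide a single application request; returns ('allow', connector) or ('deny', reason)."""
        if app not in self.policy:
            return self._deny(client, app, "unknown application")
        if not groups & self.policy[app]:
            return self._deny(client, app, "group not authorised")
        connector = self.connectors.get(app)
        if connector is None:
            return self._deny(client, app, "no connector serving application")
        # Hand the request to the connector over ITS outbound session.
        connector.inbox.append((client.peer, app))
        self.audit.append(f"ALLOW {client.peer} -> {app.host}:{app.port}/{app.protocol} via {connector.peer}")
        return ("allow", connector.peer)

    def _deny(self, client: Session, app: Application, reason: str) -> Tuple[str, str]:
        self.audit.append(f"DENY {client.peer} -> {app.host}:{app.port}/{app.protocol}: {reason}")
        return ("deny", reason)


def demo() -> Tuple[Dict[str, Tuple[str, str]], Broker]:
    """Constructed scenario: one connector, one engineer, four requested applications."""
    broker = Broker()
    hr_app = Application("hr.internal.example", 443, "tcp")
    git_app = Application("git.internal.example", 22, "tcp")
    legacy_app = Application("legacy.internal.example", 8080, "tcp")
    smb_share = Application("files.internal.example", 445, "tcp")  # never published
    broker.allow(hr_app, "hr-staff")
    broker.allow(git_app, "engineering")
    broker.allow(legacy_app, "engineering")  # policy exists, but no connector serves it
    broker.register_connector("connector-dc1", [hr_app, git_app])
    alice = broker.connect_client("alice")
    groups = frozenset({"engineering"})
    results = {
        "git": broker.request(alice, groups, git_app),
        "hr": broker.request(alice, groups, hr_app),
        "smb": broker.request(alice, groups, smb_share),
        "legacy": broker.request(alice, groups, legacy_app),
    }
    return results, broker


if __name__ == "__main__":
    results, broker = demo()
    for line in broker.audit:
        print(line)
```

Running the module prints one audit line per decision. The contrast with the VPN case described in the post is that `connect_client` never hands the user a route into a network: a request for the unpublished SMB share is refused as an unknown application even though the host sits on the same internal network as the allowed ones, and every `Session` in the broker, client and connector alike, was opened outbound.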

I believe no available solution can inspect all ports and protocols because many protocols use their proprietary encryption/encoding schemes.

ZPA seems to inspect applications as per About AppProtection Applications | Zscaler.

I’m really struggling to see how ZPA differs from how you just defined a VPN. The gateway is in the cloud, sure, but otherwise I don’t really see a difference from the VPNs that I have used. Whenever I have set up a corporate VPN, I have integrated it with my IdP to allow access to specific destination applications based on the user group. It’s not something I implemented as a compensating control, it was built into the solution. Am I missing something on the difference here?

I watched the video. It seems like the request from the “WFA user” goes to the ZTE and then the ZTE repeats the request via a microtunnel to the App Connector which interacts with the app. It seems like a complicated way of still allowing the remote user to access the application. Does the App Connector send requests at regular intervals to await the spin-up of a micro-tunnel? Is the tunnel not an inbound connection?

OWASP controls aren’t payload inspection, hence their name change from “inspection” at feature launch.

There will always be traffic that can’t be inspected, but Zscaler only inspects http/https/dns and ftp thanks to its proxy architecture.

Though they lie and tell everyone they can inspect more.

I also used to be a Zscaler SE so I know all their dirty little secrets lol.

I thought their tunnel 2.0 implementation encompasses all ports and protocols? That’s why they have a firewall/DNS/IPS implementation outside of just web?

Also what about SIPA? Is that not a way to inspect ZPA traffic using ZIA engines?

Genuinely curious, because as a customer it seems to encompass all ports and protocols and inspect ZPA traffic.

Ztunnel 2.0 can carry all ports and protocols; the problem is the inspection engine is a proxy, so beyond DPI for firewall enforcement, other traffic isn’t inspected for threats.

Their marketing is purposely misleading, an easy example is the “150 data centers.”

Hope this makes sense!

Dang okay, I wonder why we haven’t been breached. Zscaler is essentially our security stack. Concerning since I’m a part of a civilian agency.

What about SIPA to forward ZPA traffic through ZIA? Does that work the way it should? This is concerning.

Yeah, that 150 datacenter thing we called out during the sales conversation, but they deflected to saying that’s commercial and not federal.

Backhauling to the other service can provide ZPA with some inspection capabilities and provide ZIA with a non public egress IP, but with the same caveats.

A great example is SMBv3, it doesn’t matter for internet bound traffic so not inspecting with ZIA is fine, but when you are considering east/west traffic it can be a problem to leave uninspected.

I will also admit that a proxy technically covers most internet bound use cases, but it’s important to know the limitations.

Also that data center answer they gave you is crazy! On the commercial side it’s like 50-60 pops, if you are considering ones customers can actually use and not just any place there is a piece of hardware running Zscaler code. Also ZIA pops and ZPA pops are not necessarily at parity as well.

My biggest issue overall is the lack of transparency with customers, security vendors have a massive responsibility to society and misleading marketing always drives me up a wall.

Makes sense. They were recently pitching us about Airgap to control east west traffic.

Good info to throw at my Zscaler SE to get answers about.