Replacing Our Current SSL VPN with a ZTNA Solution

We’re currently using a native Global Protect SSL VPN client with Palo Alto firewalls to facilitate remote access for our IT team of over 150 employees. We’re exploring the possibility of transitioning to ZTNA solutions.

From my understanding, ZTNA provides enhanced security by evaluating the state of the endpoint before granting access to specific resources, rather than relying solely on identity for access control.

I’m interested in hearing your recommendations for a good ZTNA solution that would suit our needs.

Additionally, I’d appreciate insights into other benefits that ZTNA can offer, especially in comparison to our current SSL VPN setup.

Thank you in advance for your insights and suggestions!

ZTNA is really about not offering a full connection to your internal network. You want some people to access one file server? There you go. Another set to get file server and RDP access? Same.

Some VPNs can offer the same but you’re still generally allowing full access to your internal network and it’s probably a bit more complicated.

I am in the process of evaluating moving from Ivanti/Pulse VPN (though mainly because our partner is a bit flaky) to a ZTNA client. I’m testing Microsoft’s version, which, when it works, is great, but has some connectivity issues too.

What kind of services do you have behind VPN? File servers, or just a few web applications? The more web-only it is, the better ZTNA will work in general. Zscaler and Cloudflare are also well known in this market.

Just use Tailscale and save yourself a headache with big brands and insane pricing models.

Security, Productivity, and ZTNA with Tailscale Enterprise

I’ve been trialing Twingate for a few months for myself and one other user who had frequent VPN disconnects. So far, so good.

Since you’re already using a Palo Alto solution, you might want to look into Prisma Access, which uses the same Global Protect client.

When I looked at ZTNA solutions last year, the options were:

  • “Contact sales”-pricing options
  • Cloudflare something-or-the-other
  • Twingate

Even though Cloudflare would’ve been monetarily free for us, I went with Twingate because the documentation was tremendously better. I also trust they’re going to keep it around since it’s their only product.

I’ve been happy with that decision. Fairly simple and straightforward. Pulumi integration for resources (but not IdP etc.) so I can configure things in our IaC pipeline. Helpful support once we upgraded to the plan that included it - didn’t need that at all for a while because everything just worked the way it was supposed to, but then ran into a networking bug for one user that ended up being Docker’s fault.

This is a great question - a company I was working at tested and deployed a ZTNA solution that is definitely not VPN and definitely faster for their remote workers, using SASE, SD-WAN and UCaaS, with 1,900 points-of-presence in the cloud. One of the main reasons accessing SW-Dev repositories and Zoom/Meet/Teams meetings was just too choppy - esp. with folks across APAC and the USA - wasn’t bandwidth, as most users had at least 50mb and these video conferencing tools say they only require at the most 5mb; it was down to packet loss, which drastically killed whatever pipe the ISP was feeding.

The IT team that tested it across the incumbent and then three other alternatives, plus control PCs with no VPN, found it was up to 30X faster…

That’s not just a VPN re-packaged as ZTNA, as quite a lot of people think.

Not to recommend something specifically, but to comment that a regular VPN can have health checks as well. We currently use Ivanti (Pulse) VPN and it has a host checker that runs before you connect with your identity and checks for a few things (domain joined, has AV, up to date, etc.). I think the difference between classic VPN and ZTNA is partitioning access. With VPN you get full access to the internal network (well, you still need permissions to get to some resources, but the way is open). And ZTNA gives you access to select resources. We are actually looking into ZTNA as well. I can see that at least initially it would involve a lot of tuning on what a user or a group can and should access. Now we don’t have to wonder about what particular users are actually accessing (web apps, RDP, servers, file shares). They just need to be able to VPN and then it is not our problem anymore. It is still very early in the stage of looking at vendors, maybe demoing something next year. But with my small team now responsible for VPN, I can see lots of work and friction from different teams when implementing ZTNA. Unfortunately our application landscape is very varied and not even close to only web apps and M365. Shares still in use, some XP-era apps still in use, etc. But there are some things that don’t work well with Ivanti, some issues with upcoming renewals and our security leaders not liking the whole blanket access concept, so the push to go to some ZTNA solution is growing.
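The post above draws the line between a VPN host checker (one posture gate, then an open path to the whole network) and ZTNA (posture plus a per-resource, per-group decision). The following Python model is an added illustration written for this thread, not code from Ivanti, Palo Alto or any other vendor named here; the resource names, group names and posture thresholds are constructed sample data, and the posture checks mirror the three the post lists (domain joined, AV present, up to date).

```python
from dataclasses import dataclass

# --- constructed sample data (hypothetical names, not a real deployment) ----

@dataclass
class Device:
    domain_joined: bool
    av_running: bool
    patch_age_days: int      # days since the last patch run


@dataclass
class User:
    name: str
    groups: frozenset


@dataclass(frozen=True)
class Resource:
    name: str
    allowed_groups: frozenset   # groups whose members may open a path to it


# Resource kinds taken from the thread (RDP, file server, SQL, web);
# group assignments are invented for the example.
RESOURCES = [
    Resource("fileserver", frozenset({"staff", "dba"})),
    Resource("rdp-jumphost", frozenset({"helpdesk"})),
    Resource("sql-prod", frozenset({"dba"})),
    Resource("intranet-web", frozenset({"staff", "helpdesk", "dba"})),
]


def posture_ok(device: Device, max_patch_age_days: int = 30) -> bool:
    """Host-checker style gate: domain joined, AV running, recently patched.

    The 30-day threshold is an assumed policy value, not a vendor default."""
    return (device.domain_joined
            and device.av_running
            and device.patch_age_days <= max_patch_age_days)


def vpn_reachable(user: User, device: Device, resources=RESOURCES) -> set:
    """VPN model: one posture gate, after which every resource is routable.

    Application-level permissions may still apply, but the network path is open,
    so the set returned does not depend on who the user is."""
    if not posture_ok(device):
        return set()
    return {r.name for r in resources}


def ztna_decision(user: User, device: Device, resource: Resource) -> tuple:
    """Per-resource decision with a reason, the way a ZTNA broker would log it."""
    if not posture_ok(device):
        return ("deny", "device posture check failed")
    if not (user.groups & resource.allowed_groups):
        return ("deny", f"{user.name} is in none of {sorted(resource.allowed_groups)}")
    return ("allow", "posture ok and group policy matched")


def ztna_reachable(user: User, device: Device, resources=RESOURCES) -> set:
    """ZTNA model: the posture gate is evaluated for every resource, and the
    user's groups must match that resource's policy."""
    return {r.name for r in resources
            if ztna_decision(user, device, r)[0] == "allow"}


def compare(user: User, device: Device) -> dict:
    """Side-by-side view of what each model exposes for one user and device."""
    return {"vpn": sorted(vpn_reachable(user, device)),
            "ztna": sorted(ztna_reachable(user, device))}


if __name__ == "__main__":
    helpdesk = User("bob", frozenset({"helpdesk"}))
    healthy = Device(domain_joined=True, av_running=True, patch_age_days=7)
    stale = Device(domain_joined=True, av_running=True, patch_age_days=90)
    print(compare(helpdesk, healthy))   # VPN: all four; ZTNA: rdp-jumphost, intranet-web
    print(compare(helpdesk, stale))     # both empty: posture gate fails
    for r in RESOURCES:
        print(r.name, ztna_decision(helpdesk, healthy, r))
```

The `ztna_decision` reasons are the part worth keeping: they are exactly the per-user, per-resource record the post says the VPN model never produces ("they just need to be able to VPN and then it is not our problem anymore"), and they also show where the tuning effort goes, since every resource needs an explicit `allowed_groups` entry before anyone can reach it.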

Yes - there are ZTNA-architecture based solutions that are faster than VPN.

VPNs really add a lot of overhead. ZTNA+SD-WAN+UCaaS and cloud-based PoPs provide integrated security and improve connectivity by reducing packet loss - it’s like a speed and security upgrade.

I’ve honestly never seen a firewall VPN (SonicWall, Sophos, Meraki or Fortinet) that didn’t offer you access rules, user management, or some AD integration right within the interface.

I get that it’s more steps than going ‘zero trust’ outright, but if your network isn’t already set up in a way where you have those rules in place already, idk what to say.

Like, do they just walk into the building, log onto their computer and access all those resources anyway?

What product from MS are you testing? Entra Private Access?

Netskope is also a player and 20-30% cheaper than Zscaler. Cloudflare was the most expensive in our recent POC.

Bonus: we have a lot of Chromebooks (non-US portion of the business) and they’re a Google partner.

RDP, file server, SQL and web.

Was recommended this too. Hoping to try it in the New Year.

I’ve been researching between Cloudflare and Twingate as well.

Cloudflare something-or-the-other

Did you mean “Cloudbrink”?

Have you heard about this thing called firewall rules?

That’s the one, Private Access. When it works, it works great.

If you can afford ZT, something like Zscaler or Cloudflare is the way to go. Both use on-premise servers though, so if you have M365, spin up a Linux VM and use Microsoft Tunnel. It is included in the Defender user license. I tested all three and my budget got cut, so I just used MS Tunnel.