ZTNA to replace VPN - Comparison

Hi,

I am looking to introduce a ZTNA solution to replace our corporate VPN. Some products that are being suggested are: TwinGate, Fortinet, Prisma, ZScaler, Cloudflare. Any pros/cons with each? TwinGate seems nice, but in terms of policies, flexibility and ease of management perhaps the others are a problem. Not sure of your experience.

As someone that has to deal with Z-Scaler currently, I would not recommend it for an enterprise. But that also may depend on who is controlling and configuring it. I have seen some really hacky and convoluted setups with ZScaler that turn into a game of whack-a-mole issues for end users.

Z-Scaler can probably be pretty good when wielded intelligently. I just haven’t witnessed that yet and I’m not in control of it now to really see what could be better. I could be totally wrong and the way it’s used now at my org is the most optimal.

As someone else mentioned, NetFoundry, IMO, is one of the better options.

I have also run ZTNA using Defined Networks which is built on the open source Nebula. And I love it.

The main drawback with going with something like Defined.net is you’re on your own for infrastructure. Depending on your requirements, this may or may not be desirable.

Be careful and test thoroughly. Look into how DNS works for your implementation. Look at something like Tailscale’s Magic DNS and its limitations, especially with SMB.

This is a good overview of vendors with different architectures and their pros and cons.
The no-bullshit ZTNA vendor directory (zerotrustnetworkaccess.info)

It’s probably worth getting in touch with a few different vendors and getting an overview of the product and pricing and using that to judge.

I’ve used Netskope Private access in the past and I think it’s great.

Add NetFoundry to the list. It’s built on top of OpenZiti, which is open source - https://openziti.io/.

I work on them both, and I have written plenty of material comparing these and more. Straight off the bat, Fortinet and Prisma are both ‘non-magic’ zero trust solutions as defined in this blog I wrote comparing ZTN using Harry Potter analogies - Demystifying Zero Trust Networking. Twingate, NetFoundry and Zscaler fit better into the more magical category.

Zooming out, what are your requirements and use cases?

You could add Netskope Private Access to your list.

Don’t know too much about TwinGate.

Fortinet is a bit of a mess with their general product strategy and identity, IMO. What exactly is their ZTNA and cloud strategy? I’m not sure they even know. They are certainly a portfolio company, so if you’re looking forward to adopting a platform solution, then Fortinet is probably furthest from that goal of all the big suppliers in this space.

Zscaler private access. Pretty mature. Cloud native architecture, but private access doesn’t provide any inline security inspection (think threat prevention). So, if the device is trusted, the user is authenticated and the app in question is allowed…doesn’t matter who you ACTUALLY are on that endpoint, your traffic is unscrutinized to the resource you are permitted to access. Kind of feels like all that ZERO TRUST marketing misses a pretty important detail here. You need to keep your traditional Firewall + ATP in place with Zscaler. Now, they’ll tell you they can provide you with ATP for your private access traffic, but it’s not a practical solution. It requires you add Internet Access (ZIA) subscription to the service and hairpin all the traffic from the DC back out to their cloud to hit their Cloud Firewall before coming back to the DC to access resources. Not a great option, IMO, and not something I’ve heard many (or any) actually put into practice.

Cloudflare, similar story to Zscaler on the inspection side of things. Also, kind of a one-trick pony in the context of Networking and Network Security. If you’re looking for a platform solution (like SASE) as a long-term strategy, Cloudflare is quite a bit off. They do have a pretty massive network, but it’s unclear to me how their global network/CDN plays a role in VPN replacement or remote access. They certainly sell it like it does.

Palo, complicated and expensive. I was following something on X the other day and someone was promoting their full guide to deployment and configuration of Palo Prisma Access. It was like 300-400 pages long…just on Prisma Access. I’ve talked to many Palo engineers (former and current) and they’ve all mentioned how complicated of a deployment it is. Palo Prisma Access is tied to hyperscaler compute locations. They talk about their grand global network, but you’ll note in fine print, traffic inspection and processing happens only in the GCP or AWS compute locations (IaaS Datacenters). Also note, their PoPs are not service symmetrical. You have some security services running in some PoPs and others elsewhere. All these services might not be material to your current use case, but consider what happens down the road as your needs change. Also, lots of products in their portfolio. Very complicated “solution” in the long term if you align with Palo for many use cases. Of course, it’s not any easier for the business if you choose other suppliers for other things…it’s literally the same complex problem for IT.

I didn’t see Cato Networks in your list or Netskope, etc. Anything specific about those solutions you know about or don’t like? Why you wouldn’t consider them?

Netskope is similar to Zscaler. They don’t have an answer for inline ATP inspection. You’ll need to maintain that separate firewall with ATP between user and resource.

Cato Networks is actually a pretty comprehensive solution. They are cloud-native but their architecture is more like a traditional firewall than what Zscaler and Netskope are. Think of it like Zscaler was a PANW NGFW with full ATP…but in the cloud. Cato is often considered the easy button considering the access use cases it addresses (SD-WAN, Remote Access, etc.) and the full stack security coverage it provides vs. what’s otherwise pretty complex or incomplete elsewhere. Cato also covers “Universal ZTNA” which is the newest marketing term for saying…ZTNA Is about more than just remote access users and mobile endpoints. Universal ZTNA applies to all users and hosts, whether they are remote or in an office.

Look into Entra Private Access too.

I’d look at Versa Networks Secure Access and Netskope too.

Tailscale is great in my experience.

Twingate and PDQ Deploy didn’t work at all when I used them about a year ago and the information I got was that it would never work.

Microsoft Entra Global Secure Access or Perimeter 81.

I met a Zscaler rep at a tradeshow a couple years ago and he wowed me with this magic called ZTNA. So I asked him for a quote and promptly suffered from sticker shock. So I asked Google for some alternatives. Came across Twingate, which we’ve been using for about 1.5 years now. I quite like it and they’ve added a few things. Their support is pretty knowledgeable and gets things sorted out quickly. They are pretty open about outages too. I’d say they’re kind of sorta SMB and enterprise, as they have added some things like DNS filtering that you would likely already have a solution for (like Cisco Umbrella), but they don’t force you into their DNS filtering; it’s a toggle and I believe an additional cost.

Zscaler has been a disaster so far for where I work. It causes a lot of issues.

Depends on your requirements, but I find Twingate to be the best mix of security controls, performance, and ease of management.

The routing is really clear and easy to understand, and there’s a lot of administration you can automate with Terraform, scripting, etc.

I’ve deployed it to a ton of clients and feedback has been very positive. The downside vs the bigger guys is Twingate doesn’t do deeper TLS inspection for outbound internet traffic, if you care about SWG. I have mixed experience with SWGs so usually don’t recommend that anyway, so Twingate suits my needs really well.

FLOSS - DefGuard, NetBird, Headscale.
Proprietary - Pritunl, Tailscale.

Netbird is good for me

We have been using Cloudflare ZTNA for a little over a year. ~500 users accessing resources across ~9 different locations. The simplicity of spinning up access on the fly to new locations has been great. There is also very useful overlap if your organization uses Cloudflare services. Cloudflare ZTNA also allows you to set up WARP-to-WARP connectivity, which can basically set up connectivity between private networks in different locations.

The biggest challenge was that there aren’t really any templates or best practices on how to set up all of the ZTNA policies in a secure way and manage access at scale. Initial onboarding was a mess, as we didn’t have good documentation of all of our private applications out there and who was accessing them (definitely not Cloudflare’s fault), and you never want to take an approach where you implement an “allow everything” at the bottom of the policies.

Because of our lack of preparedness and constantly changing environment, I created a configuration management platform in Python with Google Sheets (yeah, shoot me) that allows us to change/add access at scale.

Now everything works fantastically.

How are Cloudflare Tunnels used compared to competition? Any experience?

They terminate the TLS, unfortunately (but other proxies such as Zscaler do as well).

Set up your requirements first and then see which vendor meets your needs at an affordable price.