Fortinet’s Zero Trust Network Access

Nov 15, 2023 | Elden Quesinberry

What Does ZTNA mean?

The concept of Zero Trust Network Access (ZTNA) implies that every request to access a resource on the network is a potential threat, and the technology in place should authenticate the user & device for each & every request. This is true for both internal as well as external host devices.

Why Would I Need ZTNA?

Traditional network & resource security relied on the notion of authenticating the first request, and if the request passed, the source would be allowed continual access. Additionally, many organizations implicitly trusted their assets with little or no authentication or assessment of security posture. This type of security misses threats that originate from internal users/devices. An example would be a user with a laptop being in the office on Monday, working from home on Tuesday, and returning to the office on Wednesday. Should the device still be trusted just because the company owns the laptop? The answer is “of course not”; the laptop could be infected via the home network, or the OS and/or anti-malware definitions may have just become out of date. The ZTNA model requires strict user and host identity verification for attempts to access the network or application. This type of authentication applies whether or not the device and/or user is already within the internal network, which greatly increases access security.

Helpful Prerequisites Before Your ZTNA Design

Before you think about your organization’s ZTNA design, having a few technologies in place would be helpful. Before implementing, you must ensure these mechanism(s) will integrate with your intended ZTNA design.

  1. Central Authentication – A mechanism for central authentication is a key component of your ZTNA design. 
  2. Network Segmentation – Creating separate logical networks within your internal enterprise before ZTNA helps since these networks create natural borders of access control within your internal network. It’s much harder to control access to an application with sensitive data if the server resources and the users are in the same network or VLAN. Making a separate VLAN for the server resources creates a barrier point to control access by verifying user identity & posture assessment of the device. This can also help to control the lateral movement of malware should it find its way into your network.
  3. Multi-Factor Authentication (MFA) – As opposed to just requiring the standard username & password for access to a data resource, adding a second (and different) method of authentication greatly decreases the chances of unauthorized access if a user’s username & password are compromised.
  4. Endpoint Detection and Verification – Knowing the identity of your endpoint devices is critical to a good ZTNA design. How else could your network security team know if the device is a trusted asset or an unknown device that somehow gained access to the network? Many endpoint verification technologies utilize an agent loaded on the endpoint, which reports to a central management application. The agent can report network details such as IP address & hostname, whether or not the OS and local anti-malware system is up to date. These agents and/or the central management application can interact with security devices such as firewalls and authentication systems to provide granular information about the endpoint and its current security posture. These details can be used to determine whether or not to allow users & hosts to access the network and control access to data resources.

The ZTNA Model

The primary concept of ZTNA is that a user and/or device is treated the same, whether inside the network or external. The same authentication and assessment items are checked regardless of location. For users on the internal network, devices such as a firewall or other proxy device control access by using authentication services such as Active Directory, a RADIUS server, or other authentication services. For external users, a secure tunnel is typically built to a proxy device when the endpoint boots up, creating a secure channel to pass authentication challenges & responses. Only authenticated users/devices will have access to the applications behind the proxy. Advanced designs can also control whether the outbound traffic from an endpoint goes through the proxy for access to protected resources or takes another path to cloud SaaS applications.
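As an added example (not Fortinet’s or Layer8’s code), the decision logic below applies the article’s checks – central identity plus MFA, agent-reported endpoint posture, and a resource policy – to every request in exactly the same way for an office device and a home device; the definition-age threshold, the group names and the laptop scenario are assumptions.

```python
# Added illustration (not Fortinet's code): a per-request ZTNA decision that
# combines central identity + MFA, agent-reported endpoint posture and a
# resource policy. Location is deliberately not an input: an office device
# and a home device are judged by exactly the same rule.
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_DEFINITION_AGE = timedelta(days=2)  # assumed posture threshold

@dataclass
class Identity:                 # from the central authentication service
    user: str
    authenticated: bool
    mfa_passed: bool
    groups: frozenset = frozenset()

@dataclass
class Posture:                  # as reported by the endpoint agent
    hostname: str
    ip: str
    managed_asset: bool         # enrolled with central management
    os_patched: bool
    av_definitions_updated: datetime

# Hypothetical application policy: resource -> groups permitted
RESOURCE_POLICY = {"finance-app": {"finance"}, "wiki": {"staff", "finance"}}

def decide(identity, posture, resource, now):
    """Return (allow, reason); evaluated afresh on every request."""
    if not identity.authenticated:
        return False, "user not authenticated"
    if not identity.mfa_passed:
        return False, "MFA not completed"
    if not posture.managed_asset:
        return False, f"unknown device {posture.hostname} ({posture.ip})"
    if not posture.os_patched:
        return False, "OS out of date"
    if now - posture.av_definitions_updated > MAX_DEFINITION_AGE:
        return False, "anti-malware definitions stale"
    if not identity.groups & RESOURCE_POLICY.get(resource, set()):
        return False, f"{identity.user} not authorized for {resource}"
    return True, "identity and posture verified"

def laptop_scenario():
    """Constructed: one corporate laptop checked daily; the definitions it
    last updated on Monday go stale regardless of where it sits."""
    alice = Identity("alice", True, True, frozenset({"finance"}))
    monday = datetime(2023, 11, 13, 9)
    laptop = Posture("LT-0042", "10.1.5.23", True, True, monday)
    return [decide(alice, laptop, "finance-app", monday + timedelta(days=d))[0]
            for d in range(4)]   # [True, True, True, False]
```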

[Figure: diagram of a firewall controlling access]

Can ZTNA Replace My Existing VPN?

The short answer is yes. If the endpoint builds an encrypted tunnel to the proxy device and the device can terminate the client VPN, then the ZTNA design can replace your traditional VPN. This is just one of the significant benefits of a ZTNA design.

How Do I Get Started On A ZTNA Design?

Some typical steps on an approach to a ZTNA design appear below.

  1. Define and locate your valued data resources.
  2. Research the available technology in the marketplace.
  3. Ensure all key stakeholder departments are involved.
  4. Create a phased approach and project plan.
  5. Implement the prerequisites such as network segmentation and central authentication.
  6. Implement the ZTNA design.

Next Steps?

You could stay tuned for more Layer8 ZTNA articles that will provide additional information on the steps above, or you can contact Layer8 – it’s that easy. Call us today for a free consultation to see if your organization is ready for ZTNA.