Page 155 - Cyber Defense eMagazine September 2022
P. 155
SSL VPNs are available as stand-alone appliances, as part of next-gen firewalls (NGFWs) and other
security products like Hillstone Networks’ solutions, and as cloud services. Early in the pandemic, when
governments attempted to lock down their populations to prevent the spread of COVID-19, many
corporate IT teams turned to SSL VPNs to support workers who suddenly needed to work from home.
Now, however, the distributed workforce has become a reality rather than a phenomenon, and the need
to support remote workers in large numbers has brought certain issues and limitations of SSL VPN to the
fore, including:
Common Vulnerabilities: Over the years, numerous vulnerabilities in enterprise-class VPNs have become
apparent, raising red flags for many cybersecurity professionals. In 2021, for example, multiple U.S.
federal civilian organizations faced the potential of data breaches via the Pulse Connect Secure VPN
vulnerability. Two years earlier, in response to active exploitations of certain VPNs, the U.S. National
Security Agency issued an advisory.
Licensing Costs and Expansion Limitations: Usually, commercial SSL VPNs are licensed per-user and
per-capacity, meaning that scaling to support additional remote workers can be expensive both in
purchase of licenses as well as in IT staff labor. Physical SSL VPN appliances might also require the
purchase of additional modules in order to expand capacity.
User Authentication: Visibility into users and devices that are connected to the network is one of the
bedrock principles of cybersecurity. A typical enterprise VPN will perform authentication just once, on
initial login and set-up of the VPN tunnel, and then access is granted for all the network resources for
which the user is pre-approved. This can create a security risk if, for example, user credentials are stolen
by an attacker.
As mentioned, SSL VPNs are in broad use; the market in 2021 was estimated at nearly $5b USD. There’s
a cost connected with a forklift upgrade to a new secure remote access technology, but with the issues
and concerns raised above, many security teams are considering ZTNA as another option.
ZTNA: Basic Definition
At its most basic, the mantra of ZTNA is ‘never trust, always verify.’ To expand upon that, ZTNA is
intended to abolish absolute trust of devices and users and to allow only the minimum access and
authorization based on user role, position or other factor. Under ZTNA, authentication is constant and
ongoing – a change in the user’s or device’s security posture can result in revocation of access, for
example. If it’s executed well, ZTNA can deliver extremely fine-grained visibility and control with improved
scalability, flexibility and reliability.
From a technological viewpoint, ZTNA employs a user-to-application approach, rather than the traditional
network-centric focus, which completely inverts the concept of authentication. With ZTNA, users and
devices are examined at a deeper level – encompassing identity as well as the context of network and
application resources being requested.
Cyber Defense eMagazine – September 2022 Edition 155
Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.