Friday, October 15, 2021

VPN vs ZTNA - where is FW applied in ZTNA if on-prem?

Hi All
We are a traditional user with edge firewalls deployed, and our VPNs terminate there. So all traffic from employees' laptops terminates on the firewall, gets inspected, and is then forwarded to the desired server in the DC. We have an edge firewall in AWS for direct VPN from users to access cloud VMs. We have NAC deployed as well for segmentation.

All this is a working solution; yes, complicated, but built over time, and we had to scale VPNs when everybody went remote.

New vendors are pushing for a ZTNA solution. In that solution, as per our understanding, instead of a VPN client on the laptop you have a ZTNA client. Now there are two options:

1) Install agents on each of the DC servers; the ZTNA client on the laptop then T-bones into the ZTNA cloud and connects via some proprietary tunnel to that server's agent.

2) Or you can install a proxy (or a set of them) near those servers, and tunnel from the laptops, again after T-boning into the ZTNA cloud, into these proxies.

Of course, segmentation policies can be applied, which I think are implemented in the cloud at the T point, or maybe downloaded into the agents/proxies. Either way.

Question: Where does the traffic get inspected before hitting the servers?

A) I'm using on-prem edge firewalls and do not intend to replace them in future; these proxies or agents on servers bypass the firewall inspection because the encrypted tunnel passes through the firewall.

B) I asked the vendor whether, if somebody is using their cloud-based NGFW, inspection happens at the T point before traffic is forwarded to the DC. He said no? I am assuming the person doesn't know and that it may be an option.

This is my understanding of the subject, and quite likely I may be missing some big piece here. Any help or pointers are appreciated.

Thanks
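The core of the question above is where the encrypted tunnel terminates relative to each enforcement point: a firewall that sits strictly inside a tunnel's span only sees ciphertext, while one that terminates the tunnel, or sits on a hop after it has been terminated, sees the real payload. The following is an added illustration, not code from the post or from any ZTNA vendor; node names, the scenario topologies and the "internal-fw" and "ztna-cloud-ngfw" placements are assumptions used to model the post's options 1 and 2 plus the hypothetical cloud-NGFW case from point B. It generalises slightly beyond the post by showing that a proxy/connector placed in a segment that reaches the servers through an internal enforcement point (firewall or NAC-enforced boundary) keeps that hop inspectable even when the edge firewall is not.

```python
"""Toy model of where a firewall can still inspect traffic once part of the
user-to-server path sits inside an encrypted tunnel.

Constructed example for illustration; node names and topologies are
assumptions, not any vendor's product or configuration.
"""


def visibility(route, tunnels, firewalls):
    """For each firewall, report what it sees for traffic along `route`.

    route     : ordered list of nodes the user's traffic traverses.
    tunnels   : list of (entry, exit) node pairs; the payload is opaque at any
                node strictly between entry and exit (the endpoints themselves
                terminate the tunnel and see cleartext).
    firewalls : names of the enforcement points we care about.

    Returns a dict mapping each firewall to "cleartext", "opaque" or
    "not-on-path".
    """
    idx = {node: i for i, node in enumerate(route)}
    for entry, exit_ in tunnels:
        if entry not in idx or exit_ not in idx or idx[entry] >= idx[exit_]:
            raise ValueError(f"tunnel {entry}->{exit_} does not lie along the route")
    result = {}
    for fw in firewalls:
        if fw not in idx:
            result[fw] = "not-on-path"
            continue
        i = idx[fw]
        inside = any(idx[a] < i < idx[b] for a, b in tunnels)
        result[fw] = "opaque" if inside else "cleartext"
    return result


def inspection_points(route, tunnels, firewalls):
    """Firewalls that actually see the decrypted payload on this path."""
    return [fw for fw, state in visibility(route, tunnels, firewalls).items()
            if state == "cleartext"]


# Enforcement points we want to reason about (assumed names).
FIREWALLS = ["edge-fw", "internal-fw", "ztna-cloud-ngfw"]

SCENARIOS = {
    # Today: the VPN terminates on the edge firewall, which forwards to the DC.
    "vpn-terminates-on-edge-fw": (
        ["laptop", "edge-fw", "dc-server"],
        [("laptop", "edge-fw")],
    ),
    # Option 1: agent on the server; the tunnel runs end to end through the
    # ZTNA cloud, so the edge firewall only sees ciphertext.
    "ztna-agent-on-server": (
        ["laptop", "ztna-cloud", "edge-fw", "dc-server"],
        [("laptop", "dc-server")],
    ),
    # Option 2: a proxy/connector terminates the tunnel; if its segment reaches
    # the servers through an internal firewall (or NAC-enforced boundary),
    # that hop is inspectable even though the edge firewall is not.
    "ztna-proxy-behind-internal-fw": (
        ["laptop", "ztna-cloud", "edge-fw", "ztna-proxy", "internal-fw", "dc-server"],
        [("laptop", "ztna-proxy")],
    ),
    # Hypothetical point B: a cloud NGFW terminates the user tunnel and
    # re-tunnels to the proxy, so it becomes an inspection point as well.
    "ztna-cloud-ngfw-terminates-tunnel": (
        ["laptop", "ztna-cloud-ngfw", "edge-fw", "ztna-proxy", "internal-fw", "dc-server"],
        [("laptop", "ztna-cloud-ngfw"), ("ztna-cloud-ngfw", "ztna-proxy")],
    ),
}


def evaluate_all(firewalls=FIREWALLS):
    """Map scenario name -> list of firewalls that inspect cleartext."""
    return {name: inspection_points(route, tunnels, firewalls)
            for name, (route, tunnels) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, points in evaluate_all().items():
        print(f"{name:36s} inspected at: {points or ['nowhere on the path']}")
```

Running it shows the edge firewall as the sole inspection point only in the VPN scenario, no inspection point at all when the tunnel ends in an agent on the server, and the internal enforcement point (and, in the hypothetical case, the cloud NGFW) as the place to look for inspection once the tunnel terminates on a proxy. The practical check this suggests for a deployment is simply to walk the path per scenario and confirm that at least one enforcement point sits on a hop after tunnel termination.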
