Zero Trust Network Access, or ZTNA, is an increasingly popular alternative to traditional VPNs for higher security.
A VPN provides network-level access. Once connected through a VPN, a user can reach any machine on the same network, using any client application, network protocol, or network port. This is a very flexible access model, but although VPNs do provide some level of user authentication, they typically do not provide any security filtering, meaning cyber attacks can cross the VPN to attack machines on the other side.
Typically, administrators rely on endpoint security on the remote machine to keep malware off the user's machine. But attackers may not even need to circumvent endpoint security: user credentials can be phished or obtained through social engineering, meaning that the user logging in to the VPN may not be the actual user to whom access has been granted.
Administrators may also rely on network filtering to restrict access to the corporate network. However, because a network firewall makes decisions based on information in the IP packet, it does not have enough information to restrict access based on a user's role or privilege level. The result is that everyone on the VPN gets the same level of privilege – in practice, that means access to the entire network.
This is what ZTNA addresses. ZTNA provides minimal access for specific client applications to specific server applications or network resources, linked to a user's privilege level. Coupled with Zero Trust identity verification to reduce the risk from credential theft, ZTNA is a much more secure option for users who don't need full network access.
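The contrast drawn above (a packet filter that only sees addresses, protocol and port, versus a policy engine that ties a specific client application and destination service to a verified user role) is shown below as an added, constructed example. It is not Zentera's code or CoIP's policy format; the hosts, roles, rules and the `identity_verified` flag standing in for Zero Trust identity verification are all assumptions made for the illustration.

```python
"""Constructed illustration: network-level (VPN + firewall) versus
identity-aware, default-deny (ZTNA-style) access decisions.
Hypothetical hosts, roles and rules; not Zentera/CoIP code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str                 # asserted by the identity provider (assumed)
    identity_verified: bool   # stands in for MFA / device posture check (assumed)
    client_app: str           # process opening the connection
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str


@dataclass(frozen=True)
class FirewallRule:
    """What a packet filter can see: addresses, protocol and port only."""
    src_net: str
    dst_net: str
    protocol: str             # "tcp", "udp" or "any"
    dst_port: Optional[int]   # None means any port


@dataclass(frozen=True)
class ZtnaPolicy:
    """Least-privilege rule: which roles, from which client app, may reach which service."""
    roles: frozenset
    client_app: str
    dst_ip: str
    dst_port: int
    protocol: str


def firewall_decision(req: AccessRequest, rules) -> str:
    """Network-level filtering: user, role and client application are invisible here,
    so every VPN user ends up with the same reach."""
    for r in rules:
        if (ip_address(req.src_ip) in ip_network(r.src_net)
                and ip_address(req.dst_ip) in ip_network(r.dst_net)
                and r.protocol in ("any", req.protocol)
                and r.dst_port in (None, req.dst_port)):
            return "allow"
    return "deny"


def ztna_decision(req: AccessRequest, policies) -> str:
    """Identity-aware, default-deny: the identity must be verified and the
    (role, client app, destination service) tuple must match an explicit policy."""
    if not req.identity_verified:
        return "deny"
    for p in policies:
        if (req.role in p.roles and req.client_app == p.client_app
                and req.dst_ip == p.dst_ip and req.dst_port == p.dst_port
                and req.protocol == p.protocol):
            return "allow"
    return "deny"


# Constructed environment: a VPN address pool with a single permissive firewall rule
# into the corporate range, versus two narrow ZTNA policies.
VPN_RULES = [FirewallRule("10.8.0.0/24", "10.0.0.0/16", "any", None)]
ZTNA_POLICIES = [
    ZtnaPolicy(frozenset({"developer"}), "ssh", "10.0.1.10", 22, "tcp"),
    ZtnaPolicy(frozenset({"hr"}), "browser", "10.0.2.20", 443, "tcp"),
]

# Constructed sample requests, all originating from the VPN pool.
SAMPLE_REQUESTS = {
    "dev_to_build_server": AccessRequest("alice", "developer", True, "ssh",
                                         "10.8.0.5", "10.0.1.10", 22, "tcp"),
    "dev_to_hr_portal": AccessRequest("alice", "developer", True, "browser",
                                      "10.8.0.5", "10.0.2.20", 443, "tcp"),
    "phished_hr_account": AccessRequest("bob", "hr", False, "browser",
                                        "10.8.0.9", "10.0.2.20", 443, "tcp"),
    "dev_to_hr_fileshare": AccessRequest("alice", "developer", True, "file-explorer",
                                         "10.8.0.5", "10.0.2.20", 445, "tcp"),
}


def compare(requests=SAMPLE_REQUESTS) -> dict:
    """Return {name: (firewall decision, ZTNA decision)} for each request."""
    return {name: (firewall_decision(r, VPN_RULES), ztna_decision(r, ZTNA_POLICIES))
            for name, r in requests.items()}


if __name__ == "__main__":
    for name, (fw, zt) in compare().items():
        print(f"{name:22s} firewall={fw:5s} ztna={zt}")
```

Every request is allowed by the packet filter because each one arrives from the VPN pool and lands somewhere in the corporate range; the filter has nothing else to decide on. The ZTNA check permits only the single developer-to-build-server connection, and it also refuses the request whose credentials are valid but whose identity never passed verification, which is the credential-theft case the text describes.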
How CoIP Access ZTNA Works
Zentera's ZTNA uses the CoIP Overlay to provide direct secure remote access to a specific set of applications or servers. Once configured, ZTNA enforces access policies that are set by the administrator in the Zentera Air zCenter portal. There is no need to set up a separate VPN, and no need to change any rules on the corporate firewall to allow this access.
CoIP Platform supports agent-based models through the zLink agent, which may be installed to endpoints to instantly grant remote access, as well as agentless models, using a Gateway Proxy. The Gateway Proxy acts as a network-level device, but achieves high security by integrating user authentication with security filters that limit access to authorized destination applications.
CoIP Access and VPN Co-Existence
CoIP Access can co-exist with an existing corporate VPN. This enables use cases where users keep their existing VPN connections (e.g. to the corporate network) while admins provide a ZTNA connection for other assets – for example, cloud instances, or applications hosted in third-party networks. This flexibility simplifies connectivity and reduces the pressure to create a site-to-site connection solely to enable simultaneous access to assets in multiple locations.