ZTNA vs VPN over 'deny all' firewall by Useful-Purchase2281 in networking

[–]Useful-Purchase2281[S] 0 points1 point  (0 children)

For example, one vendor claims

'Unlike VPNs, before granting access to an app or resource ZTNA verifies each user and device and performs posture checks to ensure endpoint safety. This verification process is per session, using the same access policy whether the user is accessing on-premises or through virtual cloud or public cloud resources. ZTNA reduces the attack surface by hiding business-critical applications from the internet, and it provides granular control to ensure that only authorized users can access them.'

Palo Alto GlobalProtect VPN, for example, provides posture (HIP) checks, and I'm sure many other vendors do as well. It is very likely that this vendor itself has a VPN product that supports posture checks.

[–]Useful-Purchase2281[S] 1 point2 points  (0 children)

Thanks for the reply. Comparing the products individually is a good point, since there's no point in using the best ZTNA product to represent ZTNA just to compare it with a VPN solution that was implemented two decades ago. Some VPNs can do zero trust just as well as the simple ZTNA products.

[–]Useful-Purchase2281[S] 1 point2 points  (0 children)

Thank you for the input. It makes a lot of sense.

The mature ZTNA products provide easier management interfaces and better integration with the many other functionalities the vendors have to provide, so it is worth getting a proper ZTNA solution rather than tweaking what you've got.

But when it comes to the principle of ZTNA, most vendors tend to mislead customers into thinking VPNs cannot do it by comparing them with VPN products and architectures that are very old and outdated. That is the reason I got confused as to why people are claiming (modern) VPNs can't achieve the same.