Zero Trust Network Access (ZTNA) is a security model built on the basic principle of trust no one & verify everything. ZTNA can be seen as the replacement for legacy remote-access VPN solutions. In traditional networks, including SD-WAN, once an endpoint somehow got onto the network, whether through a remote VPN connection or by sitting in a corporate office, it was deemed trusted and could access any network resource (subject only to application-level security). This leaves the network itself exposed to attacks from compromised endpoints. ZTNA is a newer model aimed at fixing that problem by “never trusting” an endpoint on the network unless it has been granted specific access.
ZTNA is implemented with a newer technology called software-defined perimeter (SDP). SDP is an application access technology that authenticates users, authorizes application-specific access rights based on user profiles & performs continuous risk assessment throughout the session.
Legacy networks have a well-defined network boundary or perimeter, usually guarded by firewalls. To access any corporate network resource, an endpoint has to be inside this firewalled perimeter. These appliance or virtual firewalls create a very static, fixed network perimeter. SASE uses SDP to dynamically define a virtual network boundary that is flexible enough to encompass all of the network resources and assets of a particular enterprise. In effect, this creates virtual private clouds for different enterprises within the underlying common SASE cloud infrastructure.
Following the standard SDx architecture, SDP has three components:
• SDP client : installed on the endpoint device
• SDP controller : the broker between the network & the client; sits in the SASE core cloud
• SDP GW : the actual data-plane network entry point; sits on the SASE gateways
As an analogy, SDP is very similar to traditional network ACLs, except that ACLs are static & work only up to L4, whereas SDP can act up to L7. So an ACL will allow access to a whole server/host, but SDP is smart & granular enough to allow access only to a particular application on that server. The user won’t even see the other apps on the same server.
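To make the ACL-versus-SDP contrast concrete, here is an added Python example (not code from the original article or from any SDP product) that models a legacy L4 ACL next to an application-level SDP policy with the three checks described above: identity-based authorization, device posture, and a risk score from continuous assessment. The host address, users, groups, application names and risk thresholds are all constructed for illustration; a real SDP controller would pull them from an identity provider and posture agent.

```python
"""Added example: legacy L4 ACL versus an SDP-style application policy.
Every host, user, group, app name and threshold here is constructed."""
from __future__ import annotations
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AccessRequest:
    user: str
    group: str                 # group asserted by the identity provider (assumed)
    device_compliant: bool     # posture check result from the SDP client (assumed)
    dst_host: str
    dst_port: int
    app: str                   # the named application the user is asking for
    risk_score: int            # 0 (clean) .. 100, from continuous assessment


# Legacy ACL: decides on L3/L4 fields only. One entry opens the whole host:port
# to anyone inside the perimeter, whatever application happens to sit behind it.
LEGACY_ACL = [
    ("10.0.0.5", 443, "allow"),   # constructed: one server hosting several apps
]


def acl_decision(req: AccessRequest) -> str:
    for host, port, action in LEGACY_ACL:
        if req.dst_host == host and req.dst_port == port:
            return action
    return "deny"   # implicit deny at the end of the list


# SDP policy: keyed by application, not by host. Each entry says which groups may
# use the app, whether a compliant device is required, and the risk score above
# which a session must not start or continue.
SDP_POLICY = {
    "hr-portal": {"groups": {"hr"},        "require_compliant": True,  "max_risk": 40},
    "wiki":      {"groups": {"hr", "eng"}, "require_compliant": False, "max_risk": 70},
}


def sdp_decision(req: AccessRequest) -> str:
    rule = SDP_POLICY.get(req.app)
    if rule is None:
        return "deny"                       # unpublished app: not reachable at all
    if req.group not in rule["groups"]:
        return "deny"                       # identity-based authorization failed
    if rule["require_compliant"] and not req.device_compliant:
        return "deny"                       # device posture check failed
    if req.risk_score > rule["max_risk"]:
        return "deny"                       # continuous risk assessment failed
    return "allow"


def visible_apps(group: str) -> set[str]:
    """Apps the controller would even list for a user in this group. Everything
    else stays dark to that user, which is the 'won't even see other apps' point."""
    return {app for app, rule in SDP_POLICY.items() if group in rule["groups"]}


def reevaluate_session(req: AccessRequest, new_risk: int) -> str:
    """Continuous assessment: the original request re-checked mid-session with an
    updated risk score. 'allow' keeps the tunnel open, 'revoke' tears it down."""
    updated = replace(req, risk_score=new_risk)
    return "allow" if sdp_decision(updated) == "allow" else "revoke"


if __name__ == "__main__":
    # Both users hit the same host:port, so the L4 ACL cannot tell them apart.
    alice = AccessRequest("alice", "hr", True, "10.0.0.5", 443, "hr-portal", 20)
    bob = AccessRequest("bob", "eng", True, "10.0.0.5", 443, "hr-portal", 20)
    for who in (alice, bob):
        print(who.user, "ACL:", acl_decision(who), "SDP:", sdp_decision(who))
    print("apps visible to eng:", visible_apps("eng"))
    print("alice after risk rises to 55:", reevaluate_session(alice, 55))
```

The ACL answers "allow" for both users because it only sees 10.0.0.5:443; the SDP policy allows Alice, denies Bob, and revokes Alice's session once her risk score crosses the per-application threshold. The `visible_apps` helper is the piece that makes unpublished or unauthorized applications invisible rather than merely blocked.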