Two ZTNA Weak Spots that Hackers can Exploit and How to Fix Them

Adopting a ’zero trust’ network access posture has become an important strategy for securing hybrid and cloudified enterprise networks. Officially known as Zero Trust Network Access/Architecture, the ZTNA model is really very simple. First, contextual data is used to fully vet users and devices seeking network access. Then, if a user is approved, they enter a sort of private network-for-one that gives access to the resource they need—and nothing else. This way, if trust in the user was misplaced, at least the amount of damage they can do is limited. And you’ll know if this trust was misplaced because ZTNA lets you keep an eye on users’ behavior the whole time they’re connected!


Accurate, granular Application ID and contextual metadata are key in ZTNA


Two Weak Spots that Can Unravel ZTNA

In theory the ZTNA model is very strong, but it is vulnerable at two critical junctures:

  1. At initial access authorization,
  2. At the establishment of a limited ‘virtual’ network through segmentation.

At both these steps, if a solution does not have sufficient network traffic visibility, its defensive capabilities will be greatly compromised. Fortunately, Next Generation Deep Packet Inspection (NG DPI) can fill this visibility gap for more vigorous and consistent ZTNA-based protection.


Let’s look at how visibility impacts ZTNA effectiveness and how NG DPI can help at these two critical points:

  1. Identity-Based Authentication: In ZTNA, simply having valid login credentials is not enough to gain access to a network. You have to go further and prove you are the legitimate owner of those credentials. Accordingly, ZTNA authenticates users (people, devices, apps, etc.) using an identity-based schema that takes context into account, such as device profiles, date and location data, and information about private applications and services. If anything is wrong or unusual, trust will not be granted.The challenge is that some of this information can be fabricated, or simply missing (like app and service info). As a result, some users who shouldn’t have access get it, and some who should are erroneously blocked. This is where NG DPI can help. It supports identity-based access by providing contextual data drawn from the most reliable source available: network-based telemetry data. And a quality NG DPI engine can also help detect threats like spoofing attacks, and the presence of rogue private applications and devices in shadow IT.
  2. Segmentation: Once access is granted, the goal is to provide least-privileged access to required resources. If application and service information is not granular or accurate, effective segmentation cannot be established. Here again NG DPI can help. NG DPI provides the ultra-reliable traffic classification required for segmentation, and the additional visibility NG DPI brings in the form of traffic metadata and threat indicators supports advanced micro-segmentation and traffic handling rules for enhanced security.


NG DPI also helps with continuous trust evaluation. As mentioned, in ZTNA, trust is never granted in permanence; it must be continuously earned. This is handled through continuous monitoring supported by NG DPI, which provides real-time traffic analysis that includes the identification of evasive and anomalous traffic.

Finally, NG DPI also boosts ZTNA effectiveness by supporting granular traffic monitoring that can reveal potential breaches, enabling the ZTNA solution to invoke the necessary access controls, such as rerouting or blocking traffic.


Examples of Advanced ZTNA Functions Enabled by NG DPI

  • Detect and block a user trying to connect with forbidden anonymizers like Cyberghost or Ultrasurf.
  • Prevent domain fronting by revealing the use of routing schemes in Content Delivery Networks (CDNs) and other services that mask the intended destination of HTTPS traffic.
  • Detect and block a user trying to connect with RDP or telnet from an unusual location, or to a resource not typically accessed by RDP (traffic that might otherwise be seen as generic TCP traffic without NG DPI).
  • Continuously evaluate trust by monitoring traffic to detect anomalies, such as the transfer of a file using a false MIME type (e.g., an executable masked as an image), or the presence of non-standard tunneling activities over legitimate protocols (such as DNS or ICMP), which may indicate unauthorized or illegal activities.

To find out more about embedding NG DPI into ZTNA and wider cloud-based security solutions, I encourage you to download the technical white paper: How SSE Leaders Use Next Generation DPI for Market Success.

Related insights

Qosmos ixEngine Named Best Product Embedded Security in the Global InfoSec Awards 2023

Enea’s Qosmos ixEngine Wins Global InfoSec Best Product Award

Read more

Tags: Cybersecurity , Deep Packet Inspection , Intrusion Detection , Qosmos ixEngine , Traffic Intelligence

How to Boost ZTNA Performance with Detailed Traffic Visibility

Read more

Tags: Cloud Security , Deep Packet Inspection , Qosmos ixEngine , SSE , Traffic Intelligence , ZTNA

Discover the 3 Hot Topics at RSA Conference 2023 with Enea

There will be 3 Hot Topics at RSA Conference 2023: Find Out What They Are and Why

Read more

Tags: Cloud Security , Deep Packet Inspection , Intrusion Detection , SASE , SD-WAN , SSE , Traffic Intelligence , ZTNA

The Role of DPI in Cybersecurity - An Interview with Roy Chua, Founder and Principal of AvidThink

The Role of DPI in Cybersecurity – An Interview with Roy Chua, Founder & Principal of AvidThink

Read more

Tags: Cybersecurity , Deep Packet Inspection , Encryption , SASE , SD-WAN , Traffic Intelligence

Enea Qosmos Probe Shows High Performance for Cyber Security

Intel Solution Brief: Enea Qosmos Probe Shows High Performance for Cyber Security

Read more

Tags: Cybersecurity , Deep Packet Inspection , Intrusion Detection , Traffic Intelligence