Blog

Two ZTNA Weak Spots that Hackers can Exploit and How to Fix Them

Adopting a ’zero trust’ network access posture has become an important strategy for securing hybrid and cloudified enterprise networks. Officially known as Zero Trust Network Access/Architecture, the ZTNA model is really very simple. First, contextual data is used to fully vet users and devices seeking network access. Then, if a user is approved, they enter a sort of private network-for-one that gives access to the resource they need—and nothing else. This way, if trust in the user was misplaced, at least the amount of damage they can do is limited. And you’ll know if this trust was misplaced because ZTNA lets you keep an eye on users’ behavior the whole time they’re connected!

 

Accurate, granular Application ID and contextual metadata are key in ZTNA

 

Two Weak Spots that Can Unravel ZTNA

In theory the ZTNA model is very strong, but it is vulnerable at two critical junctures:

  1. At initial access authorization,
  2. At the establishment of a limited ‘virtual’ network through segmentation.

At both these steps, if a solution does not have sufficient network traffic visibility, its defensive capabilities will be greatly compromised. Fortunately, Next Generation Deep Packet Inspection (NG DPI) can fill this visibility gap for more vigorous and consistent ZTNA-based protection.

 

Let’s look at how visibility impacts ZTNA effectiveness and how NG DPI can help at these two critical points:

  1. Identity-Based Authentication: In ZTNA, simply having valid login credentials is not enough to gain access to a network. You have to go further and prove you are the legitimate owner of those credentials. Accordingly, ZTNA authenticates users (people, devices, apps, etc.) using an identity-based schema that takes context into account, such as device profiles, date and location data, and information about private applications and services. If anything is wrong or unusual, trust will not be granted.The challenge is that some of this information can be fabricated, or simply missing (like app and service info). As a result, some users who shouldn’t have access get it, and some who should are erroneously blocked. This is where NG DPI can help. It supports identity-based access by providing contextual data drawn from the most reliable source available: network-based telemetry data. And a quality NG DPI engine can also help detect threats like spoofing attacks, and the presence of rogue private applications and devices in shadow IT.
  2. Segmentation: Once access is granted, the goal is to provide least-privileged access to required resources. If application and service information is not granular or accurate, effective segmentation cannot be established. Here again NG DPI can help. NG DPI provides the ultra-reliable traffic classification required for segmentation, and the additional visibility NG DPI brings in the form of traffic metadata and threat indicators supports advanced micro-segmentation and traffic handling rules for enhanced security.

 

NG DPI also helps with continuous trust evaluation. As mentioned, in ZTNA, trust is never granted in permanence; it must be continuously earned. This is handled through continuous monitoring supported by NG DPI, which provides real-time traffic analysis that includes the identification of evasive and anomalous traffic.

Finally, NG DPI also boosts ZTNA effectiveness by supporting granular traffic monitoring that can reveal potential breaches, enabling the ZTNA solution to invoke the necessary access controls, such as rerouting or blocking traffic.

 

Examples of Advanced ZTNA Functions Enabled by NG DPI

  • Detect and block a user trying to connect with forbidden anonymizers like Cyberghost or Ultrasurf.
  • Prevent domain fronting by revealing the use of routing schemes in Content Delivery Networks (CDNs) and other services that mask the intended destination of HTTPS traffic.
  • Detect and block a user trying to connect with RDP or telnet from an unusual location, or to a resource not typically accessed by RDP (traffic that might otherwise be seen as generic TCP traffic without NG DPI).
  • Continuously evaluate trust by monitoring traffic to detect anomalies, such as the transfer of a file using a false MIME type (e.g., an executable masked as an image), or the presence of non-standard tunneling activities over legitimate protocols (such as DNS or ICMP), which may indicate unauthorized or illegal activities.

To find out more about embedding NG DPI into ZTNA and wider cloud-based security solutions, I encourage you to download the technical white paper: How SSE Leaders Use Next Generation DPI for Market Success.

Related insights

Enea Qosmos Probe Shows High Performance for Cyber Security

Intel Solution Brief: Enea Qosmos Probe Shows High Performance for Cyber Security

Read more

Tags: Cybersecurity , Deep Packet Inspection , Intrusion Detection , Traffic Intelligence

How to Build Stronger SSE Solutions with Next Gen DPI

How to Build Stronger SSE Solutions with Next Gen DPI

Read more

Tags: Cloud Security , Deep Packet Inspection , SASE , SD-WAN , SSE , Traffic Intelligence , ZTNA

Rise of Zero-Trust and SASE Shines New Spotlight on Deep Packet Inspection (DPI) - Part 2

Rise of Zero-Trust and SASE Shines New Spotlight on Deep Packet Inspection (DPI) – Part 2

Read more

Tags: Cloud Security , Deep Packet Inspection , SASE , SSE , ZTNA

Rise of Zero-Trust and SASE Shines New Spotlight on Deep Packet Inspection (DPI)

Rise of Zero-Trust and SASE Shines New Spotlight on Deep Packet Inspection (DPI) – Part 1

Read more

Tags: Cloud Security , Deep Packet Inspection , SASE , SSE , ZTNA

Boosting Suricata with DPI-Based Traffic Intelligence - Live Demo

Boosting Suricata with DPI-Based Traffic Intelligence – Live Demo

Read more

Tags: Cybersecurity , Deep Packet Inspection , Intrusion Detection , Suricata