Are critical ZTNA mistakes compromising your network?

Xiid Team, Xiid Blog, 4 min read, Jul 31, 2023

Zero Trust Network Access (ZTNA) is often hailed as a “magic bullet” for network security, and done right, it can be a dramatic improvement from perimeter network security.

Unfortunately, ZTNA deployments commonly suffer from some major, yet easy-to-overlook vulnerabilities. Namely:

  • Keeping Inbound Ports Open
  • An Over-Reliance on VPNs
  • Using Machine-to-Machine Connections
  • Trusting “Break-and-Inspect” Services

The Life of a Sys Admin | Photo by Christian Erfurt on Unsplash

Mistake #1: Keeping Inbound Ports Open

Many organizations are so used to configuring firewalls with complex rules controlling open ports that this configuration game becomes what network security is, or is simply seen as the “nature of the beast”. Fancy AI products are put in place to set firewall rules, or traffic is decrypted, inspected, and classified (often incorrectly) as good or bad. One mistake can give malware, ransomware, and other damaging attacks free rein across your network.

The true risk, however, is that there are open inbound ports in the first place.

As in the famous movie quote, the mistake is playing this dangerous “security” game to begin with.

“The only winning move is not to play.” — WarGames

The truth is, there are new products on the market that make it possible to achieve robust, feature-complete networking and access while blocking all inbound traffic on every resource, protecting your network from intrusion.
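One way a defender can audit Mistake #1 on a Linux host, as an added example that is not from the post or from Xiid: parse `ss -tlnpH` output (a constructed sample is embedded below) and list every socket bound to a non-loopback address, since those are the inbound ports that exist no matter how the firewall rules are written.

```python
"""Flag sockets listening on non-loopback addresses: the open inbound ports the
post warns about, regardless of what the firewall ruleset says."""
import ipaddress
import re

PROC_RE = re.compile(r'users:\(\("([^"]+)"')

def split_endpoint(endpoint):
    """Split 'addr:port' into (addr, port); handles '[::]:443' and '*:80'."""
    addr, port = endpoint.rsplit(":", 1)
    return addr.strip("[]"), int(port)

def is_wildcard_or_public(addr):
    """True when the bind address accepts traffic from other hosts."""
    if addr in ("*", "0.0.0.0", "::"):
        return True
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True  # unknown form: report it rather than hide it

def exposed_listeners(ss_output):
    """Return (process, addr, port) for sockets reachable beyond loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = split_endpoint(fields[3])
        if not is_wildcard_or_public(addr):
            continue
        m = PROC_RE.search(line)
        findings.append((m.group(1) if m else "?", addr, port))
    return findings

# Constructed sample in the shape of `ss -tlnpH`; not taken from a real host.
SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 127.0.0.1:6379 0.0.0.0:* users:(("redis-server",pid=1200,fd=6))
LISTEN 0 4096 [::]:3389 [::]:* users:(("xrdp",pid=1450,fd=11))
LISTEN 0 128 [::1]:5432 [::]:* users:(("postgres",pid=990,fd=5))
LISTEN 0 128 10.0.0.5:8080 0.0.0.0:* users:(("gunicorn",pid=2001,fd=4))
"""

if __name__ == "__main__":
    for proc, addr, port in exposed_listeners(SAMPLE):
        print(f"inbound exposure: {proc} on {addr}:{port}")
```

On a live host, feed it the real output with `ss -tlnpH` and treat every finding as a port that must be justified or closed.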

Mistake #2: An Over-Reliance on VPNs

VPNs are often used to connect remote offices or workers to corporate headquarters or data centers, and are used without considering other alternatives. Similar to creating complex firewall rules, the “it’s always been done this way” mentality leads to most companies extensively using VPNs without hesitation.

This is playing with fire: VPNs are, essentially, holes through the firewall!

Inbound traffic allowed by the VPN can be (and often is) exploited by attackers or compromised devices. VPNs also introduce performance and scalability issues, as they require encryption and decryption of all traffic.

VPNs are sometimes justified — for instance, for subnets with servers that need to perform real-time synchronization. Let’s say you had a server cluster with machines all around the world that need to talk to each other frequently. Since the servers are in different LANs, you could create a VPN that comprises only those synchronizing servers — no clients!

Allowing every client unfettered access to the whole network via VPNs is crazily insecure, and far more secure solutions exist to allow clients to access resources and communicate with each other.

Mistake #3: Using Machine-to-Machine Connections

Since VPNs create machine-to-machine connections, any process on a machine can talk to any other process — including malicious ones! This can lead to widespread ransomware, malware, virus infections, or data exfiltration, since a malicious process on one machine could begin attacking any other resource on the VPN.

Instead, connections should be restricted to only allow process-to-process communication. This means that only specific processes that are designated and meant to communicate with each other can do so, significantly limiting the potential for the spread of cyberattacks.

Leaving the scope of communication wide-open is a huge, unnecessary liability.

Mistake #4: Trusting “Break-and-Inspect” Services

Using break-and-inspect services to secure your network traffic introduces a massive security backdoor into your network.

When you rely on a third-party service or appliance that aims to keep you safe by breaking and inspecting your traffic, you’re sharing all your traffic in the clear with that entity and trusting them with everything. You’re trusting their software or hardware with your entire network traffic in the clear. Company secrets. Credentials. Emails. Customer data. Everything. This annihilates the spirit of Zero Trust across your network.

Although some large organizations may make the (extremely risky) security trade-off to use these services for employee surveillance, other solutions such as application-aware Smart Hybrid Protocols already exist on the market that guard against malicious code injection without compromising network security.

Break-and-Inspect Vendor Viewing Network Traffic | Photo by Dmitry Ratushny on Unsplash

What now?

Implementing ZTNA can provide enormous benefits for organizations, but successful deployments require careful planning and execution to avoid these and other common mistakes that undermine its effectiveness.

If you already have an existing deployment, it’s possible (or even likely) that your network suffers from these key, exploitable vulnerabilities — and it’s certainly not your fault, since most major ZTNA vendors’ products are susceptible to some or all of these.

A new networking paradigm, Zero Knowledge Networking, provides the same functionality as typical ZTNA deployments, but is architected from the ground-up by security experts to be free of these and other common pitfalls that hamstring network security.

If you’re interested in dramatically boosting your network security while saving money, the Xiid team stands at the ready to help!
