Protecting Anywhere Workers With SD-WAN And Zero Trust Network Access

Sponsored Blog Posts

The following post is by Drew Conry-Murray on behalf of Fortinet. We thank Fortinet for being a sponsor.


Fortinet’s Zero Trust Network Access (ZTNA) is a smarter way to control which applications your end users connect to. Unlike a typical VPN client that gives a remote user full access to the corporate network, ZTNA provides fine-grained, per-application access based on policies such as user identity, group roles, client location, and device posture.

As more companies let employees split time between home, the office, and anywhere in between, Fortinet has built ZTNA capabilities directly into the same operating system that provides its SD-WAN, so that access policies can be applied regardless of user location, be it a branch or remote office, HQ, or home.

The ZTNA capability is available in the 7.0 release of the FortiOS software, which runs on FortiGate as an appliance, a VM, or in multiple clouds, and which powers Fortinet’s SD-WAN solution. It includes an access proxy that inserts itself between the endpoint device and the target application to enforce access. You’ll also need the FortiClient endpoint software and its centralized management.

By integrating ZTNA and SD-WAN, Fortinet extends the value of your SD-WAN while also supporting and protecting employees and applications. Here’s how it comes together.

Start With Policies

Policies are the beating heart of a zero trust architecture, and should be your starting point as you transition from a traditional VPN to ZTNA. Fortinet uses one of its central management solutions, either Endpoint Management Server (EMS) for on-premises, or FortiClient Cloud for a cloud-based option, as the repository for your access policies. The central management applies policy tags to clients, and issues and signs digital certificates to endpoints. It also manages the endpoint software, called FortiClient.

While you have to configure the access policies for users and devices within the FortiClient central management, you don’t have to start from scratch. You can import user groups and roles from an existing directory, such as Active Directory, and then apply access policies to those groups. You can also create sub-groups if a subset of people or roles within an existing category need more refined access. You can also monitor the applications being accessed and adjust access rules as necessary to balance work requirements and security policies.

FortiClient central management stays in regular communication with the appliances running FortiOS, such as an SD-WAN appliance, to synchronize device information. If that information changes, such as a device moving from a remote location to a branch office, the central management updates the relevant appliance with the appropriate access policies.

Source: Fortinet

Fortifying Your Endpoints

As mentioned, you’ll also need to run FortiClient software on your laptops, PCs, and mobile devices. The FortiClient software provides essential device information to central management, including the OS, device model, and user login information.

The client also communicates the security posture of the device, such as whether it’s on or off a corporate network, the presence of AV software, known vulnerabilities, and other details. This posture status can influence access policies; organizations may require a user or device to remediate a security issue before getting access to sensitive applications.

The client creates a secure connection to a FortiGate appliance, such as an SD-WAN appliance or firewall. End users do not have to explicitly set up an IPSec or SSL connection; it happens automatically in the background.
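The per-application decision model described in the two sections above, as an added illustration that is not Fortinet’s code or policy format: a traditional VPN makes one network-level decision, while a ZTNA evaluator checks each application against group membership, location, and the posture tags that central management has assigned to the endpoint. Policy names, tag names, and endpoints are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Endpoint:
    user: str
    groups: set          # imported from the directory (e.g. AD groups)
    location: str        # "corporate" or "remote", synced from the appliance
    tags: set            # posture tags assigned by central management

@dataclass
class AppPolicy:
    app: str
    allowed_groups: set
    required_tags: set = field(default_factory=set)
    forbidden_tags: set = field(default_factory=set)
    allowed_locations: set = field(default_factory=lambda: {"corporate", "remote"})

# Constructed sample policies (hypothetical applications and tag names).
POLICIES = [
    AppPolicy("hr-portal", {"hr"}, {"cert-valid", "av-running"}, {"vuln-critical"}),
    AppPolicy("wiki", {"hr", "engineering"}, {"cert-valid"}),
    AppPolicy("finance-erp", {"finance"}, {"cert-valid", "av-running", "disk-encrypted"},
              {"vuln-critical"}, {"corporate"}),
]

def vpn_decision(endpoint: Endpoint, authenticated: bool = True) -> dict:
    """Traditional VPN model: a single gate; once in, every application is reachable."""
    return {p.app: authenticated for p in POLICIES}

def ztna_decision(endpoint: Endpoint) -> dict:
    """ZTNA model: one decision per application. Returns app -> (allowed, reason)."""
    result = {}
    for p in POLICIES:
        if not endpoint.groups & p.allowed_groups:
            result[p.app] = (False, "group not permitted")
        elif endpoint.location not in p.allowed_locations:
            result[p.app] = (False, f"location {endpoint.location} not permitted")
        elif p.forbidden_tags & endpoint.tags:
            # Posture problem: user must remediate before access is granted.
            bad = ",".join(sorted(p.forbidden_tags & endpoint.tags))
            result[p.app] = (False, f"remediate: {bad}")
        elif not p.required_tags <= endpoint.tags:
            missing = ",".join(sorted(p.required_tags - endpoint.tags))
            result[p.app] = (False, f"missing posture: {missing}")
        else:
            result[p.app] = (True, "ok")
    return result
```

Re-running `ztna_decision` after central management changes an endpoint’s location or tags reproduces the policy resync described above; the VPN model returns the same answer for every application regardless of posture.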

Proxy On Board

In addition to the client software and central management, Fortinet’s ZTNA architecture also includes an access proxy, as mentioned above. Fortinet customers that have deployed SD-WAN and upgraded to the latest OS release already have the access proxy in place; there’s no need to download new software or activate licenses.

The proxy works in conjunction with the FortiClient central management and the client to enforce access. When a client connects to the proxy, which supports IPSec and SSL/TLS, the proxy terminates the connection. Because the proxy is integrated with FortiOS, the unencrypted traffic can be inspected by the firewall, IPS, Web filter, and other security controls on the appliance.

The proxy then sets up a new session and passes traffic to the destination application. That application can reside in a corporate data center, at a branch, or in the cloud. The proxy maintains individual tunnels per device and application.

SD-WAN And ZTNA Means Faster ROI

As work becomes more distributed, IT is responsible for delivering a good user experience regardless of location. At the same time, IT must also protect users and applications, even if they don’t control the network.

The addition of ZTNA to SD-WAN means your SD-WAN infrastructure becomes a platform that meets both requirements: critical applications take the best-performing path, and IT ensures that access policies are enforced whether a user is on the corporate network or working from their own back porch.

And because the access proxy is already integrated with the FortiGate appliance that powers your SD-WAN, it’s easy to bring ZTNA into your environment.

To find out more, visit Fortinet’s Secure SD-WAN and ZTNA pages.