Introduction
Fortinet's Zero Trust Network Access (ZTNA) solution provides multifactor authentication and security by isolating network connections. With Fortinet ZTNA, you can ensure that only the right users are on your network by requiring multifactor authentication and isolating network connections.
ZTNA means "zero trust network access," and it's a way of thinking about how organizations should secure their networks. In this model, you don't trust anything unless it's proven trustworthy. This is an important distinction because even trusted employees can be tricked into installing malware or giving away sensitive information if they're not careful with what they click on.
To put this in more concrete terms: when someone logs into your company's system remotely (or over the Internet), that person must provide two types of verification before their identity is confirmed as legitimate. One type of verification comes from something only the legitimate user physically possesses; the other comes from something only that user knows.
ZTNA is a way to secure cloud and mobile workers
ZTNA is a new approach to network access and an evolution of the perimeter security model. ZTNA requires devices and users to be authenticated before they are given access to resources in your network. This new way of doing things can help you secure your cloud and mobile workers through identity authentication at gateways.
Zero Trust networks have been around for a while, but they are only now starting to be taken seriously by the industry.
Zero trust network access is a new way of thinking about security. It's not a product, but rather an approach to securing your network against attacks. It's all about protecting your data from unauthorized access and protecting your users from phishing attacks.
In the past, companies would implement a perimeter security model in an attempt to keep bad actors off of their network. The assumption was that users were trustworthy and that the network was secure. This approach has been broken by cloud computing and BYOD (bring your own device). In order to address these new challenges, organizations have moved from the traditional perimeter security model to a defense-in-depth strategy. This means that there are multiple layers of protection deployed throughout the company's infrastructure: for example, web proxies are placed between external clients and servers; firewalls protect servers from internal users; anti-malware software protects each endpoint device from malicious software; and so on.
This approach worked when companies primarily had users on their corporate network.
There was a time when the perimeter security model worked. That's because it was based on two assumptions about how networks were built, and those assumptions are no longer true.
● The first assumption is that your corporate network is internal and secure. This was easy to assume when most companies didn't have any internet-facing assets, but today we all have public websites or services hosted in the cloud, and hackers know this too.
● The second assumption is that users come from inside your company, and they're all trusted (or at least have been trained). That's not true anymore either: there are millions of phishing emails sent every day trying to trick people into clicking on malicious links or opening infected attachments so their machines can be compromised by malware like CryptoLocker or GameOver Zeus.
That model has completely broken down with the rise of cloud services and mobile workers. ZTNA combines Fortinet's advanced security expertise with its innovative visual management interface and machine learning algorithms to deliver a robust solution for the growing threat landscape.
Fortinet's Zero Trust Network Access (ZTNA) solution provides multifactor authentication and security by isolating network connections, which means that each device must authenticate itself before gaining access to any part of your network, whether hardware, software or cloud-based service. It gives you granular control over user privileges by applying policies based on user identity, location and behavior across your enterprise, all managed through a single pane of glass using Fortinet's award-winning visual management interface.
Companies need to be able to securely open up access to their applications for off-network users, both employees and vendors.
Collaboration tools like Slack, Trello, and GitHub have made working together across organizations a lot easier. But these tools remain proprietary in nature and can't be used on an enterprise network unless there is an external-facing internet connection available or a VPN connection available between the internal network and the external internet.
With Fortinet ZTNA 5 we provide a solution that addresses this problem: the ability for companies to securely open up access to their applications for off-network users while maintaining security at every step of the way.
Zero Trust assumes that all users outside of the trusted zone are untrusted.
Zero Trust Network Access (ZTNA) is a new way to think about security. It's more than just a trend; it's a fundamental shift in how you should design and implement your network access controls.
Traditionally, enterprise networks have been managed as perimeters: users on the inside of the perimeter were trusted, while those outside were not. This was done regardless of whether users were internal employees or external partners accessing services from remote locations such as hotels or coffee shops via cellular devices that they carried with them. There was no difference between these two types of users; both required the same level of trust because neither could be authenticated without compromising some aspect of your data protection strategy (for example, using VPNs).
To further complicate this, many organizations want to break down silos and allow users from one business unit to see data from another business unit or an external contractor. This means that even internal users must now be authenticated; internal trust is gone as well.
Zero Trust Network Access is a security model that assumes all users are untrusted. Zero Trust Network Access is more than just a new way of thinking about security; it requires a new approach to authentication and access management. Traditional approaches to trust have been replaced with user-based access models, which are based on the user's identity, privileges and location in the network. In other words, zero trust means that any computer or device connecting to your company's network must first be authenticated before gaining access, even if it is already inside your organization's firewall.
With zero trust, every user connection is considered suspect until proven otherwise by performing an identity check against an external source. This can include verifying against an internal directory service or using an LDAP query over HTTPS to validate the username/password combination provided by the end user during their session login. Once validated, users are granted access for a time period (which can vary from minutes to hours) before another authentication handshake is required; within that period they can keep working without additional re-authentication checks at each subsequent session start, which reduces the overhead of maintaining account credentials across logged-in sessions.
The key aspects of a Zero Trust solution are user authentication, role-based access control (RBAC), and micro-segmentation (protecting the application, not the perimeter)
For authentication, Fortinet ZTNA uses multi-factor authentication (MFA), typically two factors, to ensure that only authorized users can access critical data. This is done via a combination of username/password and an app or token device (like Google Authenticator). It also supports fingerprint recognition on mobile devices as well as Windows Hello biometric authentication on laptops, desktops and tablets. For organizations that want to go all out with security, you can use face recognition instead of fingerprint scanning.
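The two mechanics described above, an authenticator-app code as the second factor and a time-bounded session before the next authentication handshake, as an added example (hypothetical helper code written for this post, not Fortinet's implementation; the secret, user names and 3600-second session lifetime are constructed values):

```python
import base64
import hashlib
import hmac
import struct

def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (what Google Authenticator displays): HOTP over Unix time."""
    return hotp(secret_b32, int(at_time) // step, digits)

def verify_totp(secret_b32: str, submitted: str, at_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current 30s step and +/- `window` steps to tolerate clock drift.
    compare_digest keeps the comparison constant-time."""
    counter = int(at_time) // step
    return any(hmac.compare_digest(hotp(secret_b32, counter + d), submitted)
               for d in range(-window, window + 1))

# Constructed demo secret: RFC 6238's test key "12345678901234567890" in base32.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def issue_session(user: str, issued_at: int, ttl: int = 3600) -> dict:
    """A validated user holds access for `ttl` seconds; after that a fresh
    authentication handshake is required (the 'minutes to hours' window)."""
    return {"user": user, "issued_at": issued_at, "expires_at": issued_at + ttl}

def session_requires_reauth(session: dict, now: int) -> bool:
    return now >= session["expires_at"]

def login(user: str, totp_code: str, now: int, secret_b32: str = DEMO_SECRET):
    """Hypothetical second-factor step: the password (something you know) is
    assumed already verified upstream; the app code (something you have) is
    checked here. Returns a session dict on success, None on failure."""
    if not verify_totp(secret_b32, totp_code, now):
        return None
    return issue_session(user, now)
```

The drift window is the usual trade-off: each extra step accepted widens the time a captured code stays valid, so keep it at one step unless clock skew on enrolled devices demands more.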
Takeaway:
Fortinet's solutions to Zero Trust Network Access include FortiGate and FortiToken.
● FortiGate is an innovative virtual appliance that can be directly deployed into a cloud environment.
● It's a one-click install that requires no maintenance or management, and it can integrate with AWS and other popular public cloud platforms.
● If you have an existing hardware FortiGate, that can be used too.
FortiToken is an identity and access management platform which helps you automate user provisioning and management across all your enterprise systems, from network access to VPNs and WiFi networks, through SAML-based SSO (single sign-on) or LDAP/Kerberos-based authentication.
The second method is to use the FortiToken for two-factor authentication for your users. Everyone who has access to the network should have an account with FortiToken enabled. It's just like any other user account, except that it won't allow you to log in unless you've first entered the code sent by this app on your phone or tablet.
The FortiToken can be used for 2FA for your users.
The FortiToken is a hardware token that plugs into your computer and provides hardware-based authentication for web applications. It can be used for 2FA for your users, or you can use it to log in to the FortiGate or other devices.
The FortiToken is an ideal solution for remote workers who need to access systems securely without increasing security risks. Because the device uses two-factor authentication (2FA), it requires two methods of confirming identity before granting access: something you know (a password) plus something you have (the physical token).
This blog post is about Fortinet's Zero Trust Network Access.
Written by: Afaq Ahmad - Network Engineering Consultant - CCIE x 2, #42243
Ask me, there's a solution for everything.