Hello Everyone,
I’ve been trying to grasp the main distinctions and features of ZTNA solutions like Zscaler or Prisma compared to NAC-Driven VPN access, whether it’s through integrating firewalls with Cisco ISE or using built-in features by Palo Alto known as host compliance.
Both ZTNA and NAC-Driven technologies seem to offer similar capabilities, ensuring devices meet security benchmarks like up-to-date security patches, anti-malware measures, 2FA authentication, and MDM integration.
I’m somewhat puzzled. Don’t they both aim for the same outcome? I’d appreciate any insights or experiences you might have to offer!
Any insights or experiences you can share would be greatly appreciated!
The difference is ZTNA usually extends past the network's edge. NAC is focused on internal.
With a proper ZTNA, the same workflow can be used off site, for web apps, SSO, etc., whereas NAC relies upon them connecting to a corp network endpoint.
We bought Cisco ISE three years ago. I’m about to renew our security EA and it’s still not implemented. You need a STRONG networking team to manage ISE, but ZTNA can be managed by sysadmins. I wish I went the ZTNA route.
We did a greenfield implementation and were able to go SASE for all physical machines, including in office, and all office networks are effectively treated as untrusted network space, so all users connect to VPN regardless of whether they are in or out of the office. Our SASE is also always on.
Checked a lot of boxes that way to ensure constant protection of the network and internet connection of all devices while also applying proper trust boundaries for office networks.
For the record, we are a Palo Alto shop, using PANOS in AWS, Cloudgenix to manage the office networks and Prisma Access for SASE.
Agreed with this. Further, ZTNA taken to its logical conclusion says: do not trust the underlay network; treat WAN, LAN and even the host OS network as compromised. This leads into doing authentication and authorisation before connectivity is established, ideally with outbound-only connections at source/destination to reduce complexity and massively reduce any attack surface.
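To make the distinction the replies above draw concrete, here is an added toy policy engine (constructed for this thread, not code from any of the vendors or posters mentioned). It models the posture criteria listed in the question (patches, anti-malware, 2FA, MDM) and shows that a NAC-driven decision only exists where the device touches the corporate edge, while the ZTNA decision runs identically for every request, from any location, and finishes authentication and authorisation before any connection to the app is brokered. User names, app names and entitlements are constructed sample data.

```python
"""Toy comparison of NAC-driven VPN access vs ZTNA per-request decisions."""
from dataclasses import dataclass


@dataclass
class Device:
    patched: bool
    antimalware_running: bool
    mdm_enrolled: bool


@dataclass
class Request:
    user: str
    mfa_verified: bool
    device: Device
    on_corp_network: bool
    app: str


# Constructed sample entitlements: which apps each user may reach.
ENTITLEMENTS = {"alice": {"hr-portal", "git"}, "bob": {"git"}}


def posture_ok(d: Device) -> bool:
    """The host-compliance checks both approaches care about."""
    return d.patched and d.antimalware_running and d.mdm_enrolled


def nac_vpn_decision(req: Request) -> str:
    """NAC-style: the enforcement point is the corporate network edge.
    Off the corp network there is nothing to evaluate; on it, a
    compliant device is granted a network segment, and per-application
    authorisation is left to each application behind that segment."""
    if not req.on_corp_network:
        return "no-enforcement-point"
    if not posture_ok(req.device):
        return "quarantine-vlan"
    return "network-access"


def ztna_decision(req: Request) -> str:
    """ZTNA-style: identity, posture and entitlement are all checked
    before a connection to the single requested app is brokered, and
    the location of the device plays no part in the decision."""
    if not req.mfa_verified:
        return "deny:mfa"
    if not posture_ok(req.device):
        return "deny:posture"
    if req.app not in ENTITLEMENTS.get(req.user, set()):
        return "deny:not-entitled"
    return f"connect:{req.app}"
```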