Business & Technology

Not All Firewalls Can Do Zero Trust (But Ours Can)

By Peter Newton | April 21, 2022

Zero trust should be part of any cybersecurity strategy. The growth in Internet of Things (IoT) devices, the fragmenting of the network perimeter, and the new norm of working from anywhere make secure access more critical than ever. Today's shifting work and resource structures require security controls that span all locations, and zero trust is how that is achieved.

To protect systems, networks, applications, and data, companies must take a zero-trust approach to security by implementing strong authentication, network access control, and pervasive application access controls. When evaluating security products, look for a solution that can decrypt and inspect SSL/TLS traffic and apply zero-trust controls to both cloud-based and on-premises assets, including internal segmentation and zones of control.

Recently, concerns have been raised about the ability of firewalls to support a zero-trust environment. That may be true of some next-generation firewalls (NGFWs), which aren't up to the task, particularly in terms of performance once SSL/TLS decryption is turned on. But discounting firewalls entirely is a mistake. With the right NGFW, one with zero-trust network access (ZTNA) built in across all form factors, you can use its capabilities to control access for everyone across an extended network, covering both cloud and on-premises applications.

Fortinet NGFWs have unique strengths in supporting zero trust as part of a complete cybersecurity solution for hybrid networks. No other firewall has ZTNA built in, or custom security ASICs with hardware acceleration for SSL/TLS decryption.

Here are a few reasons why organizations need ZTNA and the risks the wrong solution can pose to your business.

Risks of Not Having ZTNA

Expanded Attack Surface

Networks are more distributed, with more edges, than ever before. Because of the pandemic, the walls separating the home and the corporate office have eroded, giving cybercriminals new, easily exploited ways to gain a foothold in the corporate network. Remote work has put devices outside the corporate network perimeter, significantly expanding the attack surface, and home networks are often poorly secured. The same devices used to remotely access the corporate network are also used to browse the internet without the protections of the corporate firewall, so connected resources are exposed to potentially malicious content. When employees travel, those devices also connect to corporate resources through unsecured public access points.

With ZTNA, users and devices can't reach an application until the user has authenticated and the device has been verified. ZTNA places applications behind a proxy point and creates a secure, encrypted tunnel from the client to that proxy. Unlike a traditional VPN tunnel, which provides broad access to the network and everything on it, a ZTNA connection is granted to an individual application, per session, and only after both the device and the user have been checked. Network location, which a VPN effectively treats as a stand-in for trust, plays no role in the decision: the same ZTNA policy applies whether users are on or off the corporate network.
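The access model just described, reduced to its decision logic, as an added illustration that is not Fortinet's code and not FortiOS policy syntax. The application names, group names, and posture tags ("av-running", "disk-encrypted") are invented for the example. A ZTNA-style proxy decides per application and per session, requires a verified device and a verified user, and ignores network location; a VPN-style check is included for contrast, since once the tunnel is up the client is simply on the network.

```python
# Added illustration of the ZTNA access model; not Fortinet code, not FortiOS
# configuration. Application, group and posture-tag names are hypothetical.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Identity:
    user: str
    groups: FrozenSet[str]
    mfa_verified: bool


@dataclass(frozen=True)
class Device:
    device_id: str
    cert_valid: bool              # client certificate issued at enrollment checks out
    posture_tags: FrozenSet[str]  # posture results reported by the agent (invented tag names)


@dataclass(frozen=True)
class AppRule:
    app: str
    allowed_groups: FrozenSet[str]
    required_tags: FrozenSet[str]
    require_mfa: bool = True


class ZtnaProxy:
    """Per-application, per-session decision point sitting in front of the apps."""

    def __init__(self, rules: Iterable[AppRule]) -> None:
        self.rules: Dict[str, AppRule] = {r.app: r for r in rules}

    def decide(self, identity: Identity, device: Device, app: str,
               on_corporate_network: bool) -> Tuple[bool, str]:
        # on_corporate_network is accepted only to make the point that it is
        # never consulted: the same checks run on-network and off-network.
        rule = self.rules.get(app)
        if rule is None:
            return False, "no rule for application; default deny"
        if not device.cert_valid:
            return False, "device not verified"
        missing = rule.required_tags - device.posture_tags
        if missing:
            return False, f"device posture failed: missing {sorted(missing)}"
        if rule.require_mfa and not identity.mfa_verified:
            return False, "user not verified (MFA required)"
        if not (identity.groups & rule.allowed_groups):
            return False, "user not authorized for this application"
        return True, "allow for this session only"

    def reachable_apps(self, identity: Identity, device: Device,
                       on_corporate_network: bool) -> List[str]:
        """Every application this user/device pair would be granted, one decision each."""
        return sorted(app for app in self.rules
                      if self.decide(identity, device, app, on_corporate_network)[0])


def vpn_reachable_apps(identity: Identity, device: Device,
                       all_apps: Iterable[str]) -> List[str]:
    """VPN model for contrast: once the tunnel authenticates, the client is on
    the network and can reach every application directly, posture or not."""
    if not identity.mfa_verified:
        return []
    return sorted(all_apps)


# Constructed policy and sample principals.
RULES = [
    AppRule("erp", frozenset({"finance"}), frozenset({"av-running", "disk-encrypted"})),
    AppRule("hr-portal", frozenset({"hr"}), frozenset({"av-running"})),
    AppRule("wiki", frozenset({"staff"}), frozenset(), require_mfa=False),
]
PROXY = ZtnaProxy(RULES)

ALICE = Identity("alice", frozenset({"staff", "finance"}), mfa_verified=True)
COMPLIANT = Device("lt-001", True, frozenset({"av-running", "disk-encrypted"}))
NO_ENCRYPTION = Device("lt-002", True, frozenset({"av-running"}))
UNMANAGED = Device("byod-7", False, frozenset())

if __name__ == "__main__":
    for net in (True, False):
        where = "on corporate network" if net else "remote"
        print(f"ZTNA, {where}:", PROXY.reachable_apps(ALICE, COMPLIANT, net))
    print("ZTNA, unencrypted disk:", PROXY.reachable_apps(ALICE, NO_ENCRYPTION, False))
    print("ZTNA, unmanaged device:", PROXY.reachable_apps(ALICE, UNMANAGED, False))
    print("VPN model:", vpn_reachable_apps(ALICE, COMPLIANT, PROXY.rules))
```

Note that the unmanaged device is refused even for the wiki, which needs no MFA and no posture tags: device verification precedes every other check, and the location flag never changes a result.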

Inconsistent Security

ZTNA should be something that users don't have to think about. It should work the same way no matter where the user or the applications happen to be physically located. However, many organizations use different products to secure access when people are working remotely versus in the office. They may use a cloud-based ZTNA service for remote workers but a different approach for on-premises security. Using different products is inefficient, and it's also less secure because it increases complexity and reduces visibility. IT staff must work in multiple consoles or dashboards that aren't integrated and maintain separate policies in multiple places. This lack of central management increases the likelihood of human error and misconfiguration.

User productivity also suffers when access to applications works differently in the corporate office than away from it. Inconsistent access leads to confusion or frustration, particularly if one of the products is hard to use.

ZTNA should work the same way no matter where the applications or the users may be located. Setting up universal ZTNA with a FortiGate ensures that consistent policies and controls span all of the operating environments, including multiple clouds. The same adaptive application access policy is used whether users are on or off the network because ZTNA is built into FortiOS. This integration with the Fortinet Security Fabric simplifies management and visibility across the network. ZTNA can be implemented incrementally by changing settings, so organizations can start with one section of the network or with specific zero-trust capabilities and add more over time.

Increased Costs and Complexity

Far too many organizations bolt security onto the network as an afterthought, creating unnecessary complexity and a weaker security posture. Essential technologies such as centralized management, integrated networking and security, security operations center (SOC) solutions, and AIOps are hard to implement in a fragmented security environment.

According to a Ponemon Institute report, organizations have deployed more than 45 security solutions on average. Because these solutions operate in silos, they add to network complexity, often relying on integration workarounds that require constant adjustment. And according to a Fortinet survey, 82% of IT teams with 10 or more security vendors in place spend at least 30% of their time addressing issues related to vendor complexity. Siloed security solutions almost inevitably lead to higher licensing costs and a heavier workload, because responding to alerts and incidents that span unintegrated tools cannot be automated.

The Fortinet ZTNA solution simplifies security with a single access policy for all locations, managed centrally. And because the firewall performs ZTNA enforcement, the firewall's other policies, including inspection of the decrypted traffic, can be applied to that traffic as well.

Lateral Threats

When a network is flat and open, with no security inspection past the perimeter, attackers who breach the perimeter can move laterally with ease to find valuable resources, plant malware, and disrupt business. Replacing perimeter-based VPNs with the zero-trust model of ZTNA ensures that every time a user or device requests a resource, it is verified before access is given. That protection only holds if the application is reachable solely through the ZTNA enforcement point; an application that also answers directly on the flat network can still be reached by an attacker with a foothold, which is why the internal segmentation mentioned earlier still matters.

Incomplete Security

Although ZTNA is often associated with cloud application access, many organizations don't have all of their applications in the cloud. Users require access to cloud applications, but they often need access to applications located in a data center or at a branch location as well. For complete security, ZTNA should be used everywhere; it shouldn't matter where the applications or the users are located. Having ZTNA everywhere ensures consistent policies and controls across all operating environments. For ZTNA to be everywhere, it can't be a cloud-only solution. Firewall-based ZTNA provides universal coverage for applications wherever they are hosted, including SaaS applications.

The Right Solution for ZTNA Everywhere

Firewalls aren't all created equal, but if you have a FortiGate, you've already taken the first step toward ZTNA everywhere. Fortinet uses the client-initiated ZTNA model, in which an agent on the device establishes the secure tunnel to the enforcement point. With FortiOS version 7.0 and above, existing Fortinet infrastructure can become part of a zero-trust architecture: FortiGate NGFWs serve as the ZTNA enforcement point and FortiClient endpoint protection provides the agent, with simplified management. The same adaptive application access policy is used whether users are on or off the network because ZTNA is built into FortiOS.

Because the ZTNA components are tightly integrated into the Fortinet Security Fabric, management and visibility across the network are simplified. By starting with a firewall and assembling the other pieces of the ZTNA solution under the umbrella of a single, integrated platform, organizations can implement zero-trust strategies that work no matter where their users, devices, or resources may be located.

Learn more about how Fortinet's ZTNA solution improves secure access to applications anywhere for remote users, and find out how Fortinet remains a global leader in broad, integrated, and automated cybersecurity solutions: Fortinet Innovation series.