Key Consideration Points for Implementing ZTNA

Hi All,
We’ll be doing a pilot project where we’ll implement the Zero Trust approach.

Here’s how it will look (in my eyes at least):

  1. User connects to the network (wired or wireless)
  2. Every user will be in a ‘non authenticated’ subnet at first with very limited access to the internet.
  3. User connects to our VPN portal
     • SAML authentication to Entra is done
     • MFA is enforced
     • Device needs to be in compliance in order to authenticate successfully
     • User is provided with an IP from the respective Line of Business subnet
  4. All security rules will be based on User Group Membership (leveraging Palo Alto CIE with Azure AD)
  5. Protect Surface will be secured additionally with Authentication Rules (again, leveraging Palo Alto CIE)
  6. No explicitly permitted traffic between zones or subnets

I know it’s not true ZTNA, but we already have lots of site firewalls, MPLS, etc., and we’re thinking of a way to implement the zero trust model without an actual ZTNA cloud service such as Palo Alto’s Prisma.

Has anyone designed something similar?
Do you have any key points we need to keep in mind, or any potential issues with the points above?

Any input will be valuable 🙂
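The flow in the post above (pre-auth subnet, portal login that gates on MFA and device compliance and hands out a Line-of-Business address, an IP-to-user map, group-based rules, an authentication rule in front of the protect surface, and deny-by-default between zones) can be modelled in a few dozen lines. This is an added illustration, not the poster's design document and not PAN-OS or CIE code; the zone layout, user names, group names and rule names are constructed assumptions, and "auth-required" stands in for the challenge a firewall authentication policy would trigger.

```python
"""
Model of the access flow from the post: portal login populates an IP->user map,
security rules match on zone pair + group membership, an authentication rule
demands a fresh portal auth before the protect surface, and anything unmatched
is denied. Constructed data and hypothetical names throughout (not PAN-OS config).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zone layout (assumption). Most-specific prefix wins, so 0.0.0.0/0
# acts as the "internet" catch-all.
ZONES = {
    "unauth": ipaddress.ip_network("10.0.0.0/24"),
    "lob-finance": ipaddress.ip_network("10.10.0.0/24"),
    "lob-eng": ipaddress.ip_network("10.20.0.0/24"),
    "protect-surface": ipaddress.ip_network("10.100.0.0/24"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),
}

# Constructed stand-in for group membership synced from Entra ID.
GROUPS = {"alice": {"finance-users"}, "bob": {"eng-users"}}


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    groups: frozenset           # empty = any source, including IPs with no user mapping
    action: str                 # "allow" or "deny"
    require_auth: bool = False  # authentication rule: user must have authenticated


# Constructed rulebase, evaluated top-down. In a real deployment the unauth
# rule would be limited to the portal and update services, not all of the internet.
RULEBASE = [
    Rule("unauth-to-internet", "unauth", "internet", frozenset(), "allow"),
    Rule("finance-to-protect", "lob-finance", "protect-surface",
         frozenset({"finance-users"}), "allow", require_auth=True),
    Rule("finance-to-internet", "lob-finance", "internet",
         frozenset({"finance-users"}), "allow"),
    Rule("eng-to-internet", "lob-eng", "internet", frozenset({"eng-users"}), "allow"),
]


def zone_of(ip: str) -> str:
    """Longest-prefix match of an address to a zone name."""
    addr = ipaddress.ip_address(ip)
    for name, net in sorted(ZONES.items(), key=lambda kv: -kv[1].prefixlen):
        if addr in net:
            return name
    raise ValueError(f"no zone for {ip}")


def portal_login(user: str, mfa_ok: bool, compliant: bool, lob_zone: str,
                 user_id_map: dict, host_index: int) -> Optional[str]:
    """Portal step: SAML + MFA + compliance must all pass before a LOB address
    is issued and the IP->user mapping (the User-ID equivalent) is created."""
    if not (mfa_ok and compliant):
        return None
    ip = str(ZONES[lob_zone][host_index])
    user_id_map[ip] = user
    return ip


def logout(ip: str, user_id_map: dict, authed: set) -> None:
    """Tear down the mapping and the auth state; stale mappings are the main
    weakness of IP-based identity, so this must happen on disconnect/timeout."""
    user = user_id_map.pop(ip, None)
    authed.discard(user)


def evaluate(src_ip: str, dst_ip: str, user_id_map: dict, authed: set) -> tuple:
    """Return (verdict, rule name); verdicts are allow, deny or auth-required."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    user = user_id_map.get(src_ip)        # None = unknown source
    groups = GROUPS.get(user, set())
    for rule in RULEBASE:
        if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
            continue
        if rule.groups and not (rule.groups & groups):
            continue                      # group rule never matches an unknown user
        if rule.action == "allow" and rule.require_auth and user not in authed:
            return "auth-required", rule.name
        return rule.action, rule.name
    return "deny", "default-deny"         # no rule = no traffic, inter- or intra-zone


if __name__ == "__main__":
    uid, authed = {}, set()
    print(portal_login("carol", True, False, "lob-eng", uid, 5))      # None: not compliant
    alice = portal_login("alice", True, True, "lob-finance", uid, 10)  # 10.10.0.10
    print(evaluate("10.0.0.7", "10.100.0.5", uid, authed))            # default-deny
    print(evaluate(alice, "10.100.0.5", uid, authed))                 # auth-required
    authed.add("alice")
    print(evaluate(alice, "10.100.0.5", uid, authed))                 # allow
    logout(alice, uid, authed)
    print(evaluate(alice, "10.100.0.5", uid, authed))                 # default-deny
```

The two checks worth carrying into the real design are visible in `evaluate`: a source with no IP-to-user mapping can never satisfy a group-based rule, so it only ever reaches what the pre-auth rule permits, and the mapping has to be removed when the session ends or the next device to receive that address inherits the previous user's access.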

This is very similar to how we implemented our ZT, both for our internal end-user access and for our Prisma Access GlobalProtect access. End-user access to applications is controlled by AD group; the IP-to-user map is based on agentless User-ID.

Keep in mind these are zero trust principles; there really isn’t a right vs. wrong approach.

You have the right idea. I’m currently in the process of doing this right now as well. Zero trust is just a set of guidelines. It’s really up to your organization to set policy and adhere to it.

That said, your approach is very similar to mine.

Yeah, same here. Have been using this for years, before ZTNA was even a thing.