¶ How Zero Trust Network Access is replacing VPNs
Legacy security technologies are based on a secure perimeter paradigm that implicitly trusts the resources, devices, and people connected to a protected network. Appropriate to network architectures of the 1980s, the secure perimeter has become a liability in today’s decentralized, cloud-based, work-from-home world.
Consider some of VPN’s weaknesses:
- Performance impact - VPN gateways concentrate traffic, reduce bandwidth, and increase latency.
- Management complexity - Multiple access control systems complicate security administration
- Visible attack vector - VPN gateways are discoverable and exploitable by hackers.
- Over-permissive access - VPNs grant full access to the protected network’s resources, services, and protocols.
¶ Core principles of ZTNA
Designed for today’s decentralized networks and workforces, ZTNA is based on three core principles:
|
Assume breach |
Verify explicitly |
Least privilege |
| Any network, device, credential, or user could be compromised at any time. Never assume trust for any of them. | Authenticate user identity, confirm device posture, and evaluate the context of every request. | Only authorize access to specific resources the user needs for their work. |
¶ Benefits of ZTNA
ZTNA is network-agnostic, creating direct connections between users wherever they are located and a company’s resources whether on-premises or in the cloud. Some of the benefits of ZTNA include:
| Unified access control | ZTNA lets companies manage access for remote and on-premises workforces within a single system. |
| Securing development environments | ZTNA improves the security of a company’s most sensitive resources while improving developers’ access. |
| Universal multi-factor authentication | Exium’s ZTNA solution lets you extend MFA to every resource — even to services such as SSH |
| Improved security | ZTNA lets you apply granular, role-based access controls based on the principle of least privilege. |
¶ Agent-based vs. Agentless ZTNA Approaches
As the name suggests, the Agent-based approach requires an agent running on the user’s device. This agent collects the identity, security posture, and context evaluation before sending the information to the ZTNA system. Once the user is authenticated, ZTNA solutions such as Exium create encrypted tunnels between an authorized resource and the user’s device.
Which approach you choose will depend on several factors unique to your organization. These three scenarios highlight some of the trade-offs:
- Installing an agent on a managed device is straightforward. Logistic and privacy concerns, however, make agents difficult to install on employees’ personal devices or a third-party’s devices. An agentless approach would be better in this scenario.
- Agentless ZTNA only works with applications that users can access through their browser. Users will need to install a ZTNA agent to access legacy applications that do not support web interfaces.
- Agent-based ZTNA can simplify the migration to a new security architecture. The ZTNA agent will seem very familiar to anyone already used to VPN clients. In addition, users won’t have to learn a new browser-based system. Agents let them access resources as they always have.
Exium supports both agent-based and agentless ZTNA. In this document, we will guide you on how you can easily start your agentless ZTNA journey by following simple steps below.
¶ Getting started with the Agentless ZTNA
In the agentless ZTNA approach, the user opens a browser to access the company’s ZTNA portal. This browser session collects data on the device’s security posture and the context of the network connection. Integrated with an Identity Provider (IdP), the browser verifies the user’s identity with a login password, single sign-on, or multi-factor authentication.
With the user’s identity authenticated, the browser session redirects to whatever web-based resources the user is authorized to access.
Exium's agentless ZTNA approach provides secure remote access to your public-facing as well as internal private applications, regardless of whether they are hosted by a public cloud service provider or in your organization’s private data center.
With all traffic directed through a fully encrypted tunnel and HTTPS, your private applications are never exposed to the public internet. This, combined with its granular zero trust capabilities, ensures a higher level of security for remote employees, partners and suppliers connecting to your public-facing as well as internal private applications.
¶ Onboarding Agentless Access
The workspace admins follow the steps below to add users in the admin console:
Step 1: Log into the partner admin console and navigate to the company workspace
Step 2: Add users using one of the user onboarding methods.
¶ Registering for MFA
If this is first time you are accessing the Company ZTNA Portal, you will need to reset your password and set up Multi-Factor Authentication (MFA).
After you click on the web link for your Company's ZTNA Portal, you will be presented with a web page similar to below. Click on “Reset Password?”
Enter first part of your email. For example if your email address is John.Doe@exium.net, Enter John.Doe and Click on “RESET”
You will receive an email similar to the one below to reset your password. Click on “Reset”
Enter New Password and Repeat new password.
You will be asked to register your mobile device for Multi-Factor Authentication (MFA). Click on “Register device”.
You will receive another email similar to the one below. Click on “Register”
At this time, you would like to download (if you already have not) an one-time password (OTP) app such as FreeOTP, Google Authenticator or any other app that supports Time-based one-time password (TOTP).
We have provided below links for both the IOS (IPhone) and Android FreeOTP, and Google Authenticator mobile apps.
|
IOS |
Android |
| FreeOTP | FreeOTP |
| Google Authenticator | Google Authenticator |
Once you have installed the app, click on the “+” or similar sign to add an OTP. You will see the sign to scan the QR code, click on it and scan the QR code you were presented after the above step.
Scan the QR code you were presented with when you clicked on “Register” button in your email as described above. Do not scan the QR code on the screen shot below.
After scanning the QR code click on “DONE” on the web page in your browser. Click on the entry you added in the mobile OTP app, copy and enter the numeric code (typically 6 digits) as shown below.
Congratulations! you have successfully set up Agentless ZTNA with MFA. Now you can log into your Company's ZTNA Portal and securely access your private and public apps.
¶ Deleting and Adding OTP/ Webauth Devices
If you need to reset your password, you can do this at any time following the steps discussed earlier.
In case you lose your OTP device or you need to update to a new device, you can do this by following the steps below.
¶ Step 1: Login
- Login with your username and password, and you will be presented with a page similar to the screenshot below.
- Click on “Manage Devices”
¶ Step 2: Delete the Existing OTP Device
- After you have clicked on “Manage Devices”, you will see the screenshot below.
- Click on the “delete icon”
- After you have clicked on the “delete icon”, you will be prompted for a confirmation code.
- Go to your email → copy and enter the code and confirm deletion of the device
¶ Step 2: Add a New OTP Device
- After you have deleted the existing OTP device, the system will allow you to add a new OTP device
- Click on “ADD”
- Scan the QR code with your new OTP device
- Click “Next”
- Enter the OTP code from the device → Confirm
- Congratulations! should be all set with your new OTP device
Following is a list of security controls applied to the web traffic entering in the mesh from the published URLs.
¶ Layer 7 Protections
Detect and stop a broad range of Layer 7 attacks:
- SQL injection (SQLi), cross‑site scripting (XSS), and Local File Include (LFI), which together account for over 90% of known Layer 7 attacks
- Cross‑site request forgery (CSRF), Remote file include (RFI), remote code execution (RCE), and HTTP protocol violations
- Other common attack vectors, detected by our custom regex‑based rules
¶ Stop attacks at lower IP Network Layer
Exium leverages a modern behavior detection engine, coupled with a Firewall and a global IP reputation network to stop attackers at the entry point to the mesh. Once detected we remedy threats with various bouncers (firewall block, nginx http 403, Captchas, etc.).
Automatically block traffic from known malicious IP addresses:
- Look up IP addresses in various malicious IP databases in real time and deny access to denylisted users
- Cache results from lookups for up to 24 hours to improve performance
- We also operate our own honey pot for malicious IP addresses capture and contribute back to the databases
¶ Prevent Targeted Attacks
When you use Exium to protect your hosted/ cloud apps, we hide your IPs and domain names from public exposure. This prevents attackers to target your business for attacks.
¶ Audit Logging
Get detailed logs for auditing and visibility:
- Detailed information about all transactions, including requests, responses, and details as to which rules were activated
- Remote syslogging for archival and centralized analysis
¶ Unlocking Agentless Access
To get started with the agentless access, follow the steps below:
- Navigate to the MSP admin console -> Client Workspace
- Click on “Admin Console” in the left menu bar → Setting
- Click on “Agentless” → Fill in the information requested → Save
¶ Configure Azure AD OAuth2 authentication
The Azure AD authentication allows you to use an Azure Active Directory tenant as an identity provider for Zero Trust Agentless Access.
¶ Create the Azure AD application
To enable the Azure AD OAuth2, register your application with Azure AD.
Log in to Azure Portal, then click Azure Active Directory in the side menu.
If you have access to more than one tenant, select your account in the upper right. Set your session to the Azure AD tenant you wish to use.
Under Manage in the side menu, click App Registrations > New Registration. Enter a descriptive name.
Under Redirect URI, select the app type Web.
See instructions below where to get the redirect URL in Exium admin console
Add the redirect URL that will look like https://vouch.ta501.speerity.net/auth then click Register. The app’s Overview page opens.
Note the Application ID. This is the OAuth client ID.
Click Endpoints from the top menu.
- Note the OAuth 2.0 authorization endpoint (v2) URL. This is the authorization URL.
- Note the OAuth 2.0 token endpoint (v2). This is the token URL.
Click Certificates & secrets, then add a new entry under Client secrets with the following configuration.
- Description: Speerity OAuth
- Expires: Never
Click Add then copy the key value. This is the OAuth client secret.
¶ Azure AD application Configuration in Exium
Once the your application is registered on the Azure portal, follow the steps below.
- Navigate to the MSP admin console -> Client Workspace
- Click on Admin console in the left menu bar
- Click on Settings → “Agentless” as shown in the screenshot below
- Note the redirect URL that you need in the creating the Azure AD application
- Provide the requested information such as your client ID, tenant ID, and client_secret
- Navigate to any of the agentless domains you created
- Login with your Azure AD credentials