Configuring Zero Trust Network Access with NG Firewall

Overview

Zero Trust Network Access (ZTNA) is a network security design that ensures all access to a corporate network from any location is authenticated, controlled, encrypted, and logged. 

Zero trust networking is built on a few basic principles:

  • treat everything as though it were "outside" of the network
  • always grant the minimum level of privilege necessary
  • verify frequently

This article describes the features available in NG Firewall to help you design your network following the ZTNA principles. 

ngfw-ztna-diagram.png

Enforcing authentication

ZTNA starts with authentication for any access request whether local or remote. Once a user authenticates to the firewall, they can inherit specific access policies, and all of their activities are reported against their user name. NG Firewall provides several options depending on your requirements. 

RADIUS Proxy with 802.1X based devices

If you use Active Directory and network devices that support 802.1X you can enforce user authentication at the network layer when a device attempts to join your network. This enables the admin to enforce user based access policies inside the physical premises, following the principle of least privilege access. Learn more about the RADIUS Proxy in the NG Firewall help documentation.

Captive Portal

Captive portal blocks access to Internet and protected network resources until the user of a device authenticates to the firewall using a web browser. Captive portal can authenticate users against a directory service or cloud based identity providers. Learn more about Captive Portal in the NG Firewall help documentation.

Multi-factor authentication

NG Firewall can leverage multi-factor authentication using oAuth providers such as Google or Microsoft. Learn more about Capture Portal with oAuth authentication in the NG Firewall help documentation

Other authentication methods

If you are not using Captive Portal or RADIUS Proxy to authenticate users on your network, you can manually map IP hosts to users in the Devices screen. Learn more about mapping Usernames to devices in the NG Firewall help documentation.

If you use Active Directory on a local domain controller you can install the Active Directory monitor agent to login and logout users to the firewall when they authenticate to the domain. Learn more about the Active Directory Login Monitor in the NG Firewall help documentation

Segmenting the network

It is important in ZTNA design to place critical resources in isolated security zones. This isolation enables you to control access to the resource through firewall policies. Security zones are typically set up as logical VLAN interfaces, or otherwise set up as a physical network segment using dedicated ports. Learn more about VLANs and interfaces in the NG Firewall help documentation.

Configuring secure remote access

NG Firewall supports multiple VPN protocols you can choose based on your requirements. IPsec and OpenVPN support user based authentication. For WireGuard you can use Captive Portal to authenticate remote VPN clients. 

Managing access policies

Firewall

The Firewall feature enables you to configure granular access rules based on a variety of conditions including users, VLANs, time of day, hostname, protocol, and so on. 

Learn more about firewall rules and access policies in the NG Firewall help documentation

ztna-fw-rule.png

Policy Manager

Policy Manager is a feature that provides more advanced control over your configuration. The Default policy governs all traffic that isn't specifically moved into another policy, which enables you to make the policy restrictive. The admin can configure specific policies based on various conditions, such as a user group, VLAN, VPN network, and so on. Learn more about policy management in the NG Firewall help documentation

ztna-policy-rule.png

Logging and reporting

Once authenticated, all user access activities are recorded in the Reports area of the product. Activities are organized into the type of access and include all relevant session information. You can search and filter or create custom reports to quickly isolate or export important data. Learn more about the Reports feature in the NG Firewall help documentation

Follow
Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

0 comments

Please sign in to leave a comment.

Powered by Zendesk