undefined | Better HN

0 pointsnmadden1y ago0 comments

Sure, zero trust implies those things, but I was asking specifically about these kinds of all-in-one “zero trust appliances”. For me, as an AppSec specialist, I’d say ZT is primarily about making sure all your apps enforce authN/Z regardless of whether the users are on an internal network or not.

One way to do that is to stick a simple reverse proxy in front of every app that does OIDC to your central IdP, and then arrange your network so that you cannot bypass that (eg using (micro)segmentation or something like IAP’s signed headers). My impression from reading Zscaler’s docs was that it was really just an over-complicated version of this without even doing the segmentation for you, but it sounds like it does do that bit too.

0 comments

PLG881y ago

The idea of “zero trust appliances” is that you can reduce the attack surface from the external network, that is how Zscaler positions it, to make you apps 'dark'. IMHO though, the logical conclusion is to give every application, as part of the software development lifecycle its own private network, which implements zero trust principles - least privilege, microsegmentation, default deny, strong identity, device authentication, and more.

The beauty of this approach is that you eliminate a whole class of vulnerabilities (see 'secure by default from CISA), that is, network/IP attacks, without changing the users experience (they just access the app).

Another key aspect is that this approach should be applied to every use case, not just client to server. All of this is possible on the open source project I work on, OpenZiti - https://openziti.io/.

nmaddenOP1y ago

But a simple gateway/ELB can protect your apps from the public internet. (But unless you’re pushing a root CA cert to all client devices then those apps aren’t “dark” in any sense due to CT logs). Zscalar’s ZPA docs say:

> [ZPA] mitigates lateral threat movement through advanced segmentation

https://www.zscaler.com/products/zscaler-private-access

So it must be doing some segmentation at the network level, otherwise what does that statement mean?

PLG881y ago

The gateway/ELB has inbound ports and 'listens' on the WAN interface for incoming connections. Therefore it can be subject to external network attacks, and be compromised if a CVE etc exists.

Zscaler Private Access makes outbound connections so that you can deny all inbound connections and not be subject to external network attacks. It also creates application-specific connections, rather than a full tunnel so that each connection is inherently microsegemented and inaccessible to anything outside of that tunnel.

We do the same thing on the open source project I work on, OpenZiti (https://github.com/openziti), though our platform is more like ZPA on steroids.

1 more reply

j / k navigate · click thread line to collapse

0 pointsnmadden1y ago0 comments

0 comments

PLG881y ago

Another key aspect is that this approach should be applied to every use case, not just client to server. All of this is possible on the open source project I work on, OpenZiti - https://openziti.io/.

nmaddenOP1y ago

> [ZPA] mitigates lateral threat movement through advanced segmentation

https://www.zscaler.com/products/zscaler-private-access

So it must be doing some segmentation at the network level, otherwise what does that statement mean?

PLG881y ago

The gateway/ELB has inbound ports and 'listens' on the WAN interface for incoming connections. Therefore it can be subject to external network attacks, and be compromised if a CVE etc exists.

We do the same thing on the open source project I work on, OpenZiti (https://github.com/openziti), though our platform is more like ZPA on steroids.

1 more reply

j / k navigate · click thread line to collapse