VPNs from most vendors are insecure if you don’t patch them, not just Fortinet’s. Pulse Secure, AnyConnect etc. have their own history of vulnerabilities. I have mine protected with 2FA, non-standard ports and geo-IP blocking. Plus Fortinet has recently added virtual patching to protect it from zero-days. The next step is ZTNA and SASE indeed, but that comes at a cost.
vulnerabilities that continually arise in edge-facing devices like them.
Vulnerabilities will always exist in every piece of software, just keep your products updated.
FortiGate SSL VPN + MFA is a very good solution price/security-wise.
Are there better and more secure ways? Yes, including within Fortinet products, ZTNA included.
You have the options. But OP must begin at least with VPN + MFA.
Zscaler entered the chat…
Citrix has entered the chat…
What are you trying to achieve? VPN is always the way to go in such situations. An alternative would be something like Citrix, as posted by me in your last post. There is no other good way, dude.
It’s not true. It depends on the VPN appliance and your network, but you can control by IP, user names or groups which parts of the network each person has access to. Mine can see if they’re in a contractor group, so it gives them just the contractor network access that we set up. Myself and the sysops group get the full network. QA people only get their subnets, etc.
Lmao good thing you paid for support so a real admin/engineer can implement a firewall for you at the very least.
You don’t need to deal with it at the VPN level, just firewall rules, but you can too.
Firewalls like FortiGate work at the app level too.
If IPs are not static, you work with the network; I assume your SIP traffic is in a different network. The rule is to separate the SIP traffic into another network/VLAN.
Your company/network must be a mess, or simple like my sister’s home network.
No offense, but your company must hire a senior network guy who knows what he’s doing.
Those are not difficulties for someone who knows what they are doing.
In ZTNA, a server inside your network doesn’t directly “know” about a user at a remote coffee shop.
- The agent on the server authenticates with the ZTNA service within your network, establishing a secure channel for communication.
- When a user at a coffee shop needs access, their device connects to the ZTNA service, not directly to the server.
- The ZTNA service verifies the user’s identity, through MFA, and assesses the device’s security posture.
- Based on user identity and device posture, ZTNA grants access rights. It doesn’t rely on the server’s knowledge but on pre-defined access policies and contextual information.
- ZTNA creates a secure tunnel between the user’s device and the specific server, ensuring encrypted, direct, and authorized access while keeping the rest of the network inaccessible.
I guess this is how it works.
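The broker-side decision described in the steps above (and the per-group access idea from the VPN comments earlier in the thread), written out as an added example; this is not any vendor's code, and the group names, application names and posture attributes are constructed for illustration:

```python
from dataclasses import dataclass, field

# Constructed policy: which identity-provider groups may reach which applications.
# Anything not listed here is unreachable (default deny).
POLICY = {
    "contractors": {"ticketing"},
    "qa": {"qa-build-server", "ticketing"},
    "sysops": {"qa-build-server", "ticketing", "jump-host", "erp"},
}

# Minimum device posture the broker requires before brokering any tunnel.
REQUIRED_POSTURE = {"disk_encrypted": True, "edr_running": True, "os_patched": True}

@dataclass
class AccessRequest:
    user: str
    groups: set          # groups asserted by the identity provider (e.g. via SAML)
    mfa_verified: bool   # second factor completed at the broker
    posture: dict = field(default_factory=dict)  # attributes reported by the device agent
    app: str = ""        # the single application being requested

@dataclass
class Decision:
    allowed: bool
    reason: str

def posture_failures(posture: dict) -> list:
    """Names of required posture checks the device fails (empty list = passes)."""
    return sorted(k for k, v in REQUIRED_POSTURE.items() if posture.get(k) is not v)

def granted_apps(req: AccessRequest) -> set:
    """Applications the broker would expose to this session. Empty until MFA and
    posture both check out, so an unverified or unhealthy device sees nothing."""
    if not req.mfa_verified or posture_failures(req.posture):
        return set()
    return set().union(*(POLICY.get(g, set()) for g in req.groups))

def evaluate(req: AccessRequest) -> Decision:
    """Allow/deny for exactly one application. The server never sees the user;
    the broker either opens a tunnel to the named app or nothing at all."""
    if not req.mfa_verified:
        return Decision(False, "mfa not completed")
    failed = posture_failures(req.posture)
    if failed:
        return Decision(False, "device posture failed: " + ", ".join(failed))
    if req.app in granted_apps(req):
        return Decision(True, f"{req.app} granted via group policy")
    return Decision(False, f"{req.app} not explicitly granted (default deny)")
```

Note that a request for an application outside the user's groups is refused before any tunnel exists, which is the "rest of the network stays inaccessible" property the post describes.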
SD-WAN would allow you to make your own connection into the cloud, allowing you to serve, share, and marry those services as if they were on prem, with anyone and anything.
Your SD-WAN fabric can be available anywhere there is internet. You can build access into the fabric or connect it to whatever identity provider you currently use.
I agree; it might not be the answer in all (most?) cases, but if the OP a) has no VPN at present, b) is worried about the complexity of managing one, and c) until recently, I think, was considering opening RDP to the internet, it might be worth considering.
I haven’t tried the new services out yet, but I have deployed app proxy and it’s worked well to provide access to an application that was otherwise only accessible via a Citrix gateway.
Obviously there are other products which do similar things but, yeah, I suppose it does depend on how critical this will be to the business and how much they’re willing to spend.
They do regular username + password and then MFA if that is successful.
Even if we wanted to get rid of it (we don’t), our insurance company would drop us for cyber insurance. Doing MFA on any kind of remote access method was a strict requirement for the few insurance companies we talked to.
We just got this set up: O365 MFA using SAML, fetching user groups from AAD/Entra ID to determine which resources to grant access to.
Still in pilot, but it seems to work well for setting up granular access to the needed on-prem applications.
That’s literally the opposite of how ZTNA works. ZTNA may have been a concept, but it’s now productized by Zscaler, Cloudflare, Netskope, AppGate and a host of other vendors. The whole point of ZTNA is that it doesn’t provide any access to your network unless explicitly granted and very narrowly defined. If properly configured, a compromised host or device would not see anything beyond hostnames/domains. The edge device not being managed by you is the benefit. Authorization and access are determined before the connection hits your network. The brokering device that you host is not publicly accessible either.
And firewalls, RBAC, ACLs, VLANS etc….
Yes… But no.
It doesn’t do auth or tunneling unless you build that in… Then stick it with the greater SD-WAN.
Meaning you’re just building traditional tunnels and VPNs… SD-WAN is just helping to put traffic rules around that… And again only outbound per location.
Same here. I guess then with certificates you’ve got a very, very secure setup. Three factor authentication (or four factor with machine certificate & user certificate?)
You don’t need a VPN.
No, you don’t need a VPN.
We need one.
Cloudflare is still using TLS to tunnel… It simply took the load off and configured the spec to be different.
It’s just sitting in front now… And I assume there’s an agent (or agents), or your edge routers are -> Cloudflare instead of 0.0.0.0 -> ISP.
AKA you did set up a VPN.
We use AD groups (on-prem) to restrict with firewall rules; it’s simple and works fine.
The broker would have to be… Something outside -> request to inside or cloud… or SaaS.
There has to be something at the edge ready to auth and forward traffic. Add another proxy in front sure, but same concept… Now just another door in front with a bouncer checking your ID and if you’re on the cool kids list. Before sending you into another bouncer checking the list.