AppGate ZTNA Overview
AppGate ZTNA uses a Zero Trust Network Access (ZTNA) model that hides systems from unauthorized users and requires detailed contextual information for trust establishment before network access is granted.
The Software Defined Perimeter (SDP) implements ZTNA through appliances using Single Packet Authorization (SPA), blocking port 443 connections unless a pre-agreed, cryptographically signed SPA packet is received first.
Clients and appliances utilize SPA before establishing any TLS connection.
Controllers authenticate and authorize new user/device sessions and issue the tokens the Gateway requires.
Gateways render protected networks invisible and grant access through individual micro-firewall instances, with rules defined by the token payload.
Trust Establishment via the 6-Layer Model
AppGate ZTNA employs a multi-layer authorization model for real-time, context-aware user access control. The following numbers correspond to the process layers in the accompanying diagram.
1. Single Packet Authorization hides the system, so only clients holding a pre-shared key can establish a communication channel. The system accepts one or more SPA keys included in the client profile.
2. MFA at sign-in registers the user's device as a second trusted authentication factor, which blocks authentication attempts made with stolen credentials. Any configured multi-factor authentication (MFA) method can be used, and once a device is registered, users do not need to perform MFA at every sign-in.
3. Authentication verifies user or device credentials against trusted sources such as a local database or LDAP.
4. Authorization evaluates user or device claims data to assign specific entitlements.
5. Access controls evaluate entitlements in real time to check whether additional access criteria must be met before access is granted; the Gateway dynamically manages access rights based on the defined actions.
6. Alert actions trigger system responses to bad behaviors, such as unauthorized port scans.
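The following is an added illustration of the SPA layer described above (the pre-agreed, signed packet that must arrive before port 443 is opened, and a client profile carrying more than one accepted key). It is a constructed model written for this page, not Appgate's wire format or code; the packet layout, the HMAC-SHA256 signature, the 30-second freshness window and the nonce-based replay check are all assumptions.

```python
import hashlib
import hmac

# Constructed illustration of an SPA gate; NOT Appgate's protocol or code.
# Model: every packet to port 443 from a source is dropped until the gate has
# seen a fresh, correctly signed SPA packet for that source. A client profile
# may list one or more accepted keys, as the page describes.

SPA_WINDOW_SECONDS = 30   # assumed freshness window for the timestamp


def build_spa_packet(key: bytes, client_id: str, now: int, nonce: bytes) -> bytes:
    """Client side: client_id | timestamp | nonce, then an HMAC-SHA256 tag."""
    body = f"{client_id}|{now}|{nonce.hex()}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"|" + tag.encode()


class SpaGate:
    def __init__(self, profile_keys, window=SPA_WINDOW_SECONDS):
        self.profile_keys = profile_keys   # client_id -> list of accepted keys
        self.window = window
        self.seen_nonces = set()           # (client_id, nonce) replay protection
        self.authorized = {}               # (src_ip, client_id) -> expiry time

    def verify_spa(self, packet: bytes, src_ip: str, now: int) -> bool:
        """Appliance side: accept only a fresh, unreplayed packet signed with a profile key."""
        try:
            client_id, ts, nonce_hex, tag_hex = packet.decode().split("|")
            ts = int(ts)
        except ValueError:
            return False
        if abs(now - ts) > self.window or (client_id, nonce_hex) in self.seen_nonces:
            return False
        body = f"{client_id}|{ts}|{nonce_hex}".encode()
        for key in self.profile_keys.get(client_id, []):
            expected = hmac.new(key, body, hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, tag_hex):
                self.seen_nonces.add((client_id, nonce_hex))
                self.authorized[(src_ip, client_id)] = now + self.window
                return True
        return False   # unknown client, wrong key or tampered packet: stay dark

    def allows_tls(self, src_ip: str, client_id: str, now: int) -> bool:
        """Port 443 stays closed until a valid SPA has been seen and has not expired."""
        return self.authorized.get((src_ip, client_id), 0) > now
```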

After the client receives the profile link and the device is onboarded, the user can select Keep me signed-in, which makes the 6-layer model transparent and requires fewer interactions than a standard VPN. User interaction is only required when a condition demands it.