Is NAC being replaced by ZTNA

I’m looking at Fortinet EMS for ZTNA; this secures remote workers and on-network users, so it is making me question the need for Cisco ISE NAC. Is it overkill using both? The network will be predominantly wireless users accessing via Meraki APs with a FortiGate firewall.

How would ZTNA protect switch ports?

I think it is useful to think of this as ZTNA is securing devices you control. NAC is protecting your network from devices you do not control.

They aren’t really the same technology. NAC authenticates the device or user prior to granting access to the network and can control what they have access to after they are authorized. ZTNA is better for validating after the user/device is connected and is more for remote access/cloud use cases since those are much harder to enforce with NAC policies. Overall, there is overlap in their functionality, but in most enterprise environments both should be used in some capacity depending on the connection method/device/service/application being accessed.

They complement each other but are not the same product.

In practice the answer’s “sort of.” ZTNA was originally designed for remote access in combination with SD-WAN. Your remote users proxy traffic via the ZTNA provider (Cloudflare, Zscaler, etc.) and are not trusted by the provider unless they satisfy user and posture checks. But this is potentially latency intensive, bandwidth intensive, and redundant when you have an office of 1000+ people all doing the same.

Fortinet, Palo, and hopefully soon Cisco all support using ZTNA tags in firewall policy. When a user is in-office, their traffic is filtered by the firewall using some form of ZTNA tag, and this should provide the same user experience and access as if they were remote; you configure the policy once and it applies everywhere.

By its nature this acts as a NAC because no device is “trusted” on the local network by default. But this isn’t cross-platform. Fortinet supports Fortinet, Palo supports Palo, etc. Also, a full ZTNA solution that supports all of what was previously mentioned (SASE) is incredibly expensive, to the point that you risk vendor lock-in and invalidating previous security investments, since SASE has incredible overlap with other security solutions.

In regards to FortiEMS and FortiZTNA, you might be able to replace ISE since I don’t think the tag requires the user to be remoted in. But if you require UDP or ICMP for remote users, FortiZTNA will not work since FortiZTNA doesn’t support those protocols, while FortiSASE can.

The network will be predominantly wireless users accessing via meraki APs with a fortigate firewall.

Errrr, no it won’t.

You are confusing “networking” with “wifi”.

I heard that Microsoft had some offices that were essentially just Internet access. A user would drop into a cubicle and VPN into the infrastructure.

I’m guessing they didn’t have printers in the office space or utilized Universal Print.

My boss had a demo on this and wanted to turn all our offices into this but it’s something that’s not physically possible without huge cost, massive design changes and significant end user training.

That’s the only way I would see having no NAC, or you use a cloud NAC service to facilitate something like this.

It would have to be cloud everything though.

Yes, this will definitely reduce or even remove the need for NAC in some areas, mostly pure office jobs. But the moment you are not 100% using (private) cloud for your work, you need to have a secure port.

When you are manufacturing anything, you need a secure LAN, probably forever.

More and more things will be cloud based though. For example, printers using cloud print services or cameras connecting to the cloud. But often you still have local resources where you need secure access.

I would say that they complement each other and that NAC enables all network connections to be managed in first-line-of-defence mode. Not all endpoints can support a ZTNA agent (cameras, printers, IoT sensors, industrial machines, some servers, etc.). I believe that NAC enables you to manage the pre-auth part of the network and that ZTNA reinforces the post-auth part and user mobility.
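As an added illustration (not code from any poster or from Fortinet or Cisco), here is a toy Python model of the layering described in the last few replies: NAC decides VLAN placement at the port or SSID before the endpoint has an address, while ZTNA tags decide per application afterwards and apply the same rule whether the user is in the office or remote; agentless devices such as printers and cameras can only ever be governed by the NAC step. All VLAN names, tags, applications and endpoints are constructed.

```python
from dataclasses import dataclass

@dataclass
class Endpoint:
    """One endpoint and what the two control planes know about it (constructed)."""
    name: str
    nac_auth: str             # outcome of the NAC step: "8021x", "mab" or "none"
    ztna_agent: bool          # runs an EMS-style agent that can report posture
    posture_ok: bool = False  # latest posture check from that agent
    location: str = "office"  # "office" (switch port / AP) or "remote"

# NAC (pre-auth): the switch port or SSID picks a VLAN from the auth outcome.
NAC_VLANS = {"8021x": "corp", "mab": "iot", "none": "guest"}

# Which VLANs may reach agentless local resources such as printers or cameras.
LOCAL_RESOURCES = {"printer": {"corp", "iot"}, "camera_nvr": {"iot"}}

# ZTNA (post-auth): application policy written once, in terms of tags.
APP_POLICY = {"erp": {"compliant"}, "intranet": {"agent"}}

def nac_vlan(ep):
    """VLAN the port/SSID assigns; None for a remote user who has no port to protect."""
    if ep.location == "remote":
        return None
    return NAC_VLANS[ep.nac_auth]

def ztna_tags(ep):
    """Tags the endpoint earns; an agentless device can never earn any."""
    if not ep.ztna_agent:
        return set()
    tags = {"agent"}
    if ep.posture_ok:
        tags.add("compliant")
    return tags

def can_reach_app(ep, app):
    """The same tag rule is evaluated on-site and remote (policy configured once)."""
    return APP_POLICY[app] <= ztna_tags(ep)

def can_reach_local(ep, resource):
    """Agentless resources are governed by NAC's VLAN placement only."""
    vlan = nac_vlan(ep)
    return vlan is not None and vlan in LOCAL_RESOURCES[resource]

def access_summary(ep):
    """Everything the endpoint ends up able to reach under both layers."""
    return {
        "vlan": nac_vlan(ep),
        "apps": sorted(a for a in APP_POLICY if can_reach_app(ep, a)),
        "local": sorted(r for r in LOCAL_RESOURCES if can_reach_local(ep, r)),
    }
```

Running `access_summary` over a managed laptop, the same laptop from home, a MAB-authenticated printer and an unmanaged phone shows which layer each device actually depends on.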

ZTNA is a marketing term for a tool that does a bit of NAC, a bit of VPN, a bit of proxy, a bit of firewall, a bit of antivirus… (a mix of security solutions).

One day enterprise networking will be reduced to “just give it Internet, the app runs in the cloud”. Every service that shifts to some SaaS product makes it harder to justify spending big on complicated networks.

Our users can already do almost everything from home without VPN. There will come a day when being on the network at work gets you nothing extra. At that point, what are you still getting with a NAC?

NAC is protecting from inside; ZTNA is protecting from outside.

What about devices that can’t run the Fortinet EMS agent? Phones, printers, IoT, guests? Are you forcing BYOD to install Fortinet EMS?

I do see benefits of ZTNA where devices with agents can bypass firewalls and free up throughput on firewalls. It’s great for remote workers.

I would say NAC is a part of a good ZTNA deployment.

I think the point OP is making is that if you’re going ZTNA (w/ SSE or SASE), the locations of your datacenter(s) and cloud environments are completely irrelevant. All access to applications is via ZTNA/VPN, and so your local networks could be dumb L2 domains connected to nothing more than a cable modem.

No. Things that can’t run ZTNA agents will always need NAC.

ZTNA is NAC.

It’s still access control. ZTNA just specifies that no one is who they say they are unless they can prove it.

It can’t, ZTNA and NAC complement each other.

The idea behind ZTNA is you no longer have a “trusted” internal network where plugging into it gives you access to corporate resources. The idea behind ZTNA is literal “zero trust.” In a fully realized ZTNA strategic approach you’d have nothing but “coffee shop” networks in user spaces, providing just basic outbound internet access. Access to trusted corporate resources is all from tunneling out to connectors in various secure pods. In this sense, NAC to protect switch ports is kind of pointless because if they plug into a port, they just get some private VLAN with basic internet access.

ISE and ClearPass are expensive! With ZTNA you don’t need them anymore. You also don’t need SD-WAN. No need to internetwork different locations together. Just coffee shop stub networks.

If you’re in a ZT environment, why do you need to?