Anyone switch or consider switching from Ivanti to Zscaler due to the former’s VPN hack? If so, did you consider anyone else like Palo Prisma? How long did the migration take? We’re looking to migrate but just want to get the best deal also for “good enough” tech. Everyone is pitching us with crazy discounts but not sure if this is real.
One of the best parts of Zscaler is how easy it is to start moving traffic. I’ve worked with several customers who needed to move their whole org to Zscaler within 30 days of signing the sales agreement, and we did it. That’s not to say there wouldn’t be any tweaking or modification needed after the initial 30 days, but it’s realistic to move large orgs over pretty quickly, assuming the org can move that fast.
I would first see how you are using Ivanti. If you’re using it for things like RDP/SSH, you may need to look at ZPA PRA (Privileged Remote Access) to see if it meets all your requirements. Similarly with native clientless file sharing, clientless web proxy, etc.
If you were using Pulse SAM (Secure Application Manager), then see which apps you were using.
If you were using full-blown Network Connect, check what ports and protocols and which direction of traffic you need, as well as which applications. ZPA is predominantly for client-to-server traffic, and if you have all web applications it may work well. Check to see if ZPA is going to break any of your applications, such as server-to-client.
Also, what type of access control was implemented? Was it just port and protocol based? Is this good enough? You will get similar port and protocol based inspection with ZPA. Is there another appliance or security device doing security inspection after the Ivanti?
Also, were you doing Host Checker (posture checks)?
Authentication? Was it cert based? LDAP/AD? Already on SAML, as Zscaler requires SAML?
For ZIA, were you tunneling all internet traffic through Ivanti, or was it split tunneled and only used for access to your private network (data centers, etc.)?
And if you are evaluating, I would look at the top 3 major SASE/SSE players and do an actual POC and production design / whiteboarding.
I’ve seen plenty of POCs that look nothing like production.
It sounds like you are trying to pick which airline to fly based on whether they ever had a plane crash? There is no Qantas in the firewall industry; if there is, then it means they are either brand new or are covering up their problems.
Pick a solution based on its current merit and your business needs.
Moved tens of thousands of users over from another solution in a week. Most cleanup afterwards is around geoblocks, SSL pinning and some WAF blocks. There are also some cases where they need your IP, so PAC file exceptions and firewall exceptions are needed. Overall it is a good solution.
All the prep for it was about a month in planning. Understanding the tunnels is important; in particular, SD-WAN cannot see into Tunnel 1 or 2, but without these you can have some auth issues.
Biggest tip is go via an experienced reseller.
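To make the "PAC file exceptions" point above concrete, here is an added example of a minimal PAC file (it is not from the thread or from any vendor). It sends everything to a cloud proxy except intranet names and a short list of destinations that allow-list the corporate egress IP and therefore have to go DIRECT. The proxy address and all hostnames are assumptions for illustration. It deliberately uses only ES3-style syntax and its own suffix helper rather than the browser-supplied `dnsDomainIs()`, so the same file can be unit-tested under Node.

```javascript
// Added example PAC file (not from the original thread). All names below
// are assumptions for illustration, not real gateway or customer hostnames.
// Written in old-style JavaScript because some PAC engines (e.g. WinHTTP)
// do not understand ES6 features such as const, arrow functions or endsWith.

// Hypothetical cloud proxy endpoint (assumption).
var CLOUD_PROXY = "PROXY proxy.cloud-sse.example:80";

// Destinations that allow-list the corporate egress IP and must therefore
// bypass the cloud proxy so they still see the on-prem source address.
var SOURCE_IP_PINNED = ["bank-portal.example.com", "partner-sftp.example.net"];

// Internal domains reachable only over the private network.
var INTERNAL = ["corp.example.com", "example.local"];

// True when host equals suffix or ends with "." + suffix. Suffix matching on
// the dot boundary matters: "notcorp.example.com" must NOT match
// "corp.example.com", or an attacker-controlled name would go DIRECT.
function hostEndsWith(host, suffix) {
  host = host.toLowerCase();
  if (host === suffix) return true;
  var dot = "." + suffix;
  return host.length > dot.length && host.slice(-dot.length) === dot;
}

function FindProxyForURL(url, host) {
  // Plain hostnames (no dots) are intranet short names; keep them local.
  if (host.indexOf(".") === -1) return "DIRECT";

  var i;
  for (i = 0; i < INTERNAL.length; i++) {
    if (hostEndsWith(host, INTERNAL[i])) return "DIRECT";
  }
  for (i = 0; i < SOURCE_IP_PINNED.length; i++) {
    if (hostEndsWith(host, SOURCE_IP_PINNED[i])) return "DIRECT";
  }

  // Everything else goes through the cloud proxy. There is intentionally
  // no "; DIRECT" fallback here: that would fail open and silently bypass
  // inspection whenever the proxy is unreachable.
  return CLOUD_PROXY;
}
```

The security-relevant choices are the dot-boundary suffix match (a sloppy `indexOf` check would let `corp.example.com.attacker.test` bypass the proxy) and the absence of a `DIRECT` fallback after the proxy entry; if you do want fail-open for availability reasons, make that an explicit decision rather than a copy-paste default.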
Did an in-depth comparison of Zscaler vs. Palo Prisma. Ended up picking Zscaler. It’s a more mature solution. It’s also more reliable. I talked with a number of other orgs who experienced regular (like weekly) short outages of Prisma. We did benefit from having the vendors compete for our business—we ended up getting really good discounted offers from both vendors.
One big factor in migration is your network architecture. Moving to something like Zscaler or similar can be quick in the case of simple network architectures, but if you’re dealing with years of networking decisions, M&A, etc, it can get a bit challenging and involve multiple teams.
Palo also got a VPN hack; Prisma, it seems, did not. I’m not sure if they recommend VPN in a Prisma setup; if they do, they are not really comparable, as with Zscaler in theory you have to hack twice, maybe three times, not just once.
iboss, Cloudflare, Netskope.
While I agree in principle that it’s unfair to expect any vendor to have a flawless security record, the desire to move off of Ivanti is totally valid. To borrow your analogy, Ivanti VPN has crashed every plane they’ve flown in recent months. They are banned from government systems. The platform is fundamentally insecure.
Who would you recommend as a reseller? Looked on Zscaler’s site and it’s hard to tell if I should just go with CDW or a more infosec-specialist consultant. Does Zscaler have a proserv arm too that customers can leverage?
Also, are you already using something for web traffic filtering? Implementing that is a far greater lift than implementing Private Access.
What does this even mean?
Palo GlobalProtect was vulnerable; Prisma Access was not.
Both Prisma and Zscaler are SASE/SSE solutions per Gartner, so I think your comment about them not being comparable isn’t correct.
iboss we found really hard to deal with; I’d be interested in your view. In the middle of a Netskope deployment. My favourite to deploy is Netskope or Zscaler, having done 17 SASE deployments now.
If Ivanti has a track record of severe vulnerabilities that the company fails to address in a timely manner, sure, give it a pass. But looking at all possible vendors and deciding which to choose simply because it had a CVE issued against it doesn’t make for a good method of evaluating firewall vendors.
They are not banned from government systems; we still have them installed and are using them.
Which country are you located in?
That’s what I said; however, you can still mix VPN and Prisma, e.g. when they don’t have a node, so you would have been in a sticky situation with that potential CVE.
Hard disagree. As u/nattekrant35 says, “The problem is the VPN architecture…Where an external service listens to the internet like this”; thus if you have an architecture which does not listen on the internet, then you cannot be exploited via those vulnerabilities (or other external network attacks, e.g. DDoS).
This rules out the likes of Palo Alto. Fortinet has had something like 4 CVE/RCEs in the last year. Check Point literally just had one too. We must stop listening on the network interface with inbound ports. There are so many techniques to make these attacks hard or impossible: port knocking, SPA, UDP non-response to unauthenticated packets, and outbound-only connections.
Zscaler ZPA does this. To an extent so does WireGuard. Another project is OpenZiti (OpenZiti · GitHub), which is a free and open source zero trust networking solution; note, I work for the company behind it, which delivers a SaaS implementation too.
In US gov they were as of this directive: U.S. Agencies Must Disconnect Ivanti VPN Devices Amid ‘Substantial Threat’: CISA
Fortunately we were already 90% of the way transitioned to Zscaler; this CISA directive was just the impetus we needed to get over the hump.