VIDEO: ZTNA vs VPN
With the emergence of remote work, IT leaders had to react quickly, and many decided to simply buy more VPNs. Now, years later, 77% of companies will make hybrid work a permanent fixture, and they’re looking for better alternatives for application connectivity. The new reality is that user experience is key to productivity. Ransomware has grown 500% year over year, and VPNs are one of the largest culprits because they allow network access. The constant game of adding hardware appliances and managing that infrastructure is becoming more expensive from a CapEx and OpEx perspective.
So we decided to compare the Axis ZTNA service to your traditional VPN. Many users and employees only need access to certain applications, so let’s compare the Axis approach versus your VPN.
With Axis, it’s as simple as opening a link to get to the application, using strong authentication with your existing identity, including MFA if it’s enabled in your organization. At that point, the user has application access.
This is without any VPN client and without having to worry about network access or knowing, “Is this an internal application or a public application?” It just simply works.
Now for the traditional VPN user, the user first has to download and install the VPN client if they don’t already have it. We’ll fast forward through that, just to show you the whole process. Once the user has the VPN client, they authenticate; here, our VPN also has MFA. At this point the user’s device is connected through the VPN to the network, and when they click that link, they are able to access the private application. However, it took many more steps, and that user now has network connectivity to your enterprise, while the Axis user simply got application-layer access without network access.
In the next scenario, we’re going to compare the network access that Axis gives a user with what your VPN gives them.
Keep in mind that with a VPN, the user is on the network. Depending on the ACLs, they might be restricted to certain subnets, but they still have access to the network to explore. With Axis, for the application we just showed, the logistics app, there’s a public DNS record that points to the Axis cloud so users can access it client-less, but that record does not point to your enterprise network. When it comes to other resources on the network, we gave the example of trying to ping the domain controller in our target network.
With Axis, that’s not even possible: there’s no connectivity. With the VPN, you can see that it actually does elicit a response when we run a simple ping, so we know the machine has connectivity. Now that we’ve done a basic connectivity test, let’s run a quick scan of those hosts to see what ports are open. With Axis, there’s no response except from the front end in the Axis cloud for that client-less web application; there’s no connectivity at all to the domain controller.
With your traditional VPN, that user has network access, so you can actually determine what ports are open on that machine and try to access it, even though you’re not supposed to.
In this next scenario, we’re going to talk about an acquisition. You have an employee who was part of a company that was acquired by another organization.
Now IT needs to provide me access to certain logistics and HR applications. With Axis, there’s nothing users really have to do differently. You can publish those applications through Axis and integrate their existing identity, even if you haven’t yet merged the two organizations and their identities. Those users simply authenticate strongly to the Axis portal, open the application, and can submit their HR requests, for time off, for example.
With your VPNs, unless you merge the networks together, users typically have to either run two different VPN clients or use the same VPN client but connect and disconnect between the different networks. They stay connected to their existing organization that they’re used to, but when they need to access that HR application, they’ll need to disconnect their existing VPN and connect to the VPN at the acquiring company. So it’s not very efficient, it’s not very user-friendly, and it costs productivity. With the VPN, the user disconnects from their existing VPN and connects to the other organization; in this case it’s just a secondary VPN profile. The user re-authenticates and enters their MFA if that’s required. The user is now connected to the acquiring company’s network and can open the HR application and fill out that time-off request.
As you can see in comparison, this user had quite a few additional steps, so it’s not the best user experience, especially when needing to access resources on the two different organizations’ networks. And of course, you are putting that user and their potentially unknown device onto your network through the VPN.
Many organizations need to provide access for third-party users. In this case, we have an IT engineer who manages some software on a Windows machine on your network. With Axis, you can provide access to that single server over RDP with very limited permissions.
From a security perspective, this user doesn’t even know the credentials for the Windows server. We’ve enabled web access only and disabled mapping of network drives, local printers, anything like that, so it’s a very constrained environment. With the VPN, again, you can create a very limited ACL to connect that contractor, that engineer, to a certain network, but they still have network-level access, so they’re potentially able to explore other areas of your network beyond the single server they are here to manage.
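The two network-access scenarios above (ping and port scan against the domain controller, and the contractor limited to one Windows server) both come down to the same difference: a VPN ACL decides per IP/subnet, while a ZTNA policy decides per published application. The following added example, which is not Axis's code, models that difference in Python with a constructed inventory, ACL and policy, so you can see which probes each model would answer; every host name, address and policy field here is an assumption made up for the example.

```python
import ipaddress
from typing import Callable, NamedTuple


class Probe(NamedTuple):
    host: str     # internal name, IP address, or ZTNA public app name
    service: str  # "icmp", "tcp:445", "https", "rdp-web", ...


# Constructed sample inventory of the target network (not real addresses)
INTERNAL_HOSTS = {
    "logistics-app.internal": "10.10.0.20",
    "dc01.internal": "10.10.0.5",
    "winsrv.internal": "10.10.0.40",
}

# Constructed VPN ACL: each tunnel is restricted to one subnet, but an ACL
# speaks IP/subnet, so every host and every port inside it is reachable.
VPN_ACL = {
    "alice": [ipaddress.ip_network("10.10.0.0/24")],
    "contractor": [ipaddress.ip_network("10.10.0.0/24")],
}

# Constructed ZTNA policy: a published app maps a public name to one internal
# host, one protocol, and the users entitled to it. Unpublished hosts and
# protocols have no policy entry at all, so nothing answers for them.
ZTNA_APPS = {
    "logistics.ztna.example": {"target": "logistics-app.internal", "service": "https", "users": {"alice"}},
    "winsrv.ztna.example": {"target": "winsrv.internal", "service": "rdp-web", "users": {"contractor"}},
}


def vpn_allows(user: str, probe: Probe) -> bool:
    """Subnet-level decision: the service/port is never consulted."""
    try:
        ip = ipaddress.ip_address(INTERNAL_HOSTS.get(probe.host, probe.host))
    except ValueError:
        return False  # not an internal host, so the tunnel plays no part
    return any(ip in net for net in VPN_ACL.get(user, []))


def ztna_allows(user: str, probe: Probe) -> bool:
    """Application-level decision: published name, its protocol, entitled user."""
    app = ZTNA_APPS.get(probe.host)
    return app is not None and user in app["users"] and probe.service == app["service"]


def reachable(user: str, probes: list, model: Callable[[str, Probe], bool]) -> list:
    """Emulate the video's ping-then-port-scan test: which probes get any response."""
    return sorted(p for p in probes if model(user, p))


# Constructed probe list: the DC ping and port checks, the contractor's server, both apps
SCAN = [
    Probe("dc01.internal", "icmp"), Probe("dc01.internal", "tcp:445"), Probe("dc01.internal", "tcp:389"),
    Probe("winsrv.internal", "tcp:3389"), Probe("logistics-app.internal", "https"),
    Probe("logistics.ztna.example", "https"), Probe("winsrv.ztna.example", "rdp-web"),
]
```

Running `reachable("contractor", SCAN, vpn_allows)` returns every internal host in the subnet, including the domain controller, while `reachable("contractor", SCAN, ztna_allows)` returns only the published RDP app.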
Now let’s talk about visibility. One of the core values of Axis is providing visibility and control at the application layer. If we take a look at some of the scenarios we went through earlier in this video, as the administrator you’ll see, for example, with that logistics application, the page views and the files that were downloaded or uploaded by that user. Your VPN, by comparison, will just show that this user was connected to the network and here’s their IP address; you don’t have that human-readable understanding of what they were actually doing.
Similarly, with the contractor, you might have enabled an Axis or ZTNA security profile that provides additional auditing controls and visibility. Here you not only see that the contractor connected to that server, but also whether they transferred any files. Of course, if you have a policy in Axis that does not allow file transfers, you wouldn’t see any uploads or downloads. Either way, we provide that application-layer visibility, and optionally, for some contractors, you might enable the screenshot auditing capability of Axis, where every minute we take a screenshot of the session. That way, if you need to understand what that contractor was doing, you have that data.
We hope you’ve enjoyed watching these scenarios comparing the Axis ZTNA platform to your traditional legacy VPN network access tools.
If you are interested in learning more about our ZTNA platform, feel free to speak with our team here at Axis!