Introduction to Zero Trust Network Access (ZTNA)In this document
Zero Trust Network Access (ZTNA) is a security approach that allows users to access specific applications or services without exposing the entire internal network. Traditional remote access solutions often rely on VPN connections. When users connect through a VPN, they typically gain access to the internal network before accessing specific resources. ZTNA works differently. Instead of providing network access, ZTNA grants access only to the specific services defined in access policies. This approach follows the Zero Trust principle: Never trust, always verify. Access decisions are based on identity and defined policies rather than network location. The DefensX Secure Access solution creates a Zero Trust Network Access (ZTNA) mesh network on top of a distributed infrastructure deployed across Kubernetes clusters. In this model, every packet includes both a source user identifier and a destination service identifier. Each packet is verified against the security policies defined in the DefensX Backend. Although this approach introduces more processing overhead compared to conventional VPN routing, it offers significantly enhanced security by enforcing strict user-to-service-based access validation.
This per-packet design reinforces the user-to-service mapping model, in which IP addresses are irrelevant. Access control is determined entirely by user identity and service configuration policies.

Traffic Flow and Mesh Routing

Depending on availability and load-balancing parameters, a user may connect through a different worker cluster than the connector hosting the target service. In such cases, the user's encapsulated traffic securely traverses the DefensX Mesh Network, reaching the target connector privately. It is also possible to use multiple connectors across different regions for various services. Traffic is always routed based on the user and target service relationship.

All traffic passing through the DefensX ZTNA network is end-to-end encrypted: when traffic moves between clusters within the mesh network, no intermediate node decrypts it. Decryption only occurs on the final client or service endpoint, while intermediate nodes can see only the minimal user and service identifiers required for routing.

ZTNA Architecture in DefensX

DefensX implements Zero Trust Network Access using several core components.

User Device
The endpoint used by the user. The DefensX Agent installed on the device enforces security policies and communicates with the DefensX platform.

DefensX Agent
The agent monitors network activity and applies policy decisions defined in the DefensX management console.

Secure Access Connector
A connector is an agent that has network access to the service. It acts as a bridge between the user and the service.

Secure Access Service
A Secure Access Service represents the service that will be accessible through ZTNA. Examples include:
Secure Access Policy
Policies determine which users are allowed to access specific services.

How Access Works: Connectors, Services and Policies

Every DefensX Agent can function as a ZTNA Connector by assigning the Connector role from the DefensX Backend; no additional software installation is required. Once designated as a connector, the agent can start providing TCP- or UDP-based services, either:
The key requirement is that the connector must have network-level access to the service it exposes. Any DefensX Agent can access services provided by connectors, as long as the Secure Access Policies permit it. Secure Access Policies:
ZTNA Modes

The ZTNA connection mode can be configured per deployment group. DefensX supports four ZTNA connection modes: