Concerned about recent PAN-OS and other firewall/VPN CVEs? Take advantage of Zscaler’s special offer today
Learn More

Blog Zscaler

Recevez les dernières mises à jour du blog de Zscaler dans votre boîte de réception

S'abonner
Produits et solutions

5 Things to Consider When Selecting a Traffic Forwarding Solution

image
MITHUN HEBBAR
mai 24, 2022 - 5 Min de lecture
architecture Zero trust

Contenu

  1. Article
  2. Autres blogs

You have made the decision to implement zero trust security for your organization. You have done your research, looked at your options, and zeroed in on the Security Service Edge (SSE) provider who will safeguard your organization’s assets and access to resources. As a Service Edge, multiple technologies—such as identity, threat protection, anti-malware, anti-ransomware, cloud firewall, inline proxy services, and many more—are all packaged together and provide your organization with the security it needs. There is still a key decision to be made, though. How does the traffic from your users, applications, and offices reach the Service Edge platform? It is like having booked your dream vacation resort at a beautiful seaside lagoon, only to remember that you need to get there to enjoy the vacation. You still must decide what you need to pack, what you would be wearing during the journey, and most importantly, which mode of transport will get you there. A traffic forwarding mechanism is a critical component of your security solution that needs to be addressed. Let’s look at 5 considerations in this decision-making process. 

 

1. The destination is important. Just like your travel plans will depend on the destination of your journey, your traffic forwarding choice must depend on the resource being accessed. More than 90% of traffic directed to the internet is over SSL connection and is therefore encrypted by default. With an inline SSL proxy such as that available in the Zscaler Zero Trust Exchange Platform, the traffic that egresses the Service Edge toward the final resource is also going to be encrypted within an SSL connection. Therefore, in most cases for accessing the internet or SaaS applications, a GRE tunnel or similar non-encrypted tunnel forwarding mechanism will suffice to get the traffic to the Service Edge that is closest to the source. IPSec VPN tunnels provide end-to-end encryption, but is it needed when the resource that is being accessed is on the internet? Using IPSec tunnels would be like wearing a disguise with your seatbelt on in your car, that is being transported within an aircraft, while traveling to your dream destination. IPSec VPNs do have their uses, like when the location you are connecting from does not have a static IP. Overall, the final destination of traffic must be considered while making your decision.

2. Keep it simple. There is an in-built complexity in IPSec tunnels that helps make it secure. Establishing IPSec tunnels and maintaining them are processor-intensive. There are multiple stages in the establishment of VPN tunnels, and they all take up resources, both at the endpoints and on the wire. Add to this the maintenance and management of the credentials needed for the IPSec VPNs and you’ll find complexity being inserted into the forwarding mechanism. The question to ask yourself as you decide on the method to use is: “do I really need the added complexity?” Would you need to disguise yourself and hire a chopper to get you to your vacation destination? Maybe you would, if the circumstances call for it. Does it always? How can you keep your entire solution simple, with the various locations (including hybrid and multi-cloud environments), users, and resources forwarding traffic to the Security Service Edge?

3. Hybrid workplace means hybrid approaches. If the past couple of years of the pandemic have taught us anything, it is to be flexible—flexibile with where we work and the way we lead our lives. A good Service Edge provider will allow the flexibility that you need in forwarding the traffic to it. Leverage this flexibility to your advantage. Remote users cannot always deploy GRE or IPSec tunnels. Agent-based forwarding mechanisms for users or applications who need to connect remotely is an option. Should only web traffic be forwarded to the Service Edge, with other traffic being bypassed to go direct to the internet, or all traffic? If agent-based mechanisms are not possible to implement, PAC file-based forwarding could be an option. Maybe you would need to deploy a hybrid version of the two – PAC file as well as an agent-based method. If you are planning a vacation for family members spread across the country, you cannot insist on everyone traveling by air to get to the destination. Some may choose to drive; others may prefer to take a train. The key is to find the right fit for the use case at hand. Stay agile and stay flexible with the methods available.

4. People matter. No two organizations are the same. The high-level use cases may be similar and the approaches to solve the problem may also be alike, but the most critical part of any organization – the people – are different. Ignore this key difference at your own peril because the skill sets and capabilities are an imperative factor in deciding the best method to forward traffic. A highly-elegant solution that worked for your peers in the industry may not work well for you. Of course, it is important to learn from the experiences and recommendations of the vendor, but eventually, you are responsible for your organization and know what works best. Just because a friends’ family took a flight to a certain destination doesn’t automatically mean it is the best option for you. Maybe they only have one grown-up child, while you have two small children and a family dog to take along. In short, what works for others may not always work for you. 

5. Work within your limitations. Being aware of team constraints is important. A location may not have a static IP address available for establishing a GRE connection. There could be geopolitical requirements that influence the final decision. Some regions may need higher bandwidth than others. Your organizations may need to adhere to industry-wide standards to cater to your customers. These standards may need to meet certain requirements. In travel, you may have special requirements during your journey. The options you select need to keep these requirements in mind. 

The above 5 considerations must top your list when deciding the best mechanism to forward traffic to the Service Edge. At Zscaler, we enable customers to experience their world, secured. We support multiple traffic forwarding mechanisms to connect to a Zero Trust Exchange destination closest to your location. These range from GRE and IPSec tunnels to PAC file forwarding; and using the Zscaler Client Connector and/or the Cloud Connector. Look at the Traffic Forwarding options available to you on our help portal. Our Best Practices guide helps you along the journey of deciding on the best traffic forwarding mechanism to use.

 

form submtited
Merci d'avoir lu l'article

Cet article a-t-il été utile ?

vote yes
Oui, très utile !
vote no
Pas vraiment

Découvrez d'autres blogs Zscaler

Une expérience client exceptionnelle commence à domicile
Une expérience client exceptionnelle commence à domicile
Lire le blog
The Power of Zscaler Intelligence: Generative AI and Holistic View of Risk
The Power of Zscaler Intelligence: Generative AI and Holistic View of Risk
Lire le blog
Take Cloud Native Security to the Next Level with Integrated DLP and Threat Intel
Take Cloud Native Security to the Next Level with Integrated DLP and Threat Intel
Lire le blog
Cloud Compliance
The Impact of Public Cloud Across Your Organization
Lire le blog
01 / 02
dots pattern

Recevez les dernières mises à jour du blog de Zscaler dans votre boîte de réception

En envoyant le formulaire, vous acceptez notre politique de confidentialité.