
How to use a cloud-deployed Zenarmor SWG to secure cloud resources and users in a DIY SASE architecture

January 15, 2023
Lyal Saayman

With the official announcement of Zenarmor 1.12 came a few exciting and important new capabilities for MSSPs and enterprises, including the ability to easily and quickly deploy Zenarmor as a Secure Web Gateway (SWG) with support for multiple Unix platforms including FreeBSD, Amazon Linux, Ubuntu, CentOS and, not to forget, the all too familiar OPNsense firewall.

If you have been part of the OPNsense firewall community, it is likely that you have already come across Zenarmor, the next-generation firewall (NGFW) plugin, and its ability to inspect and control applications and web traffic traversing your network while offering real-time protection against threats. So you may be asking yourself: how does a Secure Web Gateway (SWG) deployment differ from this? The simple answer: it depends on where Zenarmor is deployed in your network.

In a traditional on-premises deployment, Zenarmor lives on your OPNsense or similar firewall, and all traffic originating from your LAN heading towards the internet is inspected and filtered. On the other hand, when we use Zenarmor as a Secure Web Gateway (SWG), we move our security stack away from the on-premises data center to the cloud edge, allowing us to inspect and filter egress cloud traffic as it leaves our virtual cloud network towards the internet.

Secure Web Gateway (SWG) solutions like Zenarmor are described by Gartner as a solution that “filters unwanted software/malware from user-initiated Web/Internet traffic and enforces corporate and regulatory policy compliance. These gateways must, at a minimum, include URL filtering, malicious-code detection and filtering, and application controls for popular Web-based applications.” Generally, SWG solutions form part of the Secure Access Service Edge (SASE) network architecture, a concept also coined by Gartner in 2019 in response to the work-from-anywhere approach many organizations began to adopt, which unexpectedly became the new norm for a lot of organizations when the world was hit by the COVID-19 pandemic.

In a traditional work environment, users would be based in an office space and connect to the LAN, where they enjoy the benefits of the on-premises security stack. In a work-from-anywhere or work-from-home remote environment, on the other hand, users have little to no security as they access various SaaS services or online resources, which could potentially expose the organization to unwanted cybersecurity threats.

You could argue: what if I gave my remote workers VPN access to the HQ data center? The image above is a depiction of a typical solution that some organizations may have adopted, where they force all their branch network and remote worker traffic via the HQ’s data center, essentially backhauling or hairpinning traffic through the security stack implemented in the DC. This can work; however, the overall user experience can become degraded, introducing latency issues, and it can become a manageability and security nightmare for network administrators. This poor user experience may tempt remote workers to circumvent the VPN and connect directly to the SaaS services, in turn leaving those users and your enterprise unknowingly vulnerable to cybersecurity threats as they go about their day-to-day business.

So this is where SASE comes in, as depicted in the diagram above. The entire security stack and its services are moved to the cloud edge. Instead of a traditional VPN, zero trust network access (ZTNA) is used to give users limited access to the resources they need to carry out their jobs, based on least-privilege principles. There are also other elements to a SASE architecture, such as cloud access security brokers (CASB), data loss prevention (DLP) and so on; however, in this article our primary focus is going to be on the Secure Web Gateway and the benefits of using Zenarmor to filter egress cloud-based traffic as part of the SASE architecture.

Now that you have a better idea of where Zenarmor SWG fits in, let's talk about why we need egress filtering in our cloud environment to secure and monitor our cloud resources when they access the internet.

To make this concept easier to visualize, I have created the cloud topology below, which includes Zenarmor SWG on the cloud edge. In addition, I have included some internal virtual machines simulating workloads, and to provide identity and access management I am using Azure AD with Azure Active Directory Domain Services to provide single sign-on (SSO). Zenarmor has also been integrated with Azure AD so that we can assign users and groups to the policies created in Zenconsole. This allows us to filter and control traffic on a per-user or per-group basis.

To bring the Zero Trust Network Access element into the solution, I have used Zerotier to build a private overlay network, which has also been integrated with Azure AD to provide SSO. When users connect to the network they will need to provide their Azure AD username and password and go through the multi-factor authentication (MFA) process to join the Zerotier overlay network. Zerotier also provides a rule engine that allows us to control traffic flow within the overlay network, so for each connected device we can use a policy to provide access only to the resources that individual users need to carry out their job, which further satisfies least-privilege principles.

I designed this to be simple and easy enough for anyone to replicate with limited resources. All of the Azure services are covered by the $200 credit you receive when signing up for an account. Zenarmor has a 15-day Business Edition trial, and Zerotier charges $5 per user per month for the SSO integration.

So let's consider the following scenario based on the above network, and the benefits of using Zenarmor SWG to filter the cloud egress traffic destined for the internet. We have virtual servers running our internal accounting and engineering departments' workloads; however, these servers don’t need to access any internet resources other than the update servers, from which they download periodic updates.

  1. The first benefit of using Zenarmor SWG in this case is that we can easily create a policy in Zenconsole to enforce this, essentially blocking all traffic except traffic to the approved update servers.
  2. The second benefit of this approach: imagine these servers were compromised by a threat actor. Because we are blocking all other traffic, the threat actor won't be able to leave the network, set up a reverse shell, call home to their C2 infrastructure, or exfiltrate data.
  3. The third benefit is that, by applying least-privilege and zero-trust principles in this network architecture, we limit the threat actor's ability to move laterally through the network and minimize the impact, or ‘blast radius’, of any damage caused.
  4. The fourth benefit of this approach is that Zenarmor SWG has comprehensive reporting features and the ability to view real-time connections. In this case we would be able to easily observe the egress traffic, helping us to identify any unexpected traffic trying to leave the network and giving us an early indication that a server may have been compromised.

Let's consider an alternative scenario: we have remote workers accessing the cloud network resources using the Zerotier overlay network. Once they have signed in using their Azure AD accounts, each user can access the internal cloud resources needed to carry out their work, based on least-privilege access principles. All of the users' egress internet traffic is also routed via the overlay network through Zenarmor SWG. The benefits of this are:

  1. All cloud egress traffic coming from the users' devices can now be inspected by Zenarmor SWG, and users benefit from real-time threat protection against zero-day malware, ransomware, phishing attacks and botnets, leveraging Zenarmor's deep packet inspection and AI-driven cloud threat intelligence. This is a far superior means of securing remote users compared with them connecting directly from their home, mobile or public networks, which in most cases have little to no security.
  2. As in the previous scenario, we can easily create policies for user groups based on their AD credentials, group or IP address, and control their egress traffic using the granular web and application controls offered by Zenarmor, ultimately blocking websites and apps that are deemed inappropriate for the workplace or are against company policy.
  3. In addition, by leveraging Zenarmor SWG’s comprehensive reporting and real-time connection viewing capabilities, we can easily identify the applications leaving the gateway and use this to spot any unapproved or untrustworthy applications the users may be accessing. This is known as Shadow IT. From the user's perspective it may seem innocent; from a security point of view, however, we don't want users utilizing apps and services that have not been vetted and pre-approved by IT.
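As an added illustration (not Zenarmor or Zenconsole code), the following Python models the two policy shapes described in the scenarios above: a default-deny allowlist for the internal server group and a category-based block for the remote-user group, followed by a count of denied flows per source, which is the kind of view the reporting feature would give an analyst hunting for unexpected egress. Group names, hostnames, categories and the sample flows are all constructed.

```python
"""Toy model of per-group egress policies and a denied-egress report.
Constructed example; group names, hosts and categories are assumptions."""
from collections import Counter
from dataclasses import dataclass

# One policy per source group, mirroring the two Zenconsole policies
# described in the text. Hostnames and categories are made up.
POLICIES = {
    # Internal servers: deny everything except the approved update servers.
    "internal-servers": {
        "default": "deny",
        "allow_hosts": {"updates.example.com", "security.example.com"},
    },
    # Remote users: allow by default, but block categories against policy.
    "remote-users": {
        "default": "allow",
        "deny_categories": {"gambling", "file-sharing"},
    },
}


@dataclass(frozen=True)
class Flow:
    src: str        # source address inside the cloud network
    group: str      # policy group the source belongs to (from AD / IP)
    dst_host: str   # destination hostname seen by the gateway
    category: str   # application/web category assigned by inspection


def evaluate(flow: Flow) -> str:
    """Return 'allow' or 'deny' for a flow; unknown groups fail closed."""
    policy = POLICIES.get(flow.group)
    if policy is None:
        return "deny"
    if policy["default"] == "deny":
        return "allow" if flow.dst_host in policy["allow_hosts"] else "deny"
    return "deny" if flow.category in policy["deny_categories"] else "allow"


def egress_report(flows) -> Counter:
    """Count denied flows per (source, destination). A server that should only
    talk to update hosts showing up here is the 'unexpected egress' signal."""
    return Counter((f.src, f.dst_host) for f in flows if evaluate(f) == "deny")


# Constructed sample flows: one healthy update, one repeated suspicious
# attempt from a server, a normal and a blocked remote-user flow, an unknown group.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "internal-servers", "updates.example.com", "software-updates"),
    Flow("10.0.1.10", "internal-servers", "paste.example.net", "file-sharing"),
    Flow("10.0.1.10", "internal-servers", "paste.example.net", "file-sharing"),
    Flow("10.0.2.5", "remote-users", "mail.example.com", "email"),
    Flow("10.0.2.5", "remote-users", "share.example.net", "file-sharing"),
    Flow("10.0.3.7", "unknown-group", "x.example.org", "unknown"),
]
```

Running `egress_report(SAMPLE_FLOWS)` shows the server at 10.0.1.10 repeatedly denied to a non-update host, which is exactly the flow an analyst would investigate under the fourth benefit above.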

Sunny Valley Networks' Zenarmor SWG is an agile, software-driven approach that fulfils the Secure Web Gateway (SWG) component of the Gartner-described Secure Access Service Edge (SASE) framework, giving you the ability to easily and quickly deploy enterprise-grade security anywhere in your network or cloud without the burden of managing complex licensing or expensive network appliances. Manage all your Zenarmor SWG deployments through a single Zenconsole dashboard, synchronizing all your policies regardless of where your Zenarmor SWG deployments are located.

With remote working becoming the new norm and threat actors taking advantage of your staff, often the weakest link in your cybersecurity architecture, can you truly afford not to give them the best cybersecurity possible?

Try Zenarmor SWG on the platform of your choice with a 15-day Business trial. Sign up today!