The no-bullshit ZTNA vendor directory

A curated, impartial and open-source directory of ZTNA vendors and architectures.

72 vendors, 6 architectures, 7 NIST tenets, 1 Executive Order.

Security, at the edge

Gartner hails a SASE future. Forrester calls it Zero-Trust Edge.

Secure Access Service Edge (SASE) or Zero-Trust Edge (ZTE) combines network security functions with WAN capabilities to support the dynamic, secure access needs of organizations. These capabilities are delivered primarily as a service and are based upon the identity of the entity, real-time context and security/compliance policies. Central to the Zero Trust Edge (ZTE) model is Zero Trust Network Access (ZTNA) to authenticate and authorize users.

Andrew Lerner, Gartner (2019)
David Holmes, Forrester (2021)

The Seven Tenets of Zero Trust

NIST Special Publication 800-207

The United States National Institute of Standards and Technology (NIST) defines Zero Trust and a Zero Trust Architecture in terms of seven basic tenets. Though these tenets are the ideal goal, not all tenets need be fully implemented in their purest form for a given strategy. The British National Cyber Security Centre (NCSC) has also published a set of Zero Trust architecture design principles in which they define eight principles to help organizations implement a zero trust network architecture.


1. Everything is a Resource: all data sources and computing services are considered resources.

2. Secure all communications: all communication is secured regardless of network location.

3. Session-based access: access to individual enterprise resources is granted on a per-session basis.

4. Policies must be dynamic: access to resources is determined by dynamic policy and real-time security posture.

5. Monitor security posture: no asset is inherently trusted.

6. Authenticate before connect: resource authentication and authorization is dynamic and strictly enforced before access is granted.

7. Measure and Improve: collect as much data as possible, monitor and measure the integrity and security posture of all assets, and use it to improve security posture.

Zero Trust Network Access

Approach meets architecture


Gartner have defined Zero Trust Network Access, or ZTNA, as "a product or service that creates an identity- and context-based, logical access boundary around an application or set of applications. The applications are hidden from discovery, and access is restricted via a trust broker to a set of named entities."

Put simply, this means:

  • Applications are hidden from discovery, no public visibility
  • Access is restricted via a trust broker
  • The trust broker verifies the identity, context and policy
  • Lateral movement in the network is prohibited
  • There is a reduced surface area available for attack

Twenty Years of Private Access Technology


1995

IPSec

IPsec traces its origins to DARPA- and NSA-funded work in the last decades of the twentieth century. It continued to evolve for several years before arguably entering mainstream use circa 2005 with the addition of AES and IKEv2. It is an open protocol suite most commonly used to construct network connections between hosts on the public Internet in either point-to-site or site-to-site topologies.

1996-98

Virtual Private Network (VPN)

Twenty years, two major architectures (hub-and-spoke, also known as remote access or point-to-site, and site-to-site) and a plethora of protocols (IPsec, IKEv2, L2TP, PPTP, OpenVPN, SSL/TLS VPN, Cisco AnyConnect, etc.), all trying to achieve the same thing: provide a secure, private network on top of the public Internet, either by extending one logical network into another or by placing remote peers directly onto the local network.

2001

Multiprotocol Label Switching (MPLS)

First conceived in an era when bandwidth was scarce and high-speed broadband was neither widely nor cheaply available, MPLS helped to manage the delivery of traffic using labels. For example, some packets may be labelled as mission-critical traffic, others as real-time traffic or simple best-effort delivery. The fastest, lowest-latency paths were reserved for the most important traffic. By enriching each packet with labels, routers had additional information telling them how best to route traffic across the WAN.

2003

Network Access Control (NAC)

Network Access Control (802.1x) provides an authentication framework that allows for user authentication before access is granted to the network to help provide protection from rogue or unauthorized devices connecting to the LAN. 802.1x is particularly effective for flat or default-open internal networks in which lateral movement is possible and for configurations in which devices and systems on the network have little or no endpoint protection software available.

2007

Software-Defined Perimeter (SDP)

The Software-Defined Perimeter architecture evolved out of single packet authorization (SPA) and port knocking before it. Occasionally also referred to as Black Cloud, the SDP architecture evolved from the work done at the Defense Information Systems Agency (DISA) under the Global Information Grid (GIG) Black Core Network initiative around 2007, concepts of which were carried forward by the Jericho Forum and later, in 2014, as part of Google's BeyondCorp initiative. It is now promoted by many vendors as the de facto architecture for ZTNA.

2014

Software-Defined Wide Area Network (SD-WAN)

SD-WAN solutions started to enter the market in 2014, seeking to bring Software Defined Networking (SDN) concepts to the WAN: switching from painstakingly provisioned, predetermined MPLS routes on fixed circuits to policy-based WAN routing over the open Internet. SD-WAN is often presented by vendors as a means to achieve WAN optimization capabilities similar to MPLS at lower cost and with less complexity.

2018

Zero Trust Overlay Network (ZTON)

A new form of serverless virtual private network, delivered primarily as a service and designed to have a low attack surface. Zero trust overlay networks are composed of devices which talk directly to one another according to policy and real-time security conditions on the endpoint, without the need for a VPN server or traffic concentrator. The solution may use techniques like UDP or TCP hole punching and traffic relays to operate behind NAT, so firewalls need not be opened for inbound traffic. Traffic should be end-to-end encrypted, and authorization takes place with the service provider before connections are allowed.

Architecture

Many roads lead to ZTNA. Each architecture has strengths, weaknesses and trade-offs.

Zero Trust Network Access Vendors


Software Defined Perimeter (SDP)

An endpoint agent connects to an SDP connector (a reverse proxy appliance) deployed at the network edge and governed by a controller. Usually based on single packet authorization (SPA). May also be deployed as a straight Identity Aware Proxy (IAP), with no agent or SDP connector. Applications are accessed through a tunnel at the network layer or via a reverse proxy.

Runs as a proxy, but the proxy is invisible on account of SPA.

Strengths

  • No ingress traffic, firewalls can be closed
  • Agentless deployment for clients
  • North-south (client-to-server) traffic
  • Layer-7 traffic visibility

Weaknesses

  • Connector deploys as VM or appliance
  • Connector appliance requires patching
  • Connector availability determines uptime
  • East-west (server-to-server) traffic
  • Lacks universal protocol support
  • Must be reconfigured if network changes
  • High-availability requires multiple appliances

Trade-offs

  • Trust broker becomes the new target
  • Replaces multiple (separate) layers of protection
  • Deploys alongside existing systems

Software Defined Perimeter Vendors (42)

# Company Product License Deployment Pricing
1. AppGate Secure Access Commercial SaaS Not published
2. Appaegis Appaegis Commercial SaaS Published
3. Banyan Security Banyan Security Commercial SaaS Published
4. Barracuda CloudGen Access Commercial SaaS Not Published
5. Broadcom Secure Access Cloud Commercial SaaS Not Published
6. Check Point Harmony Connect Remote Access Commercial SaaS Not Published
7. Citrix Secure Private Access Commercial SaaS Published
8. Cyolo SecureLink Commercial SaaS Not Published
9. DH2i DxOdyssey Commercial SaaS Not Published
10. Deep Cloud Technology Deep Cloud SDP Commercial SaaS Not Published
11. Duo Duo Beyond Commercial SaaS Published
12. Elisity Elisity Cognitive Trust Commercial SaaS Not Published
13. Ericom Software ZTEdge Commercial SaaS Not Published
14. Forcepoint Private Access Commercial SaaS Not Published
15. Forescout eyeSight Commercial SaaS Not Published
16. Fortinet FortiGate Commercial Self-hosted Published
17. Google BeyondCorp Enterprise Commercial SaaS Not Published
18. Hashicorp Boundary Open Source Self-hosted n/a
19. Infra Infra Open Source SaaS or Self-hosted n/a
20. InstaSafe Zero Trust Network Access Commercial SaaS Published
21. Ivanti Neurons Commercial Not Published
22. NetMotion Software Zero Trust Access Commercial SaaS Not Published
23. NetSkope Private Access Commercial SaaS Not Published
24. OPSWAT MetaAccess SDP Commercial SaaS Not Published
25. Perimeter81 Perimeter81 Commercial SaaS Published
26. Pritunl Pritunl Open Source Self-hosted n/a
27. Proofpoint Zero Trust Network Access Commercial SaaS Not Published
28. Pulse Secure Pulse SDP
29. Resiliant Resiliant Zero Trust E2E Commercial SaaS Not Published
30. SAIFE Continuum Commercial SaaS Not Published
31. Sangfor Technologies Sangfor Private Access
32. SecureLink SecureLink Enterprise Access Commercial SaaS or Self-hosted Not Published
33. Sophos Sophos ZTNA Commercial SaaS Not Published
34. Terrazone Perimeter Access
35. TransientX TransientAccess
36. Twingate Twingate Commercial SaaS Published
37. Unisys Stealth Commercial SaaS Not Published
38. VMWare Horizon Unified Access Gateway Commercial SaaS Published
39. Verizon Vidder Precision Access
40. Versa Networks Versa Secure Access Commercial SaaS or Self-hosted Not Published
41. Wavery Labs Panther SDP Open Source Self-hosted n/a
42. Zentry Security Zentry Trusted Access Commercial SaaS Not Published

Zero-Trust Overlay Network

Direct, peer to peer connectivity enabled by UDP or TCP hole punching.

Strengths

  • No ingress traffic, firewalls can be closed
  • No gateway devices or proxy servers
  • Universal protocol support
  • Incremental deployment
  • North-south (client-to-server) traffic
  • East-west (server-to-server) traffic
  • Removes complexity from the network
  • Resilient to temporary trust broker failures
  • No network changes to deploy

Weaknesses

  • Primarily agent-based deployment
  • Agent software requires patching
  • Trust properties not applied to peripherals
  • Not protocol aware

Trade-offs

  • Trust broker becomes the new target
  • Replaces multiple (separate) layers of protection
  • Emerging technology

Zero-Trust Overlay Network Vendors (11)

# Company Product License Deployment Pricing
1. Ananda Networks Ananda Commercial SaaS Published
2. Defined Networking Nebula Open Source Self-hosted n/a
3. Enclave Networks Enclave Commercial SaaS Published
4. FireZone FireZone Open Source Self-hosted n/a
5. Gravitl Netmaker Open Source Self-hosted n/a
6. Husarnet Husarnet Open Source SaaS or Self-hosted Published
7. NetFoundry Ziti Open-source SaaS or Self-hosted (& SDK) Published
8. Netbird Netbird Open Source SaaS Published
9. Tailscale Tailscale Open Source SaaS Published
10. ZeroTier ZeroTier (& libzt) Open Source SaaS or Self-hosted (& SDK) Published
11. juanfont/headscale Headscale Open Source Self-hosted n/a

Identity Aware Proxy (IAP)

A connector appliance establishes a connection out to the vendor. Clients connect to a public address, and the vendor adds SSO to inbound traffic. Usually no endpoint agent is required. Proxies are often publicly visible. Applications are accessed through standard HTTPS at the application layer.

The connector deploys and reaches out to the vendor's cloud network to act as a reverse proxy, leaving the firewall closed to ingress.

Strengths

  • No ingress traffic, firewalls can be closed
  • Agentless deployment for clients
  • Protocol aware
  • Session recording and playback
  • Vendor may bundle complementary services

Weaknesses

  • Business network depends on vendor uptime
  • Limited protocol support
  • East-west (server-to-server) traffic

Trade-offs

  • Vendor becomes the new target
  • Internal network traffic routed via vendor
  • Vendor terminates your TLS sessions
  • Vendor applies security on their platform

Identity Aware Proxy Vendors (8)

# Company Product License Deployment Pricing
1. Agilicus Agilicus Commercial SaaS or Self-hosted Published
2. Axis Security Atmos ZTNA Commercial SaaS Not Published
3. BlackBerry CylanceGATEWAY Commercial SaaS Not Published
4. Cato Networks Secure Remote Access Commercial SaaS Not Published
5. CloudFlare Access SaaS SaaS Published
6. Pomerium Pomerium Commercial Self-hosted Not Published
7. Todyl Todyl Commercial SaaS Not Published
8. ZScaler Private Access Commercial SaaS Not Published

Privileged Access Management (PAM)

The vendor's product controls access to end systems. End-user credentials are transparently swapped for ephemeral credentials which grant temporary access. Some vendors may offer session recording and playback. Assumes the client has network access to the target system.

The vendor assumes the client has a network pathway available to reach the target server.

Strengths

  • Protocol aware
  • Session recording and playback
  • Credentials never exposed to end-user

Weaknesses

  • Proxy servers are public on the Internet
  • East-west (server-to-server) traffic
  • Limited protocol support

Trade-offs

  • Trust broker becomes the new target
  • Assumes network reachability

Privileged Access Management Vendors (7)

# Company Product License Deployment Pricing
1. Cyber Ark Privileged Access Commercial Self-hosted Not Published
2. Delinea Server Suite Commercial Self-hosted Not Published
3. Gravitational, Inc Teleport Commercial SaaS Published
4. Okta Advanced Server Access Commercial SaaS Published
5. Silverfort Silverfort Commercial SaaS Not Published
6. Smallstep Smallstep Open Source SaaS or Self-hosted Published
7. StrongDM StrongDM Commercial SaaS Published

Host-based Firewall Control

Requires that all areas of the network be connected and routable for any kind of traffic, and uses host-based firewalls instead of perimeter devices to enforce ACLs.

The vendor manages firewalls on the host OS to control access.

Strengths

  • No appliances to deploy
  • Universal protocol support
  • North-south (client-to-server) traffic
  • East-west (server-to-server) traffic
  • Resilient to temporary trust broker failures

Weaknesses

  • Primarily agent-based deployment
  • Non-manageable devices not serviced
  • Assumes network reachability
  • Inconsistent per-OS firewall capabilities
  • Legacy systems may not be manageable

Trade-offs

  • Trust broker becomes the new target
  • Network can remain fundamentally flat
  • Relies on IP addresses

Host-based Firewall Control Vendors (2)

# Company Product License Deployment Pricing
1. Colortokens XAccess Commercial SaaS Not Published
2. Illumio Illumio Edge Commercial SaaS or Self-hosted Not Published

Identity Defined Network (IDN)

All traffic flows through a cloud relay (whether this is routed at L2/L3 or proxied at L4 is unclear).

All traffic traverses network relays; an implementation of the Host Identity Protocol (HIP).

Strengths

  • North-south (client-to-server) traffic
  • Universal protocol support

Weaknesses

  • Business network depends on relay uptime
  • High-availability requires multiple appliances
  • All network traffic traverses relays
  • Appliances require patching
  • Agents require patching
  • Must be reconfigured if network changes
  • East-west (server-to-server) traffic

Trade-offs

  • Trust broker becomes the new target

Identity Defined Network Vendors (2)

# Company Product License Deployment Pricing
1. Tempered Networks Airwall Commercial SaaS or Self-hosted Not Published
2. Zentera
