Not All Tunnels Are Created Equally

With IPSec, SSL, TLS, VPN, SDP, and ZTNA tunnels, it can be confusing to figure out which to use when. IPSec has mostly been used for site-to-site VPN; here we're going to focus on remote access. Clearly, there are different types of tunnels and different ways these tunnels are configured.

With most organizations looking at Zero Trust Network Access (ZTNA), we'll focus there specifically and do a quick comparison of first-gen ZTNA versus next-gen ZTNA like the Banyan Security Platform. First-gen ZTNA vendors like Zscaler incorrectly dismiss any type of tunnel. First-gen ZTNA is all about application access, which may be fine for most users in the organization. However, there will always be use cases where some type of tunneling is needed for super-users. Organizations that move to a first-gen ZTNA vendor therefore still need to keep their legacy VPN running for these super-users. The only other path first-gen ZTNA vendors can offer is to make resources public-facing and hope for the best, which is obviously not recommended.

Let's look at the different ways these tunnels are typically employed. Workers commonly need to access internal applications, and often some of those workers are third-party contractors or vendors rather than employees. For third parties especially, we want to make certain that the principle of least privilege is applied and that the rules around their access are defined as narrowly as possible: which identities, which resources, which ports, and for how long. For example, a manufacturing customer wanted to allow maintenance workers from their PLC (programmable logic controller) vendor Siemens to access their industrial automation system SIMATIC only for a specific period during scheduled maintenance windows. Another use case is employees or third parties accessing a specific module within a SaaS application. Again, first-gen ZTNA vendors handle this by making resources public-facing – a risky approach that Banyan would never recommend.

Why Banyan’s Tunnel is different

Banyan’s Service Tunnel is a modern approach which helps an organization quickly migrate away from legacy VPN or first-gen ZTNA while upgrading their usability and security at the same time. Let’s take a look at how:

  • Discover and Publish – our solution finds all resources on-premises and in your cloud provider(s), allowing your IT team to quickly and easily create granular policies. This is especially important when going from full layer-3 access to a zero trust model.
  • Tunnel Discovery – this functionality also finds resources that are being accessed, but specifically for traffic that is being tunneled. These resources may be ones deployed not by central IT but by specific lines of business. Again, once discovered, a policy can be published to lock down the tunnel further.
  • Public domain support over Service Tunnel – when a SaaS application supports source IP validation for connectivity, all traffic to that domain or SaaS application should be tunneled. This feature lets you quickly configure a domain and not worry about changing IP addresses or updating a list of hundreds of IPs globally. Ensure that only your authorized users are able to access third-party SaaS applications and your data.
  • Decision-less access – unlike a VPN with many gateways, end users with Service Tunnel configured never have to decide which gateway to connect to. In fact, most of them may not know or even care about all the gateways. With a modern solution like Banyan's, a single login allows your users to access authorized resources regardless of where they are or how you've deployed them. Your IT team can add sites without ever interrupting or needing to train your end users.
  • Simple one-click access – users that are trying to optimize productivity want to get their work done quickly and without having to jump through hoops. With passwordless, stealth-mode access, the end user can do their job without having to first remember to enable the tunnel or connect to the right place. Imagine accessing a web application by just opening a browser and clicking on a bookmark. It really can't get easier than that.
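To make the two policy ideas above concrete (the narrowly scoped, time-boxed vendor access from the SIMATIC example, and tunneling SaaS traffic by domain rather than by a list of IPs), here is a small added example of a ZTNA-style policy evaluator. It is illustrative code written for this post, not Banyan's own implementation or API: the rule fields, the hostnames, the group names and the sample requests are all constructed. Each rule names the identity groups that may use it, a destination (exact host, `*.domain` wildcard, or CIDR), allowed ports, whether matching traffic is steered through the tunnel, and an optional UTC time window; anything no rule grants is denied.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset               # identity groups allowed to use this rule
    dest: str                       # exact host, "*.domain" wildcard, or CIDR
    ports: frozenset                # allowed destination ports; empty means any
    tunnel: bool = True             # True: steer matching traffic through the tunnel
    window: Optional[tuple] = None  # (start, end) UTC datetimes; None means always

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    host: str                       # name (or literal IP) the client wants to reach
    port: int
    at: datetime                    # time of the access attempt, UTC

@dataclass(frozen=True)
class Decision:
    allowed: bool
    tunnel: bool
    rule: Optional[str]
    reason: str

def dest_matches(pattern: str, host: str) -> bool:
    """Match by domain or CIDR, so a SaaS whose IPs rotate still matches by name."""
    if "/" in pattern:
        try:
            return ip_address(host) in ip_network(pattern, strict=False)
        except ValueError:
            return False            # host is a name, not an address: CIDR cannot match
    if pattern.startswith("*."):
        apex = pattern[2:]
        # apex itself or any subdomain; "evil-apex" must not match, hence the dot
        return host == apex or host.endswith("." + apex)
    return host == pattern

def evaluate(rules, req: Request) -> Decision:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    reason = "no rule grants this access (default deny)"
    for rule in rules:
        if not (rule.groups & req.groups):
            continue
        if not dest_matches(rule.dest, req.host):
            continue
        if rule.ports and req.port not in rule.ports:
            continue
        if rule.window is not None:
            start, end = rule.window
            if not (start <= req.at < end):
                reason = f"{rule.name}: outside scheduled window"
                continue            # another rule may still grant it
        return Decision(True, rule.tunnel, rule.name, "matched")
    return Decision(False, False, None, reason)

UTC = timezone.utc
# Constructed policy set: hostnames, groups and the window are made up for this example.
RULES = (
    Rule("siemens-maintenance", frozenset({"vendor-siemens"}),
         "simatic-hmi.ot.corp.example", frozenset({443}), tunnel=True,
         window=(datetime(2024, 6, 1, 2, tzinfo=UTC), datetime(2024, 6, 1, 6, tzinfo=UTC))),
    Rule("finance-saas", frozenset({"finance"}),
         "*.ledger-saas.example", frozenset({443}), tunnel=True),   # tunneled by domain
    Rule("ops-ssh", frozenset({"ops"}),
         "10.20.0.0/16", frozenset({22}), tunnel=True),
)

def run_demo():
    """Evaluate constructed requests against RULES and return the decisions in order."""
    in_window = datetime(2024, 6, 1, 3, tzinfo=UTC)
    after_window = datetime(2024, 6, 1, 9, tzinfo=UTC)
    workday = datetime(2024, 6, 3, 14, tzinfo=UTC)
    vendor = frozenset({"vendor-siemens"})
    reqs = [
        Request("tech@siemens", vendor, "simatic-hmi.ot.corp.example", 443, in_window),
        Request("tech@siemens", vendor, "simatic-hmi.ot.corp.example", 443, after_window),
        Request("ann@corp", frozenset({"finance", "employee"}), "app.ledger-saas.example", 443, workday),
        Request("tech@siemens", vendor, "app.ledger-saas.example", 443, in_window),
        Request("bob@corp", frozenset({"ops", "employee"}), "10.20.4.7", 22, workday),
        Request("bob@corp", frozenset({"ops", "employee"}), "10.20.4.7", 3389, workday),
    ]
    return [evaluate(RULES, r) for r in reqs]

if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

Running it shows the vendor technician allowed through the tunnel only inside the maintenance window, the finance user reaching the SaaS host by domain match with no IP list involved, and everything else falling through to default deny. The wildcard check deliberately requires a dot boundary so that a look-alike domain ending in the same characters does not inherit the rule.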

To learn more about upgrading and modernizing your legacy VPN, visit

The post Not All Tunnels Are Created Equally first appeared on Banyan Security.

*** This is a Security Bloggers Network syndicated blog from Banyan Security authored by Ashur Kanoon. Read the original post at: