@Jaffa I’m not sure why a VPN would require breaking TLS. Zscaler and friends do usually require MITM TLS proxies to make their DPI lives easier.
Zscaler is a security travesty. It has caused more infosec disasters than it has solved. Stay very far away from it.
@Jaffa I think that question can only be answered by someone who properly understands your needs. What problem are you trying to solve by gathering all your connections through a single exit node?
Are you looking for threat detection by analysing outbound connection patterns? Do you need DPI for regulatory compliance? Just know that as long as you allow random outbound connections (i.e. SSH, VPN, any UDP), someone can trivially bypass the DPI/analysis. In addition, many additional threats become
@Jaffa viable by having all your connections come out on a single set of IPs. Firstly, unless you pay Zscaler colossal amounts of money your public IPs will be shared with other Zscaler clients. Many employees will be confused and whitelist Zscaler's IPs. Now any spook with a CC can start talking to your backend services. I've seen it 20 times in 3 years at a client. People don't get ZeroTrust.
If you do get dedicated IPs, now your traffic can be monitored to see which technologies you're using
@Jaffa internally. I could imagine many LLM-generated blogs actually being honeypots to see which enterprise is actually affected by a specific CVE.
I frankly don't understand how anyone is taking this tech seriously. Is it just because they solved some corpo VPN scaling headaches during the pandemic? Maybe COVID was an opsec to finally get everyone off Cisco AnyConnect and decrypting all their data at a random Dutch datacentre.
At least Verisign is making bank selling corpo root CAs...
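The "whitelist the proxy's IPs" failure mode raised earlier in this thread, as an added example that is not part of the thread and not anyone's real configuration: a source-IP allowlist against a shared egress range admits every tenant of that proxy, while a per-request identity check (here a hypothetical mTLS certificate subject) does not. The egress range, certificate subjects and the access log are all constructed for illustration.

```python
"""Added example (not from the thread): why allowlisting a shared proxy
egress range is not authentication. All IPs, names and log entries below
are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, List

# Hypothetical shared egress range of a cloud proxy. Every tenant of the
# proxy, not just us, exits through it (constructed, RFC 5737 test range).
SHARED_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# Identities we actually issued to our own clients (hypothetical mTLS
# certificate subjects).
TRUSTED_SUBJECTS = {"CN=finance-app,O=Our Corp", "CN=ci-runner,O=Our Corp"}


@dataclass
class Request:
    src_ip: str
    cert_subject: Optional[str]  # mTLS client identity, None if none presented
    tenant: str                  # ground truth, only used to label the outcome


# Constructed access log: two of our own requests, one from another tenant of
# the same proxy presenting no identity, and one from the open internet.
LOG = [
    Request("203.0.113.17", "CN=finance-app,O=Our Corp", "us"),
    Request("203.0.113.42", "CN=ci-runner,O=Our Corp", "us"),
    Request("203.0.113.99", None, "other-tenant"),
    Request("198.51.100.7", None, "internet"),
]


def allowed_by_ip(req: Request) -> bool:
    """The 'whitelist the proxy IPs' policy: source address only."""
    ip = ipaddress.ip_address(req.src_ip)
    return any(ip in net for net in SHARED_EGRESS)


def allowed_by_identity(req: Request) -> bool:
    """Per-request identity: the egress address plays no part."""
    return req.cert_subject in TRUSTED_SUBJECTS


def admitted_tenants(policy) -> List[str]:
    """Tenants whose requests the given policy lets through, in log order."""
    return [r.tenant for r in LOG if policy(r)]


def leaked_by_ip_policy() -> List[str]:
    """Requests the IP allowlist admits but the identity check rejects."""
    return [r.tenant for r in LOG if allowed_by_ip(r) and not allowed_by_identity(r)]


if __name__ == "__main__":
    print("IP allowlist admits:  ", admitted_tenants(allowed_by_ip))
    print("identity check admits:", admitted_tenants(allowed_by_identity))
    print("admitted on IP alone: ", leaked_by_ip_policy())
```

The same shape applies to any shared egress, not just a proxy vendor's: a NAT gateway, a CDN, or a cloud region's address block. The allowlist only tells you the request came through that infrastructure, never which customer of it.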
@teotwaki I think I know what problems _I'm_ trying to solve; but there's a meeting next week where I'll work out what problems the team think they're trying to solve
@Jaffa You might actually have prompted me to write a longer essay on why I believe ZTNA, in the current form offered by all the main vendors and as commonly implemented by enterprises, might be diametrically opposed to ZeroTrust at its core.
We've demonised split tunnelling, and introduced ZTNA with implicit authentication and authorization in the same breath, improving absolutely nothing.