Zscaler for Web Security

Aravinda Samarasinghe
5 min read, Oct 7, 2019

Zscaler has disrupted the web security technology market over the last few years. Large enterprises are embracing Zscaler technology to expand their perimeter security beyond their on-premise network boundaries. It is noteworthy to mention the vision when Zscaler was founded in the early 2000s. This is a product that has challenged all traditional web security vendors and disrupted the market. It has almost reached the point where traditional on-premise web proxy devices are no longer enough to protect network users. The boundaries of the perimeter have expanded, and applications are now hosted in Azure, GCP and AWS. These developments have automatically extended corporate network boundaries beyond the traditional on-premise network.

As part of a larger project, a trial was performed with Zscaler. The trial provided direct internet access from local branch offices and remote locations. Zscaler was deployed to a small test network and used as the web security gateway for end users. This piece is written based on that experience and shares a few benefits of Zscaler for securing web access and going beyond traditional on-premise web security solutions.

Zscaler offers a few products, including a secure web gateway, a cloud firewall, data loss prevention and cloud application control (CASB). There are three main ways to implement the secure web gateway: the Zscaler client on end user devices, routing via GRE or IPSec tunnels to the Zscaler cloud, or a PAC file. Of the three options, the trial was conducted with the Zscaler client, which seems the most flexible and easiest method. It is a lightweight client and installation was straightforward. No impact on PC performance was noticed. Once the client was installed it activated instantly. Client communication to the Zscaler cloud started immediately, and policies were pushed down and enforced within a matter of a few minutes.
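As an added illustration of the PAC-file option (this is not code from the original post or from Zscaler), the block below is a minimal PAC file that sends browser traffic to a cloud gateway while keeping unqualified names, an internal domain and private address ranges direct. The gateway address and the `corp.example` domain are placeholders, and the helper functions at the top are shims a browser would normally supply.

```javascript
// Added example of the PAC-file deployment option. The gateway address and
// the internal domain are constructed placeholders, not real Zscaler values.
var GATEWAY = "PROXY gateway.example.invalid:80";

// A browser supplies these PAC helper functions itself; the shims below exist
// only so the file can be exercised outside a browser (e.g. under node) and
// would be omitted from a deployed PAC file.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
}
function ipToInt(ip) {
  var p = ip.split(".");
  return (((+p[0]) << 24) | ((+p[1]) << 16) | ((+p[2]) << 8) | (+p[3])) >>> 0;
}
function isInNet(ip, pattern, mask) {
  return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(pattern) & ipToInt(mask));
}

var IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified names and loopback never leave the machine.
  if (isPlainHostName(host) || host === "localhost" || host === "127.0.0.1") {
    return "DIRECT";
  }
  // Internal applications (constructed domain) stay on the corporate network.
  if (dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }
  // Literal RFC 1918 addresses are internal. Only literals are checked so the
  // PAC does not trigger a DNS lookup for every request.
  if (IPV4_LITERAL.test(host) &&
      (isInNet(host, "10.0.0.0", "255.0.0.0") ||
       isInNet(host, "172.16.0.0", "255.240.0.0") ||
       isInNet(host, "192.168.0.0", "255.255.0.0"))) {
    return "DIRECT";
  }
  // Everything else goes to the cloud gateway. No "; DIRECT" fallback is
  // appended: if the gateway is unreachable the browser fails closed rather
  // than silently bypassing inspection.
  return GATEWAY;
}
```

Note that a PAC file only steers applications that honour the browser or system proxy setting; traffic from anything else is not covered by this option.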

Setting up policies, enforcing them and managing clients are easy as well. The Zscaler portal is easy to navigate and control. Policies can be created from scratch, or built-in policies can be customised to individual needs. The dashboard has a few different sections, such as the policies section and the Zscaler App configuration section, and it is easy to navigate through them.

In the traditional setup of organisational networks, internet traffic is routed via a central internet connection or a central data center. This requires the organisation to maintain an adequately sized internet connection, web security appliances, perimeter security devices and so on. This model is no longer sustainable and is becoming obsolete for a few reasons. One of the game changers at present is that networks are being built over the internet using technologies such as SD-WAN. High speed internet connections are becoming widely available and economically attractive compared to private networks such as MPLS. Corporate compute workloads are moving to public hosting services such as Azure, GCP and AWS, making applications available and accessible over the internet. Under these circumstances it is sensible to have internet access at the branch level and split the routes. Zscaler's capabilities as a secure internet gateway are useful in this scenario.

Zscaler Private Access (ZPA) is a beneficial feature delivered by Zscaler. It allows networks to control user access to internal applications. Whether they are hosted on premises or on publicly hosted infrastructure, ZPA can control who can access which application while hiding the application from unauthorised users. For this feature, the Zscaler App and Zscaler connectors are required. The Zscaler connector is a lightweight virtual appliance that needs to run in front of the network. This appliance brokers between the Zscaler cloud, application servers and users. Connectors block inbound connections to your applications completely and mask them from unwanted and unauthorised access attempts.

Zscaler has partnered with many SD-WAN technology providers and has a built-in option to integrate Zscaler easily. Velocloud and Silverpeak are two of them that offer the capability to enable and configure tunnels into the Zscaler cloud directly. With a few simple clicks and selections from the SD-WAN dashboards, tunnels are built to Zscaler enforcement nodes to route traffic through Zscaler. This type of integration benefits the customer in terms of simplicity and flexibility. Manual maintenance of GRE and IPSec tunnels can become a management overhead, especially between two different organisations with different types of endpoint technologies.

Guest WiFi access is an integral part of networks nowadays. Most companies provide free WiFi access to their customers and visitors. Managing security for these guest networks can become another overhead for network teams. Zscaler's Guest WiFi Protection solution can help overcome these barriers easily. It is as easy as pointing the guest network's DNS servers to Zscaler servers. Zscaler will determine whether the traffic is good or suspicious. If traffic is suspicious, it will intelligently route it to Zscaler inline inspection to scan and analyse. Policies such as content filtering rules are configured in the Zscaler cloud and are enforced on the client easily. It also provides the ability to enforce policies based on location. If a customer needs to route all guest traffic via a GRE or IPSec tunnel, that option is available too.

Zscaler for O365 is another feature that is handy for O365 deployments. Zscaler has direct peering between its cloud nodes and Microsoft's O365 clouds to provide fast connectivity. Zscaler will not inspect O365 traffic and will differentiate that traffic from the rest. It routes O365 traffic directly to Microsoft, giving users a better experience and reducing response times. The ability to differentiate and identify O365 traffic also ensures that it is prioritised over the rest of the internet traffic, such as video streaming.

The above are only a few key benefits in brief. Products such as Zscaler have certainly challenged traditional web security products and methods. Networks are evolving and the end user device landscape is changing. Perhaps it is time for companies to redesign their network and security infrastructure with newer technologies like Zscaler. It certainly is time to look beyond traditional methods and consider new ways of securing networks.
