The no-bullshit ZTNA vendor directory

A curated, impartial and open-source directory of ZTNA vendors and architectures.

84

Vendors

6

Architectures

7

NIST tenets

1

Executive Orders

Show me the full list of ZTNA vendors

Security, at the edge

Gartner hails a SASE future. Forrester calls it Zero-Trust Edge.

Secure Service Access Edge (SASE) or Zero-Trust Edge (ZTE) is the concept of combining network security functions with WAN capabilities in such a way so as to align with Zero Trust principles. Implementations are primarily delivered as a Service and policy decisions are based on the identity of connecting entities, real time context and security posture. While SASE points to a larger amalgamation of existing tooling, Zero Trust Network Access (ZTNA) is a central component of the architecture.

Andrew Lerner, Gartner (2019) & David Holmes, Forrester (2021)
Gartner hails a SASE future. Forrester calls it Zero-Trust Edge.

The Seven Tenets of Zero Trust

NIST Special Publication 800-207

Zero Trust, defined: The United States National Institute of Standards and Technology (NIST) defines Zero Trust and a Zero Trust Architecture in terms of seven basic tenets. These tenets are the ideal goal, not all tenets need be fully implemented in their purest form for a given strategy. The British National Cyber Security Centre (NCSC) has also published guidance in which they define eight principles to help organizations adopt Zero Trust.

Zero Trust Architecture, NIST (2020) & Zero Trust Architecture Design Principles, NCSC (2021)

1. Everything is a Resource

3. Session-based access

5. Monitor security posture

7. Measure and Improve

NIST Special Publication 800-207

2. Secure all communications

4. Policies must be dynamic

6. Authenticate before connect

NIST Special Publication 800-207

1. Everything is a Resource

All data sources and computing services are considered resources

2. Secure all communications

All communication is secured regardless of network location

3. Session-based access

Access to individual enterprise resources is granted on a per-session basis

4. Policies must be dynamic

Access to resources is determined by dynamic policy and real-time security posture

5. Monitor security posture

No asset is inherently trusted

6. Authenticate before connect

Resource authentication and authorization is dynamic and strictly enforced before access is granted

7. Measure and Improve

Collect as much data as possible, monitor and measure the integrity and security posture of all assets and use it to improve security posture

Zero Trust Network Access

Approach meets architecture

Zero Trust Network Access

Zero Trust Network Access, or ZTNA is a Zero Trust approach to private networking which Gartner define, as "a product or service that creates an identity- and context-based, logical access boundary around an application or set of applications. The applications are hidden from discovery, and access is restricted via a trust broker to a set of named entities."

Put simply, these principles are:

  • Applications are hidden from discovery, no public visibility
  • Access is restricted via a trust broker
  • The trust broker verifies the identity, context and policy
  • Lateral movement in the network is prohibited
  • There is a reduced surface area available for attack

Evolution of Private Access

Twenty-Five Years of Private Access Technology

1995
IPsec
1996-98
VPN
2001
MPLS
2003
802.1x
2007
SDP
2014
SD-WAN
2018
ZTON

1995

IPSec

IPsec traces its origins back to DARPA and NSA funded work in the last decades of the twentieth century, it continued to evolve for several years before arguably starting to enter mainstream use circa 2005 with the addition of AES and IKEv2. An open protocol most commonly used to construct network connections between hosts on the public Internet in either point-to-site or site-to-site network topologies.

1996-98

Virtual Private Network (VPN)

The workhorse of private networks with two major architectures: hub-and-spoke (also known as remote access or point-to-site) and site-to-site. VPNs are constructed from a plethora of protocols (IPsec, IKEv2, L2TP, PPTP, OpenVPN, SSL/TLS VPN, Cisco AnyConnect etc.) all trying to achieve the same thing: provide a secure, private network on top of the public Internet; either by extending one logical network into another or placing remote peers directly onto the local network.

2001

Multiprotocol Label Switching (MPLS)

First conceived in an era when bandwidth was expensive and high-speed broadband was not available widely or cheaply. MPLS helped to manage delivery of traffic using labels to indicate mission critical traffic, near real-time delivery or simple best effort delivery. The fastest, and lowest latency paths were reserved for the most important traffic. By enriching each packet with labels, carrier routers had additional information to help best route traffic most efficiently across the WAN.

2003

Network Access Control (NAC)

Network Access Control (802.1x) provides an authentication framework that allows for user authentication before access is granted to the network to help provide protection from rogue or unauthorized devices connecting to the LAN. 802.1x is particularly effective for flat or default-open internal networks in which lateral movement is possible, and for configurations in which devices and systems on the network had little or no endpoint protection software available.

2007

Software-Defined Perimeter (SDP)

Based on the concept of single packet authorization and port knocking before it and originally also referred to as Black Cloud, the SDP architecture evolved from work done at the Defense Information Systems Agency (DISA) under the Global Information Grid (GIG) Black Core Network initiative around 2007. Concepts of which were carried forwards by the Jericho Forum, and later in 2014 as part of Google's BeyondCorp Initiative. A front-runner to align with ZTNA principles, SDP is currently the most common ZTNA vendor implementation.

2014

Software-Defined Wide Area Network (SD-WAN)

SD-WAN solutions started to enter the market close to 2014 as an effort to bring Software Defined Networking (SDN) concepts to the WAN. Intended to achieve similar WAN optimization capabilities to MPLS for lower cost and less complexity, SD-WAN was positioned in the market as an alternative to predetermined MPLS routes on fixed circuits which were more complicated to provision in favour of policy-based routing using the open Internet.

2018

Zero Trust Overlay Network (ZTON)

A software-based overlay network aligned to with ZTNA principles in which devices and systems talk directly without the need for VPN servers. Entrance to the overlay network is governed by centralised policy-based management according to real-time security conditions on each endpoint. Notably, connectivity is achieved using techniques like UDP/TCP hole punching and traffic relays to operate transparently through NAT devices and not require firewalls to be opened for inbound traffic, dramatically reducing surface area available for attack.

Architecture

Many roads lead to ZTNA
Each architecture has strengths, weaknesses and trade-offs

Software Defined Perimeter

Appliance and proxy-based architecture. A reverse proxy appliance (the SDP connector) is deployed at the network edge and governed by a centralised policy-based controller.

Usually based on Single Packet Authorization (SPA). Often agentless for the client (initiating host). May not require a separate SDP connector appliance if the SDP Connector software is deployed directly to the target system(s).

View Vendors
Software Defined Perimeter

Zero-Trust Overlay Network

Agent based architecture. Devices talk directly to one another coordinated by centralised policy-based management.

Direct connections between cooperating systems are established using outbound-only traffic and a combination of device and user identity, UDP & TCP hole punching and NAT traversal techniques together create fast, end-to-end encrypted tunnels between connected systems from behind closed firewalls.

Some NAT configurations prevent the direct connection establishment, in such cases traffic relays are used to ensure a connection can be made.

View Vendors
Zero-Trust Overlay Network

Identity Aware Proxy

Agent-based architecture. Vendor's network acts as the default route for all devices. All traffic is routed via the vendor's network.

Agent connects out to vendor's network and opens a reverse proxy data channel. Any other traffic entering the vendors network can then be routed to the connected device.

End-user access may be agentless. Vendors commonly also provide Cloud Access Security Broker (CASB) and Secure Web Gateway (SWG) functions complimentary to ZTNA.

View Vendors
Identity Aware Proxy

Privileged Access Management

Agent-based architecture. Vendor's product centrally manages credentials for access to target servers.

Long-lived end-user credentials are authorized and authenticated before being transparently swapped out for unique, often single-use or limit-limited credentials which grant temporary access to target servers. Some vendors may offer protocol aware features like session recording and playback.

Products often assume different all areas of the network be connected and routable such that clients have a network pathway available to reach target servers.

View Vendors
Privileged Access Management

Host-based Firewall Control

Agent or remote-management based architecture. Vendor manages host-based firewalls built into device operating systems to control access. Centralised policy-based controller coordinates updates to each firewall.

Products often require different areas of the network be connected and routable for any kind of traffic, and ACLs are enforced by host-based firewalls instead of perimeter devices to micro-segment networks which might otherwise be flat.

View Vendors
Host-based Firewall Control

Identity Defined Network

Agent based architecture. All traffic traverses network relays coordinated by centralised policy-based management.

Some vendors offer hardware devices to transparently connect devices to the network.

View Vendors
Identity Defined Network

Zero Trust Network Access Vendors

Filter by Architecture

Software Defined Perimeter (SDP)

Appliance and proxy-based architecture. A reverse proxy appliance (the SDP connector) is deployed at the network edge and governed by a centralised policy-based controller.

Usually based on Single Packet Authorization (SPA). Often agentless for the client (initiating host). May not require a separate SDP connector appliance if the SDP Connector software is deployed directly to the target system(s).

Strengths

  • No ingress traffic, firewalls can be closed
  • Agentless deployment for clients
  • North-South traffic
  • Layer-7 traffic visibility

Weaknesses

  • Connector deploys as VM or appliance
  • Connector appliance requires patching
  • Connector availability determines uptime
  • East-West traffic
  • Lacks universal protocol support
  • Must be reconfigured if network changes
  • High availability requires multiple appliances

Trade-offs

  • Trust broker becomes the new target
  • Replaces multiple (separate) layers of protection
  • Deploys alongside existing systems

Software Defined Perimeter Vendors (44)

# Company Product License Deployment Pricing
1. AWS Verified Access Commercial SaaS Published
2. AppGate Secure Access Commercial SaaS Not published
3. Appaegis Appaegis Commercial SaaS Published
4. Banyan Security Banyan Security Commercial SaaS Published
5. Barracuda CloudGen Access Commercial SaaS Not Published
6. Broadcom Secure Access Cloud Commercial SaaS Not Published
7. Check Point Harmony Connect Remote Access Commercial SaaS Not Published
8. Cisco Cisco+ Secure Connect Commercial SaaS Published
9. Citrix Secure Private Access Commercial SaaS Published
10. Cyolo SecureLink Commercial SaaS Not Published
11. DH2i DxOdyssey Commercial SaaS Not Published
12. Deep Cloud Technology Deep Cloud SDP Commercial SaaS Not Published
13. Duo Duo Beyond Commercial SaaS Published
14. Elisity Elisity Cognitive Trust Commercial SaaS Not Published
15. Ericom Software ZTEdge Commercial SaaS Not Published
16. FerrumGate FerrumGate Open Source Self-hosted n/a
17. Forcepoint Private Access Commercial SaaS Not Published
18. Forescout eyeSight Commercial SaaS Not Published
19. Fortinet FortiGate Commercial Self-hosted Published
20. Google BeyondCorp Enterprise Commercial SaaS Not Published
21. Hashicorp Boundary Open Source Self-hosted n/a
22. Infra Infra Open Source SaaS or Self-hosted n/a
23. InstaSafe Zero Trust Network Access Commercial SaaS Published
24. Ivanti Ivanti Neurons Commercial SaaS Not Published
25. NetMotion Software Zero Trust Access Commercial SaaS Not Published
26. NetSkope Private Access Commercial SaaS Not Published
27. OPSWAT MetaAccess SDP Commercial SaaS Not Published
28. Perimeter81 Perimeter81 Commercial SaaS Published
29. Pritunl Pritunl Open Source Self-hosted n/a
30. Proofpoint Zero Trust Network Access Commercial SaaS Not Published
31. Resiliant Resiliant Zero Trust E2E Commercial SaaS Not Published
32. SAIFE Continuum Commercial SaaS Not Published
33. Sangfor Technologies Sangfor Private Access Commercial SaaS Not published
34. SecureLink SecureLink Enterprise Access Commercial SaaS or Self-hosted Not Published
35. Sophos Sophos ZTNA Commercial SaaS Not Published
36. Terrazone ZoneZero Perimeter Access Commercial SaaS Not Published
37. Timus Networks Timus Networks Commercial SaaS https://www.timusnetworks.com/plans/
38. TransientX TransientAccess Commercial SaaS Not Published
39. Twingate Twingate Commercial SaaS Published
40. VMWare Horizon Unified Access Gateway Commercial SaaS Published
41. Verizon Vidder Precision Access Commercial SaaS Not Published
42. Versa Networks Versa Secure Access Commercial SaaS or Self-hosted Not Published
43. Wavery Labs Panther SDP Open Source Self-hosted n/a
44. Zentry Security Zentry Trusted Access Commercial SaaS Not Published

Zero-Trust Overlay Network

Agent based architecture. Devices talk directly to one another coordinated by centralised policy-based management.

Direct connections between cooperating systems are established using outbound-only traffic and a combination of device and user identity, UDP & TCP hole punching and NAT traversal techniques together create fast, end-to-end encrypted tunnels between connected systems from behind closed firewalls.

Some NAT configurations prevent the direct connection establishment, in such cases traffic relays are used to ensure a connection can be made.

Strengths

  • No ingress traffic, firewalls can be closed
  • No gateway devices or proxy servers
  • Universal protocol support
  • Incremental deployment
  • North-South traffic
  • East-West traffic
  • Removes complexity from the network
  • Resilient to temporary trust broker failures
  • No network changes to deploy

Weaknesses

  • Primarily agent-based deployment
  • Agent software requires patching
  • Trust properties not applied to peripherals
  • Not protocol aware

Trade-offs

  • Trust broker becomes the new target
  • Replaces multiple (separate) layers of protection
  • Emerging technology

Zero-Trust Overlay Network Vendors (12)

# Company Product License Deployment Pricing
1. Ananda Networks Ananda Commercial SaaS Published
2. Defined Networking Nebula Open Source Self-hosted n/a
3. Enclave Enclave Commercial SaaS Published
4. FireZone FireZone Open Source Self-hosted n/a
5. Gravitl Netmaker Open Source Self-hosted n/a
6. Husarnet Husarnet Open Source SaaS or Self-hosted Published
7. Netbird Netbird Open Source SaaS Published
8. NordVPN Meshnet Commercial SaaS n/a
9. Tailscale Tailscale Open Source SaaS Published
10. Zero Networks Zero Networks Connect Commercial SaaS n/a
11. ZeroTier ZeroTier (& libzt) Open Source SaaS or Self-hosted (& SDK) Published
12. juanfont/headscale Headscale Open Source Self-hosted n/a

Identity Aware Proxy (IAP)

Agent-based architecture. Vendor's network acts as the default route for all devices. All traffic is routed via the vendor's network.

Agent connects out to vendor's network and opens a reverse proxy data channel. Any other traffic entering the vendors network can then be routed to the connected device.

End-user access may be agentless. Vendors commonly also provide Cloud Access Security Broker (CASB) and Secure Web Gateway (SWG) functions complimentary to ZTNA.

Strengths

  • No ingress traffic, firewalls can be closed
  • Agentless deployment for clients
  • Protocol aware
  • Session recording and playback
  • Vendor may bundle complimentary services

Weaknesses

  • Business network depends on vendor uptime
  • Limited protocol support
  • East-West traffic

Trade-offs

  • Vendor becomes the new target
  • Internal network traffic routed via vendor
  • Vendor terminates your TLS sessions
  • Vendor applies security on their platform

Identity Aware Proxy Vendors (12)

# Company Product License Deployment Pricing
1. Agilicus Agilicus Commercial SaaS or Self-hosted Published
2. Axis Security Atmos ZTNA Commercial SaaS Not Published
3. BlackBerry CylanceGATEWAY Commercial SaaS Not Published
4. Cato Networks Secure Remote Access Commercial SaaS Not Published
5. Cisco Cisco+ Secure Connect Now Commercial SaaS Not Published
6. CloudFlare Access SaaS SaaS Published
7. Genians Genian ZTNA Commercial SaaS Not Published
8. Microsoft Entra Commercial SaaS Published
9. Pomerium Pomerium Commercial Self-hosted Not Published
10. Todyl Todyl Commercial SaaS Not Published
11. ZScaler Private Access Commercial SaaS Not Published
12. iBoss iBoss Commercial SaaS Not Published

Privileged Access Management (PAM)

Agent-based architecture. Vendor's product centrally manages credentials for access to target servers.

Long-lived end-user credentials are authorized and authenticated before being transparently swapped out for unique, often single-use or limit-limited credentials which grant temporary access to target servers. Some vendors may offer protocol aware features like session recording and playback.

Products often assume different all areas of the network be connected and routable such that clients have a network pathway available to reach target servers.

Strengths

  • Protocol aware
  • Session recording and playback
  • Credentials never exposed to end-user

Weaknesses

  • Proxy servers are public on the Internet
  • East-West traffic
  • Limited protocol support

Trade-offs

  • Trust broker becomes the new target
  • Assumes network reachability

Privileged Access Management Vendors (7)

# Company Product License Deployment Pricing
1. Cyber Ark Privileged Access Commercial Self-hosted Not Published
2. Delinea Server Suite Commercial Self-hosted Not Published
3. Gravitational, Inc Teleport Commercial SaaS or Self-hosted Published
4. Okta Advanced Server Access Commercial SaaS Published
5. Silverfort Silverfort Commercial SaaS Not Published
6. Smallstep Smallstep Open Source SaaS or Self-hosted Published
7. StrongDM StrongDM Commercial SaaS Published

Host-based Firewall Control

Agent or remote-management based architecture. Vendor manages host-based firewalls built into device operating systems to control access. Centralised policy-based controller coordinates updates to each firewall.

Products often require different areas of the network be connected and routable for any kind of traffic, and ACLs are enforced by host-based firewalls instead of perimeter devices to micro-segment networks which might otherwise be flat.

Strengths

  • No appliances to deploy
  • Universal protocol support
  • North-South traffic
  • East-West traffic
  • Resilient to temporary trust broker failures

Weaknesses

  • Primarily agent-based deployment
  • Non-manageable devices not serviced
  • Assumes network reachability
  • Inconsistent per-OS firewall capabilities
  • Legacy systems may not be manageable

Trade-offs

  • Trust broker becomes the new target
  • Network can remain fundamentally flat
  • Built on IP addresses and ACLs

Host-based Firewall Control Vendors (3)

# Company Product License Deployment Pricing
1. Colortokens XAccess Commercial SaaS Not Published
2. Illumio Illumio Edge Commercial SaaS or Self-hosted Not Published
3. Unisys Stealth Commercial SaaS Not Published

Identity Defined Network (IDN)

Agent based architecture. All traffic traverses network relays coordinated by centralised policy-based management.

Some vendors offer hardware devices to transparently connect devices to the network.

Strengths

  • North-South traffic
  • Universal protocol support
  • Incremental deployment
  • No ingress traffic, firewalls can be closed

Weaknesses

  • Business network depends on relay uptime
  • All network traffic traverses relays
  • Appliances require patching
  • Agents require patching
  • Must be reconfigured if network changes
  • East-West traffic

Trade-offs

  • Trust broker becomes the new target
  • High availability requires multiple appliances

Identity Defined Network Vendors (6)

# Company Product License Deployment Pricing
1. Intrusion Inc Intrusion Shield Endpoint Commercial SaaS Not Published
2. Narrowlink Narrowlink Open-source Self-hosted n/a
3. NetFoundry CloudZiti (& OpenZiti) Open-source & commercial SaaS or Self-hosted (& SDK) Published
4. Tempered Networks Airwall Commercial SaaS or Self-hosted Not Published
5. Zentera CoIP Access Platform Commercial SaaS or Self-hosted Not Published
6. greymatter.io Enterprise Microservices Platform Commercial SaaS or Self-hosted Not Published
Thank you!

Thank you!

Wonderful, thanks for subscribing. Please check your email and click on the confirmation link to verify your subscription.

We'll keep you updated

We'll keep you updated

Thanks for helping to support this project by subscribing, we'll let you know when new vendors or content are added.

Something went wrong

Something went wrong

Sorry, we encountered a problem trying to add you to our mailing list. Please try again!