Beyond FortiGate: FortiSASE for Your Hybrid, Remote and On-Prem Workforces

Mar 11, 2026 by Tim Lewis

You can live without your remote access VPN, and you should

VPNs have become a nightmare for your IT team and a significant opportunity for cybercriminals. In a world that is increasingly, and often too late, becoming “zero trust” minded, VPNs hold on to the notion of “trust” via “privacy.” Once a VPN is established, the attached endpoint is “trusted.” Attached devices can access anything permitted by the VPN policies. All one has to do is establish this connection and <cue 90s hacker movie music>, “I’m in.”

What if you could grant access to internal resources only to users who have authenticated with MFA, only from computers you control that meet your security standards, and only to the specific resources you designate for the users you authorize? That’s where FortiSASE, part of Fortinet’s ZTNA (Zero Trust Network Access) offering, comes in.

FortiSASE’s Secure Internet Access

But before we get there, let’s talk about FortiSASE’s secure Internet access (SIA). A common headache when dealing with hybrid users is what to do with their traffic that isn’t going to internal resources. Traditionally, you could enable split-tunneling, where traffic not destined for internal resources bypassed the tunnel. Or you could leave split-tunneling disabled, so that all traffic went over the tunnel. In that case, remote users’ Internet traffic traversed the company firewall and adhered to its policies, but at the cost of extra bandwidth on your local Internet connection. OR, you could specify that ONLY traffic to internal resources is allowed while connected to the VPN (a headache to be sure in 2026).

With FortiSASE, the first thing you set up is SIA. Users with devices on-boarded to FortiSASE tunnel all traffic through FortiSASE. This Firewall as a Service (FWaaS) functionality serves as your hybrid users’ “firewall in the sky” that is always with them. This solves the common challenge of understanding and securing user activity when employees are working remotely. All of the network security features you are used to (web filtering, application control, etc.) are available in FortiSASE.

Zero Trust Access to Your Internal Resources

Now that your users have secure access to the Internet, let’s get them connected to your on-prem resources. If they need access to that internal web app, you can configure your FortiGate to publish it only to your FortiSASE-managed and verified endpoints. If your users need more access, you can configure Secure Private Access (SPA).

With SPA, you configure your on-prem FortiGate as an SD-WAN hub that connects to your FortiSASE instance. You configure ZTNA policies to allow appropriate endpoints access to your on-premises network with FortiSASE acting as the intermediary.

Device Posture and ZTNA Policies: Controlling Who Gets In

So what is preventing the bad guys from just stealing credentials and connecting to your FortiSASE instance and accessing your network? Unlike traditional VPNs, it’s not that simple.

For starters, in order to even try connecting, your endpoint must be running a registered instance of FortiClient. In order to register, your end user must use a unique, one-time code to connect their endpoint to your FortiSASE instance. No published hostname, no published unique IP address. When registering and on-boarding, the end user must authenticate to your SSO (Microsoft Entra, etc.) under your MFA policies.

When setting up policies to allow access to resources, you can assign ZTNA tags to endpoints. These tags can be assigned to endpoints based on a range of criteria such as OS version, management status, domain membership, patch level, and user group.

Instead of simple firewall policies that allow traffic based on source and destination IP address, you add ZTNA tags to the mix. Let’s say you designate ‘secure’ and ‘at-risk’ tags, where ‘secure’ means up to date, AV running, and firewall on, and ‘at-risk’ means any of those are not true. Your ZTNA policies can designate that only ‘secure’ computers can access resources, while ‘at-risk’ computers are limited to the resources required for remediation.
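To make the tag-then-policy evaluation concrete, here is an added Python model (not Fortinet’s code) of how posture-derived tags gate access. The endpoint attributes, resource names and the ‘secure’/‘at-risk’ rules are assumptions chosen to mirror the scenario above, and the sample endpoints are constructed.

```python
"""Model of posture-based ZTNA policy evaluation (added example, not Fortinet code).

Assumed tag rules mirror the post: 'secure' = up to date, AV running, firewall on;
anything else is 'at-risk'. Unregistered devices never receive a tag.
"""
from dataclasses import dataclass


@dataclass
class Endpoint:
    name: str
    registered: bool   # on-boarded FortiClient instance (assumed attribute)
    mfa_passed: bool   # authenticated to SSO under MFA policy (assumed attribute)
    up_to_date: bool
    av_running: bool
    firewall_on: bool


# Constructed policy: which tags may reach which resources.
POLICY = {
    "secure": {"erp", "file-share", "remediation"},
    "at-risk": {"remediation"},
}


def posture_tags(ep: Endpoint) -> set[str]:
    """Derive ZTNA tags from posture; an unregistered device gets none."""
    if not ep.registered:
        return set()
    healthy = ep.up_to_date and ep.av_running and ep.firewall_on
    return {"secure"} if healthy else {"at-risk"}


def access_decision(ep: Endpoint, resource: str) -> tuple[bool, str]:
    """Check registration, then MFA, then tags; return (allowed, reason)."""
    if not ep.registered:
        return False, "not a registered FortiClient endpoint"
    if not ep.mfa_passed:
        return False, "SSO/MFA authentication failed"
    for tag in posture_tags(ep):
        if resource in POLICY.get(tag, set()):
            return True, f"allowed by tag '{tag}'"
    return False, "no tag grants this resource"


# Constructed endpoints: a healthy laptop, an unpatched laptop, and stolen
# credentials used from an unmanaged, unregistered machine.
ENDPOINTS = {
    "laptop-ok": Endpoint("laptop-ok", True, True, True, True, True),
    "laptop-stale": Endpoint("laptop-stale", True, True, False, True, True),
    "stolen-creds": Endpoint("stolen-creds", False, True, True, True, True),
}

if __name__ == "__main__":
    for ep in ENDPOINTS.values():
        for res in ("erp", "remediation"):
            print(ep.name, res, access_decision(ep, res))
```

Note that the stolen-credential case is refused before MFA or posture is even consulted, which is the registration gate the previous section describes.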

Once you have this infrastructure in place, not only are you securing hybrid users and internal resources, you are also positioned to protect cloud resources and defend against shadow IT.

Stay tuned for part two in this series. If you need to elevate your cybersecurity and secure networking, reach out to us and we’d be happy to discuss how you can use Fortinet products and solutions to amplify your cybersecurity posture. 
