set up ZTNA using pfsense
-
hello,
this is my first post, so if I don't respect some rules, please tell me
here's some background:
I work for a digital services company that wants to introduce ZTNA to its customers.
The idea is to master ZTNA on several platforms so that we can push it into certain customers' environments. We chose 3 ways of doing it: cloud based (Cloudflare, Zscaler), FortiClient, and I pushed pfSense to have an open-source solution.
But despite a lot of research, I couldn't find the information needed to implement ZTNA using pfSense. So I'm wondering if it's possible to implement ZTNA using pfSense, and if it is, I'd like to know how to do it. Even if it's not in detail, having an outline roadmap would help a lot.
I'd also like to point out that I'm by no means an expert in ZTNA. I've only been interested in this technology for a short time and I know I still have a lot to learn.
Thank you in advance for your answers and comments.
-
It depends how you define ZTNA to a large extent.
-
@stephenw10 exactly. You could set up ZTNA with just a normal VPN, to be honest, where you allow a specific client access only to specific ports and IPs in the firewall rules you put on the VPN. You don't have to allow a VPN client access to everything.
If I limit a client to only the specific IPs and ports it needs, then that would be a zero trust setup.
-
Hello @stephenw10 and @johnpoz,
Thank you for your reply. Actually, what we'd like to do is have an on-premise solution for those who prefer not to use a cloud-based solution (SASE).
For example, consider a customer with applications on an on-premise server and SaaS applications. Currently, they utilize a VPN connection for secure access to on-premise applications, while SaaS applications are accessed only via login credentials (and possibly MFA).
Our goal is to implement the principles of ZTNA primarily using pfSense (and possibly other hardware or software if necessary) to secure connections to applications through tunnels. We would, of course, check the predefined rules beforehand. According to ZTNA principles, these tunnels must be monitored and cut off as soon as a change is detected or if the predefined security rules are no longer adhered to.
As I'm new to ZTNA, I apologize for any approximations I may have made. If I've left something out, please let me know, and I'll provide additional information.
-
@johnpoz In principle, I agree with what you say.
But is it enough to compensate for the VPN's limitations?
Especially when it comes to hardware verification and connection monitoring?
-
I think there are various meanings of Zero Trust Network Architecture.
From what I've seen on some FortiGate courses, Zero Trust means that we don't even trust devices on the LAN.
Every device would need to report to the firewall about their OS version, patch status, logged-in user(s) etc., and based on that the firewall would decide what level of access to give the specific device. For example, if it's not patched, it could allow enough access to get the patches and be up to date, but no connection to any intranet servers to avoid security concerns, and so on.
In some cases, for this to work properly it is advisable to have not just the firewall but the switches as well from the same vendor. But yeah, I would like to know as well if anything like the above is achievable with pfSense/OPNsense.
And if it is, would you have to buy some additional licenses?
-
@Elemer82 said in set up ZTNA using pfsense:
Every device would need to report to the firewall about their OS version, patch status, logged in user(s) etc.
To achieve that you would need some client side application running. That's not, yet, available.
-
@stephenw10 To be quite honest (and I posted about this in the non-support channel), Tailscale is quite wonderful for this. They do posture checking, which you can make part of your tailnet policy. Integrating with an IdP of your choice along with ACL tags makes using Tailscale scalable and robust.
I have labbed up Tailscale over the last few months and am happy to say I rolled it out in a particular setting. Truthfully, it is one of the best products I have used in a very long time. pfSense does have support for TS with additional feature sets such as being an exit node or doing subnet routing (specific terms within the Tailscale environment).
I would urge you to explore it.
-
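As an added illustration of the approach michmoor describes above (posture checks, IdP-backed groups and ACL tags in one tailnet policy), here is an example Tailscale policy file. It is not michmoor's or Tailscale's own configuration; the group names, tag names, user addresses and version threshold are assumptions chosen for the example.

```json
{
  // Only members of group:netops may apply this tag to a node.
  "tagOwners": {
    "tag:intranet-web": ["group:netops"]
  },
  // Groups are populated from IdP identities (placeholder addresses).
  "groups": {
    "group:netops": ["admin@example.com"],
    "group:staff":  ["alice@example.com", "bob@example.com"]
  },
  // Device posture: a node must satisfy every condition to match.
  "postures": {
    "posture:patched": [
      "node:os IN ['windows', 'macos', 'linux']",
      "node:tsVersion >= '1.60'"
    ]
  },
  "acls": [
    // Staff on compliant devices reach the intranet app on 443 only;
    // a node that drops out of posture loses access on re-evaluation.
    {
      "action": "accept",
      "src": ["group:staff"],
      "srcPosture": ["posture:patched"],
      "dst": ["tag:intranet-web:443"]
    },
    // Netops may administer the tagged servers over SSH.
    {
      "action": "accept",
      "src": ["group:netops"],
      "dst": ["tag:intranet-web:22"]
    }
  ]
}
```

Anything not matched by an accept rule is denied by default, which is the least-privilege behaviour johnpoz describes for a conventional VPN, with the posture condition added on top.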
Tailscale is a great option as @michmoor mentioned.
It also depends on your organization's goals and whether you are just going to do ZTNA or go with full SASE (which incorporates ZTNA but is far more expensive). The latter is arguably better, but it's a lot more work and money and still has some limitations.