The no-bullshit ZTNA vendor directory

A curated, impartial and open-source directory of ZTNA vendors and architectures.

91

Vendors

6

Architectures

7

NIST tenets

1

Executive Orders

Show me the full list of ZTNA vendors

Security, at the edge

Gartner hails a SASE future. Forrester calls it Zero-Trust Edge.

Secure Service Access Edge (SASE) or Zero-Trust Edge (ZTE) is the concept of combining network security functions with WAN capabilities in such a way so as to align with Zero Trust principles. Implementations are primarily delivered as a Service and policy decisions are based on the identity of connecting entities, real time context and security posture. While SASE points to a larger amalgamation of existing tooling, Zero Trust Network Access (ZTNA) is a central component of the architecture.

Andrew Lerner, Gartner (2019) & David Holmes, Forrester (2021)
Gartner hails a SASE future. Forrester calls it Zero-Trust Edge.

The Seven Tenets of Zero Trust

NIST Special Publication 800-207

Zero Trust, defined: The United States National Institute of Standards and Technology (NIST) defines Zero Trust and a Zero Trust Architecture in terms of seven basic tenets. These tenets are the ideal goal, not all tenets need be fully implemented in their purest form for a given strategy. The British National Cyber Security Centre (NCSC) has also published guidance in which they define eight principles to help organizations adopt Zero Trust.

Zero Trust Architecture, NIST (2020) & Zero Trust Architecture Design Principles, NCSC (2021)

1. Everything is a Resource

3. Session-based access

5. Monitor security posture

7. Measure and Improve

NIST Special Publication 800-207

2. Secure all communications

4. Policies must be dynamic

6. Authenticate before connect

NIST Special Publication 800-207

1. Everything is a Resource

All data sources and computing services are considered resources

2. Secure all communications

All communication is secured regardless of network location

3. Session-based access

Access to individual enterprise resources is granted on a per-session basis

4. Policies must be dynamic

Access to resources is determined by dynamic policy and real-time security posture

5. Monitor security posture

No asset is inherently trusted

6. Authenticate before connect

Resource authentication and authorization is dynamic and strictly enforced before access is granted

7. Measure and Improve

Collect as much data as possible, monitor and measure the integrity and security posture of all assets and use it to improve security posture

Zero Trust Network Access

Approach meets architecture

Zero Trust Network Access

Zero Trust Network Access, or ZTNA is a Zero Trust approach to private networking which Gartner define, as "a product or service that creates an identity- and context-based, logical access boundary around an application or set of applications. The applications are hidden from discovery, and access is restricted via a trust broker to a set of named entities."

Put simply, these principles are:

  • Applications are hidden from discovery, no public visibility
  • Access is restricted via a trust broker
  • The trust broker verifies the identity, context and policy
  • Lateral movement in the network is prohibited
  • There is a reduced surface area available for attack

Evolution of Private Access

Twenty-Five Years of Private Access Technology

1995
IPsec
1996-98
VPN
2001
MPLS
2003
802.1x
2007
SDP
2014
SD-WAN
2018
Overlay

1995

IPSec

IPsec traces its origins back to DARPA and NSA funded work in the last decades of the twentieth century, it continued to evolve for several years before arguably starting to enter mainstream use circa 2005 with the addition of AES and IKEv2. An open protocol most commonly used to construct network connections between hosts on the public Internet in either point-to-site or site-to-site network topologies.

1996-98

Virtual Private Network (VPN)

The workhorse of private networks with two major architectures: hub-and-spoke (also known as remote access or point-to-site) and site-to-site. VPNs are constructed from a plethora of protocols (IPsec, IKEv2, L2TP, PPTP, OpenVPN, SSL/TLS VPN, Cisco AnyConnect etc.) all trying to achieve the same thing: provide a secure, private network on top of the public Internet; either by extending one logical network into another or placing remote peers directly onto the local network.

2001

Multiprotocol Label Switching (MPLS)

First conceived in an era when bandwidth was expensive and high-speed broadband was not available widely or cheaply. MPLS helped to manage delivery of traffic using labels to indicate mission critical traffic, near real-time delivery or simple best effort delivery. The fastest, and lowest latency paths were reserved for the most important traffic. By enriching each packet with labels, carrier routers had additional information to help best route traffic most efficiently across the WAN.

2003

Network Access Control (NAC)

Network Access Control (802.1x) provides an authentication framework that allows for user authentication before access is granted to the network to help provide protection from rogue or unauthorized devices connecting to the LAN. 802.1x is particularly effective for flat or default-open internal networks in which lateral movement is possible, and for configurations in which devices and systems on the network had little or no endpoint protection software available.

2007

Software-Defined Perimeter (SDP)

Based on the concept of single packet authorization and port knocking before it and originally also referred to as Black Cloud, the SDP architecture evolved from work done at the Defense Information Systems Agency (DISA) under the Global Information Grid (GIG) Black Core Network initiative around 2007. Concepts of which were carried forwards by the Jericho Forum, and later in 2014 as part of Google's BeyondCorp Initiative. A front-runner to align with ZTNA principles, SDP is currently the most common ZTNA vendor implementation.

2014

Software-Defined Wide Area Network (SD-WAN)

SD-WAN solutions started to enter the market close to 2014 as an effort to bring Software Defined Networking (SDN) concepts to the WAN. Intended to achieve similar WAN optimization capabilities to MPLS for lower cost and less complexity, SD-WAN was positioned in the market as an alternative to predetermined MPLS routes on fixed circuits which were more complicated to provision in favour of policy-based routing using the open Internet.

2018

Mesh Overlay Network

A software-based overlay network aligned to with ZTNA principles in which devices and systems talk directly without the need for VPN servers. Entrance to the overlay network is governed by centralised policy-based management according to real-time security conditions on each endpoint. Notably, connectivity is achieved using techniques like UDP/TCP hole punching and traffic relays to operate transparently through NAT devices and not require firewalls to be opened for inbound traffic, dramatically reducing surface area available for attack.

Architecture

Many roads lead to ZTNA
Each architecture has strengths, weaknesses and trade-offs

Software Defined Perimeter

Appliance and proxy-based architecture. A reverse proxy appliance (the SDP connector) is deployed at the network edge and governed by a centralised policy-based controller.

Usually based on Single Packet Authorization (SPA). Often agentless for the client (initiating host). May not require a separate SDP connector appliance if the SDP Connector software is deployed directly to the target system(s).

View Vendors
Software Defined Perimeter

Mesh Overlay Network

Agent based architecture. Devices talk directly to one another coordinated by centralised policy-based management. Direct connections between cooperating systems are established using outbound-only traffic and a combination of device and user identity, UDP & TCP hole punching and NAT traversal techniques together create fast, end-to-end encrypted tunnels between connected systems from behind closed firewalls.

Some NAT configurations prevent the direct connection establishment, in such cases traffic relays are used to ensure a connection can be made.

View Vendors
Mesh Overlay Network

Reverse Proxy

Agent-based architecture. Vendor's network acts as the default route for all devices. All traffic is routed via the vendor's network.

Reverse Proxy application connects out to vendor's network, opening a reverse proxy data channel. Any other traffic entering the vendors network can then be routed to the connected device.

End-user access may be agentless. Vendors commonly also provide Cloud Access Security Broker (CASB) and Secure Web Gateway (SWG) functions complimentary to ZTNA.

View Vendors
Reverse Proxy

Privileged Access Management

Agent-based architecture. Vendor's product centrally manages credentials for access to target servers.

Long-lived end-user credentials are authorized and authenticated before being transparently swapped out for unique, often single-use or limit-limited credentials which grant temporary access to target servers. Some vendors may offer protocol aware features like session recording and playback.

Products often assume different all areas of the network be connected and routable such that clients have a network pathway available to reach target servers.

View Vendors
Privileged Access Management

Host-based Firewall Control

Agent or remote-management based architecture. Vendor manages host-based firewalls built into device operating systems to control access. Centralised policy-based controller coordinates updates to each firewall.

Products often require different areas of the network be connected and routable for any kind of traffic, and ACLs are enforced by host-based firewalls instead of perimeter devices to micro-segment networks which might otherwise be flat.

View Vendors
Host-based Firewall Control

Identity Defined Network

Agent based architecture. All traffic traverses network relays coordinated by centralised policy-based management.

Some vendors offer hardware devices to transparently connect devices to the network.

View Vendors
Identity Defined Network

Zero Trust Network Access Vendors

Filter by Architecture

Software Defined Perimeter (SDP)

Appliance and proxy-based architecture. A reverse proxy appliance (the SDP connector) is deployed at the network edge and governed by a centralised policy-based controller.

Usually based on Single Packet Authorization (SPA). Often agentless for the client (initiating host). May not require a separate SDP connector appliance if the SDP Connector software is deployed directly to the target system(s).

Strengths

  • No ingress traffic, firewalls can be closed
  • Agentless deployment for clients
  • North-South traffic
  • Layer-7 traffic visibility

Weaknesses

  • Connector deploys as VM or appliance
  • Connector appliance requires patching
  • Connector availability determines uptime
  • East-West traffic
  • Lacks universal protocol support
  • Must be reconfigured if network changes
  • High availability requires multiple appliances

Trade-offs

  • Trust broker becomes the new target
  • Replaces multiple (separate) layers of protection
  • Deploys alongside existing systems

Software Defined Perimeter Vendors (45)

# Company Product License Deployment Pricing
1. AWS Verified Access Commercial SaaS Published
2. Absolute Absolute ZTNA Commercial SaaS Not Published
3. AppGate Secure Access Commercial SaaS Not published
4. Appaegis Appaegis Commercial SaaS Published
5. Banyan Security Banyan Security Commercial SaaS Published
6. Barracuda CloudGen Access Commercial SaaS Not Published
7. Broadcom Secure Access Cloud Commercial SaaS Not Published
8. Check Point Harmony Connect Remote Access Commercial SaaS Not Published
9. Cisco Cisco Secure Access Commercial SaaS Not Published
10. Citrix Secure Private Access Commercial SaaS Published
11. Cyolo SecureLink Commercial SaaS Not Published
12. DH2i DxOdyssey Commercial SaaS Not Published
13. Deep Cloud Technology Deep Cloud SDP Commercial SaaS Not Published
14. Duo Duo Beyond Commercial SaaS Published
15. Elisity Elisity Cognitive Trust Commercial SaaS Not Published
16. Ericom Software ZTEdge Commercial SaaS Not Published
17. FerrumGate FerrumGate Open Source Self-hosted n/a
18. Forcepoint Private Access Commercial SaaS Not Published
19. Forescout eyeSight Commercial SaaS Not Published
20. Fortinet FortiGate Commercial Self-hosted Published
21. Google BeyondCorp Enterprise Commercial SaaS Not Published
22. Hashicorp Boundary Open Source Self-hosted n/a
23. Infra Infra Open Source SaaS or Self-hosted n/a
24. InstaSafe Zero Trust Network Access Commercial SaaS Published
25. Ivanti Ivanti Neurons Commercial SaaS Not Published
26. Menlo Security Secure Application Access Commercial SaaS n/a
27. NetSkope Private Access Commercial SaaS Not Published
28. OPSWAT MetaAccess SDP Commercial SaaS Not Published
29. Perimeter 81 Perimeter 81 Commercial SaaS Published
30. Pritunl Pritunl Open Source Self-hosted n/a
31. Proofpoint Zero Trust Network Access Commercial SaaS Not Published
32. Resiliant Resiliant Zero Trust E2E Commercial SaaS Not Published
33. SAIFE Continuum Commercial SaaS Not Published
34. Sangfor Technologies Sangfor Private Access Commercial SaaS Not published
35. SecureLink SecureLink Enterprise Access Commercial SaaS or Self-hosted Not Published
36. SonicWall Cloud Edge Secure Access Commercial SaaS n/a
37. Sophos Sophos ZTNA Commercial SaaS Not Published
38. Terrazone ZoneZero Perimeter Access Commercial SaaS Not Published
39. TransientX TransientAccess Commercial SaaS Not Published
40. Twingate Twingate Commercial SaaS Published
41. VMWare Horizon Unified Access Gateway Commercial SaaS Published
42. Verizon Vidder Precision Access Commercial SaaS Not Published
43. Versa Networks Versa Secure Access Commercial SaaS or Self-hosted Not Published
44. Wavery Labs Panther SDP Open Source Self-hosted n/a
45. Zentry Security Zentry Trusted Access Commercial SaaS Not Published

Mesh Overlay Network

Agent based architecture. Devices talk directly to one another coordinated by centralised policy-based management. Direct connections between cooperating systems are established using outbound-only traffic and a combination of device and user identity, UDP & TCP hole punching and NAT traversal techniques together create fast, end-to-end encrypted tunnels between connected systems from behind closed firewalls.

Some NAT configurations prevent the direct connection establishment, in such cases traffic relays are used to ensure a connection can be made.

Strengths

  • No ingress traffic, firewalls can be closed
  • No gateway devices or proxy servers
  • Universal protocol support
  • Incremental deployment
  • North-South traffic
  • East-West traffic
  • Removes complexity from the network
  • Resilient to temporary trust broker failures
  • No network changes to deploy

Weaknesses

  • Primarily agent-based deployment
  • Agent software requires patching
  • Trust properties not applied to peripherals
  • Not protocol aware

Trade-offs

  • Trust broker becomes the new target
  • Replaces multiple (separate) layers of protection
  • Emerging technology

Mesh Overlay Network Vendors (15)

# Company Product License Deployment Pricing
1. Ananda Networks Ananda Commercial SaaS Published
2. Cyberhive CyberHive Connect Commercial SaaS n/a
3. Defined Networking Nebula Open Source Self-hosted n/a
4. Enclave Enclave Commercial SaaS Published
5. FireZone FireZone Open Source Self-hosted n/a
6. Gravitl Netmaker Open Source Self-hosted n/a
7. Husarnet Husarnet Open Source SaaS or Self-hosted Published
8. Netbird Netbird Open Source SaaS Published
9. NordVPN Meshnet Commercial SaaS n/a
10. Tailscale Tailscale Open Source SaaS Published
11. XplicitTrust XplicitTrust Network Access Commercial SaaS Published
12. Zero Networks Zero Networks Connect Commercial SaaS n/a
13. ZeroTier ZeroTier (& libzt) Open Source SaaS or Self-hosted (& SDK) Published
14. juanfont/headscale Headscale Open Source Self-hosted n/a
15. webmeshproj/webmesh Webmesh Open Source Self-hosted n/a

Reverse Proxy

Agent-based architecture. Vendor's network acts as the default route for all devices. All traffic is routed via the vendor's network.

Reverse Proxy application connects out to vendor's network, opening a reverse proxy data channel. Any other traffic entering the vendors network can then be routed to the connected device.

End-user access may be agentless. Vendors commonly also provide Cloud Access Security Broker (CASB) and Secure Web Gateway (SWG) functions complimentary to ZTNA.

Strengths

  • No ingress traffic, firewalls can be closed
  • Agentless deployment for clients
  • Protocol aware
  • Session recording and playback
  • Vendor may bundle complimentary services

Weaknesses

  • Business network depends on vendor uptime
  • Limited protocol support
  • East-West traffic

Trade-offs

  • Vendor becomes the new target
  • Internal network traffic routed via vendor
  • Vendor terminates your TLS sessions
  • Vendor applies security on their platform

Reverse Proxy Vendors (14)

# Company Product License Deployment Pricing
1. Agilicus Agilicus Commercial SaaS or Self-hosted Published
2. Akamai Akamai Enterprise Application Access Commercial SaaS Not Published
3. BlackBerry CylanceGATEWAY Commercial SaaS Not Published
4. Cato Networks Secure Remote Access Commercial SaaS Not Published
5. CloudFlare Access SaaS SaaS Published
6. Exium Secure Private Access Commercial SaaS Not Published
7. Genians Genian ZTNA Commercial SaaS Not Published
8. HPE Atmos ZTNA Commercial SaaS Not Published
9. Microsoft Entra Commercial SaaS Published
10. Palo Alto Prisma Access Commercial SaaS Not Published
11. Pomerium Pomerium Commercial Self-hosted Not Published
12. Todyl Todyl Commercial SaaS Not Published
13. ZScaler Private Access Commercial SaaS Not Published
14. iBoss iBoss Commercial SaaS Not Published

Privileged Access Management (PAM)

Agent-based architecture. Vendor's product centrally manages credentials for access to target servers.

Long-lived end-user credentials are authorized and authenticated before being transparently swapped out for unique, often single-use or limit-limited credentials which grant temporary access to target servers. Some vendors may offer protocol aware features like session recording and playback.

Products often assume different all areas of the network be connected and routable such that clients have a network pathway available to reach target servers.

Strengths

  • Protocol aware
  • Session recording and playback
  • Credentials never exposed to end-user

Weaknesses

  • Proxy servers are public on the Internet
  • East-West traffic
  • Limited protocol support

Trade-offs

  • Trust broker becomes the new target
  • Assumes network reachability

Privileged Access Management Vendors (7)

# Company Product License Deployment Pricing
1. Cyber Ark Privileged Access Commercial Self-hosted Not Published
2. Delinea Server Suite Commercial Self-hosted Not Published
3. Gravitational, Inc Teleport Commercial SaaS or Self-hosted Published
4. Okta Advanced Server Access Commercial SaaS Published
5. Silverfort Silverfort Commercial SaaS Not Published
6. Smallstep Smallstep Open Source SaaS or Self-hosted Published
7. StrongDM StrongDM Commercial SaaS Published

Host-based Firewall Control

Agent or remote-management based architecture. Vendor manages host-based firewalls built into device operating systems to control access. Centralised policy-based controller coordinates updates to each firewall.

Products often require different areas of the network be connected and routable for any kind of traffic, and ACLs are enforced by host-based firewalls instead of perimeter devices to micro-segment networks which might otherwise be flat.

Strengths

  • No appliances to deploy
  • Universal protocol support
  • North-South traffic
  • East-West traffic
  • Resilient to temporary trust broker failures

Weaknesses

  • Primarily agent-based deployment
  • Non-manageable devices not serviced
  • Assumes network reachability
  • Inconsistent per-OS firewall capabilities
  • Legacy systems may not be manageable

Trade-offs

  • Trust broker becomes the new target
  • Network can remain fundamentally flat
  • Built on IP addresses and ACLs

Host-based Firewall Control Vendors (4)

# Company Product License Deployment Pricing
1. Akamai Akamai Guardicore Segmentation Commercial SaaS or Self-hosted Not Published
2. Colortokens XAccess Commercial SaaS Not Published
3. Illumio Illumio Edge Commercial SaaS or Self-hosted Not Published
4. Unisys Stealth Commercial SaaS Not Published

Identity Defined Network (IDN)

Agent based architecture. All traffic traverses network relays coordinated by centralised policy-based management.

Some vendors offer hardware devices to transparently connect devices to the network.

Strengths

  • North-South traffic
  • Universal protocol support
  • Incremental deployment
  • No ingress traffic, firewalls can be closed

Weaknesses

  • Business network depends on relay uptime
  • All network traffic traverses relays
  • Appliances require patching
  • Agents require patching
  • Must be reconfigured if network changes
  • East-West traffic

Trade-offs

  • Trust broker becomes the new target
  • High availability requires multiple appliances

Identity Defined Network Vendors (6)

# Company Product License Deployment Pricing
1. Intrusion Inc Intrusion Shield Endpoint Commercial SaaS Not Published
2. Narrowlink Narrowlink Open-source Self-hosted n/a
3. NetFoundry CloudZiti (& OpenZiti) Open-source & commercial SaaS or Self-hosted (& SDK) Published
4. Tempered Networks Airwall Commercial SaaS or Self-hosted Not Published
5. Zentera CoIP Access Platform Commercial SaaS or Self-hosted Not Published
6. greymatter.io Enterprise Microservices Platform Commercial SaaS or Self-hosted Not Published
Thank you!

Thank you!

Wonderful, thanks for subscribing. Please check your email and click on the confirmation link to verify your subscription.

We'll keep you updated

We'll keep you updated

Thanks for helping to support this project by subscribing, we'll let you know when new vendors or content are added.

Something went wrong

Something went wrong

Sorry, we encountered a problem trying to add you to our mailing list. Please try again!