Blog da Zscaler

Receba as últimas atualizações do blog da Zscaler na sua caixa de entrada

Inscreva-se
Products & Solutions

The Hybrid Hustle: Optimizing Traffic Forwarding for Managed Devices

image

Remember the Hollywood spy thrillers where a stereotypical hacker working from a dimly lit basement bypasses the mighty FIREWALL to hack into Evil Corp Inc. using a Nokia 6600 and a VPN?

Behind the dazzle lies a sobering truth—the failing perimeter-defense.

Not too far in the past, cybersecurity was a relatively simple, linear endeavor. Cut to the present day—a nomadic workforce on public networks, increased resilience on cloud services, BYOD boom, and what have you—security now is like riding a unicycle with a blindfold while juggling flaming swords.

Bad actors are no longer knocking on the front door; they're slipping in through every crack and crevice they can find, and just as you'd no longer protect a modern city with medieval walls, you can't secure a global, flexible team with a rigid, centralized network.

This need for enhanced connectivity coupled with the evolving user access security for a hybrid workforce explains the surging traction behind zero rust architectures—to the extent that a recent White House executive order mandates that all federal agencies adopt one by 2024.

Image

 

The Disparate Distributed Data Mesh

Let’s take a moment to decipher the complex tapestry of digital interactions between numerous traffic and data channels across the enterprise network in a hybrid setup.

The network traffic between remote workers, branch offices, and HQ—primarily dominated by VPNs. This traffic can further be distilled into RDP, FTP, DNS, remote access solutions, database traffic, and a dozen other formats.

With the likes of Gartner projecting almost 75% of organizations to go hybrid by the end of 2024, this flow will only multiply many fold. 

Then there’s the traffic originating from vendors, partners, and third parties. Did you know that in 2021, 33% of all attacks in the healthcare sector were linked to third parties? Also, the fact that almost 54% of businesses do not vet third-party vendors properly?

And how can we not mention the proliferation of cloud services and SaaS applications? With an average of 1,295 cloud services perenterprise, around 94% of all companies globally utilize cloud services in their operations. I’ll let you do the network traffic maths.

Overall, the enterprise network serves as a conduit for a diverse array of traffic and data, originating from a plethora of sources. Navigating this intricate web of connectivity requires the right blend of security and traffic forwarding capabilities.

 

Traffic Forwarding to The Zero Trust Exchange

Alright, so we know that perimeter bound security is obsolete and we know that we have data coming in from a magnitude of sources. Let’s come to the part where Zscaler can help.

The Zero Trust Exchange (ZTE) provides a centralized point for securing and managing network traffic, regardless of where the user is located or what device they are using.

Whether the traffic originates from users within the corporate network, remote workers, branch offices, or even mobile devices, Zscaler ZTE ensures that it is forwarded through the Zscaler cloud to enforce policies and protect against threats before reaching its destination.

Zero Trust Exchange

 

Traffic Forwarding from Managed Devices

Managed devices, including corporate laptops and mobile devices, can seamlessly connect to the ZTE using methods such as PAC files and Zscaler Client Connector.

ZCC further offers multiple tunneling options, including Tunnel 1.0, Tunnel with local proxy (TWLP), and Tunnel 2.0—each tailored to specific use cases and security requirements.

a. Proxy Auto-Configuration (PAC) Files

PAC files enable organizations to centrally control and distribute proxy settings to managed devices. By configuring endpoints to use PAC files, traffic can be routed through the ZTE, where it undergoes inspection and policy enforcement before reaching its destination.

A diagram of a service edge

Description automatically generated

When a user accesses a website or resource, their browser consults the PAC file to determine the suitable proxy server, following logic defined within the file. This selected proxy server, often a Zscaler enforcement node located in the cloud, acts as an intermediary, routing the HTTP or HTTPS traffic and enforcing security policies.

PAC files allow for dynamic updates, ensuring that traffic forwarding rules adapt to changes in network configuration or security policies in real time.

 

b. Zscaler Client Connector (ZCC)

ZCC serves as a lightweight client application installed on managed devices, facilitating secure connectivity to the ZTE.

A diagram of a network

Description automatically generated

When installed on a user’s device, for the ZIA use case, the user traffic is tunnelled directly to the nearest ZIA Service Edge for inspection (by default). ZCC uses geolocation information to find the closest ZIA Service Edge node and builds a lightweight Z-Tunnel to it.

The user traffic is then tunnelled to the ZIA Service Edge for inspection and policy enforcement. ZCC can also be set to disable itself temporarily when it detects that it is on a trusted network, or if a captive portal is blocking access to the internet.

ZCC offers multiple tunnelling options, each tailored to specific use cases and security requirements:

1. Tunnel 1.0: Tunnel 1.0 provides a secure tunnel between the client device and the ZTE, ensuring confidentiality and integrity of data in transit. This tunnelling option is well-suited for traditional remote access scenarios, offering robust security without compromising performance.

There are different Tunnel forwarding modes that can be selected within the Zscaler App Forwarding profile and are also dependent on the windows driver type, i.e., route-based or packet filter-based.

Z-tunnel 1.0 forwards traffic to the Zscaler cloud via connect requests—much like a traditional proxy it sends all proxy-aware traffic or port 80/443 under TCP, depending on the forwarding profile configuration. The forwarding profile also depends on OS driver type, i.e., route-based or packet filter-based.

With Tunnel 1.0 there are different tunnel forwarding modes that can be selected within ZCC. Also, it is a non-persistent tunnel—created on demand and for every new request a new tunnel is established.

2. Tunnel with Local Proxy (TWLP): TWLP leverages a proprietary protocol optimized for low-latency and high-performance connectivity. By encapsulating traffic at the transport layer, TWLP minimizes overhead and ensures efficient utilization of network resources, making it ideal for latency-sensitive applications and real-time communication.

3. Tunnel 2.0: Tunnel 2.0 has a tunnelling architecture that uses DTLS or TLS to send all endpoint traffic to the Zscaler cloud—regardless of port or protocols.

Tunnel 2.0 supports non-web traffic in addition to web traffic and offers enhanced features such as application-aware routing, per-app tunnelling, and advanced threat protection. By dynamically steering traffic based on application characteristics and security policies, Tunnel 2.0 optimizes performance and minimizes exposure to cyberthreats.

Forwarding Methods

 

So Which Traffic Forwarding Method Works Best For You?

Image

Tunnel 1.0

  • Suitable for forwarding standard web traffic securely
  • Enables transparent forwarding, even for non-proxy aware applications
  • Implements unified authentication, including non-SAML aware apps
  • Adapts to environments lacking a default route
  • Effectively secures TCP port 80/443 traffic
  • Compatible with firewall filter applications and other proxies

Consider TWLP or Tunnel 2.0 if:

  • Stream conversion is needed
  • You need to enforce inbound firewall rules
  • Higher visibility into non-web traffic and logs is required

 

Tunnel With Local Proxy (TWLP)

  • Efficiently forwards standard web traffic, including non-standard ports
  • Implements unified authentication, accommodating non-SAML aware apps
  • Supports environments without a default route
  • Seamlessly coexists with the default route VPN on macOS
  • Ensures security for all HTTP/HTTPS traffic, even on non-standard ports
  • Utilizes lightweight tunnels without stream conversions
  • Interoperates with VPN with minimal issues

Consider Tunnel 2.0 if:

  • More than traffic proxying is needed
  • Browser enhancement protection is required
  • Higher log visibility is needed

 

Tunnel 2.0

  • Efficiently forwards all standard web traffic, including non-standard ports
  • Enables transparent forwarding, even for non-proxy aware applications
  • Implements unified authentication, even for non-SAML aware apps
  • Manages client local IP policies, bypasses, exclusions, and inclusions
  • Adapts to environments without a default route
  • Ensures security for all IP unicast traffic
  • Employs tunnel encryption, validation, and integrity measures
  • Provides flexible include/exclude options
  • Establishes a real-time control channel for efficient management
  • Delivers excellent end-user visibility

 

PAC Forwarding

  • Lightly forwards all standard web traffic
  • Facilitates forwarding web traffic on non-standard ports
  • Supports environments without a default route
  • Serves as a lightweight proxy-only solution
  • Proxy settings enforced by client connector
  • Provides reasonable end-user visibility

Limitations

  • Limited to proxying traffic only
  • Requires user authentication in the browser
  • Log visibility may be limited

Closing Thoughts

Picking the right traffic forwarding method is like choosing the right dance partner for your network—you want someone who's nimble, flexible, and won't step on anyone's toes.

Whether it's prioritizing low-latency connections for real-time applications or optimizing bandwidth allocation to accommodate a diverse workforce, the chosen forwarding method directly impacts productivity and user experience.

Look at the Traffic Forwarding options available to you on our help portal. Our Best Practices guide helps you along the journey of deciding on the best traffic forwarding mechanism to use.

Ready to start a conversation? www.zscaler.com/company/contact

form submtited
Obrigado por ler

Esta postagem foi útil??

Receba as últimas atualizações do blog da Zscaler na sua caixa de entrada

Ao enviar o formulário, você concorda com nossa política de privacidade.