Agentless ZTNA may seem appealing, but despite its advantages in deployment, management, and training it has significant limitations. An administrator responsible for both security and user experience needs to understand these trade-offs when deciding whether an agentless method is appropriate for staff members or external parties.
Four Limitations of Agentless ZTNA
1. Restrictions on App and Resource Usage
The first limitation to consider is whether you can accept restrictions on which applications and resources can be used. Some resources are a natural fit for agentless or browser-based connectivity.
Internal web applications are a prime example. However, more interactive web applications may not work well on smaller form-factor devices such as mobile phones or tablets. The agentless delivery method, which reformats application content for the browser, may also degrade the performance of web applications that rely on Java applets or other older technologies. Other resources such as RDP or VNC may be practically unusable on phones or tablets, where input is limited to browser-based on-screen keyboards or similar methods.
2. Limitations of Browser-Based Solutions
Browser-based solutions also limit what the user can do. Thick (native) client applications on the end-user device cannot be used, because they cannot communicate with the back end through the web browser. Mapping local drives to remote data stores is likewise not possible when the only connection runs through a browser.
While multiple monitors are common on a physical workstation, most agentless solutions cannot support them. The result is an unproductive set of limits on the end user's work environment and productivity.
3. Device Identity and Device Posture Assessments
The next limitation to consider is limited or unavailable device identity and device posture assessment. Because agentless methods work through the browser, the only system information available to report is the source IP address and the user-agent string. This fails any reasonable expectation of non-repudiation, since both pieces of information can be easily faked by an average user.
The source IP can be changed by using a browser such as Tor or a VPN service to hide the real location. Geolocation based on IP addresses is often wrong, since some organizations, such as hotels, centralize their traffic for inspection purposes.
Furthermore, user-agent strings can be easily modified with a browser's built-in developer tools. Either method can be used to bypass security policies that depend on these values. Beyond the limited posture assessment itself, most agentless methods offer no quick fix once an issue is discovered that brings a device out of compliance, which may result in more calls to the IT helpdesk.
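As an added illustration (not Banyan Security's code or policy model), the following minimal policy evaluator shows how a ZTNA policy engine should weigh these signals: browser-observable IP and user-agent are treated as hints only and unlock just a low-assurance tier, while an attested device identity and posture report, assumed here to arrive from an agent as a registered certificate fingerprint plus a posture dictionary, unlock more or trigger remediation. The device registry, posture checks and requests are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample registry (placeholder fingerprints, not real values): a device
# certificate fingerprint maps to the user it was enrolled for. With an agent the
# fingerprint comes from mTLS; a browser-only session has nothing equivalent to present.
REGISTERED_DEVICES = {"sha256:PLACEHOLDER-ALICE-LAPTOP": "alice"}

# Posture checks an installed agent can attest to; none are visible from a browser.
REQUIRED_POSTURE = ("disk_encrypted", "os_patched", "edr_running")


@dataclass
class AccessRequest:
    user: str
    source_ip: str              # effectively self-reported: VPN, Tor or hotel NAT change it
    user_agent: str             # trivially editable in browser developer tools
    device_fingerprint: Optional[str] = None   # present only when an agent / mTLS is used
    posture: Optional[dict] = None             # agent-reported posture report


def evaluate(req: AccessRequest) -> dict:
    """Return an access tier plus reasons. IP and user-agent are used as hints
    for logging and user experience, never as proof of identity or posture."""
    reasons = []
    if "Mobile" in req.user_agent:
        reasons.append("mobile user-agent: expect RDP/VNC to be impractical in-browser")
    if req.device_fingerprint is None:
        reasons.append("no attested device identity; only browser-observable signals")
        return {"tier": "web-only", "resources": ["internal-web"], "reasons": reasons}
    if REGISTERED_DEVICES.get(req.device_fingerprint) != req.user:
        reasons.append("device certificate is not enrolled to this user")
        return {"tier": "deny", "resources": [], "reasons": reasons}
    missing = [c for c in REQUIRED_POSTURE if not (req.posture or {}).get(c)]
    if missing:
        # With an agent, the fix can be pushed to the device instead of raising a helpdesk call.
        reasons.append("posture failed: " + ", ".join(missing))
        return {"tier": "quarantine", "resources": ["remediation-portal"],
                "reasons": reasons, "remediate": missing}
    return {"tier": "full", "resources": ["internal-web", "rdp", "ssh", "file-shares"],
            "reasons": reasons}
```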
4. Scale and Performance Limitations
Finally, most agentless methods have scale and performance limitations, because they are typically built around HTML5 rendering of RDP and SSH sessions. This HTML5 rendering, sometimes called brokering, is often done with open-source software such as Guacamole.
These solutions require large amounts of memory and CPU to be allocated to their virtual machines and typically do not scale linearly, so more users require more virtual instances. Users then have to be load-balanced across those instances, which adds yet another layer of appliances to deploy and manage.
Each user's activity and bandwidth use also directly affects the scale and performance experienced by everyone else. For example, resource-intensive functionality such as video and audio rendering reduces performance greatly. 4K displays are now common, and many of these systems cannot handle many users at that resolution.
The Importance of Flexible Options
As with many things, having flexible options is ideal. A ZTNA vendor that offers both client and clientless options, along with clientless workflows, lets you take advantage of the benefits of both: you can choose a solution based on the device, the devices connected, and the user type, and you can run these solutions at scale.
Visit the product editions section to learn more about Banyan Security’s flexible feature set.