gateway deployment architecture

Ref: Sophos training, ZTNA pages 31 & 32

I am interested in community feedback about the two deployments mentioned in the training material:

page 31: direct internet connection on the gateway's external NIC --> I feel this should not be recommended as an architecture; the public-facing interface should be secured by firewall services (DDoS protection, allow only specific inbound ports).

page 32: gateway internal NIC --> for me, a minimum requirement would be to have this interface firewalled as well, allowing only requests from the gateway to internal services to pass (DNS, HTTP(S) to published web services, ...). Who else will protect your internal network in case the ZTNA gateway gets breached?

So to summarize, I would only recommend the following architecture:
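One way to express the two requirements above (only specific inbound ports reach the gateway from the outside, and only gateway-initiated DNS and HTTP(S) reach internal services) is a three-legged edge firewall with the ZTNA gateway in its own segment. The nftables ruleset below is an added example, not taken from the post, the training material or the Sophos product; the interface names, addresses, the gateway's listening port and the rate limit are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: edge firewall with three legs - WAN, a DMZ holding the ZTNA
# gateway, and the internal LAN. All names and addresses below are assumed.
define wan_if  = "eth0"                         # external NIC (assumed)
define dmz_if  = "eth1"                         # segment holding the ZTNA gateway (assumed)
define lan_if  = "eth2"                         # internal services (assumed)
define ztna_gw = 10.0.10.5                      # ZTNA gateway address (assumed)
define gw_port = 443                            # port clients connect to on the gateway (assumed)
define int_dns = { 10.0.20.53 }                 # internal resolvers (assumed)
define int_web = { 10.0.30.10, 10.0.30.11 }     # published internal web services (assumed)

flush ruleset

table inet edge {
    chain forward {
        # Default deny: nothing crosses between legs unless listed below
        type filter hook forward priority filter; policy drop;

        # Replies for connections that were already permitted
        ct state established,related accept
        ct state invalid drop

        # External NIC (page 31 concern): only new connections to the gateway's
        # published port. A SYN rate limit is coarse flood control only; real
        # DDoS scrubbing belongs upstream, this just keeps the gateway from
        # being trivially swamped.
        iifname $wan_if oifname $dmz_if ip daddr $ztna_gw tcp dport $gw_port \
            tcp flags syn limit rate over 50/second burst 100 packets drop
        iifname $wan_if oifname $dmz_if ip daddr $ztna_gw tcp dport $gw_port \
            ct state new accept

        # Internal NIC (page 32 concern): only the gateway itself may initiate,
        # and only towards the services it actually needs
        iifname $dmz_if oifname $lan_if ip saddr $ztna_gw ip daddr $int_dns \
            meta l4proto { tcp, udp } th dport 53 ct state new accept
        iifname $dmz_if oifname $lan_if ip saddr $ztna_gw ip daddr $int_web \
            tcp dport { 80, 443 } ct state new accept

        # Anything else leaving the DMZ is what a breached gateway would try;
        # log it (rate limited) before the policy drops it, so it shows up in SIEM
        iifname $dmz_if log prefix "ztna-dmz-denied: " limit rate 10/minute
    }
}
```

Load it with `nft -f <file>` and review the result with `nft list ruleset`. The useful property is the logged drop rule at the end: under normal operation it should stay silent, so any "ztna-dmz-denied" entry is a concrete alert condition for the gateway attempting connections it was never supposed to make.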

  • Thanks for your feedback.

    It's about the concept and the architecture. In ZTNA concepts, there is something called SPA (Single Packet Authentication). This will make the ZTNA GW invisible to scanners and other techniques, as it only answers to a particular interface. It's not in the product in the EAP, but something important for the future to know.

    The concept on page 31 is more likely meant to be used in cloud technologies, I guess. In cloud technologies, it's much easier to attach a public IP to a ZTNA GW (any resource). To give the ZTNA GW an on-premise IP, you have to bridge it to the ISP bridge. Most customers won't do this.