
Impressed with the latest security features (Shield needs work)

  • By Financial Services
  • on 03/24/2025

What do you like best about the product?
All in all, lately there have been quite a few improvements (beta features), especially around security. As a customer, it gives a lot of confidence that the service is being actively improved.

Specific features I really like:
- Location Context. If you only operate from certain countries, this is a quick no-brainer to turn on. You can customise with access groups to further limit (e.g., all your devs are based in the UK, whilst the sales team is based in the US).
- Device Posture. It's easy to create policies like "only allow Windows 11+, with Defender, and Full Disk Encryption" to connect to the VPN or to specific subnets.
- "Device Verification with Learn and Enforce" + "Device allowances number" + "device posture" makes sure that only the devices you want are allowed on the VPN.
- "DNS Logs" paired with "Log Streaming" is great for forwarding VPN logs to a centralized SIEM for alerting and investigations.
- It integrates well with Google as the IdP with SAML. Also, the mapping of IdP groups to OpenVPN Groups, which you can then use to restrict access to specific subnets (e.g., members of devs@company.com have access to subnets X & Z, whilst members of admins@company.com can access subnets X, Z, & Y).
- Shield, which does some filtering even with split tunneling turned on. More on improvements later.
- Good how-to guides and great & prompt support from the engineers!

What do you dislike about the product?
At the moment, "Shield" seems to be targeting metrics more than security. Domains and traffic only show aggregated data, useful for stats and trends, but it lacks the granularity that would make it useful during an incident response.

For example: Shield > Overview > Blocked traffic: only shows the category "Vulnerability/Exploits" and, when double-clicked, it shows the device name (useful), a percentage (useful for stats but not for investigations), a count (marginally useful for investigations as you can determine how many users hit it), but the most important aspects are missing: which domain was being resolved and when it was visited (or resolved). I'd like better visibility of which specific domains each user/device has visited, with timestamps, which would greatly help incident responses. Ideally, you would have:

{
timestamp (currently missing),
domain (currently missing),
reason for blocking/flagging/severity/class (present but needs improvements),
device_id (present),
user_id (present)
}

And I'd love those entries to then be forwardable to an external SIEM via the Log Forwarding.

What problems is the product solving and how is that benefiting you?
It's a VPN, so it grants users remote access to (cloud) infra. It's easy to deploy, seems to consistently improve its security features, offers great (human!) support, and it's quite cost-effective.
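The review contrasts the aggregated per-device count/percentage that Shield shows today with the per-event record (timestamp, domain, reason, device_id, user_id) an incident responder needs. The following is an added example, not code from the review or from the vendor: it constructs DNS block-log lines in the wished-for shape (all sample data, device ids, domains and the `source` tag are made up), rejects records that lack timestamp or domain, and builds both views side by side so the difference is concrete, plus a flattened JSON line of the kind that could be handed to a log-forwarding pipeline.

```python
"""Per-event DNS block records versus aggregated counts.

Added example, not code from the review or from the vendor. It constructs
DNS block-log records in the shape the review asks for (timestamp, domain,
reason, device_id, user_id), validates them, and builds two views: the
aggregated per-device count/percentage the review says the dashboard shows
today, and the per-device timeline an incident responder actually needs.
All log lines below are made up.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime

REQUIRED_FIELDS = ("timestamp", "domain", "reason", "device_id", "user_id")

# Constructed sample records. The last one lacks timestamp and domain, which
# is the gap the review describes in today's Shield data.
RAW_LINES = [
    '{"timestamp": "2025-03-24T09:12:03Z", "domain": "cdn-a.example.test", "reason": "Vulnerability/Exploits", "device_id": "dev-0142", "user_id": "alice@company.test"}',
    '{"timestamp": "2025-03-24T09:12:41Z", "domain": "cdn-a.example.test", "reason": "Vulnerability/Exploits", "device_id": "dev-0142", "user_id": "alice@company.test"}',
    '{"timestamp": "2025-03-24T10:05:17Z", "domain": "tracker.example.test", "reason": "Vulnerability/Exploits", "device_id": "dev-0207", "user_id": "bob@company.test"}',
    '{"timestamp": "2025-03-24T11:48:59Z", "domain": "cdn-b.example.test", "reason": "Vulnerability/Exploits", "device_id": "dev-0142", "user_id": "alice@company.test"}',
    '{"reason": "Vulnerability/Exploits", "device_id": "dev-0311", "user_id": "carol@company.test"}',
]


def missing_fields(record):
    """Return the required fields a record does not carry, in schema order."""
    return [f for f in REQUIRED_FIELDS if f not in record]


def parse_events(lines):
    """Parse JSON lines; keep complete records, collect incomplete ones separately."""
    events, rejected = [], []
    for line in lines:
        rec = json.loads(line)
        gaps = missing_fields(rec)
        if gaps:
            # A record without time or domain can feed a counter but not an investigation.
            rejected.append((rec.get("device_id"), gaps))
            continue
        rec["ts"] = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events, rejected


def aggregated_view(events):
    """Per category: device -> (count, percentage). Stats only; no domains, no times."""
    by_cat = defaultdict(Counter)
    for e in events:
        by_cat[e["reason"]][e["device_id"]] += 1
    view = {}
    for cat, counter in by_cat.items():
        total = sum(counter.values())
        view[cat] = {dev: (n, round(100.0 * n / total, 1)) for dev, n in counter.items()}
    return view


def device_timeline(events, device_id):
    """What IR needs: which domains one device hit, when, in order."""
    hits = [e for e in events if e["device_id"] == device_id]
    hits.sort(key=lambda e: e["ts"])
    return [(e["timestamp"], e["domain"], e["reason"]) for e in hits]


def to_siem_line(event):
    """Flatten one event into a single JSON line suitable for log forwarding."""
    out = {k: event[k] for k in REQUIRED_FIELDS}
    out["source"] = "vpn-dns-filter"  # constructed tag so a SIEM can route the stream
    return json.dumps(out, sort_keys=True)


if __name__ == "__main__":
    evs, bad = parse_events(RAW_LINES)
    print(aggregated_view(evs))
    print(device_timeline(evs, "dev-0142"))
    print("rejected:", bad)
    for e in evs:
        print(to_siem_line(e))
```

The aggregated view reproduces what the review describes (device, count, share of the category) and is enough for a trend chart; only `device_timeline` answers the questions raised during a response, and it only works because the records carry the two fields the review says are missing.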