Understanding Components

To operate Genian ZTNA, various components are required. This chapter describes the role and installation location of each component.

Policy Server

The policy server is a central management system that stores all the data and settings of Genian ZTNA. The other components receive the configuration for their operation from the policy server, and then transmit the collected information. Typically, the policy server resides in the organization's data center and is installed on a physical server or virtual machine. The policy server may also be cloud hosted.

Another role of the policy server is to provide the administrator's management console through which all components are managed. You can view the collected information and establish your organization's security policies here.

Network Sensor

The network sensor is located in each network segment, monitors the network, detects nodes, collects information about them, and transmits it to the policy server.

The network sensor is connected to a regular network access port and does not require special settings such as port mirroring. However, when collecting information from several VLANs with one physical sensor, it should be configured as a trunk port through 802.1Q. In this case, a separate sensor node will be shown in the web console for each VLAN.

The network sensor monitors broadcast packets such as ARP or DHCP to detect that a new device is connected to the network. And it detects platform or acquires device information through various broadcast packets such as UPNP and NetBIOS.

Therefore, network sensors must be connected to every broadcast domain. If there are remote sites connected to the WAN, a separate network sensor is needed for each location. Other sensor deployments (Port Mirror (SPAN) , in-line) are supported, but do not provide all features. For more information see: Deployment Considerations

The network sensor functions mainly over a physical or emulated wired ethernet interface. The network sensor may be operated on the same system as the policy server or may be constituted by an independent system. Only one policy server is needed for all network sensors.

Wireless Sensor

The Wireless Sensor is a sub component of the network sensor. It monitors the radio signal through the wireless LAN network interface to detect the SSID and wireless clients around the sensor. This data is collected in real time around the clock, and logged on our policy server where it is cross referenced with node and user data. This allows for you to identify threats like rogue access points, connection issues like channel conflicts, and to keep detailed accounting of when and by whom your networks are being accessed.

The Wireless Sensor can be configured on the same system as the Network Sensor if a WLAN interface is present. The Wireless Sensor may also be configured on a separate device to better detect signals in different areas of the deployment site.

Wireless sensors may not be used depending on whether wireless related functions are used or not.

Note

Network Sensors installed onto a virtual machine typically will not have direct access to the wireless interface on the host hardware. As a result, a wireless sensor will not operate, even if the host machine uses a wireless network interface. Genian ZTNA will detect the hosts wireless interface as a wired sensor interface. In this case, an endpoint agent installed to a device with a wireless NIC can perform the functions of a wireless sensor. See: Controlling WLAN

Network Enforcer

The Network Enforcer is a sub-component of the network sensor that provides independent network access control for devices that violate an organization's policies. This makes it possible to isolate devices themselves without the help of existing network infrastructure. Like the network sensor itself, the Network Enforcer functions over a physical or emulated wired ethernet interface.

By enabling the Enforcer on the network sensor installed in each network segment, ARP-based Layer 2 Enforcement can be provided, which is the easiest way to provide network access control with network sensors without additional hardware.

Another Enforcer can be connected to the core switch with a SPAN Port (Mirroring) to terminate the session upon detection of unauthorized network access. This requires separate independent hardware capable of processing according to the amount of network traffic.

An Enforcer may be deployed as a ZTNA Gateway. With this option, the Enforcer is in-line with network traffic and only authorized traffic will be permitted. Both Cloud ZTNA Gateway and On-Prem ZTNA Gateway options are available.

See: Installing ZTNA Gateway

Agent

Agent is software installed in the user's desktop system. It periodically collects operating system, hardware, software and network related information and sends it to the policy server when a change is detected. It also provides desktop configuration management capabilities, making it easy to manage the required settings for your organization's security policies.

This is an optional component.

The agent provides its own security functions such as termination prevention and deletion prevention according to the administrator's setting.

Supported operating systems
Windows macOS
Windows XP (SP2) Apple OS X Mavericks
Windows Vista Apple OS X Yosemite
Windows 7 Apple OS X El Capitan
Windows 8 Apple macOS Sierra
Windows 8.1 Apple macOS High Sierra
Windows 10 Apple macOS Mojave

Updating Components

Genian Data

The Policy Server routinely updates CVE Information, Node Information, OS Update Information and Platform Information from the Genians Cloud.

Genian Software

Software Updates for the Policy Server, Network Sensor, and Agent can be downloaded and applied from the Genians Cloud in the System software section of the Web UI.

For Genians Cloud-managed subscribers, the Policy Server Software Updates are automatically installed.

For more configuration and update information, See: Deployment Considerations and Managing System Software