川原 惇平
In recent years, the spread of telework and the growing use of public clouds have made it difficult for traditional perimeter-based security models, which separate an internal network from the outside, to provide sufficient protection. The perimeter model built on conventional VPNs (Virtual Private Networks) has two problems: once a user is authenticated, the VPN grants broad access to the internal network, and an attack on the VPN device itself directly exposes the network behind it. Against this backdrop, Zero Trust Network Access (ZTNA), based on the Zero Trust principle that no communication is trusted regardless of whether it originates inside or outside the perimeter, is gaining attention. ZTNA separates the Policy Enforcement Point (PEP), which controls communication, from the Policy Decision Point (PDP), which decides whether to authorize it, and verifies the legitimacy of every individual communication session. This enables least-privilege access, in which users are dynamically granted only the minimum rights needed for a specific application or resource, and thereby resolves the VPN problems above.

However, because ZTNA queries the authorization server for every communication, it faces challenges in large-scale network environments: the processing load of access control grows, and the increasing number of queries adds communication delay. Discussion of ZTNA to date has focused mainly on its concept and security model, and evaluation from a network performance perspective has been insufficient.

This study builds a ZTNA verification environment on the network emulator Mininet and evaluates its network performance. Specifically, in a configuration that uses Envoy Proxy for the data plane and Open Policy Agent (OPA) as the authorization engine, we take the following two points as the primary evaluation parameters. First, we measure how the network distance (communication latency) between the PEP and the PDP affects the round-trip time (RTT) of packets during the authorization process. Second, we measure how throughput and system load change as the number of concurrent authorization requests (sessions) increases. Through this study, we aim to clarify the scalability challenges of deploying ZTNA and to gain insights for practical network design.
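As an added example, not taken from the paper, the following is a minimal Envoy configuration for the PEP role described above: every HTTP request is sent to an OPA PDP over the ext_authz gRPC API before it is routed to the protected application, so the PEP-to-PDP latency is paid on every request. The addresses 10.0.0.2:9191 (OPA running its Envoy plugin) and 10.0.0.3:8080 (the protected application) are assumed placeholders for Mininet hosts.

```yaml
static_resources:
  listeners:
  - name: pep_listener
    address:
      socket_address: { address: 0.0.0.0, port_value: 8000 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          http_filters:
          # PEP: every request is checked against the PDP before routing.
          - name: envoy.filters.http.ext_authz
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
              transport_api_version: V3
              grpc_service:
                google_grpc:
                  # Assumed address of the OPA PDP (opa-envoy-plugin gRPC port).
                  target_uri: "10.0.0.2:9191"
                  stat_prefix: ext_authz
                # Upper bound on the latency a slow or distant PDP can add
                # to one request; a timeout counts as a failed check.
                timeout: 0.5s
              # Fail closed: if the PDP is unreachable or times out, deny
              # rather than let the request through unchecked.
              failure_mode_allow: false
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: app_backend }
  clusters:
  # Assumed address of the protected application behind the PEP.
  - name: app_backend
    type: STATIC
    load_assignment:
      cluster_name: app_backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 10.0.0.3, port_value: 8080 }
```

With this setup, adding delay on the Mininet link between the PEP host and 10.0.0.2 changes the ext_authz round trip directly, which is what the first evaluation parameter measures; the `timeout` value caps how much of that delay a single request may absorb before being denied.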
