
Problems with internet tech fads and tech youtubers.

JovanD
6 minutes ago, The_russian said:

Increase in temps increases performance? Man I've been going about this all wrong! 🤣

 

Ah lel cut me some slack, trying to forum while playing BeamNG is not a good idea

Quote me to see my reply!

SPECS:

CPU: Ryzen 7 3700X Motherboard: MSI B450-A Pro Max RAM: 32GB I forget GPU: MSI Vega 56 Storage: 256GB NVMe boot, 512GB Samsung 850 Pro, 1TB WD Blue SSD, 1TB WD Blue HDD PSU: Inwin P85 850w Case: Fractal Design Define C Cooling: Stock for CPU, be quiet! case fans, Morpheus Vega w/ be quiet! Pure Wings 2 for GPU Monitor: 3x Thinkvision P24Q on a Steelcase Eyesite triple monitor stand Mouse: Logitech MX Master 3 Keyboard: Focus FK-9000 (heavily modded) Mousepad: Aliexpress cat special Headphones:  Sennheiser HD598SE and Sony Linkbuds

 

🏳️‍🌈


3 minutes ago, comander said:

I could see a NEED for a VPN if you're the person setting up the network or if you're trying to do some sort of mass migration of data... but scenario crafting like this gets out of my scope of knowledge. 

 

In my use case, it's a matter of needing full access to about 900+ various customer servers with administrator permissions. It's not a typical user workload as it's infrastructure config and maintenance, which includes taking down servers to perform routine security maintenance. 

 

I can easily see ZTN taking over from VPN for general end users, but for the people in big IT companies that are responsible for maintaining and configuring customer systems and require admin access to most of it including servers and hypervisors, I can't see how ZTN can take over from VPNs, though maybe I'm just used to the type of work I do and don't see the general end user stuff that the non-IT departments do. 

 

Still, to me it sounds like ZTNs don't really replace VPNs, other than end user to network access. I'm seeing constant mentioning of ZTNA being used for access to apps, but it doesn't mention anything about access to the root operating system or physical system iLO interfaces etc. which is an everyday part of my job. Maybe I'm just not in a position where it's applicable to my workload. I'll read up more on it though.


1 hour ago, JovanD said:

Now sure maybe 10% of people will get special case and modular power cables that work properly, but the other 90% are not doing themselves any favors with their oem cases and chinesium power supplies.

You don't need a special PSU or case to properly cable manage a case. And it helps improve airflow in the case. Even some of the cheapest cases have a 'bulge' on the side panel that will cover the cables that are to be routed through that area. Personally, with a non modular power supply and a 20-25$ case, I had no issue doing a little cable management without putting stress on the cables, just routed them through the back, tied them together in places with zip ties and placed the panel back on, no harsh force required or bending cables past what I feel comfortable doing.

 

Additionally the 90% of people with 'chinesium' power supplies are more like less than 10%, since those kind of power supplies either die on their own, or die and take components along with them to the grave.


13 minutes ago, AndreiArgeanu said:

You don't need a special PSU or case to properly cable manage a case. And it helps improve airflow in the case. Even some of the cheapest cases have a 'bulge' on the side panel that will cover the cables that are to be routed through that area. Personally, with a non modular power supply and a 20-25$ case, I had no issue doing a little cable management without putting stress on the cables, just routed them through the back, tied them together in places with zip ties and placed the panel back on, no harsh force required or bending cables past what I feel comfortable doing.

So true!!

(This case is from early-mid 2000s, no back panel access)


Some time and effort took it a long way. And the temps were like 1c better.

I could use some help with this!

please, pm me if you would like to contribute to my gpu bios database (includes overclocking bios, stock bios, and upgrades to gpus via modding)

Bios database

My beautiful, but not that powerful, main PC:

prior build:

Spoiler

 

 


I am leaving this Tom Scott video here:

 

 

“Remember to look up at the stars and not down at your feet. Try to make sense of what you see and wonder about what makes the universe exist. Be curious. And however difficult life may seem, there is always something you can do and succeed at. 
It matters that you don't just give up.”

-Stephen Hawking


So most of the stuff here is not what tech-tubers "promote". Most of what you are listing are things that are more frequent in videos, what people see as "cool" and don't really research or listen beyond that point. Some are just pure marketing also.

 

Quote

"Liquid Metal Thermal Compound"

I have not seen or heard any popular tech-tuber promoting liquid metal. It has been tested, it has been noted to be good in some applications (and at this point general consumer goes "COOL!" and shuts their ears, calling it COOL-point from now on) and not something you want to run 24/7. I think Jay had one of his "fixing viewers PC" videos just about the danger of prolonged use of liquid metal.

 

Quote

"Gamer Chairs"

So this has roots way beyond tech-tubers getting sponsorships. The chairs are based on racing chairs, or rather actual racing seats used by sim-racers. That's a big enough group willing to spend big-enough cash for some company to offer solutions that could work as office chairs too. Long story short, as you say, they were cheap-ish chairs offering nice colors and materials for half the price of what a similar office chair would cost. So ofc seeing those chairs used by your favorite streamers means COOL-point is activated. And after these chairs got more popular, they are then sent to tech-tubers for reviews. Not all of them are bad, but the good ones are closing in with price range of the actual office chairs (like mine which was €700 USED!).

 

Quote

Can you guys think of any other stuff to add to the list?

 

RGB

RGB and modding in general has long roots too. But since modding takes time and skills, brands offering easier ways to customize and "show-off" your build meant that after few gaming related peripherals were sold mostly on RGB factor, just adding RGB to anything was going to sell. No matter what quality or functionality. COOL-point achieved easily. We are still years away from RGB controls or connectors for internal stuff being standardized.

 

For me having lights is always functionality first type of thing. In keyboard they are just to help me locate keys I use rarely. On mouse they only show which profile I have active. Rest are power LEDs. So seeing those SC2 themed peripherals with RGB didn't have COOL-effect on me.

 

Tempered glass, PSU shroud and other case things

This could be attributed to tech tubers. Showing off full custom loop builds with RGB and big glass panes. Need I say more? COOL-point activated before people even think about downsides. Which for most part are airflow, and cases being made-for-purpose. Now, this is mainly something I have noticed in Air Cooling section where we talk about airflow (negative and positive pressure are one myth too). People come with the sleek cases, big glass panels and 0 airflow and then start to ask how to make things better. They come with small stock coolers in big cases meant for custom loops.

 

Overclocking

Ok, so. This problem has roots way back. It's currently used as buzzword (until lately!). The problem is that tech-tubers seem to think their audience checks things, doesn't follow anything word-by-word or are veterans in field. But when you say "more performance for free", the COOL-point gets instantly activated and people don't think beyond that. Which means that this buzzword has caused so much confusion, misunderstandings etc. that it's not funny anymore.

 

Prices

This last part is not entirely tech-tubers' fault. It's consumer culture in general. Not talking about scalping here, since it's not the cause, it's the result. The cause is general consumers allowing hype to affect them. The hardware prices have gone up in 10+ years I've bought hardware myself (or rather I'm aware of what things cost). Same goes with game prices. Midrange GPU I last bought retail in 2012 cost €250. Even before the current crisis, it had doubled in price. Now people are willing to pay even more at retail prices. Which leads to point where kids coming to scene aren't asking for gaming PCs for $1000 which was the common price point (or $700-1000) when forum was created, but $2000 because they think that's what they need to click heads in pixel worlds.

 

***

PS. Comments promoting or justifying piracy were removed. I don't think they are relevant for this topic, and promoting piracy in general is frowned upon.

^^^^ That's my post ^^^^
<-- This is me --- That's your scrollbar -->
vvvv Who's there? vvvv


14 hours ago, HelpfulTechWizard said:

makes something look good. also, it will improve temps over just a jumble all over.

he's making some good points, this one is definitely debatable, there are pros and cons, what it generally doesn't do is influence temps in any noticeable way (unless it's blocking a fan from moving) 

 

And all the cable extensions and risers make a pc unnecessarily more expensive, and in many cases function worse for obvious reasons.

 

I'm not totally opposed to it, I do it too, I have a small case, I don't want cables dangling around in my fans, but I definitely see the downsides to it as well. 

 

13 hours ago, comander said:

These days I go for "good enough" when it comes to aesthetics and "pretty good" when it comes to accessibility. Everything needs to be easy to get to. 

this is honestly why I'm planning on getting a bigger case (only slightly) because my current case is not only small, some things, like the psu, are just very difficult to reach due to not well thought out design. 

 

14 hours ago, HelpfulTechWizard said:

Ohno! people cant want to have their data private!!!! 

I've never used a vpn - I would under certain circumstances, but generally I don't see a need for it and I think it's generally not safe, ironically, I rather have my isp have my data than some unknown 3rd party with unknown motives that may just disappear at any point. 🤷🏼

 

 

14 hours ago, JovanD said:

Not to be confused with actual cable management

really the only good reason is not having the cables touch the fans, which in some cases (lol) makes cable management a necessity. 

 

 

14 hours ago, JovanD said:

maybe 10% of people will get special case and modular power cables that work properly,

I'd say most 'enthusiast' builds use modular psu, so while the 10% maybe is right overall, the percentage in the target audience of those videos is probably much higher. 

 

Also personally I think fully modular PSUs are stupid and make it actually harder to build because you'd need at least the main power cable anyway, I see the use case for those as well though (use of custom cables) 

 

 

Generally you made a good list I mostly agree with. 

The direction tells you... the direction

-Scott Manley, 2021

 

Softwares used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer

 

 

 


13 hours ago, The_russian said:

which as far as I can tell would achieve the same thing for your use case. If I misunderstand how DoH works, feel free to correct me

I'm not too sure about this, but I suspect although it would certainly make it harder to see what site you visit, it doesn't make it impossible.

 

An example;

 

I try to connect to linustechtips.com and I use some encrypted DNS service; they won't be able to see the query because it's encrypted, therefore they won't be able to see the domain name I'm trying to connect to. However, once I have received the correct IP address of linustechtips.com from the DNS server, I will then use this IP to connect to the site. If someone's listening in, they could still see the destination address of the packets I send.

 

Then they could figure out what site that IP address is by doing a reverse DNS lookup or simply trying to connect to that same IP address themselves and seeing what site pops up.

 

So it makes it harder for sure, because the domain name is no longer in the open, but it can still be done.


Quote

"Cable Management"


This actually is very important. Not only for aesthetic reasons, but also for airflow, and preventing dust from reigning in the computer. For example, my PC gained a lot of dust when it did not have cable management. But after I rerouted the cables to the back, the dust production was significantly reduced.

 

Quote

"Gamer Chairs"

People are waking up around this lately so i don't have to explain it in deep, they are expensive, ugly and just bad as chairs.

 
I agree with this one though. "Gamer chairs" are just cheap seats from Pep Boys with wheels put into them. They aren't really comfortable, and most of the time it is mostly for the looks instead of the comfort.

 

 

15 hours ago, JovanD said:


"PCIe Extenders"

PCI interface is very complex and operates in high frequencies, it's designed for specific trace length. Going out of spec for "aesthetics" is just bad.


That depends on the quality of the PCIe riser cable. And even then, the performance sacrifices are not that significant to actually be considered a limiting factor.

 

 

15 hours ago, JovanD said:

"Liquid Metal Thermal Compound"

Brand may say "Polar bear Fr000z0r 3000" but it's just Gallium, while not toxic to us it is reactive when in contact with other metals, some reactions are slower than others, just google gallium vs aluminum. While applied properly it can yield good results, but one accidental spill and IT WILL ruin your graphics card or motherboard if it touches any of the solder joints even for a split second.


Those are designed for enthusiasts who overclock and know how to put thermal paste safely. 

 

 

15 hours ago, JovanD said:

"Using VPN"

Seriously what the hell, I'm losing faith in humanity. Unless content you want to access is geoblocked or you want to dodge a ban, there is absolutely no reason to use a vpn PERIOD. Any other point youtubers are paid to read is nonsense, you're just paying to add latency to your connection for no good reason what is wrong with people for christ's sake. Also SoftEther VPN Gate is free and open source, no need to pay any subscriptions. Only reason there are so many VPN companies is because gcloud (and i assume most other cloud services) don't charge for bandwidth usage.


Quality of VPN speeds varies, as some services are fast enough to be usable, and some have latency. They also can be helpful if the country you're traveling to has internet censorship of some form too. Remember when Turkey banned Wikipedia? People in Turkey used VPNs to access Wikipedia when it was blocked. They're effective tools to access the entire internet if the country you're visiting to has some websites blocked.

I edit my posts quite often, please refresh your browser if you can.


Specs :
OS : Windows 11 Pro 
CPU : AMD Ryzen 5 4600G
RAM : 16GB 3200MHZ CL16 RAM

GPU : ASRock Challenger RX 6600
Display : Acer KA242Y
Mainboard : GIGABYTE B450M DS3H WIFI
Storage : 2TB Seagate Barracuda HDD
                240GB ADATA SU650NS38


14 hours ago, comander said:

I'm going to preface this with - I know enough networking to be considered a guru by normal people and to be considered a novice by the network engineers I used to sit next to... 

https://www.techradar.com/news/businesses-are-replacing-vpns-with-zero-trust-network-access

 

The general idea is that you NEVER let people in. With ZTN you're giving individual users as little access as possible. 

 

For 95% of office workers... a protected "cloud drive" (MS One Cloud, Google Drive, Dropbox, etc.) with additional protections check the box. Even if you're writing production code... it's a bunch of text. Some other service can scoop it up and integrate it into the stack. This conceptually scales... finance systems work with it... HR systems work... the scenario of someone VPNing in with an infected system and then infecting servers is BAD. Keeping people out of the network is better than wide open access, which is what VPNs do.

 

I could see a NEED for a VPN if you're the person setting up the network or if you're trying to do some sort of mass migration of data... but scenario crafting like this gets out of my scope of knowledge. 

 

It seems like you have read one or two sponsored blog posts and now are making very wild assumptions about VPNs and stuff. 

VPNs are not outdated. VPNs are necessary. VPN and ZTNA are not mutually exclusive.

I kind of agree with OP that the VPN services that Youtubers and other influencers often shill are mostly a waste of money however.

 

 

  

1 hour ago, akio123008 said:

I'm not too sure about this, but I suspect although it would certainly make it harder to see what site you visit, it doesn't make it impossible.

 

An example;

 

I try to connect to linustechtips.com and I use some encrypted DNS service; they won't be able to see the query because it's encrypted, therefore they won't be able to see the domain name I'm trying to connect to. However, once I have received the correct IP address of linustechtips.com from the DNS server, I will then use this IP to connect to the site. If someone's listening in, they could still see the destination address of the packets I send.

 

Then they could figure out what site that IP address is by doing a reverse DNS lookup or simply trying to connect to that same IP address themselves and seeing what site pops up.

 

So it makes it harder for sure, because the domain name is no longer in the open, but it can still be done.

In the case of LTT, it is hosted by Cloudflare so you can't just do a reverse DNS lookup.

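The argument in the two posts above (encrypted DNS hides the query, the destination address stays visible, and a shared CDN address no longer points at one site) can be modelled as a small simulation. This is an added example, not code from any poster; every hostname, address and the hosting table are constructed, and only the destination address of the site connection is modelled.

```python
from dataclasses import dataclass

# Constructed hosting data: which site answers on which address.
# 192.0.2.10 serves a single site; 203.0.113.5 is a shared CDN edge.
HOSTING = {
    "blog.example": "192.0.2.10",
    "forum.example": "203.0.113.5",
    "shop.example": "203.0.113.5",
    "news.example": "203.0.113.5",
}
RESOLVER_IP = "198.51.100.53"  # constructed DNS resolver address


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int
    readable: str  # what is legible on the wire; "" when encrypted


def client_traffic(hostname, encrypted_dns):
    """Packets a client sends to resolve a name and open an HTTPS connection."""
    if encrypted_dns:
        lookup = Packet(RESOLVER_IP, 443, "")               # DoH: query inside TLS
    else:
        lookup = Packet(RESOLVER_IP, 53, f"A? {hostname}")  # plain DNS
    # Assumption: only the destination address is modelled for the site
    # connection; other handshake metadata is out of scope here.
    return [lookup, Packet(HOSTING[hostname], 443, "")]


def sites_on(ip):
    """Every site sharing this address (what probing the IP could reveal)."""
    return sorted(name for name, addr in HOSTING.items() if addr == ip)


def observer_view(packets):
    """What a passive on-path observer can conclude from one session."""
    for p in packets:
        if p.dst_port == 53 and p.readable.startswith("A? "):
            name = p.readable[3:]
            return {"basis": "dns-query", "candidates": [name], "certain": True}
    # No readable query: fall back to the destination addresses.
    candidates = []
    for p in packets:
        if p.dst_ip != RESOLVER_IP:
            candidates.extend(sites_on(p.dst_ip))
    candidates = sorted(set(candidates))
    return {"basis": "dst-ip", "candidates": candidates,
            "certain": len(candidates) == 1}


if __name__ == "__main__":
    for host in ("blog.example", "forum.example"):
        for doh in (False, True):
            view = observer_view(client_traffic(host, doh))
            print(f"{host:14} encrypted_dns={doh!s:5} -> {view}")
```

With encrypted DNS the dedicated address still identifies its one site, while the shared address only narrows the visit to the set of sites behind it.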

Yesh, what a bad topic lol

 

These things aren't fads for tech or youtubers, they're tech tips for performance and cool aesthetics.

 

"Cable Management"

 

Your example reeks of user error and laziness. Haven't you actually seen how youtubers like Linus do cable management? They aren't simply shoving the cables to the back like a rats nest with the back cover shoved back on to the point that it bends. 

 

Proper cable management requires effort to neatly roll and zip tie the cables so they fit.

"PCIe Extenders"

 

Don't get some Chinese cheapest option and you'll be fine. No one ever complains that an extender messes with their specs anyway.

 

"Liquid Metal Thermal Compound"

 

Again, just be careful to avoid user error. Linus already made a video comparing liquid metal with standard thermal pastes which gives superior results.

 

"Gamer Chairs"

 

On average they cost around $150, that's pretty average for what they really are, an office chair just with some color.

 

"Using VPN"

 

To a very casual person with not much at risk, then yeah a VPN to you would only mean defeating bans and geo-restrictions lol

Phone 1 (Daily Driver): Samsung Galaxy Z Fold2 5G

Phone 2 (Work): Samsung Galaxy S21 Ultra 5G 256gb

Laptop 1 (Production): 16" MBP2019, i7, 5500M, 32GB DDR4, 2TB SSD

Laptop 2 (Gaming): Toshiba Qosmio X875, i7 3630QM, GTX 670M, 16GB DDR3


15 hours ago, comander said:

I will admit I am not an infosec person. I know enough to be dangerous and I can parrot off a few points my previous manager touched on... which is largely what I'm doing. I'm taking his word at face value. 

Making bold claims because you heard someone else make them without understanding why is often a bad idea.

You might misinterpret what that someone else said, or maybe that person is wrong and you end up spreading misinformation.

I am not saying that's what is happening here but that's general advice. Don't parrot things you heard someone else say if you yourself don't have a deep understanding about the subject.

 

15 hours ago, comander said:

The work laptop that I'm typing this on does not have a VPN. I'm able to push code to prod and to the extent of my understanding the entire system is architected (and there's a lot of overengineering, think tens of billions of dollars) it ends up safer that way. 

Just because you don't need a client VPN on your machine does not mean VPNs as a whole are outdated and bad.

 

15 hours ago, comander said:

For a very well architected system, one that is designed on the assumption of multiple-billions of users and constant security targeting, pushing many things to the perimeter can be safer. A VPN is certainly necessary for some functions. It has not been required at all in the last few years while I've been at my current company. At all. 

Ehm... multiple billions of users? What company do you work at that has multiple billions of users that need remote access to your corporate resources?

And again, just because you don't need it doesn't mean everyone else who uses it is behind, or that it is never useful.

 

 

15 hours ago, comander said:

The ability for me to reign havoc on the network is much reduced. At my previous company, I had the power to bring down a server affecting something like 100M people. I should never have had that capacity. I also remember it being a pain when I moved from one corp network to another (mergers are fun)

That was not because you used a VPN, and switching to something like Citrix would not have solved that automatically.

 

 

 

15 hours ago, comander said:

Seriously, name your use cases that strictly require a VPN...

Anything that requires site-to-site VPN for example. Not every machine is a Windows PC. 

Let's say I have a firewall at a remote location that only has access to traditional Internet access. I want to collect logs from this firewall. How do I do it? I set up a VPN tunnel and send syslog through that.

Another example. The garbage trucks here in Sweden run a DMVPN network over 4G. They have a computer on them that reads the power meters from houses when they drive past, and sends that data over the VPN tunnel back to a server. How would you do that with something from Zscaler? It's an embedded system.

Or how about an AD domain hosted at an MSP. The client computers need access to the domain controller before the user has even logged in and can access their browser.

Or if you want to talk about client VPNs rather than site-to-site VPNs, configuring a VPN is a hell of a lot cheaper than buying something like a Zscaler. Especially if it's just for simpler stuff like maybe remote management of switches. It would be hard to convince a company of 10 people to buy a Zscaler just so that I can login and patch their switches like once every year, especially if nobody else needs remote access to their network.

 

I got plenty of other scenarios if you want but my point is that when it comes to security, you typically can't generalize things and think there is a "one solution fits all", even though a lot of marketing material would want you to believe that's the case.

 

 

15 hours ago, comander said:

I'm not denying that there aren't use cases, just that the first thing done shouldn't be "let 30,000 people of varying levels of sophistication have relatively unrestricted access to the corp network and pray every firewall is perfectly configged"

Client VPN doesn't mean you give everyone that logs on the same permissions or unrestricted access. If that's how you think it works then I understand that you are against it. You can apply firewall policies to VPNs if you want (and you probably should). 

 

15 hours ago, comander said:

I want to emphasize ALL of the big cloud players (Amazon, MS, Google, etc.) are doing ZTNA these days to varying degrees. Minimizing attack surface is a VERY GOOD strategy for not ending up on the news. When is the last time you heard about Amazon's corp network being hacked?

And all of them most likely also use VPNs to some degree. Those two are not mutually exclusive.


On 2/22/2021 at 6:56 AM, Oshino Shinobu said:

 

There's a Youtuber who did a sponsor for a VPN that actually called out others for this and explained it in a better fashion, but I can't remember their name off the top of my head

That's Tom Scott, isn't it?


1 hour ago, comander said:

I was told that for most use cases VPNs are 10 years out of date by someone with deep technical expertise. For what it's worth, I'd guestimate that he makes around 500k a year in a mostly technical role. 

And that's his opinion. I don't agree with it but since it's not even your argument I don't think we will have a meaningful conversation about it.

I don't care how much money he makes either.

 

 

 

1 hour ago, comander said:

Most "business cases" are. 

There's almost 0 reason for 99% of people at a major corporation to strictly NEED a VPN. 

That's probably true, but the same is probably true for ZTNA as well. Especially now that cloud services are getting more and more common, the need to access corporate resources that are hosted on-prem is on the decline. 

 

 

1 hour ago, comander said:

Facebook, Amazon, Google, Netflix, Microsoft... I might be missing a few. But basically giants that power nearly every facet of the internet. 

 

For context, I can theoretically spin up a cluster on AWS and in theory have a production system servicing multiple millions of users without having to VPN into Amazon's infra. I have 0 need to be on the network to push changes to prod in such a case. 

I don't see your point. What do VPNs or even ZTNA have to do with you being able to spin up an AWS instance? You don't need ZTNA to do that either.

 

1 hour ago, comander said:

Is there any technical reason why those logs don't HAVE to be pushed to a log server and made accessible outside of the network?

Assume a data breach costs $10 billion before citing costs. 

Ever heard of SIEM?

Also, cost is most certainly a factor. Not everyone lives in a fantasy world where you can throw money around. Not all data breaches cost 10 billion dollars either.

Cost is always a factor.

 

1 hour ago, comander said:

In the context of this thread, it's about a product that's used by a human for something... 

That narrows it down a lot. Like I said site-to-site VPNs are still necessary and can't always be replaced by ZTNA. That's why, even in marketing material, ZTNA vendors will usually only ever talk about client VPNs.

 

1 hour ago, comander said:

If you're a 10 person shop, it's probably faster, cheaper, easier and safer to use cloud systems... 

Not always.

 

1 hour ago, comander said:

For most people you don't NEED a VPN for business. 

True, and most people don't NEED some ZTNA system either.

 

1 hour ago, comander said:

Isn't a VPN a closer to a one size fits all approach than restricting access on a per application basis? If you 'need' to access something with a VPN you get a lot more access than just the one thing. 

It depends on what you mean and how other parts of the network look.

But no, a VPN is not a one size fits all. Not even close, if you configure it properly. 

 

 

1 hour ago, comander said:

It's letting someone onto a network segment. 

And this is bad... How? All computers, even those using some ZTNA setup, are on some network segment. You could even call the Internet a network segment.

Someone being on a network segment is not inherently bad.

 

1 hour ago, comander said:

If there are 0 day exploits and/or misconfigurations, it's not far from carte blanche access

Again, depends on how your network is set up. But I mean, do you think ZTNA is completely immune to security issues? That as soon as you implement some ZTNA solution then you will never ever have any security issues, no exploits can be found nor can it be misconfigured?

 

1 hour ago, comander said:

at least if you're assuming state actors as adversaries instead of the local middle school chess club

Are you serious? Let's see how this conversation has gone down.

OP: I don't like that tech youtubers advertise VPNs.

Shinobu: You can't generalize it like that and VPNs are useful for things like site-to-site connections.

You: ZTNA is replacing VPNs. If you use a VPN then you are behind the curve.

Shinobu: <talks about site to site VPNs, how VPNs can fit into ZTNA architectures, how you can't generalize it like that, etc>

You: ZTNA good, VPNs bad, bla bla bla.

Shinobu: I don't even get how ZTNA could replace a VPN in scenario X, Y and Z.

You: Me neither, but someone told me VPNs are bad and ZTNA are good so I believe that and will argue for it!

Me: VPNs and ZTNA are not mutually exclusive and there are lots of good reasons to use VPNs.

You: In my case I don't need a VPN so therefore companies that use them are outdated. Name me some scenarios where you need a VPN.

Me: But what about situation1, situation2 and situation3? Just because you personally don't need a VPN doesn't mean it is a bad or outdated solution in every case.

You: If you have a system with billions of users and let's say a data breach would cost 10 million US dollars then it makes sense! Also, let's assume you are constantly being attacked by foreign governments!

Me: But not every network is like that. Stop trying to push a narrative that one thing is good and another is bad when it depends on many factors.


12 minutes ago, comander said:

I'll go through your responses a bit more thoroughly but if you have ZTNA more or less fully baked into just about everything, users with a verified laptop and a USB security key and a password can pretty much touch the side of their laptop (or phone) and pretty much be off to the races for everything with better security than most traditional VPN set ups. Single sign on. It's WAY WAY WAY more convenient than the BS that I put up with while in eng-ops at ATT/Verizon/TMo. And you don't necessarily NEED to be connecting to applications hosted by say AWS or Azure, you can have it on your own HW. 

But exactly the same can be said about VPNs...

SSO, YubiKey or other hardware authentication devices, even automatic logon (with always-on) can be implemented with VPNs too.

 

 

Also, as Shinobu said earlier, ZTNA is not a thing in and of itself. It's a design. I feel like you are applying your experience with a particular ZTNA design to ZTNA as a whole, and likewise applying your experience with VPNs to VPNs as a whole, when both of them can vary greatly in how they work.


On 2/22/2021 at 7:58 AM, JovanD said:

Not to be confused with actual cable management like if you're making an arduino project and you're making sure all the ground cables are black and different color for signal, power cables, cutting them to length exactly as they are needed, etc.

 

Actual cable management...  ?

 

Colour codes don't really have anything to do with cable management. There can be reasons for and against. In vehicles you get completely illogical colour codes where you have I dunno, the left speaker might be white/orange trace and pink/brown trace and the right speaker uses completely different colours again. In a car though it is extremely useful to have unique colours to trace and for on the schematics. Other times can be unnecessary. For electrical and comms, colour codes are set in stone in standards and must be adhered to, you know straight away which is active/neutral or what core it is on a fibre. Other times when you say have a complete cable assembly in front of you, a colour code may not be needed at all.

 

Cutting to length can depend. I quite often fit off longer so wires can be reterminated, moved or you can test or assemble/disassemble more easily.

 

Same goes for cable management. I'd imagine most LTT members would go for a mix of function and aesthetics, you can get a logical layout that is easier to work on, trace out and understand and better temps. Had a rig in a tight case and just having cables everywhere when testing it was a lot hotter than once I tucked the excess away, nothing fancy, just practical.

 

 


  • 1 month later...
On 2/24/2021 at 2:25 AM, comander said:

I'll stick to "VPNs aren't really all THAT much a business NEED". This is being pedantic.

Unless you want to pay mega bucks to cloud providers for network connectivity like ExpressRoute (which isn't always a feasible option anyway) the only supported method to join corporate local network to the cloud provider network is VPN. We have Site-to-Site VPN connections to Azure and AWS, because that's just how it works. If you do not need to join the networks then you don't need to do this but there are very few things in a large enterprise where you can run purely in the cloud 100% and only require access to it through public internet.

 

Hardware accelerated SSL and IPSEC security appliances are a really huge deal in the enterprise market. Go have a look at how expensive it is to get 100+Gbps IPSEC throughput, now buy 12 of them.

 

Also even for user VPN, using a VPN itself doesn't prevent ZTNA at all anyway. Everything should be default blocked anyway with user based authenticated firewall rules that only allow the VPN connected user to connect to the specific things they are allowed to on the specific ports and services they are allowed to use, with the VPN itself MFA required and device health/posture assessment checked by the local VPN client application that evaluates the status of the device and informs the VPN service if the device has a functioning client firewall and has latest security updates, if not VPN connection is blocked. This is currently how our user SSL VPN works.

 

@LAwLz Just FYI for you too.

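The user VPN design described in the post above (MFA and a device posture check at connect time, then default-block with per-user allow rules for specific destinations and ports) can be sketched as a decision function. This is an added example, not the poster's configuration or any vendor's API; the user names, networks, ports and field names are all assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    mfa_passed: bool
    client_firewall_on: bool   # reported by the VPN client's posture check
    updates_current: bool      # reported by the VPN client's posture check


@dataclass(frozen=True)
class AllowRule:
    user: str
    network: str   # destination in CIDR notation
    port: int


# Constructed policy: anything not listed here is dropped.
RULES = [
    AllowRule("alice", "10.20.0.0/24", 22),    # server admin: SSH to one subnet
    AllowRule("alice", "10.20.0.0/24", 443),
    AllowRule("bob", "10.30.0.5/32", 443),     # app user: one web service only
]


def admit(session):
    """Connect-time gate: MFA plus device posture, before any tunnel exists."""
    if not session.mfa_passed:
        return False, "mfa-required"
    if not session.client_firewall_on:
        return False, "posture: client firewall off"
    if not session.updates_current:
        return False, "posture: security updates missing"
    return True, "admitted"


def authorize(session, dst_ip, dst_port, rules=RULES):
    """Per-flow decision for a session: default deny, explicit allow."""
    ok, reason = admit(session)
    if not ok:
        return False, reason
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (rule.user == session.user and rule.port == dst_port
                and dst in ipaddress.ip_network(rule.network)):
            return True, f"allow {rule.user} -> {rule.network}:{rule.port}"
    return False, "default-deny"


if __name__ == "__main__":
    alice = Session("alice", True, True, True)
    stale_bob = Session("bob", True, True, False)
    for sess, ip, port in [(alice, "10.20.0.17", 22),
                           (alice, "10.20.0.17", 3389),
                           (alice, "10.30.0.5", 443),
                           (stale_bob, "10.30.0.5", 443)]:
        print(sess.user, ip, port, authorize(sess, ip, port))
```

Being connected to the VPN grants nothing by itself here: a flow passes only when the session cleared MFA and posture and a rule names that user, destination and port.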
