
Zero-trust security adds necessary ingredients

Nov 20, 2018 | 10 mins
Network Security | Networking | VPN

Let's face it: VPNs are no longer in vogue. Users do not want to spend the time setting them up, and network admins are increasingly moving to a zero-trust model, which ensures a high level of security while empowering users to work from anywhere.


Today’s threat landscape consists of skilled, organized and well-funded bad actors. They have many goals, including exfiltrating sensitive data for political or economic motives. To combat these threats, the cybersecurity market has to expand at an even greater rate.

IT leaders must evolve their security framework if they want to stay ahead of cyber threats. The evolution in security we are witnessing tilts towards the Zero-Trust model and the software-defined perimeter (SDP), also called a “Black Cloud”. Its design principle is the need-to-know model.

The Zero-Trust model says that anyone attempting to access a resource must first be authenticated and authorized. Users cannot connect to anything they are not authorized for, since unauthorized resources are invisible, left in the dark. For additional protection, the Zero-Trust model can be combined with machine learning (ML) to discover risky user behavior. It can also be applied to conditional access.

Essentially, Zero-Trust one-to-one segmentation ensures least-privilege access and reduces the attack surface to an absolute minimum. It prevents lateral movement within the network, thereby eliminating many well-known network-based attacks, including server scanning, denial of service, SQL injection, operating system and application vulnerability exploits, and man-in-the-middle, to name a few. The one-to-one segmentation is not just IP address to IP address, but also to services (ports) and applications.

Lateral movement is a common technique that bad actors use to navigate between or within segments with the intention of compromising valuable assets. They move with care and often go unnoticed for months, if not years. A hacker would discover, identify, and then target devices on a network. Typically a hacker would target and easily compromise weak devices (un-patched servers) and then make their way to more valuable assets. While “the front door” of a server can be secured, there exist many backdoors that must also be secured, such as management, logging, and other traffic uses.

When we examine our past, we find we have made significant steps in the evolution of our thinking about security. For example, we have moved from single-factor authentication to two-factor authentication and now to multi-factor authentication. We have also moved from not encrypting traffic in motion to encrypting it, which results in a high percentage of applications being transport layer security (TLS) encrypted.

Zero-Trust is the next big megatrend that enables us to defend against internal and external cybercriminals. The technology market has emerged steadily. If you examine the previous security architectures, you could say that we have had no option but to arrive here. Security solutions must meet business objectives, and just because you have a hammer does not mean everything is a nail. It is a common assumption that many breaches have an internal vector, where a user or malware enables an external actor to gain access.

Previous obsolete architectures

Traditional architectures with network admission control (NAC) and virtual private network (VPN) types of access are built on the assumption that the outside world is evil and the inside is good, with no threats.

The reality is that there has been a rapid increase in successful attacks that have a malicious internal component, whether that is a user on the inside or a device that has been compromised. So we no longer have a trusted network and clear demarcation points. It is quite unfortunate and saddening to say that users inside a network are no more trustworthy than those outside it.

The perimeter, while it still exists, is more fluid than it was in the past. The premise of traditional architecture was a fixed perimeter. The perimeter will only become more fluid, not only with the introduction of new technologies but with the advance of new business models, such as exposing a number of APIs to various suppliers. The demarcation points of the business and its solutions have become a lot fuzzier than in the past.

Zero-Trust is a reality, not just a PowerPoint presentation. There are real products, and SDP is a working group and proposed architecture bringing Zero-Trust to the market.

Software-defined perimeter (SDP)

The SDP working group is pushing Zero-Trust security. Its goal is to develop a solution that prevents network attacks against the application. Initially, it was the work carried out at the Defense Information Systems Agency (DISA) under the Global Information Grid (GIG) Black Core Network initiative during 2007.

Their initial concepts relied on an overlay network and a software client, without fundamentally integrating Identity and Access Management (IAM) with the underlying IP network. However, they advocate many of the principles that are used in the Zero-Trust model.

The commercial product consists of a number of components, such as an SDP client, a controller and a gateway.

The SDP client handles a wide range of functions, from verifying device and user identity to routing whitelisted local applications to authorized, protected remote applications. It is configured in real time to ensure that the certificate-based mutual TLS VPN only connects to services that the user is authorized for.

The SDP controller functions as a trust broker between the client and the backend security controls. The controller carries certificate authority (CA) and identity provider (IdP) functions. Upon client validation, the controller sets up both the SDP client and the gateway in real time to establish a mutual TLS connection.

Terminating on the controller is similar to the concept of signaling on voice networks. In today’s phone networks, we first receive the signal and a call is set up before we permit the media to flow.

This is equivalent to having a session initiation protocol (SIP) session and a transmission control protocol (TCP) session. We carry out the signaling to make sure that we are authenticated and authorized. Only then are we allowed to communicate with the remote end.

Then we have the SDP gateway. It is recommended to deploy the SDP gateway topologically close to the protected application.

The SDP architecture provides a number of valuable security properties when they are combined:

  • Information hiding: With VPNs, you use the DNS name of the VPN server, but with SDP you never get to see the DNS name of the endpoint, as the SDP controller sits in the middle, acting as the tunnel broker.
  • Accessibility: No DNS information or visible ports of the protected application are accessible. Essentially, SDP-protected assets are considered “dark,” meaning they cannot be detected.
  • Pre-authentication: SDP pre-authenticates and validates the connections. Device identity is verified before connectivity is granted. This can be determined via an MFA token embedded in the TCP or TLS connection setup.
  • Pre-authorization: Users are granted access only to applications that are appropriate for their role, in sync with policy assignment.
  • Application-layer access: It’s a one-to-one connection between the users and resources. Users are only granted access at the application layer and not to the entire network that lies underneath.
  • Extensibility: SDP is built on proven, standards-based components, such as mutual TLS, SAML, and X.509 certificates. Standards-based technology ensures ease of integration with other security systems, such as data encryption.

For Zero-Trust, other real-world use cases come in the form of point-of-sale segmentation and granting third-party access to your network infrastructure.

Use case: point-of-sale segmentation

Today’s network segmentation technologies are limited by their open systems interconnection (OSI) model layer 2 and 3 dependencies. VXLAN is the segmentation choice within the data center, while virtual LANs (VLANs) are used in offices and virtual routing and forwarding instances (VRFs) over the wide area network (WAN). However, the problem with these layer 2 and 3 segmentation mechanisms is that they only use the media access control (MAC) or IP address and not more intelligent variables for policymaking.

The problem today with, for example, VLAN segmentation is that you only segment down to a specific device. However, if you have a payment card industry (PCI) server, you might want to keep PCI traffic separate from the other traffic on that server, such as directory or Office 365 traffic. Fundamentally, Zero-Trust (ZT) lets you further segment traffic within a device at the service/application level.

ZT is one-to-one segmentation of user device and service/application. It picks a device and does a one-to-one mapping to a service, not to an address. It can segment network traffic not only based on the device MAC or IP address but also based on user, service and application.

Use case: third-party access

For example, let’s say we have a third party carrying out technical support for an organization. A bank may have an Oracle database running key applications, which they are having trouble with. An external partner is therefore needed to assess the situation. How do you do this in a way that the external support member cannot see or do anything else in the data center?

With the Zero-Trust model, that person can access that server at a specific time, with a specific MFA and a specific trouble ticket number. Therefore, if they come back in 4 hours, they are not granted access.

Compare this to today’s common third-party access. Once you have VPN access to the LAN, you can see and go to everything else. Zero-Trust allows you to isolate access down to one specific server with one IP address and port number, from a specific source port and IP address.

Besides, there are many other variables that it can take into account. Zero-Trust is multivariable, dynamic rather than static. It gives users one-time access to a requested application while all other resources are cloaked, without granting access to the entire network.
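The controller-brokered exchange described above and the time-bound, ticket-bound third-party grant, modelled as an added example (not code from the article or from any SDP product): a hypothetical controller pre-authenticates the device and MFA, pre-authorizes the request against a grant, and only then programs a default-deny gateway with exactly one flow, so every other service stays dark. The service addresses, device id, user and ticket number are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data: a hypothetical vendor DBA with a trouble ticket for an Oracle listener.
ORACLE = ("10.0.0.5", 1521)   # the one protected service the grant covers: one IP, one port
SSH_HOST = ("10.0.0.6", 22)   # another server in the same data center; it must stay dark
T0 = datetime(2018, 11, 20, 9, 0)

@dataclass(frozen=True)
class Grant:
    user: str
    device_id: str        # stands in for the device's client-certificate identity
    service: tuple        # (ip, port) the grant is for, and nothing else
    ticket: str
    valid_from: datetime
    valid_until: datetime

class SdpGateway:
    """Default deny: a flow is forwarded only while the controller has provisioned it."""
    def __init__(self):
        self.rules = {}   # (device_id, service) -> expiry of the provisioned flow
    def allow(self, device_id, service, expires):
        self.rules[(device_id, service)] = expires
    def forwards(self, device_id, service, now):
        expiry = self.rules.get((device_id, service))
        return expiry is not None and now < expiry

class SdpController:
    """Trust broker: pre-authenticate, pre-authorize, then program one one-to-one flow."""
    def __init__(self, trusted_devices, grants, gateway):
        self.trusted_devices, self.grants, self.gateway = trusted_devices, grants, gateway
    def request_access(self, user, device_id, mfa_ok, ticket, service, now):
        # Pre-authentication: device identity and MFA are checked before any connectivity exists.
        if device_id not in self.trusted_devices or not mfa_ok:
            return False
        # Pre-authorization: user, device, service, ticket and time window must all match a grant.
        for g in self.grants:
            if ((g.user, g.device_id, g.service, g.ticket) == (user, device_id, service, ticket)
                    and g.valid_from <= now < g.valid_until):
                self.gateway.allow(device_id, service, g.valid_until)  # this flow only, nothing lateral
                return True
        return False

def at(minutes):
    """Clock helper for the scenario: T0 plus the given number of minutes."""
    return T0 + timedelta(minutes=minutes)

GATEWAY = SdpGateway()
CONTROLLER = SdpController(
    trusted_devices={"vendor-laptop-01"},
    grants=[Grant("dba@vendor.example", "vendor-laptop-01", ORACLE, "INC-0042", T0, at(120))],
    gateway=GATEWAY)
```

The same vendor coming back 4 hours later, asking for a second server, or presenting no MFA is refused by the controller and never reaches the gateway's rule table.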

Google’s BeyondCorp project

Google’s BeyondCorp initiative is moving to a model that dispenses with a privileged corporate network. Instead, access depends solely on device and user credentials, regardless of the user’s network location.

All access to the enterprise resources is fully authenticated, authorized, and encrypted, based upon device state and user credentials. As a result, all employees can work from any network and without the need for a traditional VPN connection.

There are three primary benefits of moving to a Zero-Trust model. The first is the elimination of public and private network borders, treating all private and public IP networks with the same Zero-Trust policy. This is the world we live in today, hence we need to act accordingly.

The second is the decoupling of security from the underlying IP network and adding OSI layer 5 intelligence to the very edge of the network. This architecture is a move in the right direction in the fight against cybercriminals. However, it requires us to rethink how we implement security today. Just as NG-Firewalls are moving further up the stack, next-generation routers need to do the same.

Realistically, VPNs are no longer in vogue. Users do not want to spend the time setting them up, and security administrators are moving to a Zero-Trust model. Google, for example, has enabled all its employees to work from anywhere without the need for VPNs. They have had this capability in place for a couple of years, and it has been very successful in ensuring a high level of security while empowering users to work from anywhere.


Matt Conran has more than 19 years in the networking industry with entrepreneurial start-ups, government organizations and others. He is a lead architect who has successfully delivered major global greenfield service provider and data center networks. His core skill set includes advanced data center, service provider, security and virtualization technologies. He loves to travel and has a passion for landscape photography.

The opinions expressed in this blog are those of Matt Conran and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.