Building a zero-trust architecture typically means granting users just enough access to network resources to do their jobs, with the network itself helping to enforce that limit. Simply put, zero trust requires authenticating every user and device that attempts to reach the network, and applying strict access control and identity management so that authorized users can reach only the resources their jobs require. Zero trust as an architecture has many possible implementations; what follows covers only those that apply to the networking world.

Least privilege

Least privilege is a core principle of zero trust: users get just enough access to do their jobs. One way to achieve this is network segmentation, which divides the network into disjoint parts based on authentication, trust, user roles, and topology. Implemented effectively, it isolates the hosts on a segment and minimizes their east-west communication, limiting the collateral damage if a host is compromised. Because hosts and applications can reach only the limited set of resources they are authorized for, segmentation keeps an attacker who has compromised one host from moving on to the rest of the network. Access rights are granted, and resources authorized, based on context: who the user is, what device they are using to reach the network, where on the network they are, how they are communicating, and why the access is needed.

There are several ways to enforce segmentation. The most traditional is physical isolation: separating networks of different security levels with dedicated servers, cabling, and network equipment. This is effective, but building a completely separate network environment for every user trust level and role can be cost-prohibitive.
Layer 2 segmentation

Another approach is Layer 2 segmentation, which isolates end users and their devices with inline security filtering between the device and the access switch. Placing a firewall between every user and the switch, however, is very expensive. A related approach is port-based network access control, which grants access based on the requester's authentication or certificate and assigns each node to a Layer 3 virtual LAN (VLAN). These methods are commonly used on wired and wireless access networks through the 802.1X standard and the Extensible Authentication Protocol (EAP). Organizations may not, however, be able to take advantage of a vendor's more comprehensive capabilities, such as end-user roles, authentication credentials, device profiles, advanced traffic filtering, and segmenting users by trust level.

Layer 3 segmentation

Common methods for creating application isolation zones include separating access cabling and ports into Layer 3 subnets (VLANs) and performing inline filtering. Filtering can be done by network devices such as routers, or by firewalls or proxy servers that know user identities and roles. A typical example is the standard three-tier web application architecture, in which web servers, application servers, and database servers sit in different subnets. Another approach is network slicing, a software-defined networking technique in which the network is logically divided into multiple parts, much like a virtual routing and forwarding (VRF) scenario. The current mainstream practice is to give each server its own IPv4 subnet or IPv6 /64 prefix and have it announce that subnet to the network router. All traffic on the server's subnet stays local to that server, and no other traffic traverses the virtual network on that host. Encapsulating traffic in an overlay tunnel running on top of an IP network can also separate network segments, and this can be achieved in a variety of ways.
These include virtual extensible LANs (VXLAN), network virtualization using generic routing encapsulation (NVGRE), generic network virtualization encapsulation (Geneve), stateless transport tunnels (STT), and TCP segmentation offload. Packet tagging (marking packets with an internal identifier) can be used to establish trust between interfaces and to isolate packets from end-user devices according to their identity and authorization. Organizations can add tags with protocols including MPLS, 802.1ad Q-in-Q, 802.1AE MACsec, and Cisco TrustSec. Another method is segment routing, which uses a special routing header in IPv6 packets to control the communication path across an MPLS or IPv6 network.

Recommendations from the National Institute of Standards and Technology (NIST)

NIST enumerates the logical components of a zero-trust architecture and defines several deployment styles. These include validating and authenticating users through policy decision points and policy enforcement points, similar to the software-defined perimeter (SDP) originally conceived by the Cloud Security Alliance. In this approach an SDP controller authenticates the user and then tells the SDP gateway to allow access to specific applications according to the user's role and authorization. The process can use traditional usernames and passwords or multi-factor authentication (MFA) with one-time passwords, software tokens, hardware tokens, mobile apps, or text messages. An alternative is single-packet authorization, or port knocking, in which the client browser or application sends a set of packets to the SDP controller to identify the user and their device. There are also various micro-segmentation, host isolation, and zero-trust network approaches.
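As an added illustration (not code from the article), the three-tier web application segmentation described under Layer 3 segmentation above, modelled as an ordered inline-filter policy with a default deny. The subnets, ports and rule layout are constructed assumptions:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed three-tier addressing (hypothetical; not from the article).
SEGMENTS = {
    "web": ipaddress.ip_network("10.0.1.0/24"),
    "app": ipaddress.ip_network("10.0.2.0/24"),
    "db": ipaddress.ip_network("10.0.3.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str              # segment name, or "any"
    dst: str
    proto: str            # "tcp", "udp", or "any"
    port: Optional[int]   # None matches any destination port
    action: str           # "allow" or "deny"


# Ordered inline-filter policy: each tier may reach only the next hop it
# needs, on the one port it needs; the final rule is the default deny.
POLICY = [
    Rule("web", "app", "tcp", 8080, "allow"),   # web tier -> application tier
    Rule("app", "db", "tcp", 5432, "allow"),    # application tier -> database tier
    Rule("any", "any", "any", None, "deny"),    # everything else, including east-west
]


def segment_of(ip: str) -> str:
    """Map an address to its segment name, or 'unknown' if outside all subnets."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int) -> Tuple[str, str]:
    """First-match evaluation of a flow against POLICY; returns (action, reason)."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    for rule in POLICY:
        if (rule.src in (src, "any") and rule.dst in (dst, "any")
                and rule.proto in (proto, "any") and rule.port in (port, None)):
            return rule.action, f"{src}->{dst} {proto}/{port}: {rule.src}->{rule.dst} {rule.action}"
    return "deny", "no matching rule"   # safety net; unreachable with the default-deny rule
```

A compromised web host cannot reach the database tier directly or its own neighbours, which is the east-west limitation the section describes.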
Some are implemented in network devices and servers, in identity and access control systems, or in middleboxes such as proxy servers and firewalls. Zero-trust approaches vary widely and can be implemented in the host operating system, in software-container virtual networks, in hypervisors, or in virtual cloud infrastructure using software-defined perimeters (SDP) or identity-aware proxies (IAP). Many also involve software agents on end-user nodes, as well as X.509 certificates, mutual TLS (mTLS), single-packet authorization (SPA), and multi-factor authentication (MFA). Not all of these can be implemented by network, server, or security administrators on their own; a robust zero-trust network architecture is built through collaboration across interdisciplinary IT teams.
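An added example, not from the article, of the NIST-style policy decision point and policy enforcement point described above: the PDP evaluates the contextual attributes the article lists (user role, device identity and posture, MFA, network location) against per-application policies, and the gateway opens a path only on an allow decision. Application names, policy settings and field names are assumptions.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class Context:
    user: str
    roles: Set[str]
    device_cert_valid: bool   # device presented a valid X.509 identity over mTLS
    device_managed: bool      # posture reported by the endpoint agent
    mfa_completed: bool
    network: str              # "corp", "vpn" or "internet"


@dataclass
class AppPolicy:
    allowed_roles: Set[str]
    require_mfa: bool
    require_managed_device: bool
    allowed_networks: Set[str]


# Constructed per-application policies (hypothetical names and settings).
POLICIES = {
    "payroll": AppPolicy({"hr"}, True, True, {"corp", "vpn"}),
    "wiki": AppPolicy({"staff", "hr"}, False, False, {"corp", "vpn", "internet"}),
}


def decide(app: str, ctx: Context) -> Tuple[bool, List[str]]:
    """Policy decision point: allow only when every contextual check passes."""
    policy = POLICIES.get(app)
    if policy is None:
        return False, ["unknown application (default deny)"]
    checks = [
        (ctx.device_cert_valid, "device identity not verified"),
        (bool(ctx.roles & policy.allowed_roles), "no authorized role"),
        (ctx.mfa_completed or not policy.require_mfa, "MFA required"),
        (ctx.device_managed or not policy.require_managed_device, "unmanaged device"),
        (ctx.network in policy.allowed_networks, f"network '{ctx.network}' not permitted"),
    ]
    failures = [reason for passed, reason in checks if not passed]
    return not failures, failures


class Gateway:  # policy enforcement point: a path opens only after an allow decision
    def __init__(self) -> None:
        self.open_paths: Set[Tuple[str, str]] = set()

    def request(self, app: str, ctx: Context) -> bool:
        allowed, _ = decide(app, ctx)
        if allowed:
            self.open_paths.add((ctx.user, app))
        return allowed
```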