
Implementing Network Security

In today's interconnected world, where technology reigns supreme, the need for robust network security measures has become paramount. This blog post aims to provide a detailed and engaging guide to implementing network security. By following these steps and best practices, individuals and organizations can fortify their digital infrastructure against potential threats and protect sensitive information.

Network security is the practice of protecting networks and their infrastructure from unauthorized access, misuse, or disruption. It encompasses various technologies, policies, and practices aimed at ensuring the confidentiality, integrity, and availability of data. By employing robust network security measures, organizations can safeguard their digital assets against cyber threats.

Before diving into the implementation process, assessing the vulnerabilities within your network is crucial. Conduct a comprehensive audit to identify potential weak points, such as outdated software, unsecured access points, or inadequate user authentication protocols. This initial step lays the foundation for tailored security measures.

Highlights: Implementing Network Security

Network Visibility

Appropriate network visibility is critical to understanding network performance and to implementing network security components. Much of the technology used for network performance, such as NetFlow, is also security-focused. The landscape is challenging: workloads move to the cloud without monitoring or any security plan. We need a solution that gives visibility over these clouds and on-premises applications without replacing the entire monitoring and security stack.

Networking is Complex

Our challenge is that the network is complex and constantly changing. We have seen this with WAN monitoring and the issues that can arise from routing convergence. Change does not only come as a hardware refresh; from a network software perspective the network changes constantly and needs to remain dynamic. If you don’t have complete visibility while the network changes, the result is security blind spots.

Security Tools

Existing security tools are in place, but security needs to be better integrated, and the network itself can provide that additional integration point. A network packet broker can sit in the middle and feed each security tool data that has already been transformed, or optimized, for the particular security device it is sending to, reducing false positives.

Related: For pre-information, you may find the following post helpful:

  1. Technology Insight For Microsegmentation
  2. SASE Visibility
  3. Network Traffic Engineering
  4. Docker Default Networking 101
  5. Distributed Firewalls
  6. Virtual Firewalls



Implementing Network Security.

Key Implementing Network Security Discussion points:


  • The use of a network packet broker.

  • Monitoring and Observability.

  • The different hacking stages.

  • How to implement network security.

  • The issues with encrypted traffic.

Back to Basics: Implementing Network Security

The Role of Network Security

For sufficient network security to be in place, it is essential to comprehend its central concepts and the implied technologies and processes around it that make it robust and resilient to cyber-attacks. However, all of this is complicated when the visibility is blurred by not having a demarcation of the various network boundaries.

Moreover, network security touches upon multiple attributes of security controls that we need to consider, such as security gateways, SSL inspection, threat prevention engines, policy enforcement, cloud security solutions, threat detection and insights, and attack analysis with respect to frameworks, to name a few.

Diagram: Implementing network security.

One of the fundamental components of network security is the implementation of firewalls and intrusion detection systems (IDS). Firewalls act as a barrier between your internal network and external threats, filtering out malicious traffic. On the other hand, IDS monitors network activity and alerts administrators of suspicious behavior, enabling rapid response to potential breaches.

Enforcing Strong Authentication and Access Controls

Unauthorized access to sensitive data can have severe consequences. Implementing robust authentication mechanisms, such as two-factor authentication (2FA) or biometric verification, adds an extra layer of security. Additionally, enforcing stringent access controls, limiting user privileges, and regularly reviewing user permissions minimize the risk of unauthorized access.

Regular Software Updates and Patch Management

Cybercriminals often exploit vulnerabilities in outdated software. Regularly updating and patching your network’s software, including operating systems, applications, and security tools, is crucial to prevent potential breaches. Automating the update process wherever possible helps ensure your network remains protected against emerging threats.

Data Encryption and Secure Communication

Protecting sensitive data in transit is essential to maintain network security. Implementing encryption protocols, such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS), safeguards data as it travels across networks. Additionally, using Virtual Private Networks (VPNs) ensures secure communication between remote locations and adds an extra layer of encryption.


Assessing Vulnerabilities

Conducting a comprehensive assessment of your network infrastructure before diving into network security implementation is crucial. Identify potential vulnerabilities, weak points, and areas that require immediate attention. This assessment will serve as a foundation for developing a tailored security plan.

Building a Strong Firewall

One of the fundamental elements of network security is a robust firewall. A firewall acts as a barrier between your internal network and the external world, filtering incoming and outgoing traffic based on predefined rules. Ensure you invest in a reliable firewall solution with advanced features such as intrusion detection and prevention systems.

Diagram: Firewall traffic flow and NAT

Enforcing Access Controls

Controlling user access is vital to prevent unauthorized entry and data breaches. Implement strict access controls, including strong password policies, multi-factor authentication, and role-based access controls (RBAC). Regularly review user privileges to ensure they align with the principle of least privilege (PoLP).

Encrypting Data

Data encryption is critical to network security, mainly when transmitting sensitive information. Utilize industry-standard encryption algorithms to protect data at rest and in transit. Implement secure protocols like HTTPS for web communication and VPNs for remote access.

Monitoring and Intrusion Detection

Network security is an ongoing process that requires constant vigilance. Implement a robust monitoring and intrusion detection system (IDS) to detect and respond promptly to potential security incidents. Monitor network traffic, analyze logs, and employ intrusion prevention systems (IPS) to protect against attacks proactively.

Monitoring Observability

Increased enterprise security challenges demand new efforts and methods to stay ahead of threat actors. Therefore, monitoring the environment must be taken from multiple vantage points. Then, we can identify patterns that could be early indicators of attack. Finally, once we know there is an attack, we can implement a proactive response model, which will be crucial to success. 

We need good network observability tools to understand what is happening in your environment. Bad actors are always at work, probing for new weaknesses and creating new ways to exploit them. Consider how you gain complete network visibility when deciding on your monitoring solution. Under a zero-trust approach to security, we must assume that the actor already has access.

So we assume the threat already has access and authentication at all levels, even with the correct security appliances in place, such as Web Application Firewalls (WAF), Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS). The most crucial point is to assume we have a breach and the bad actor is already on our network.

Hacking Stages


There are different stages of an attack chain, and with the correct network visibility, you can break the attack at each stage. Firstly, there will be the initial recon, access discovery, where a bad actor wants to understand the lay of the land to determine the next moves. Once they know this, they can try to exploit it. 

Diagram: Network-derived intelligence.

  • Stage 1: Deter

You must first deter threats and unauthorized access, then detect suspicious behavior and access, and finally respond and alert automatically. For the first stage, deterrence, we have anti-malware devices, perimeter security devices, identity and access controls, firewalls, and load balancers.

  • Stage 2: Detect

The next dimension of security is detection. Here we can examine the IDS, log insights, and security feeds, together with flow analysis. Signature-based detection can assist you here.

  • Stage 3: Respond

Then we need to focus on how to respond, using anomaly detection and response solutions. All of this must be integrated with, for example, the firewall, so that you can block and then deter that access.

  • A key point: Red Hat Ansible Tower

Ansible is the common automation language for everyone across your organization. Specifically, Ansible Tower can be the common language between security tools. This makes work repeatable and gives you the ability to respond to security events in a standardized way. If you want a unified approach, automation can help you here, especially with a platform such as Ansible Tower, integrated with your security technologies.

Example: Automating firewall rules. We can add an allowlist entry in the firewall configuration to allow traffic from a particular machine to another. We can have a playbook that first takes the source and destination IPs as variables. Then, once a source and destination object are defined, the actual access rule between them is defined. All of this can be done with automation.
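The two-step change just described (address objects first, then the access rule that references them) is easy to get wrong when it runs unattended: a second run must not add a duplicate rule, and an earlier deny must not silently turn the new allow into a dead rule. The following is an added example written for this page, not Ansible Tower code or a vendor playbook; the Firewall, AddressObject and AccessRule names and the 10.x addresses are constructed for illustration.

```python
"""Firewall allowlist automation modelled on the two-step change in the text:
define source and destination address objects from variables, then an access
rule between them. Example code written for this page, not Red Hat Ansible
Tower code; object and rule names are illustrative."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AddressObject:
    name: str
    cidr: str

    def __post_init__(self):
        ipaddress.ip_network(self.cidr, strict=False)  # reject malformed input early

    @property
    def network(self):
        return ipaddress.ip_network(self.cidr, strict=False)


@dataclass(frozen=True)
class AccessRule:
    src: str      # name of an AddressObject
    dst: str
    port: int
    action: str   # "allow" or "deny"


@dataclass
class Firewall:
    objects: dict = field(default_factory=dict)
    rules: list = field(default_factory=list)  # evaluated first match wins

    def define_object(self, name, cidr):
        """Step 1 of the playbook: register the source/destination object.
        Redefining an existing name with a different prefix is an error, so a
        typo in a variable cannot silently repoint an existing rule."""
        obj = AddressObject(name, cidr)
        if name in self.objects and self.objects[name] != obj:
            raise ValueError(f"{name} already defined as {self.objects[name].cidr}")
        self.objects[name] = obj
        return obj

    def first_match(self, src_ip, dst_ip, port):
        """Return the first rule covering this source, destination and port, or None."""
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for rule in self.rules:
            if (s in self.objects[rule.src].network
                    and d in self.objects[rule.dst].network and rule.port == port):
                return rule
        return None

    def add_allow(self, src, dst, port):
        """Step 2: the access rule between two defined objects. Idempotent:
        returns "unchanged" if the flow is already allowed and "shadowed" if an
        earlier deny would make the new rule dead. The probe uses each object's
        network address, so this is a representative-host check, not a full
        overlap analysis."""
        for name in (src, dst):
            if name not in self.objects:
                raise KeyError(f"undefined address object {name}")
        hit = self.first_match(str(self.objects[src].network.network_address),
                               str(self.objects[dst].network.network_address), port)
        if hit is not None:
            return "unchanged" if hit.action == "allow" else "shadowed"
        self.rules.append(AccessRule(src, dst, port, "allow"))
        return "added"

    def render(self):
        """Vendor-neutral rule lines, as a playbook template might emit them."""
        return [f"{r.action} from {self.objects[r.src].cidr} "
                f"to {self.objects[r.dst].cidr} port {r.port}" for r in self.rules]


def allowlist_example():
    """Run the change twice: the second run must be a no-op."""
    fw = Firewall()
    fw.define_object("app-server", "10.1.0.5/32")   # constructed sample addresses
    fw.define_object("db-server", "10.2.0.9/32")
    first = fw.add_allow("app-server", "db-server", 5432)
    second = fw.add_allow("app-server", "db-server", 5432)
    return fw, first, second


def shadowed_example():
    """An earlier broad deny makes the automated allow dead; report it instead."""
    fw = Firewall()
    fw.define_object("any-internal", "10.0.0.0/8")
    fw.define_object("db-server", "10.2.0.9/32")
    fw.define_object("app-server", "10.1.0.5/32")
    fw.rules.append(AccessRule("any-internal", "db-server", 5432, "deny"))
    return fw.add_allow("app-server", "db-server", 5432)


if __name__ == "__main__":
    fw, first, second = allowlist_example()
    print(first, second, fw.render(), shadowed_example())
```

The return values ("added", "unchanged", "shadowed") are what a playbook task would report as changed/ok/failed, which is what makes the change safe to rerun from Tower on a schedule.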

Diagram: Ansible vs Tower. Source: Red Hat.

Implementing Network Security

No single device can stop an attack. We need multiple approaches that can break the attack at any point in the attack chain, whether the bad actors are doing TCP scans, ARP scans, or malware scans. You want to identify these before they become a threat. Always assume the threat has access, leverage all possible features, and treat every application as critical and protect it accordingly.

We must improve the monitoring, investigation capabilities, and detection of various technologies. This is where a zero-trust architecture can help you monitor and improve detection. In addition, we must look at network visibility, logging, and Encrypted Traffic Analysis (ETA) to improve investigation capabilities.

Network-derived intelligence

So, when implementing network security, you need to consider that the network and the information gleaned from it add a lot of value. This can still be done with an agent-based approach, where an agent collects data from the host and sends it back to, for example, a data lake where you set up a dashboard and query. However, an agent-based approach will have blind spots. It misses a holistic network view and can’t be used with unmanaged devices like far-reaching edge IoT.

The information gleaned from the host misses data that can only be derived from the network. With network-derived traffic analysis in particular, you can look into unmanaged hosts such as IoT devices: any host and its actual traffic.

This is not something that can be derived from a log file. The issue with log data is that once a bad actor is inside the network, the first thing they want to do to cover their tracks is log spoofing and log injection.

Agent-based and network-derived intelligence

Network-derived intelligence, through deep packet inspection, can be combined with an agent-based approach. Network-derived intelligence lets you pull out many metadata attributes, such as what kind of traffic this is, what its characteristics are, whether it is video, and what the frame rate is.

The beauty is that this covers both north-south and east-west traffic as well as unmanaged devices. So by combining an agent-based approach with network-derived intelligence, we have expanded coverage to the entire infrastructure.

Detecting rogue activity: Layers of security 

Now we can detect new vulnerabilities, such as old SSL ciphers; shadow IT activity, such as torrenting and crypto mining; and suspicious activities, such as port spoofing. Rogue activities such as crypto mining are a big concern. Many workflows get broken, and many breaches and attacks install crypto mining software.

This is the best way for a bad actor to make money. The way to detect it is not with an agent but by examining network traffic and looking for anomalies. Even then, the traffic may not look very different, because the mining software does not generate log files and there is no command and control communication.

We make observability and the SIEM more targeted to get better information. With the network, we have new capabilities to detect and respond. This adds a new layer of defense in depth and keeps you closer to the cloud threats that are happening at the moment. NetFlow is used for network monitoring, detection, and response. Here you can detect the threats and integrate with other tools so we can see the network intrusion as it begins. Decisions are made based on what the network sees, so you can see the threats as they happen.
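Flow telemetry is the one source in this section that an attacker on the host cannot spoof or inject into, so it is worth seeing what the two detections described above (the scans in the attack chain, and a miner that leaves no logs and no obvious C2) look like over flow records. This is an added example written for this page, not code from any NetFlow or SIEM product; the CSV records, the address ranges and every threshold are constructed and would need tuning against a real baseline.

```python
"""Flow-record detection over constructed NetFlow/IPFIX-style records: a port
scan (many destination ports from one source within one window) and a
miner-like long-lived, low-volume outbound connection. Example code written
for this page, not from any product; thresholds are illustrative."""
import csv
import ipaddress
from collections import defaultdict
from io import StringIO

# Constructed sample records (ts in seconds): one scanner, one miner-like
# host, and one normal client doing an HTTPS download and an internal call.
SAMPLE_FLOWS = """\
ts,src,dst,dport,proto,bytes,packets,duration
1000,10.0.0.7,10.0.0.20,22,tcp,120,2,0.1
1000,10.0.0.7,10.0.0.20,23,tcp,120,2,0.1
1000,10.0.0.7,10.0.0.20,80,tcp,120,2,0.1
1001,10.0.0.7,10.0.0.20,443,tcp,120,2,0.1
1001,10.0.0.7,10.0.0.20,445,tcp,120,2,0.1
1001,10.0.0.7,10.0.0.20,3389,tcp,120,2,0.1
1001,10.0.0.7,10.0.0.20,8080,tcp,120,2,0.1
1002,10.0.0.7,10.0.0.20,8443,tcp,120,2,0.1
1000,10.0.0.31,203.0.113.50,3333,tcp,48000,900,7200
1000,10.0.0.12,203.0.113.10,443,tcp,5200000,4200,35
1005,10.0.0.12,10.0.0.20,443,tcp,40000,60,3
"""

# Explicit internal ranges (ipaddress.is_private would also match the
# 203.0.113.0/24 documentation range used for the constructed external hosts).
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SCAN_WINDOW_S = 60        # bucket width for counting distinct ports
SCAN_MIN_PORTS = 6        # distinct dst ports per (src, dst, window) to flag
SCAN_MAX_AVG_BYTES = 200  # probe flows carry almost no data
LONG_LIVED_S = 3600       # miner-like: connection up for an hour or more...
LOW_RATE_BPS = 100        # ...at a trickle of bytes per second...
MIN_PACKETS = 500         # ...but with a steady stream of packets


def parse_flows(text):
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append({"ts": float(r["ts"]), "src": r["src"], "dst": r["dst"],
                     "dport": int(r["dport"]), "bytes": int(r["bytes"]),
                     "packets": int(r["packets"]), "duration": float(r["duration"])})
    return rows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def detect_port_scans(flows):
    """Many distinct ports from one source to one destination, each carrying
    almost nothing, inside one time bucket."""
    ports, total_bytes, count = defaultdict(set), defaultdict(int), defaultdict(int)
    for f in flows:
        key = (f["src"], f["dst"], int(f["ts"] // SCAN_WINDOW_S))
        ports[key].add(f["dport"])
        total_bytes[key] += f["bytes"]
        count[key] += 1
    findings = []
    for key, p in ports.items():
        src, dst, _ = key
        if len(p) >= SCAN_MIN_PORTS and total_bytes[key] / count[key] <= SCAN_MAX_AVG_BYTES:
            findings.append({"type": "port_scan", "src": src, "dst": dst, "ports": len(p)})
    return findings


def detect_miner_like(flows):
    """Mining rarely stands out by volume; what stands out is a persistent,
    low-rate outbound session, which no host log file will show."""
    findings = []
    for f in flows:
        if (not is_internal(f["dst"]) and f["duration"] >= LONG_LIVED_S
                and f["packets"] >= MIN_PACKETS
                and f["bytes"] / f["duration"] <= LOW_RATE_BPS):
            findings.append({"type": "long_lived_low_rate", "src": f["src"],
                             "dst": f["dst"], "dport": f["dport"]})
    return findings


def analyse(text=SAMPLE_FLOWS):
    flows = parse_flows(text)
    return detect_port_scans(flows) + detect_miner_like(flows)


if __name__ == "__main__":
    for finding in analyse():
        print(finding)
```

The large HTTPS download from 10.0.0.12 is deliberately included so the rate-based rule has something normal to ignore: the miner-like session is flagged for being long and thin, not for being big.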

Diagram: Layers of security.

Security Principles: Monitoring and Observability

So, when implementing network security, we must follow security principles and best practices. Firstly, monitoring and observability. To set up adequate security controls on a zero-trust network, you need to have a clear picture of all the users and devices with access to a network and what access privileges they require to do their jobs.

Therefore, the comprehensive audit you must undertake should include up-to-date access lists and policies. We also need to ensure that network security policies are kept up to date. Testing their effectiveness regularly is an excellent idea to ensure that no vulnerabilities have escaped notice. Finally, monitoring: zero-trust network traffic is constantly monitored for unusual or suspicious behavior.

You can’t protect what you can’t see.

The first step in the policy optimization process is understanding how the network connects, what is connecting, and what should be connecting. You can’t protect what you can’t see. Therefore, everything disparately managed within a hybrid network must be fully understood and consolidated. Secondly, once you know how things connect, how do you ensure they don’t reconnect through a broader definition of connectivity?


You must support different user groups, security groups, and IP addresses. You can’t rely on IP addresses alone to implement security controls anymore. We need visibility at the traffic flow, process, and contextual data levels. Without this granular application visibility, mapping and understanding normal traffic flows and irregular communication patterns is challenging.

Complete network visibility

We also need to identify easily when there is a threat. For this, we need a multi-dimensional security model and good visibility. Network visibility is integral to security, compliance, troubleshooting, and capacity planning. Unfortunately, custom monitoring solutions cannot cope with the explosive growth of networks.

We also have reasonable solutions from Cisco, such as Cisco’s Nexus Dashboard Data Broker (NDDB). NDDB is a packet brokering solution that provides a software-defined, programmable way to aggregate, filter, and replicate network traffic using SPAN or optical TAPs for network monitoring and visibility.

What prevents visibility?

There is a long list of things that can prevent visibility. Firstly, there are too many devices and complexity and variance between vendors in managing them. Even CLI commands from the same vendor vary. Too many changes result in the inability to meet the service level agreement (SLA), as you are just layering on connectivity without fully understanding how the network connects.

This results in complex firewall policies. For example, you have access but are not sure if you should have access. Again, this leads to significant, complex firewall policies without context. More often, the entire network lacks visibility. For example, AWS teams understand the Amazon cloud but do not have visibility on-premise. We also have distributed responsibilities across multiple groups, which results in fragmented processes and workflows.

Security Principles: Data-flow Mapping

Network security starts with the data. Data-flow mapping enables you to map and understand how data flows within an organization. First, you must understand how data flows across your hybrid network and between all the different resources and people, such as internal employees, external partners, and customers. Knowing the who, what, when, where, why, and how of your data creates a strong security posture, because you can then understand who has access to sensitive data.

Data-flow mapping will help you create a baseline. Once you have a baseline, you can start implementing Chaos Engineering projects to help you understand your environment and its limits. One example would be a Chaos Engineering Kubernetes project that breaks systems in a controlled manner.


What prevents mapping sensitive data flows?

What prevents mapping sensitive data flow? Firstly, there is an inability to understand how the hybrid network connects. Do you know where sensitive data is, how to find it, and how to ensure it has the minimum necessary access?

With many teams managing different parts and the rapid pace of application deployments, there are often no documents. No filing systems in place. There is a lack of application connectivity requirements. People don’t worry about documenting and focus on connectivity. More often than not, we have an overconnected network environment.

We often connect first and think about security afterwards. There is also the inability to understand whether application connectivity violates security policy or lacks the resources the application requires. Finally, there is a lack of visibility into the cloud and the applications and resources deployed there. What is in the cloud, and how is it connected to on-premises systems and to external Internet access?
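A data-flow map does not need a product to get started: attach each address to an application tier and a sensitivity tag, aggregate observed flows to the tier level, and diff the result against the documented connectivity requirements. Everything in the diff is either the over-connected network described above or undocumented access to sensitive data. This is an added example written for this page, not a tool's code; the inventory, the REQUIRED policy and the observed flows are constructed.

```python
"""Data-flow mapping from constructed flow observations: attach each address to
an application tier and a sensitivity tag, aggregate who talks to whom on
which port, then compare the map with the documented connectivity
requirements. Example code written for this page; hosts, tiers and
requirements are illustrative."""
from collections import defaultdict

# Constructed inventory: address -> (application tier, holds sensitive data?)
INVENTORY = {
    "10.1.0.10": ("web", False),
    "10.1.0.11": ("web", False),
    "10.2.0.20": ("app", False),
    "10.3.0.30": ("customer-db", True),
    "10.3.0.31": ("hr-db", True),
    "10.9.0.99": ("jumpbox", False),
}

# Documented application connectivity requirements: (src tier, dst tier) -> ports.
REQUIRED = {
    ("web", "app"): {8443},
    ("app", "customer-db"): {5432},
}

# Constructed observations: (src, dst, dst port, flow count over the window).
OBSERVED = [
    ("10.1.0.10", "10.2.0.20", 8443, 1200),
    ("10.1.0.11", "10.2.0.20", 8443, 980),
    ("10.2.0.20", "10.3.0.30", 5432, 3100),
    ("10.1.0.10", "10.3.0.30", 5432, 4),     # web reaching the DB directly
    ("10.9.0.99", "10.3.0.31", 3306, 17),    # jumpbox into the HR database
    ("10.9.0.99", "10.2.0.20", 22, 40),      # admin SSH, never documented
]


def tier_of(ip):
    return INVENTORY.get(ip, ("unknown", False))[0]


def is_sensitive(ip):
    return INVENTORY.get(ip, ("unknown", False))[1]


def map_flows(observed=OBSERVED):
    """Aggregate host-level flows into a tier-level map: (src, dst) -> {port: flows}."""
    flow_map = defaultdict(lambda: defaultdict(int))
    for src, dst, port, count in observed:
        flow_map[(tier_of(src), tier_of(dst))][port] += count
    return {pair: dict(ports) for pair, ports in flow_map.items()}


def undocumented_paths(flow_map):
    """Every tier pair and port absent from REQUIRED: the over-connected part."""
    return sorted((s, d, p) for (s, d), ports in flow_map.items()
                  for p in ports if p not in REQUIRED.get((s, d), set()))


def sensitive_exposure(observed=OBSERVED):
    """Undocumented access to hosts tagged sensitive, with the source tier, so
    the report answers who is reaching sensitive data and whether they should."""
    exposure = []
    for src, dst, port, count in observed:
        allowed = REQUIRED.get((tier_of(src), tier_of(dst)), set())
        if is_sensitive(dst) and port not in allowed:
            exposure.append({"src_tier": tier_of(src), "dst": dst,
                             "port": port, "flows": count})
    return exposure


def baseline_report():
    flow_map = map_flows()
    return {"map": flow_map, "undocumented": undocumented_paths(flow_map),
            "sensitive": sensitive_exposure()}


if __name__ == "__main__":
    for key, value in baseline_report().items():
        print(key, value)
```

The low flow counts on the two sensitive-data findings are the point: a volume-based view would never surface four direct web-to-database connections, but a policy diff does, and that map is the baseline later chaos experiments are measured against.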


Implementing Network Security and the Different Types of Telemetry

Implementing network security involves leveraging the different types of telemetry for monitoring and analysis. For this, we have various kinds of packet analysis and telemetry data. Packet analysis is critical and involves new tools and technologies such as packet brokers. In addition, SPAN sessions and TAPs need to be placed strategically in the network infrastructure.

Telemetry such as flow, SNMP, and API data is also examined. Flow telemetry comes in forms such as NetFlow and IPFIX. We can also start to look at API telemetry. Then we have logs, which provide a wealth of information. So we have different types of telemetry and different ways of collecting and analyzing it, and we can now use it from both the network and the security perspective.

From the security perspective, it is used for threat detection and response. From the network side, it is used for network and application performance. So there is a lot of telemetry that can be used for security. These technologies were initially viewed as performance monitoring; however, security and networking have merged to meet cybersecurity use cases. In summary, we have flow, SNMP, and API for network and application performance, and encrypted traffic analysis and machine learning for threat and risk identification for security teams.

The issues with packet analysis: Encryption

The issue with packet analysis is that everything is encrypted, especially with TLS 1.3 and at the WAN edge. So how do you decrypt all of this, and how do you store it? Decrypting traffic creates an additional attack surface, and you don’t want to decrypt everything anyway.

Do not fully decrypt the packets

One possible solution is not to fully decrypt the packets. By looking at the packet information, especially the headers, which consist of the layer 2 and TCP headers, you can often decipher what is expected and what is malicious. You can look at the packets’ lengths and their arrival order and timing, and understand which DNS server the host uses.

Also look at the round-trip time and the connection times. There are many features you can extract from encrypted traffic without fully decrypting it. Combined, all this information can be fed to machine learning models to distinguish good from bad traffic.

You don’t need to decrypt everything. You may not have to look at the actual payload: from the pattern of the packets, with the right tools, you can see that one site is bad and another is good.
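To make the preceding three paragraphs concrete, the following added example derives features only from packet lengths and inter-arrival times (nothing from the payload, so no decryption) and feeds them to a nearest-centroid classifier. It is written for this page and is not a product's ETA model: the training flows and the "benign"/"suspicious" labels are constructed, and the feature set is a minimal illustration of the kind of input such models consume.

```python
"""Encrypted-traffic analysis without decryption: derive features from packet
sizes and inter-arrival times alone, then classify a new flow with a
nearest-centroid model trained on labelled examples. Example code written for
this page; the training flows are constructed and the labels illustrative."""
import math
import statistics
from collections import defaultdict


def features(lengths, gaps):
    """Four payload-free features: mean packet length, share of large packets
    (MTU-sized responses are typical of downloads), mean inter-arrival time,
    and the gap coefficient of variation (machine-timed traffic is regular)."""
    mean_gap = statistics.mean(gaps)
    return [
        statistics.mean(lengths),
        sum(1 for n in lengths if n >= 1000) / len(lengths),
        mean_gap,
        statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0,
    ]


class NearestCentroid:
    """Z-score each feature with the training statistics, average per label,
    and assign a new flow to the closest centroid."""

    def __init__(self, samples):  # samples: list of (label, feature vector)
        columns = list(zip(*(vec for _, vec in samples)))
        self.mu = [statistics.mean(c) for c in columns]
        self.sigma = [statistics.pstdev(c) or 1.0 for c in columns]  # guard constant columns
        grouped = defaultdict(list)
        for label, vec in samples:
            grouped[label].append(self._scale(vec))
        self.centroids = {label: [statistics.mean(c) for c in zip(*vecs)]
                          for label, vecs in grouped.items()}

    def _scale(self, vec):
        return [(x - m) / s for x, m, s in zip(vec, self.mu, self.sigma)]

    def predict(self, vec):
        z = self._scale(vec)
        return min(self.centroids, key=lambda label: math.dist(z, self.centroids[label]))


# Constructed training flows: (label, packet lengths in bytes, inter-arrival gaps in s).
# "benign" mimics a page fetch: small request, MTU-sized responses, millisecond gaps.
# "suspicious" mimics a fixed-interval beacon: uniform small packets, clockwork timing.
TRAINING = [
    ("benign", [150, 1400, 1400, 1400, 1200], [0.02, 0.01, 0.01, 0.03]),
    ("benign", [200, 1400, 1400, 900], [0.05, 0.01, 0.02]),
    ("benign", [120, 1400, 1400, 1400, 1400, 600], [0.03, 0.01, 0.01, 0.01, 0.04]),
    ("suspicious", [210, 205, 212, 208, 209], [60.0, 60.1, 59.9, 60.0]),
    ("suspicious", [190, 195, 192, 191], [30.0, 30.0, 30.1]),
    ("suspicious", [300, 298, 301, 299, 300, 302], [120.0, 120.2, 119.8, 120.0, 120.1]),
]


def train_model(training=TRAINING):
    return NearestCentroid([(label, features(lens, gaps)) for label, lens, gaps in training])


def classify(lengths, gaps, model=None):
    """Label an unseen flow from its metadata alone."""
    return (model or train_model()).predict(features(lengths, gaps))


if __name__ == "__main__":
    model = train_model()
    print(classify([250, 248, 252, 251], [45.0, 45.0, 45.1], model))
    print(classify([100, 1400, 1400, 1300], [0.02, 0.01, 0.02], model))
```

The second query uses a 45-second interval that appears nowhere in the training data; standardising the features first is what lets the model generalise from the timing regularity rather than from one memorised interval.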

Key Points: Implementing network security

I have summarized how you might start implementing network security into four main stages. First, implementing network security begins with good visibility; this visibility must be combined with all our existing security tools. A packet broker can be used along with good automation. Finally, this approach must span all our environments, both on-premises and in the cloud.

Diagram: A final note on implementing network security.

  • Stage 1: Know your infrastructure with good visibility

The first thing is getting to know all the traffic around your infrastructure, and you need to know this for on-premises, cloud, and multi-cloud scenarios. You need high visibility across all environments.

  • Stage 2: Implement security tools

In every environment, we have infrastructure that our applications and services ride upon, and several tools are used to protect it. These tools are placed in different parts of the network. As you know, we have firewalls, DLP, email gateways, and SIEM, plus other tools that carry out various security functions. These tools will not disappear or be replaced anytime soon, but they must be better integrated.

  • Stage 3: Network packet broker

You can introduce a network packet broker. This packet brokering device fetches the data and then sends it on to the existing security tools you have in place. Essentially, this ensures that there are no blind spots in the network. Remember that this network packet broker should support any workload to any tool.

  • Stage 4: Cloud packet broker

In the cloud, you will have a variety of workloads and several tools, such as SIEM, IPS, and APM. These tools need access to your data. A packet broker can be used in the cloud, too. So, if you are in a cloud environment, you need to understand the native cloud protocols, such as VPC mirroring; this traffic can be brokered, allowing some transformation to happen before we move the traffic over. These transformation functions can include de-duplication, packet slicing, and TLS analysis.

This will give you complete visibility into the data set across VPC at scale, eliminating any blind spots and improving the security posture by sending appropriate network traffic, whether packets or metadata, to the tools stacked in the cloud. 
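The three transformations named for the cloud packet broker (de-duplication, packet slicing, TLS analysis) are small enough to show end to end. The following added example, written for this page and not taken from any broker product, builds a few Ethernet/IPv4/TCP frames inline with zeroed checksums, drops the duplicate copy a second TAP or mirror session would deliver, slices each frame to its headers, and tags frames whose payload starts with a TLS handshake record; the Broker class and build_frame helper are constructed for illustration.

```python
"""Packet-broker transformations on constructed frames: drop duplicate copies,
slice each frame to its headers for tools that need metadata rather than
payload, and tag frames whose payload begins with a TLS handshake record.
Example code written for this page, not any vendor's broker."""
import hashlib
import struct

ETH_LEN, IP_LEN, TCP_LEN = 14, 20, 20
HEADER_LEN = ETH_LEN + IP_LEN + TCP_LEN


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; sample data only)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", 0x0800)
    total_len = IP_LEN + TCP_LEN + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, (TCP_LEN // 4) << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def is_tls_handshake(frame):
    """TLS record header: content type 0x16 (handshake), version 0x0301..0x0304."""
    payload = frame[HEADER_LEN:]
    return (len(payload) >= 5 and payload[0] == 0x16
            and payload[1] == 0x03 and 1 <= payload[2] <= 4)


def slice_frame(frame, keep=HEADER_LEN):
    """Packet slicing: forward only the headers, so the tool never stores payload."""
    return frame[:keep]


class Broker:
    def __init__(self):
        self.seen = set()   # digests of forwarded frames; a real broker bounds this by time
        self.forwarded = []
        self.dropped = 0

    def ingest(self, frame):
        """De-duplicate on the full-frame digest; returns True if forwarded."""
        digest = hashlib.sha256(frame).digest()
        if digest in self.seen:
            self.dropped += 1
            return False
        self.seen.add(digest)
        self.forwarded.append(frame)
        return True

    def to_tools(self):
        """What the security tools receive: sliced frames, destination port, TLS tag."""
        port_off = ETH_LEN + IP_LEN + 2
        return [{"len": len(slice_frame(f)), "tls_handshake": is_tls_handshake(f),
                 "dport": struct.unpack("!H", f[port_off:port_off + 2])[0]}
                for f in self.forwarded]


def broker_example():
    # Constructed traffic: a TLS ClientHello record start on 443 and a plain HTTP request.
    hello = build_frame("10.0.0.5", "203.0.113.7", 51000, 443,
                        b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x00")
    http = build_frame("10.0.0.5", "203.0.113.8", 51001, 80, b"GET / HTTP/1.1\r\n")
    broker = Broker()
    for frame in (hello, hello, http):   # the TLS frame arrives twice (two TAPs)
        broker.ingest(frame)
    return broker


if __name__ == "__main__":
    b = broker_example()
    print(b.dropped, b.to_tools())
```

Slicing to HEADER_LEN is what keeps decrypted or sensitive payload out of the tool's storage; the TLS tag is derived from the five-byte record header that precedes the encrypted content, so no decryption takes place at the broker.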

Implementing robust network security measures is of utmost importance in an era where cyber threats continue to evolve and become more sophisticated. Individuals and organizations can fortify their network security posture by assessing vulnerabilities, establishing firewalls and intrusion detection systems, enforcing strong authentication and access controls, conducting regular software updates, and implementing data encryption and secure communication protocols. Remember, network security is an ongoing process that requires continuous monitoring and adaptation to stay one step ahead of potential threats.

Network Security Components

Section 1: Firewalls – The First Line of Defense

Firewalls act as a barrier between your internal network and the outside world. They analyze incoming and outgoing network traffic and block potentially harmful data packets. By setting up firewalls properly, you can control access to your network and protect against unauthorized access attempts.

Section 2: Encryption – Securing Your Data

Encryption converts sensitive data into an unreadable format called ciphertext using cryptographic algorithms. This ensures that even if an attacker gains access to your data, they won’t be able to make sense of it. Implementing encryption protocols, such as SSL/TLS, for data transmission and using encryption algorithms for stored data adds an extra layer of protection.

Section 3: User Authentication – Verifying Legitimate Access

User authentication is vital to prevent unauthorized access to your network. Implementing strong password policies, multi-factor authentication, and regularly reviewing user privileges are effective measures to ensure that only authorized individuals can access your network resources.

Section 4: Intrusion Detection Systems – Detecting and Responding to Threats

Intrusion Detection Systems (IDS) monitor network traffic and identify suspicious activities or potential security breaches. IDS can be network- or host-based, providing real-time alerts and enabling swift response to mitigate potential risks.

Section 5: Network Monitoring – Keeping an Eye on Your Network

Network monitoring tools enable you to monitor network traffic, identify anomalies, and detect potential security incidents. You can proactively address any vulnerabilities by constantly monitoring your network, ensuring your system’s security and integrity.

Section 6: Best Practices for Network Security

To enhance your network security, it is essential to follow best practices. Some key recommendations include regularly updating software and firmware, conducting security audits, performing regular backups, educating employees on cybersecurity awareness, and staying informed about the latest security threats and solutions.

Summary: Implementing Network Security

In today’s interconnected world, where digital communication and data exchange are the norm, ensuring your network’s security is paramount. Implementing robust network security measures not only protects sensitive information but also safeguards against potential threats and unauthorized access. This blog post provided you with a comprehensive guide on implementing network security, covering key areas and best practices.

Section 1: Assessing Vulnerabilities

Before diving into security solutions, it’s crucial to assess the vulnerabilities present in your network infrastructure. Conducting a thorough audit helps identify weaknesses such as outdated software, unsecured access points, or inadequate user permissions.

Section 2: Firewall Protection

One of the fundamental pillars of network security is a strong firewall. A firewall is a barrier between your internal network and external threats, monitoring and filtering incoming and outgoing traffic. It serves as the first line of defense, preventing unauthorized access and blocking malicious activities.

Section 3: Intrusion Detection Systems

Intrusion Detection Systems (IDS) play a vital role in network security by actively monitoring network traffic, identifying suspicious patterns, and alerting administrators to potential threats. IDS can be network- or host-based, providing real-time insights into ongoing attacks or vulnerabilities.

Section 4: Securing Wireless Networks

Wireless networks are susceptible to various security risks due to their inherent nature. Implementing robust encryption protocols, regularly updating firmware, and using unique and complex passwords are essential to securing your wireless network. Additionally, segregating guest networks from internal networks helps prevent unauthorized access.

Section 5: User Authentication and Access Controls

Controlling user access is crucial to maintaining network security. Implementing robust user authentication mechanisms such as two-factor authentication (2FA) or biometric authentication adds an extra layer of protection. Regularly reviewing user permissions, revoking access for former employees, and employing the principle of least privilege ensures that only authorized individuals can access sensitive information.

Conclusion:

Implementing network security measures is an ongoing process that requires a proactive approach. Assessing vulnerabilities, deploying firewalls and intrusion detection systems, securing wireless networks, and implementing robust user authentication controls are crucial steps toward safeguarding your network. By prioritizing network security and staying informed about emerging threats, you can ensure the integrity and confidentiality of your data.

Zero Trust Network Design

In today’s interconnected world, where data breaches and cyber threats have become commonplace, traditional perimeter defenses are no longer enough to protect sensitive information. Enter Zero Trust Network Design, a security approach that prioritizes data protection by assuming that every user and device, inside or outside the network, is a potential threat. In this blog post, we will explore the Zero Trust Network Design concept, its principles, and its benefits in securing the modern digital landscape.

Zero trust network design is a security concept that focuses on reducing the attack surface of an organization’s network. It is based on the assumption that users and systems inside a network are untrusted, and therefore all traffic is considered untrusted and must be verified before access is granted. This contrasts with traditional networks, which often rely on perimeter-based security to protect against external threats.

 

Highlights: Zero Trust Network Design

  • Never Trust, Always Verify

The core concept of zero trust network design and zero trust network segmentation is never to trust, always verify. This means that all traffic, regardless of its origin, must be verified before access is granted. This is achieved through layered security controls, including authentication, authorization, encryption, and monitoring.

Authentication is used to verify the identity of users and devices before allowing access to resources. Authorization is used to determine what resources a user or device is allowed to access. Encryption is used to protect data in transit and at rest. Monitoring is used to detect threats and suspicious activity.

  • Zero Trust Network Segmentation

Zero trust network design, including zero trust network segmentation, is becoming increasingly popular as organizations move away from perimeter-based security. By verifying all traffic rather than relying on perimeter-based security, organizations can reduce their attack surface and improve their overall security posture. With a zero-trust network segmentation approach, networks are segmented into smaller islands with specific workloads. In addition, each segment has its own ingress and egress controls to minimize the “blast radius” of unauthorized access to data.

 

For pre-information, you may find the following helpful:

  1. DNS Security Designs
  2. Zero Trust Access
  3. SD WAN Segmentation

 



Zero Trust Architecture

Key Zero Trust Network Design Discussion Points:


  • Zero Trust principles.

  • The TCP weak connectivity model.

  • Develop a Zero Trust architecture.

  • Issues of the traditional perimeter.

  • The use of micro perimeters.

 

Back to basics with the Zero Trust Network Design

Challenging Landscape

The drive for zero trust networking and a software-defined perimeter is again gaining momentum. Bad actors are getting increasingly sophisticated, resulting in a pervasive sense of unease about traditional networking and security methods. So why are our network infrastructure and applications open to such severe security risks? This Zero Trust tutorial recaps some of the technological weaknesses driving the path to Zero Trust network design and Zero Trust SASE.

We give devices IP addresses so they can connect to the Internet, and then we bolt protections on around that connectivity; the diagram later in this post shows the three standard pathways. None of these techniques ensures that attacks will not happen. They are like preventive medicine. With today’s bad actor sophistication, we need to be closer to full immunization, so that attacks cannot even touch your infrastructure, by implementing a zero trust security strategy and software-defined perimeter solutions.

 

Understanding Zero Trust Network Design:

Zero Trust Network Design is a security framework that aims to prevent and mitigate cyber-attacks by continuously verifying and validating every access request. Unlike the traditional perimeter-based security model, Zero Trust Network Design leverages several core principles to achieve a higher level of security:

1. Least Privilege: Users and devices are granted only the minimum level of access required to perform their specific tasks. This principle ensures that the potential damage is limited even if a user’s credentials are compromised.

2. Micro-Segmentation: Networks are divided into smaller, isolated segments, making it more challenging for an attacker to move laterally and gain unauthorized access to critical systems or data.

3. Continuous Authentication: Zero Trust Network Design emphasizes multi-factor authentication and continuous verification of user identity and device health rather than relying solely on static credentials like usernames and passwords.

4. Network Visibility: Comprehensive monitoring and logging are crucial components of Zero Trust Network Design. By closely monitoring network traffic, access decisions, and logs, organizations can detect anomalies and potential security breaches in near real time.

Benefits of Zero Trust Network Design:

Implementing Zero Trust Network Design offers numerous benefits for organizations seeking to protect their sensitive data and mitigate cyber risks:

1. Enhanced Security: By assuming that all users and devices are untrusted, Zero Trust Network Design provides a higher level of security against both internal and external threats. It minimizes the risk of unauthorized access and helps organizations detect and respond to potential breaches more effectively.

2. Improved Compliance: Many industries are subject to strict regulatory requirements regarding protecting sensitive data. Zero Trust Network Design addresses these compliance challenges by providing granular control over access permissions and ensuring that only authorized individuals can access critical information.

3. Reduced Attack Surface: Zero Trust Network Design reduces the attack surface for potential attackers by segmenting networks and implementing strict access controls. This proactive approach makes it significantly harder for cybercriminals to move laterally within the network and gain access to sensitive data.

4. Simplified User Experience: Contrary to common misconceptions, implementing Zero Trust Network Design does not have to come at the expense of user experience. With modern identity and access management solutions, users can enjoy a seamless and secure authentication process, regardless of location or device.

 

Highlighting zero trust network segmentation

Zero trust network segmentation is a process in which a network is divided into smaller, more secure parts. This can be done with software firewalls, virtual LANs (VLANs), or other network security controls. The purpose of zero trust network segmentation, also known as microsegmentation, is to decrease the attack surface of a network and reduce the potential damage caused by a network breach. It also allows for more granular control over user access, which can help prevent unauthorized access to sensitive data.

Microsegmentation also allows for more efficient deployment of applications and more detailed monitoring and logging of network activity. By leveraging the advantages of microsegmentation, organizations can increase their network’s security and efficiency while protecting their data and resources.

 

Zero Trust: Changing the Approach to Security

Zero Trust is about fundamentally transforming the underlying philosophy and approach to enterprise security—shifting from outdated and demonstrably ineffective perimeter-centric methods to a dynamic, identity-centric, and policy-based system. Policies are at the heart of Zero Trust—after all, its primary architectural components are Policy Decision Points and Policy Enforcement Points. In our Zero Trust world, policies are the structures organizations create to define which identities are permitted access to resources under which circumstances.

 

 

Diagram: Define Zero Trust: The standard three pathways.

 

Introduction to Zero Trust Network Design

The Zero Trust model and the software-defined perimeter (SDP) describe a connection-based security architecture designed to stop attacks before they reach a service. The infrastructure and its applications are not exposed. Instead, the user is authenticated and authorized, and the device they are on is validated, before any connection to a protected resource is allowed.

A Zero Trust architecture allows you to keep operating while vulnerabilities are open and patches and configuration changes are still in progress. Essentially, it cloaks an application or group of applications so they are invisible to unauthenticated attackers. Note that cloaking reduces exposure; it does not remove the vulnerability, so patching still matters.

Diagram: Zero Trust Network Design. The Principles. Source cimcor.

 

Zero Trust principles

Zero Trust Networking (ZTN) and SDP are a security philosophy and a set of Zero Trust principles which, taken together, represent a significant shift in how security should be approached. The foundational security elements used before Zero Trust often achieved only coarse-grained separation of users, networks, and applications.

Zero Trust enhances this, effectively requiring that all identities and resources be segmented from one another. It enables fine-grained, identity- and context-sensitive access controls driven by an automated platform. Zero Trust started as a narrowly focused approach of not trusting any network identity until it had been authenticated and authorized.

 

  • A key point: Traditional security boundaries

Traditionally, security boundaries were placed at the edge of the enterprise network in a classic “castle wall and moat” approach. A significant issue with this was the design of the connection itself: traditional, non-Zero Trust security solutions have been unable to bridge the disconnect between network-level and application-level security. Users (and their devices) obtained broad access to networks, while applications relied on authentication-only access control.

 

Issue 1 – We Connect First and Then Authenticate

Connect first, authenticate second.

TCP/IP is a fundamentally open network protocol facilitating easy connectivity and reliable communications between distributed computing nodes. It has served us well in terms of enabling our hyper-connected world but—for various reasons—doesn’t include security as part of its core capabilities.

 

TCP has a weak security foundation

Transmission Control Protocol (TCP) has been around for decades and has a weak security foundation. When it was created, security was out of scope. TCP can detect and retransmit lost or corrupted segments, but by default it does not encrypt or authenticate anything; the packets travel in the clear, which poses security risks. In addition, TCP operates with a Connect First, Authenticate Second model, which is inherently insecure and leaves the two connecting parties wide open to attack. When a client wants to communicate with and access an application, it first sets up a connection.

Only once the connect stage has completed successfully can the authentication stage occur, and only after authentication has completed does application data start to flow.

Diagram: Zero Trust security. The TCP model of connectivity.

 

From a security perspective, the most important thing to understand is that this connection occurs purely at a network layer with no identity, authentication, or authorization. The beauty of this model is that it enables anyone with a browser to easily connect to any public web server without requiring any upfront registration or permission. This is a perfect approach for a public web server but a lousy approach for a private application.

 

The potential for malicious activity

With this process of Connect First and Authenticate Second, we are essentially opening up the door of the network and the application without knowing who is on the other side. Unfortunately, with this model, we have no idea who the client is until they have carried out the connect phase, and once they have connected, they are already in the network. Maybe the requesting client is not trustworthy and has bad intentions. If so, once they connect, they can carry out malicious activity and potentially perform data exfiltration. 

 

Developing a Zero Trust Architecture

A zero trust architecture requires endpoints to authenticate and be authorized before obtaining network access to protected servers. Then, real-time encrypted connections are created between the requesting systems and the application infrastructure. With a zero trust architecture, we must establish trust between the client and the application before the client can set up the connection. Zero Trust is all about trust: never trust, always verify.

The trust is bi-directional: between the client and the Zero Trust architecture (which can take several forms) and between the application and the Zero Trust architecture. It is not a one-time check; it is a continuous mode of operation. Once the initial trust check succeeds, the client authenticates, and only then is the user connected to the application. Zero Trust access events flip the entire security model and make it more robust.

  • We have gone from connecting first, authenticating second to authenticating first, connecting second.
Diagram: The Zero Trust model of connectivity.

 

Example of zero trust network access

Single Packet Authorization (SPA)

The user cannot see or know where the applications are located. SDP hides the application and creates a “dark” network by using Single Packet Authorization (SPA) for the authorization.

The goal of SPA, also known as Single Packet Authentication, is to overcome the open and insecure nature of TCP/IP, which follows a “connect then authenticate” model. SPA is a lightweight security protocol that validates a device or user’s identity before permitting network access to the SDP. The purpose of SPA is to allow a service to be darkened behind a default-deny firewall: the firewall drops everything until a single valid SPA packet from a client causes it to open a pinhole for that client.

The systems use a One-Time Password (OTP) generated by an agreed algorithm and embed the current password in the initial network packet sent from the client to the server. The SDP specification mentions sending the SPA packet after establishing a TCP connection, whereas the open-source implementation from the creators of SPA (fwknop) uses a UDP packet before any TCP connection is made.

Diagram: Single Packet Authorization.
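The connect-first versus authenticate-first contrast described under Issue 1 and the SPA mechanism just described can be walked through end to end in code. The following is an added Python example written for this post; it is not code from the original article, from the SDP specification, or from fwknop. It assumes a pre-shared HMAC key, a 30-second freshness window and a 10-second pinhole, simulates the firewall in memory rather than programming real iptables/nftables rules, and leaves out the payload encryption a production SPA packet also carries.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Shared secret provisioned out of band; constructed for this example, not a real key.
SPA_KEY = b"constructed-example-key-do-not-reuse"
FRESHNESS_WINDOW = 30   # seconds: older (or future-dated) packets are rejected
ACCESS_TTL = 10         # seconds the firewall pinhole stays open after a good packet
TAG_LEN = 32            # bytes of HMAC-SHA256


def build_spa_packet(client_id: str, dst_port: int, key: bytes = SPA_KEY,
                     now: Optional[float] = None) -> bytes:
    """Client side: one UDP datagram carrying identity, freshness and an HMAC tag.
    (A production SPA packet is also encrypted; that step is omitted here.)"""
    now = time.time() if now is None else now
    body = json.dumps({"client_id": client_id, "ts": int(now),
                       "nonce": secrets.token_hex(8), "port": dst_port},
                      sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag)


class SpaGateway:
    """Server side: a default-deny firewall that opens a port to a source only
    after a valid, fresh, never-before-seen SPA packet. State is kept in memory;
    a real gateway would program iptables/nftables rules instead."""

    def __init__(self, key: bytes = SPA_KEY):
        self.key = key
        self.seen_nonces = {}   # nonce -> expiry; the replay cache
        self.allowed = {}       # (src_ip, dst_port) -> expiry; the open pinholes

    def handle_spa(self, src_ip: str, datagram: bytes, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        try:
            raw = base64.b64decode(datagram, validate=True)
        except Exception:
            return "drop: malformed"
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "drop: bad hmac"          # unauthenticated senders learn nothing
        fields = json.loads(body)            # parsed only after the tag checks out
        if abs(now - fields["ts"]) > FRESHNESS_WINDOW:
            return "drop: stale"
        self._expire(now)
        if fields["nonce"] in self.seen_nonces:
            return "drop: replay"
        self.seen_nonces[fields["nonce"]] = now + FRESHNESS_WINDOW
        self.allowed[(src_ip, fields["port"])] = now + ACCESS_TTL
        return f"open: {fields['client_id']} -> tcp/{fields['port']} for {ACCESS_TTL}s"

    def tcp_connect(self, src_ip: str, dst_port: int, now: Optional[float] = None) -> bool:
        """Stand-in for a TCP SYN hitting the firewall: allowed only through a pinhole."""
        now = time.time() if now is None else now
        self._expire(now)
        return (src_ip, dst_port) in self.allowed

    def _expire(self, now: float) -> None:
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if t > now}
        self.allowed = {k: t for k, t in self.allowed.items() if t > now}


def demo() -> list:
    """Walk through the exchange with fixed timestamps so the result is deterministic."""
    gw, t0, out = SpaGateway(), 1_700_000_000.0, []
    out.append(gw.tcp_connect("203.0.113.10", 22, now=t0))            # 1. port scan: dark
    pkt = build_spa_packet("alice@laptop", 22, now=t0)
    out.append(gw.handle_spa("203.0.113.10", pkt, now=t0))            # 2. authenticate first
    out.append(gw.tcp_connect("203.0.113.10", 22, now=t0 + 1))        # 3. ...then connect
    out.append(gw.tcp_connect("203.0.113.99", 22, now=t0 + 1))        # 4. other host: still dark
    out.append(gw.handle_spa("203.0.113.99", pkt, now=t0 + 2))        # 5. sniffed and replayed
    tampered = base64.b64encode(base64.b64decode(pkt).replace(b'"port": 22', b'"port": 23'))
    out.append(gw.handle_spa("203.0.113.10", tampered, now=t0 + 2))   # 6. modified in flight
    out.append(gw.tcp_connect("203.0.113.10", 22, now=t0 + ACCESS_TTL + 1))  # 7. pinhole closed
    return out
```

Two design points worth noting: the HMAC is verified before the body is parsed, so an unauthenticated sender never reaches the JSON parser, and the nonce cache only has to remember packets inside the freshness window, which keeps replay protection bounded. Whether the real firewall hole is keyed on source IP alone (as here) or on the client certificate presented in the subsequent mTLS handshake is an implementation choice; fwknop-style deployments typically do the former and leave identity binding to the service behind the pinhole.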

 

Issue 2 – Fixed perimeter approach to networking and security

Traditionally, security boundaries were placed at the edge of the enterprise network in a classic “castle wall and moat” approach. However, as technology evolved, remote workers and workloads became more common. As a result, security boundaries necessarily followed and expanded from just the corporate perimeter.

 

The traditional world of static domains

The traditional world of networking started with static domains. Networks were initially designed to create internal segments separated from the external world by a fixed perimeter. The classical network model divided clients and users into trusted and untrusted groups. The internal network was deemed trustworthy, whereas the external was considered hostile.

The perimeter approach to network and security has several zones: for example, the Internet, the DMZ, Trusted, and then Privileged. In addition, public and private address spaces separate network access. Private addresses were deemed more secure than public ones because they are not reachable from the Internet. However, this trust assumption, that everything on a private address is safe, is where our problems started.

Diagram: Zero Trust security meaning. The issues with traditional networks and security.

 

The fixed perimeter 

The digital threat landscape is concerning. Applications and networks are hit by external threats from all over the world. Threats also come from inside the network: insider threats within a user group and insider threats that cross user group boundaries. Each of these types of threats needs to be addressed.

One issue with the fixed perimeter approach is that it assumes a trusted internal network and a hostile external one. Instead, we must assume that the internal network is as hostile as the external one.

By some estimates, over 80% of threats come from internal malware or malicious employees. Even so, the fixed perimeter approach to networking and security is still the foundation for most network and security professionals, even though a lot has changed since the inception of the design.

Diagram: Traditional vs zero trust network. Source is thesslstore.

 

 

We get hacked daily!

We are now at a stage where 45% of US companies have experienced a data breach. The 2022 Thales Data Threat Report found that almost half (45%) of US companies suffered a data breach in the past year. But this could be higher due to the potential for undetected breaches.

We are getting hacked daily, and major networks with skilled staff are crashing. Unfortunately, the perimeter approach to networking has failed to provide adequate security in today’s digital world. It works to an extent by delaying an attack. However, a bad actor will eventually penetrate your guarded walls with enough patience and skill.

If a large gate and walls guard your house, you feel safe and think you are fully protected while inside. But no matter how large and thick that perimeter is, there is still a chance that someone can climb the walls, reach your front door, and enter your property. If a bad actor cannot even see your house, however, they cannot take the next step and try to breach your security.

 

Issue 3 – Dissolved perimeter caused by the changing environment

The environment has changed with the introduction of the cloud, advanced BYOD, machine-to-machine connections, the rise in remote access, and phishing attacks. We have many internal devices and a variety of users, such as on-site contractors, that need to access network resources.

There is also a trend for corporate devices to move to the cloud, collocated facilities, and off-site to customer and partner locations. In addition, it is becoming more diversified with hybrid architectures.

Diagram: Zero Trust concept.

 

These changes are causing major security problems for the fixed perimeter approach to networking and security. With the cloud, for example, the internal perimeter is stretched to the cloud, but traditional security mechanisms are still being used, even though it is an entirely new paradigm. The same is true for remote workers: many of them work from a variety of devices and places.

Again, traditional security mechanisms are still being used. As our environment evolves, security tools and architectures must evolve with it. Let’s face it: the network perimeter has dissolved, as your remote users, things, services, applications, and data are everywhere. As the world moves to the cloud, mobile, and the IoT, the ability to control and secure everything in the network is no longer available.

 

Phishing attacks are on the rise.

We have witnessed increased phishing attacks that can result in a bad actor landing on your local area network (LAN). Phishing is a type of social engineering where an attacker sends a fraudulent message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious software on the victim’s infrastructure, like ransomware. The term “phishing” was first used in 1994 when a group of teens worked to obtain credit card numbers from unsuspecting users on AOL manually.

Diagram: Phishing attacks. Source is helpnetsecurity.

 

Hackers are inventing new ways.

By 1995, they had created a program called AOHell to automate their work. Since then, hackers have continued to invent new ways to gather details from anyone connected to the internet. These actors have created several programs and types of malicious software still in use today.

Recently, I was a victim of a phishing email. Clicking and downloading the file is very easy if you are not educated about phishing attacks. In my case, the particular file was a .wav file. It looked safe, but it was not.

 

Issue 4 – Broad-level access

You may have heard of broad-level access and lateral movement. With traditional network and security mechanisms, when a bad actor lands on a particular segment, i.e., a VLAN in zone-based networking, they can see every host on that segment. This gives them broad-level access. Generally speaking, once you are on a VLAN you can see everything in that VLAN, and VLAN-to-VLAN communication is not the hardest thing to achieve, which results in lateral movement.

 

The issue of lateral movements

Lateral movement is the technique attackers use to progress through the organizational network after gaining initial access. Adversaries use lateral movement to identify target assets and sensitive data for their attack. Lateral Movement is the tenth tactic in the MITRE ATT&CK Enterprise matrix (TA0008). It is the set of techniques attackers use to move through the network, often harvesting credentials along the way, without being detected.

 

No intra-VLAN filtering

This is made possible because, traditionally, a security device does not filter this low down in the network, i.e., inside a VLAN (intra-VLAN filtering). A phishing email can easily land the bad actor on the LAN with broad-level access and the capability to move laterally throughout the network.

For example, a bad actor initially gains access to an unpatched central file-sharing server; they then move laterally between segments to the web developers’ machines and use a keylogger to harvest the credentials that unlock the all-important database servers.

They can then exfiltrate data over DNS or even through a social media account such as Twitter. Firewalls generally do not inspect DNS as a file transfer mechanism, so data exfiltration over DNS (data encoded into the subdomain labels of queries for an attacker-controlled domain) often goes unnoticed.

Diagram: Zero trust application access. One of the many security threats is lateral movement.
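Because the firewall will not notice DNS exfiltration, detection has to come from the DNS logs themselves. The following added Python example, written for this post rather than taken from the original article or from any product, scores DNS query logs for the pattern described above: many distinct, long subdomain labels under one base domain from one client. It assumes a BIND-style query-log line format, and the log lines are constructed for the example; the base-domain extraction (last two labels) is a simplification that a real detector would replace with the public suffix list.

```python
import math
import re
from collections import defaultdict

# Tunables: distinct subdomains per (client, base domain) and mean leftmost-label length.
MIN_DISTINCT = 5
MIN_LABEL_LEN = 20

# Assumed log format (constructed): "<client> query: <qname> IN <qtype>"
LOG_RE = re.compile(r"^(?P<src>\S+) query: (?P<qname>\S+) IN (?P<qtype>\S+)$")

# Constructed sample: ordinary lookups from two clients, plus one client pushing
# hex-encoded data out in TXT queries to an attacker-controlled domain.
SAMPLE_LOG = """\
10.0.5.23 query: www.example.com IN A
10.0.5.23 query: mail.example.com IN A
10.0.5.23 query: 4a6f686e20446f65207365637265743a.exfil-example.net IN TXT
10.0.5.23 query: 50617373776f72643a2068756e74657232.exfil-example.net IN TXT
10.0.5.23 query: 43726564697420636172643a2034313131.exfil-example.net IN TXT
10.0.5.23 query: 2d313131312d313131312d31313131202d.exfil-example.net IN TXT
10.0.5.23 query: 6c6f63616c20646f6d61696e2061646d69.exfil-example.net IN TXT
10.0.5.23 query: 6e2070617373776f72642068756e746572.exfil-example.net IN TXT
10.0.5.41 query: cdn.example.com IN A
10.0.5.41 query: api.example.com IN AAAA
10.0.5.41 query: static.example.com IN A
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of the label; reported as a secondary signal for analysts."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname: str) -> str:
    # Simplification: last two labels. Use the public suffix list in production.
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def detect_dns_exfil(log_text: str) -> list:
    """Group queries by (client, base domain) and flag groups whose leftmost labels
    look like encoded data rather than hostnames."""
    groups = defaultdict(set)
    qtypes = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # unparseable line: skip, do not crash the pipeline
        qname = m["qname"].rstrip(".").lower()
        key = (m["src"], base_domain(qname))
        groups[key].add(qname)
        qtypes[key].add(m["qtype"])
    alerts = []
    for (src, base), names in groups.items():
        leftmost = [n.split(".")[0] for n in names]
        mean_len = sum(len(l) for l in leftmost) / len(leftmost)
        if len(names) >= MIN_DISTINCT and mean_len >= MIN_LABEL_LEN:
            alerts.append({
                "src": src,
                "base_domain": base,
                "distinct_subdomains": len(names),
                "mean_label_len": round(mean_len, 1),
                "mean_entropy": round(sum(shannon_entropy(l) for l in leftmost) / len(leftmost), 2),
                "qtypes": sorted(qtypes[(src, base)]),
            })
    return alerts
```

Distinct-subdomain count is used rather than raw query volume because a tunnel must vary the label on every query to move new data, whereas a busy but legitimate client repeats the same names. In a real deployment you would add a time window, weight TXT/NULL/CNAME query types and NXDOMAIN ratios, and whitelist CDN and telemetry domains that legitimately use long generated labels.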

 

Issue 5 – The challenges with traditional firewalls

The limited world of 5-tuple

Traditional firewalls typically control access to network resources based on source IP addresses. This creates the fundamental challenge of securing access: we need to solve the user access problem, but we only have tools that control access based on IP addresses.

As a result, you have to group users, some of whom may work in different departments and roles, onto the same IP ranges to give them access to the same service. The firewall rules are also static and do not change dynamically based on the level of trust in a given device. They carry only network information.

Perhaps the user moves to a riskier location, such as an Internet cafe, or the device’s local firewall or antivirus software has been turned off by malware or even by accident. A traditional firewall cannot detect any of this; it lives in the little world of the 5-tuple (source IP, destination IP, source port, destination port, and protocol). Traditional firewalls can only express static rule sets and cannot communicate or enforce rules based on identity information.

Diagram: TCP 5 Tuple. Source is packet-foo.

 

 

Issue 6 – A Cloud-focused environment

When examining the cloud, compare it to a public parking space. A public cloud is like parking your car in a public garage rather than your own: other tenants share the space, and you do not know what they can do to your car.

Today, we are very cloud-focused, but when moving applications to the cloud, we need to be equally security-focused. The cloud environment does not map cleanly onto the traditional security controls we use in our legacy environment.

So, when putting applications in the cloud, you should not leave security at its defaults. Why? Firstly, we operate in a shared, multi-tenant model, where weak isolation or misconfiguration can expose your encryption keys or data to other tenants. There have been many cloud breaches. We still have firewalls with static rule sets, and authentication and key management issues remain in cloud protection.

 

Control point change

One of the biggest problems is that the perimeter moves when you move to a cloud-based application. Servers are no longer under your physical control. Mobile devices and tablets exacerbate the problem, as they can be located anywhere. So, trying to control the perimeter is very difficult. More importantly, firewalls only have access to, and control over, network information; they lack the user and application context that access decisions need.

Defining this perimeter is what a ZTNA architecture and the software-defined perimeter do. Once applications move to the cloud, the firewall rules in front of them are managed by the cloud consumer, not by the IT teams within the cloud providers.

So when moving applications to the cloud, even though cloud providers provide security tools, the cloud consumer has to integrate security to have more visibility than they have today.

Diagram: ZTNA. Zero Trust cloud security.

 

Before, we had clear network demarcation points set by a central physical firewall creating inside and outside trust zones. Anything outside was considered hostile, and anything on the inside was deemed trusted.

 

1. Connection-centric model

The Zero Trust model flips this around and considers everything untrusted. To do this, there are no longer pre-defined fixed network demarcation points. Instead, the network perimeter initially set in stone is now fluid and software-based.

Zero Trust is connection-centric, not network-centric. Each user on a specific device connected to the network gets an individualized connection to a particular service hidden by the perimeter.

Instead of having one perimeter that every user shares, SDP creates many small perimeters purpose-built for particular users and applications. These are known as micro perimeters. Clients are admitted to a micro perimeter only after cryptographic authentication of the user and the device.

Diagram: Security micro perimeters.

 

2. Micro perimeters: Zero trust network segmentation

The micro perimeter is based on user and device context and can dynamically adjust to environmental changes. So, as a user moves to different locations or devices, the Zero Trust architecture can detect this and set the appropriate security controls based on the new context.

The data center is no longer the center of the universe. Instead, the user on specific devices, along with their service requests, is the new center of the universe.

Zero Trust does this by decoupling the user and device from the network. The control plane, where authentication and authorization happen first, is separated from the data plane, which carries the client-to-application traffic.

Only after the control plane has approved the request is a data-plane connection built between the client and the application. Therefore, users do not need to be on the network to gain application access. As a result, they operate with least privilege and no broad-level access.

 

  • Concept: Zero trust network segmentation

The concept of zero-trust network segmentation is gaining traction in cybersecurity due to its ability to provide increased protection to an organization’s network. This method of securing networks is based on the concept of “never trust, always verify,” meaning that all traffic must be authenticated and authorized before it can access the network.

This is accomplished by segmenting the network into multiple isolated zones accessible only through specific access points, which are carefully monitored and controlled.

Network segmentation is a critical component of a zero-trust network design. By dividing the network into smaller, isolated units, it is easier to monitor and control access to the network. Additionally, segmentation makes it harder for attackers to move laterally across the network, reducing the chance of a successful attack.

Zero-trust network design segmentation is essential to any organization’s cybersecurity strategy. By utilizing segmentation, authentication, and monitoring systems, organizations can ensure their networks are secure and their data is protected.
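The “blast radius” argument above, and the file-sharing-server scenario from Issue 4, can be made concrete by computing which hosts an attacker can pivot to from a compromised machine. The following is an added Python example written for this post, not code from the original article; the host inventory, VLAN layout and allow rules are constructed. It models a legacy design (inter-VLAN rules only, no intra-VLAN filtering) beside a role-based micro-segmentation policy that denies everything not explicitly allowed, and walks the reachable set with a breadth-first search so multi-hop pivots count too.

```python
from collections import deque

# Constructed inventory: host -> (vlan, workload role)
HOSTS = {
    "ws-dev-01": ("vlan10", "dev-workstation"),
    "ws-dev-02": ("vlan10", "dev-workstation"),
    "fileshare": ("vlan10", "file-server"),
    "web-01":    ("vlan20", "web"),
    "db-01":     ("vlan30", "database"),
    "backup":    ("vlan30", "backup"),
}

# Legacy design: the firewall only sees VLAN-to-VLAN flows; inside a VLAN anything goes.
INTER_VLAN_RULES = {("vlan10", "vlan20"), ("vlan10", "vlan30"), ("vlan20", "vlan30")}


def flat_can_reach(a: str, b: str) -> bool:
    va, vb = HOSTS[a][0], HOSTS[b][0]
    return a != b and (va == vb or (va, vb) in INTER_VLAN_RULES)


# Zero trust segmentation: explicit role-to-role allow list, evaluated for every flow,
# including flows between hosts that happen to share a VLAN. Everything else is denied.
ROLE_ALLOW = {
    ("dev-workstation", "file-server"),
    ("dev-workstation", "web"),
    ("web", "database"),
    ("backup", "database"),
}


def segmented_can_reach(a: str, b: str) -> bool:
    return a != b and (HOSTS[a][1], HOSTS[b][1]) in ROLE_ALLOW


def blast_radius(start: str, can_reach) -> set:
    """All hosts an attacker holding `start` can reach, hopping through any allowed path."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for other in HOSTS:
            if other not in seen and can_reach(cur, other):
                seen.add(other)
                queue.append(other)
    seen.discard(start)
    return seen


def report(start: str) -> dict:
    """Side-by-side blast radius for one compromised host under both designs."""
    return {
        "flat": sorted(blast_radius(start, flat_can_reach)),
        "segmented": sorted(blast_radius(start, segmented_can_reach)),
    }
```

Starting from the unpatched file server in the page’s scenario, the flat design exposes every other host (the file server shares a VLAN with the workstations, which in turn have inter-VLAN rules to the web and database tiers), while the segmented policy exposes nothing, because no rule lets a file server initiate anything. Starting from a developer workstation, segmentation still allows a pivot to the database via the web tier; that is the honest result, and it shows why the role rules, not just the VLAN count, decide the blast radius.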

 

A final issue 7 – The IP address conundrum

Everything today relies on IP addresses for trust, but there is a problem: an IP address carries no knowledge of the user, so it cannot be used to assign or validate the device’s trust. IP addresses provide connectivity; they play no part in validating the trust of the endpoint or the user.

Also, IP addresses should not be used as an anchor for security policy the way they are today, because when a user moves from one place to another, the IP address changes.

 

Diagram: Three main network security flaws.

 

Security cannot be tied to an IP address

What happens to the security policy assigned to the old IP address when the address changes? Anything tied to an IP address is fragile, because an IP address is a poor hook on which to hang security policy enforcement. When you examine policy, there are several facets: user access policy touches on authorization, network access policy touches on what may be connected to, and user account policy touches on authentication.

None of these policies can be expressed in terms of IP addresses alone. This is also a significant problem for traditional firewalling, which consists of static configurations; for example, a rule may state that this particular source can reach this destination using this port number.

 

Security-related issues with IP

  1. This has no meaning. There is no indication of why that rule exists or under what conditions a packet should be allowed from one source to another.
  2. No contextual information is taken into consideration. To build a robust security posture, we must look at more than ports and IP addresses.

For a robust security posture, you need complete visibility into the network to see who connects, what they connect to, when, how, and from which device. Unfortunately, today’s firewall is static and contains only information about the network.

Zero Trust, on the other hand, enables a dynamic firewall that uses user and device context to open a single secure connection. The firewall remains closed at all other times, creating a ‘black cloud’ stance regardless of whether the connections are made to the cloud or on-premises.
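The gap between a 5-tuple rule (Issue 5) and a context-aware decision (this section) is easiest to see with both side by side. The following is an added Python example written for this post; it is not code from the original article or from any vendor’s policy engine. The policy table, attribute names (`device_managed`, `av_running`, `location_risk`, `mfa_age_s`) and the resource identifiers are hypothetical, and the policy decision point (PDP) and policy enforcement point (PEP) are reduced to in-memory functions so the re-evaluation on a context change can be shown without a real enforcement fabric.

```python
import time
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class Flow:
    """The 5-tuple: everything a traditional firewall gets to see."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str


def static_firewall(flow: Flow) -> bool:
    """Legacy rule: the 'finance' subnet 10.1.0.0/16 may reach the DB on tcp/5432.
    Any host on that subnet, including a compromised one, gets through."""
    return (flow.src_ip.startswith("10.1.") and flow.dst_ip == "10.9.0.5"
            and flow.dst_port == 5432 and flow.proto == "tcp")


@dataclass
class Context:
    """What a Zero Trust policy decision point evaluates instead of the 5-tuple.
    Attribute names are assumed for this example."""
    user: str
    groups: frozenset
    device_id: str
    device_managed: bool
    av_running: bool
    disk_encrypted: bool
    location_risk: str          # "corporate", "home" or "public"
    mfa_age_s: int              # seconds since the last MFA prompt
    evaluated_at: float = field(default_factory=time.time)


# Hypothetical policy table: resource -> conditions. Anything unlisted is denied.
POLICY = {
    "postgres://10.9.0.5:5432": {
        "group": "finance-dba",
        "max_mfa_age_s": 8 * 3600,
        "locations": {"corporate", "home"},
    },
}


def pdp_decide(resource: str, ctx: Context) -> tuple:
    """Return (allow, reason). Every condition must hold; the first failure is
    reported so the decision is explainable in logs, unlike a bare 5-tuple drop."""
    rule = POLICY.get(resource)
    if rule is None:
        return False, "no policy for resource (default deny)"
    checks = [
        (rule["group"] in ctx.groups, "user not in required group"),
        (ctx.device_managed, "unmanaged device"),
        (ctx.av_running, "endpoint protection disabled"),
        (ctx.disk_encrypted, "disk not encrypted"),
        (ctx.location_risk in rule["locations"], f"location '{ctx.location_risk}' not permitted"),
        (ctx.mfa_age_s <= rule["max_mfa_age_s"], "MFA too old, re-authenticate"),
    ]
    for ok, reason in checks:
        if not ok:
            return False, reason
    return True, "allowed"


class PolicyEnforcementPoint:
    """Keeps a per-session decision and re-evaluates on every context change,
    so a session does not outlive the conditions it was granted under."""

    def __init__(self):
        self.sessions = {}      # (user, device_id, resource) -> currently allowed?

    def request(self, resource: str, ctx: Context) -> bool:
        allow, _reason = pdp_decide(resource, ctx)
        self.sessions[(ctx.user, ctx.device_id, resource)] = allow
        return allow

    def context_changed(self, resource: str, ctx: Context) -> bool:
        """Called on any posture or location signal; returns whether the session survives."""
        return self.request(resource, ctx)


def demo() -> dict:
    db = "postgres://10.9.0.5:5432"
    # A compromised laptop on the finance VLAN presents a perfectly ordinary 5-tuple.
    flow = Flow("10.1.4.20", "10.9.0.5", 51234, 5432, "tcp")
    out = {"static_allows_compromised_host": static_firewall(flow)}

    pep = PolicyEnforcementPoint()
    alice = Context(user="alice", groups=frozenset({"finance-dba"}), device_id="LT-0042",
                    device_managed=True, av_running=True, disk_encrypted=True,
                    location_risk="corporate", mfa_age_s=600)
    out["alice_office"] = pep.request(db, alice)
    # Same laptop, same credentials, but now from an Internet cafe.
    out["alice_cafe"] = pdp_decide(db, replace(alice, location_risk="public"))
    # Malware disables AV mid-session: the PEP re-evaluates and the session is cut.
    out["alice_av_off"] = pep.context_changed(db, replace(alice, av_running=False))
    # Bob sits on the same VLAN (same 5-tuple shape) but lacks the role.
    bob = replace(alice, user="bob", groups=frozenset({"marketing"}), device_id="LT-0077")
    out["bob"] = pdp_decide(db, bob)
    return out
```

The static rule says yes to the compromised host and would say yes to Bob as well, because both present the same network facts; the PDP can say no to both and can also revoke Alice mid-session when her device posture degrades. In a real deployment the posture signals come from the endpoint agent and identity provider, and the PEP is the SDP gateway or proxy that actually holds the connection open.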

 

The rise of the next-generation firewall?

Next-generation firewalls are more advanced than traditional firewalls, and they use the information in layers 5 through 7 (session layer, presentation layer, and application layer) to perform additional functions. They can provide advanced features such as intrusion detection, prevention, and virtual private networks.

Today, most enterprise firewalls are “next generation” and typically include IDS/IPS, traffic analysis and malware detection for threat detection, URL filtering, and some degree of application awareness/control.

Like the NAC market segment, vendors in this area began a journey to identity-centric security around the same time Zero Trust ideas began percolating through the industry. Today, many NGFW vendors offer Zero Trust capabilities, but many operate with the perimeter security model.

 

Still, IP-based security systems

They are still IP-based systems offering limited identity and application-centric capabilities. In addition, NGFWs are still static firewalls. Most do not employ zero trust segmentation, and they often mandate traditional perimeter-centric network architectures with site-to-site connections and don’t offer flexible network segmentation capabilities. Similar to conventional firewalls, their access policy models are typically coarse-grained, providing users with broader network access than what is strictly necessary.

Conclusion:

Zero Trust Network Design represents a paradigm shift in network security, recognizing that traditional perimeter defenses are no longer sufficient to protect against the evolving threat landscape. By implementing this approach, organizations can significantly enhance their security posture, minimize the risk of data breaches, and ensure compliance with regulatory requirements. As the digital landscape evolves, Zero Trust Network Design offers a robust framework for safeguarding sensitive information in an increasingly interconnected world.