Zero Trust Networking I


ZERO TRUST NETWORKING

Prepared by:

Junish Paduthala Varghese

PG.Diploma in IT

Whitireia New Zealand

ABSTRACT
A zero trust network architecture moves access controls to individual devices or users, called
endpoints, rather than relying on the corporate network perimeter. Zero trust network security means
that no one is trusted by default, whether inside or outside the corporate network perimeter. In
this report we dig into enabling zero trust security through strict identity verification for every
individual and device attempting to access resources on a private network. This holistic approach
to network security draws on several principles and technologies rather than relying on one
specific technology.

INTRODUCTION
Zero trust networking is a network security model introduced by an analyst at Forrester
Research Inc. in 2010. Later, Google adopted and deployed zero trust networking in its production
networks at the beginning of 2017. It is an IT security model that requires strict identity
verification for each individual and device attempting to access resources on a private network,
regardless of whether they sit within or outside the network perimeter. Zero trust networking is
not bound to a specific technology; instead it is a network security model that combines a few
distinct protocols, principles and technologies.

            Instead of the legacy blacklist rules that are common in our security networks, a
Zero Trust Network uses a white-list rule set: at first, everything is un-trusted. The key
technologies that zero trust projects use at the moment include micro-segmentation and
software-defined perimeters. A software-defined perimeter is an alternative to VPN
architecture, and micro-segmentation further divides networks to minimize and contain any
type of breach. One of the core values of zero trust networks is multi-factor authentication
(MFA). Zero trust networking is widely used in environments like BYOD, Internet of
Things (IoT), cloud, and virtual office sites, which demand a high level enterprise network
security model. Zero trust networking brings down all aspects of traditional firewalls. The
ZTN will only trust those who have been fully verified.

Architecture and Design: Zero-Trust Network


The architecture of the zero-trust network basically originates from the disadvantages of
the traditional network security system. The traditional concept can be thought of as
"trust, but verify": you assume that practically anyone attempting to gain access to your
network is not a hacker, but you have to confirm that they have the correct credentials to get
access. A zero trust network implies that nobody is trusted by default, either inside or
outside the corporate network, so verification is required from everyone who wants access to
resources on the network (Fig.1). It verifies the user first, then the device, and gives
limited privileges on the network (Sande, 2019).
Fig.1

Zero trust network security models are an approach to network security that incorporates
various principles, protocols, and technologies. How the zero-trust architecture is modelled
depends entirely on the organization's needs: the location of users and data centers, network
traffic, connected devices, applications, network architecture and the threats being faced. In
other words, the zero-trust network security model is an effective network security idea that
can be customized to the platforms in use and the organization's needs. After Google deployed
its zero-trust network at the beginning of 2016, other giant organizations such as Microsoft,
Cisco and Oracle also introduced their own zero-trust network models (Dyer, 2018).

The legacy network security models divide the network into different zones and
protect them at the boundaries by means of firewalls or other filtering mechanisms based on
IP addresses or MAC addresses; these ideas are carried over into the zero-trust network model.
Zero-trust architecture can solve the major disadvantages of the legacy models, such as
reduced traffic inspection and lack of flexibility in the physical and logical placement of
hosts in a network. The zero trust model is paranoid by design: it assumes that attackers are
everywhere, both internal and external, so no host or user is automatically trusted. The main
principles of the model are microsegmentation and the software defined perimeter (SDP).
Microsegmentation splits the network into different segments and places network stoppages
(enforcement points) at every edge of each segment. The SDP acts as the central control
system and verifies users and their privileges by means of a set of white-list rules (Barth &
Gilman, 2017). In addition, multi-factor authentication (MFA) is a core piece of the
zero-trust network. According to Steve (2019), MFA is most commonly found in two-factor
authentication (2FA) systems that are used on numerous mainstream online platforms,
including iCloud, Facebook, Amazon and Google. A client requesting access first enters a
secret passcode, but then must also enter a code that is sent to another device such as a cell
phone. By doing this, the client has given two types of proof that they are who they claim to
be. So the architecture becomes more secure in both application-centric and network-centric
terms. By considering the segmentation policies and applying zero-trust network principles,
the basic architecture is similar to the one shown in figure 2.

Fig.2

The architecture shown in figure 2 can be divided into two parts: the control plane and the data
plane. The control plane is referred to as the heart of the zero-trust network model and is built
from different technologies such as ACLs (Access Control Lists), content filtering, IPS
(Intrusion Prevention System), IDS (Intrusion Detection System), cryptography and advanced
firewalls; it is responsible for granting access to protected resources, where users and devices
need to be authenticated. It holds a number of white-list rules, or fine-grained access control
policies, for administering remote employees and un-trusted clients (public connections) in a
network. Everything other than the control plane is considered the data plane, where the data
packets are transferred and communicated. Employees working from a remote location need to
pass through the secure gateway in order to get into the organizational network, and then they
must also satisfy the conditions to get into a sub-divisional network. An un-trusted client, on
the other hand, faces different stoppages as security checks, such as location based (LB)
access, an app server followed by a PCI server, or other validation techniques (Barth &
Gilman, 2017).

A Zero Trust architecture moves access controls from the corporate network border
to individual devices and users, called endpoints. A Zero Trust model focuses on protecting
the network edges or endpoints, instead of security boundaries on the perimeter network. The
architecture proposed by Forrester (2013) includes the concepts of secure access regardless of
location, a least privilege strategy, and continuous inspection and logging of the network,
which is the same as we discussed earlier. The architecture shown in figure 3 is an illustrative
design of the basic model, incorporating a network monitoring segment for continuous logging
in the packet control system.
Fig.3

In this framework the key architectural elements of the zero-trust network are clearly
illustrated: a segmentation gateway acting as the SDP, which has standalone security measures
along with active monitoring of the entire network perimeter; micro-segments arranged in
parallel, such as the database server and web server; and a centralized management
server/system. All packet forwarding goes through the segmentation gateway to maintain least
privilege policies throughout the network perimeter (Alexander, 2018).

Now we can discuss the application of the zero-trust model at enterprise level, which
consists of the most modern network platforms and monitoring tools. The architecture shown in
figure 4.A is the enterprise-level zero-trust architecture model currently being implemented by
different IT corporations, and figure 4.B shows a summarised view of enterprise zero-trust
security architecture with examples of its components. As seen in figure 4.A, the enterprise
model also has a control plane, called the 'Authorization Control Plane', and a data plane,
termed the 'General Compute Zone'.
Fig.4.A

Fig.4.B

The authorization control plane is the same as what we discussed in the basic model. In
addition, in the enterprise model the authorization control plane comprises a security framework
as well as resource allocation management. The security framework includes: a Policy Repository
where all the white-list and black-list rules and set parameters are stored; Trust and Policy
Engines which are responsible for processing the access request in terms of identity, access and
location context; and Authorization Servers which control and supervise the policy framework as
well as processing user credentials and adaptive authentication methods such as MFA, SAML,
OIDC, OAuth 2.0 and SCIM. The resource allocation and the policy repository can be
synchronised with enterprise directories (e.g. Active Directory, AWS Managed Microsoft AD and
Azure AD). The general compute zone is divided into two major areas: the Premise-Based
Infrastructure, where the employees and other executives of an organization are accommodated,
and Public Cloud IaaS (infrastructure-as-a-service), where un-trusted or public traffic is
treated. Both areas go through microsegmentation, which separates the micro-services or
workload "systems" into even smaller subzones if necessary. Finally, the network
interconnection between these two areas is achieved by means of a cloud interconnect such as
Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform, which have advanced
security measures at each intersection of the network (Blum, 2019).

REQUIREMENT ANALYSIS
The requirements of a zero trust network depend on the particular considerations of the
organization or company. The key aspects to consider while building a zero trust network are
the size of the organization, the number of employees, the type of service provided, the type
of network the organization currently has, network traffic, and locations. The main requirement
of a zero trust network is an authentication server. As discussed earlier in the design section,
the construction of the control plane includes strong policy making and the building of a trust
engine; this is what organizations are missing while using traditional network security
practices. Implementing network stoppages at every edge of the network requires modern
next-generation firewalls. The server setup needed for MFA, and the corresponding changes to
programs or web scripts, must also be planned, as must the bandwidth requirements in light of
the network traffic. The need for cloud platforms for better network connectivity is also a
main requirement of zero trust networks (Namuduri, 2009).

FLOW ANALYSIS
The packet or data flow in a zero trust network is almost the same as in the traditional
architecture; the data flow in the data plane of the zero trust architecture closely resembles
traditional networks. What differs is the flow of the access request, that is, the execution of
zero trust enforcement. The flow of zero trust authorization passes through four main stages:
Enforcement, Policy engine, Trust engine and Data stores. The entire network flow in zero trust
networks happens across the data plane and the control plane (Fig.5). The enforcement stage is
part of the data plane; it confirms that users or devices have passed the set rules by
forwarding each flow/request to the policy engine. The remaining stages are in the control
plane. The policy engine compares the request with the rules or context written in the policy.
The trust engine analyzes the request to calculate a risk score, like a spam score, which can be
used to make decisions about admitting unknown clients or users to the data stores (Barth &
Gilman, 2017).
Fig.5

IMPLEMENTATION AND DEPLOYMENT


Companies are reluctant to adopt zero trust networks, thinking that it is difficult,
disruptive and costly to deploy in legacy applications. In reality it is not necessary to rip
and replace the entire legacy network to deploy zero trust. The five step methodology described
here will help to implement and deploy zero trust effectively (Palo Alto Networks, 2019).

1. Define the sensitive data (Protect Surface)

Defining the sensitive data that is to be protected is the key step in this process. The protect
surface includes all critical data, applications, assets, or services (DAAS). This can be figured
out by deploying next generation firewalls in the traffic path, so that they can log the traffic
without disturbing the network.

2. Map the flows

Zero trust is a flow based architecture. Only once you know the flows can you properly
insert the controls on the network. It is critical to understand how a system works in order
to design it. The traffic flows in a network specific to the data in the protect surface
determine how to protect it. This comes from properly mapping and scanning the transaction
flows.
3. Architect a zero trust network

Designing the architecture for any network is very important. Using reference architectures, one
can customize them to suit the business. With the protect surface defined and the flows mapped,
designing the network architecture for zero trust is an apparent and easy task. Again, the
architectural elements begin with deploying a next generation firewall to enforce granular
layer 7 access controls at the micro perimeter around the sensitive data.

4. Create the zero trust policy

Once the architecture is ready, it's important to create a supporting zero trust policy
following the Kipling Method. This method makes use of granular layer 7 enforcement so that
only known, allowed traffic is admitted to your network. This significantly reduces the attack
surface and the reliance on traditional port based firewall rules. Following the Kipling
method, answering who, what, when, where, why and how for the network policies is very easy.

5. Maintain and monitor the network

Zero trust security is an iterative process: continuously looking into the internal and external
logs and focusing on the operational aspects of zero trust is what is meant by monitoring and
maintenance. Collecting system telemetry about the environment will help in giving insight to
improve the network.
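As an added example (not from the report, Palo Alto Networks, or Barth & Gilman), the Python sketch below ties the flow-analysis stages (enforcement point, policy engine, trust engine, data stores) to a Kipling-method white-list policy: each rule answers who, what, when, where, why and how, a request that matches no rule is denied by default, and the trust engine's risk score gates what remains. The rule contents, score weights and threshold are assumptions chosen for the demo.

```python
"""Toy zero-trust authorization flow (added example, not the report's own code).

Stages: enforcement point (data plane) -> policy engine -> trust engine -> data store.
Rule contents, risk weights and the threshold are constructed for the demo.
"""
from dataclasses import dataclass


@dataclass
class Request:
    user: str             # who
    resource: str         # what (the protected DAAS element)
    hour: int             # when (0-23)
    location: str         # where (network location of the client)
    purpose: str          # why (business justification tag)
    app_proto: str        # how (layer-7 application protocol)
    device_managed: bool  # context used by the trust engine
    mfa_passed: bool      # context used by the trust engine


# Policy repository: white-list rules only. Anything not matched is denied.
POLICY = [
    {"who": {"alice", "bob"}, "what": "pci-db", "when": range(8, 19),
     "where": {"hq", "branch"}, "why": "billing", "how": "postgres"},
    {"who": {"alice"}, "what": "web-app", "when": range(0, 24),
     "where": {"hq", "branch", "remote"}, "why": "ops", "how": "https"},
]

RISK_THRESHOLD = 50  # assumed cut-off; scores at or above this are denied


def policy_engine(req: Request) -> bool:
    """True only if some white-list rule matches every Kipling field."""
    return any(
        req.user in r["who"] and req.resource == r["what"]
        and req.hour in r["when"] and req.location in r["where"]
        and req.purpose == r["why"] and req.app_proto == r["how"]
        for r in POLICY
    )


def trust_engine(req: Request) -> int:
    """Risk score in the spirit of a spam score: 0 is fully trusted, higher is riskier."""
    score = 0
    if not req.device_managed:
        score += 40  # unknown device is the largest single risk factor here
    if not req.mfa_passed:
        score += 35  # single-factor login
    if req.location == "remote":
        score += 15  # off-premise access
    if req.resource == "pci-db":
        score += 10  # sensitive data store raises the stakes
    return score


def enforcement_point(req: Request) -> tuple:
    """Data-plane enforcement: default deny, then policy match, then trust score."""
    if not policy_engine(req):
        return ("deny", "no white-list rule matched")
    risk = trust_engine(req)
    if risk >= RISK_THRESHOLD:
        return ("deny", f"risk score {risk} >= {RISK_THRESHOLD}")
    return ("allow", f"risk score {risk}")
```

The same request from a managed device with MFA is allowed, while from an unmanaged device it matches the policy yet is still denied by the trust score, which is the two-stage decision the flow analysis describes.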

MONITORING AND PROTOCOLS


The usual network monitoring tools and conventional methods can also be applied in zero
trust networks. Continuous monitoring is a crucial part of zero trust. Analysis and reporting
are also needed to evaluate network functionality. In zero trust networks, monitoring should
be considered at both the data plane and the control plane. For monitoring the data plane, we
can make use of existing network monitoring tools like Wireshark, Nagios XI, Datadog and other
command line tools. Reporting of firewall incidents should also be done at each network
stoppage, and daily traffic monitoring is done with the available monitoring tools. For
monitoring the control plane, server monitoring, authentication check-ups, and analysis and
testing should be done from time to time. Server monitoring can be done through advanced
monitoring tools like Nagios, Cacti, Zabbix, Ntop, Icinga, etc. In addition, the Intrusion
Detection System (IDS) from Cisco is also widely used in zero trust networks (Entertainment
Close - Up, 2015).

Since a zero trust network is a security model applied on top of an advanced network, it
retains all the protocols used in organizational networks. Security oriented protocols like
UDP, TCP, SSH and other secured protocol versions play an important role in the zero trust
network. Delivery protocols like HTTPS also play an important part in data processing.
EXAMPLE PROJECTS
Google BeyondCorp

BeyondCorp is a zero trust network model framed by Google that emphasises individual devices
and users rather than the perimeter. The benefit of this model is that users can access
applications anytime, anywhere, without using a traditional VPN. BeyondCorp dispels network
segmentation as the primary mechanism for protecting sensitive data. All applications are made
available to individual devices and users through an authentication and authorization workflow
(Dyer, 2018). The working diagram shown in figure 6 is the BeyondCorp model of zero trust.

Fig.6

Meta Networks' SDP solution

Meta Networks' SDP is an effective way to connect users or employees to applications in the
data center and the cloud. It eliminates the limitations of traditional VPNs: overlay
connections and slowness. Meta NaaS delivers segmented, verified and audited access for every
type of user. With the help of zero trust networking, users are able to access only what is
authorized by policy; the rest is isolated. It verifies a fixed, unique identity for every
single packet. The system is designed to support millions of users on a cloud native,
encrypted overlay network that reduces last-mile latency and optimizes routing (Meta Networks,
2019). Refer to figure 7 for the architecture model of Meta Networks' SDP.
Fig.7

SUMMARY
A zero trust network is a security model based on a strict access principle, trusting no one,
even those within the perimeter. Attackers can be found both inside and outside the network,
so under zero trust security no one is trusted automatically. One of the most important
principles of this method is least privilege access, which helps in securing sensitive data.
Microsegmentation and multi factor authentication (MFA) are core factors of zero trust
security. Implementing this security model along with tools like Advanced Malware Protection
(AMP), next-generation firewalls, Umbrella, email security, AnyConnect and Application-Centric
Infrastructure (ACI) helps secure the sensitive data and protect surface. Any organization can
be easily and quickly protected using a zero trust security system.

References:

Alexander, Z. (2018, April 17). Zero trust security model. Retrieved September 13, 2019, from https://www.zubairalexander.com/blog/zero-trust-security-model/

Barth, D., & Gilman, E. (2017). Zero Trust Networks. Retrieved from https://www.oreilly.com/library/view/zero-trust-networks/9781491962183/ch01.html

Blum, D. (2019, February 13). Network segmentation in the zero trust era. Retrieved September 13, 2019, from Security Architects Partners website: https://security-architect.com/net-segmentation-in-the-zero-trust-era/

Dyer, S. (2018, October 3). How to start applying Google's "Zero Trust" model. Retrieved September 13, 2019, from The New Stack website: https://thenewstack.io/how-to-start-applying-googles-zero-trust-model/

Entertainment Close - Up. (2015). Pertino engineers zero-trust networking for wide area network. Entertainment Close - Up; Jacksonville. Retrieved from http://search.proquest.com/docview/1673904187/abstract/9136D04430724A68PQ/1

Forrester. (2013). Developing a Framework to Improve Critical Infrastructure Cybersecurity. Retrieved from https://www.nist.gov/sites/default/files/documents/2017/06/05/040813_forrester_research.pdf

Meta Networks. (2019). Zero-trust network access. Retrieved September 15, 2019, from Meta Networks website: https://www.metanetworks.com/platforms/zero-trust-network/

Namuduri, K. (2009). An active trust model based on zero knowledge proofs for airborne networks. Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies, 38:1–38:4. https://doi.org/10.1145/1558607.1558650

Palo Alto Networks. (2019). Simplify zero trust implementation with a five-step methodology. Retrieved from https://start.paloaltonetworks.com/5-steps-to-zero-trust.html

Sande, S. (2019, May 17). Networking and security series: Zero Trust, a new way to look at network security. Retrieved September 13, 2019, from Rocket Yard, The OWC Blog website: https://blog.macsales.com/48549-zero-trust-a-new-way-to-look-at-network-security/
