How Networks Can Support A Zero Trust Architecture

With more people working from home, companies have started to rely on VPNs to grant users secure access. However, VPNs aren’t the only way for businesses to provide a secure connection for workers. Network World describes an approach known as zero trust architecture, which grants users only the bare minimum of access to a network: whatever access a user’s job requires is what the zero-trust architecture will allow that user to have.

Zero trust works by verifying every single device’s connection to the network. It uses an identity-management system that allows particular devices access only to specific parts of the network. Authorized users no longer have access to any and all parts of the network; they can only get into the specific locations they need to perform their jobs. Zero trust is an overarching architecture, but certain elements apply specifically to networks. This article intends to demystify those elements and show how networks can be used to support zero trust.

The Principle of Least Privilege

Beyond Trust tells us that the principle of least privilege states that every account, user, or device accessing the network has limited access rights based on what it needs to perform its duties. One way that networking professionals can ensure least-privilege access is via network segmentation. When a device or a user logs into a network, it is granted access only to the segment of the system where the pertinent data is stored.

Networks can quickly implement this using a simple switching technique. By placing different segments in areas that are unreachable from each other, they limit the impact of a breach. If a user or device is compromised, its limited access reduces the damage to the overall organization. Any applications or data reachable from the compromised machine are limited to the segments where that user or device has access.

Network segmentation can also be performed physically. Different networks can be placed in different locations or on separate server points, each with its own dedicated server. Suppose a malicious user is trying to hijack a central server. In that case, this setup ensures that only one of the company’s servers becomes compromised, with the rest of the business’s systems intact and safe.

Layer-2 Segmentation

Layer-2 segmentation introduces inline security, isolating end users and their devices from the rest of the network traffic. While this can be accomplished using switches alone, deploying hardware on such a scale can be costly. A more convenient method is port-based network access control, which places each device into a virtual LAN (VLAN) based on its authentication credentials and supplicant certificate. Both wired and wireless networks typically use this method of segmentation. The drawback to implementing Layer-2 segmentation is that businesses may not leverage the full suite of available roles, authentication credentials, and traffic filters needed to make the system work reliably. Most vendors provide a swathe of filtering options, but without proper categorization of users and devices, layer-2 segmentation is not a viable methodology.

Layer-3 Segmentation

Like the previous entry, this method also relies on inline security, but it enforces that security through filtering. The network is split into several VLANs, each on a different subnet. Access is then granted to users inline using filters, usually applied on a switch on the network. Another approach that network admins can look at is network slicing. In this case, the system is split into “slices,” with routing and forwarding to each slice decided by the credentials and role of the user.

One intuitive way this can be done is by assigning each server a unique IPv4 or IPv6 address, then having the servers advertise their availability only within their own subnets. Since the servers are local to the subnet, external users have no way to detect the server’s presence. An intrusion on a host outside that subnet would not be able to reach it, keeping the data located on it safe.

Overlay tunnels provide another method of layer-3 segmentation. These tunnels run over the IP network and encapsulate traffic from specific users or classes of users. Network admins can implement overlay tunnels in several ways, including TCP segmentation offload or a virtual extensible LAN (VXLAN).

Packet tagging is another way that networks can establish trust between interfaces. Packet tagging attaches an internal identifier to each packet sent, and an endpoint can only decrypt the packets it has the access level to unpack. In modern networks, this can be accomplished using segment routing: a routing header included in an IPv6 packet controls the communications path for each packet that follows.

NIST Suggestions

The National Institute of Standards and Technology (NIST) updated its guidelines for zero trust architecture implementation in August 2020. Some of the suggestions mesh with what the Cloud Security Alliance calls a Software Defined Perimeter (SDP). This perimeter is defined by authenticating and validating users as they present themselves to the network, using policy decision points and policy enforcement points.
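As an added example (not code from the article or from any product it mentions), the role-based Layer-3 filtering described earlier and the NIST policy decision point / policy enforcement point split can be sketched as a small default-deny policy engine in Python. The roles, VLAN subnets, posture flag and packets below are constructed assumptions, not a real deployment.

```python
"""Default-deny segment policy: a policy decision point (PDP) that maps an
authenticated session to the segments it may reach, and a policy enforcement
point (PEP) that filters packets. Roles, subnets and sessions are constructed."""
import ipaddress
from dataclasses import dataclass

# Role -> VLAN subnets that role may reach. Anything not listed is denied,
# which is the least-privilege default the article calls for.
SEGMENT_POLICY = {
    "hr":      ["10.10.0.0/24"],                                  # HR VLAN
    "finance": ["10.20.0.0/24"],                                  # finance VLAN
    "admin":   ["10.10.0.0/24", "10.20.0.0/24", "10.99.0.0/24"],  # + mgmt VLAN
}
SEGMENT_POLICY = {r: [ipaddress.ip_network(n) for n in nets]
                  for r, nets in SEGMENT_POLICY.items()}

@dataclass
class Session:
    user: str
    role: str
    device_compliant: bool  # posture result from the identity-management system

def decide(session: Session, dst_ip: str):
    """PDP: return (allowed, reason). Every packet is re-evaluated; there is
    no implicit trust just because the session authenticated earlier."""
    if not session.device_compliant:
        return False, "device failed posture check"
    dst = ipaddress.ip_address(dst_ip)
    for net in SEGMENT_POLICY.get(session.role, []):  # unknown role -> deny
        if dst in net:  # IPv6 dst against an IPv4 net is simply False
            return True, f"role {session.role} may reach {net}"
    return False, f"{dst} is outside the segments permitted to {session.role}"

def enforce(session: Session, packets):
    """PEP: split (dst_ip, payload) packets into forwarded and dropped lists,
    consulting the PDP for each one."""
    forwarded, dropped = [], []
    for dst_ip, payload in packets:
        allowed, reason = decide(session, dst_ip)
        (forwarded if allowed else dropped).append((dst_ip, reason))
    return forwarded, dropped

if __name__ == "__main__":
    alice = Session("alice", "hr", device_compliant=True)
    fwd, drop = enforce(alice, [("10.10.0.5", "payroll query"),
                                ("10.20.0.7", "ledger query")])
    print("forwarded:", fwd)  # HR segment only
    print("dropped:", drop)   # finance segment is outside alice's role
```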

There are myriad segmentation, isolation, and zero-trust networking protocols that administrators can implement. From those that impact the host operating system to those that reside on client machines, segmentation is just a matter of determining how a particular subset of users should access the network. Network security isn’t like physical security. A network admin needs to understand zero trust as an architecture. If it isn’t implemented network-wide, then it’s liable to fail.