You heard it right, “Zero Trust”. Unlike human being who can innately identify stranger from friend and appropriately facilitate trust, network infrastructure is incapable of distinguishing friend from foe. It requires well planned initiatives, tools and mechanisms to enable anomaly detection capability in a network infrastructure.
In traditional deployment, an innate trust is applied to users of intranet while increase scrutiny reserved for external traffic. Such concept is fundamentally flawed. In many cases, attacks are originating internally from malware plagued user endpoints than directly from outside. Lockheed martin Cyber Kill Chain® framework explains this phenomenon very well. The framework identifies 7 steps adversaries take to achieve their objective in cyber intrusion.
Figure 1. Lockheed Martin Cyber Kill Chain® Depicting how hacker gain access to network resources (Lockheed Martin, 2019)
Collectively these 7 steps comprise of APT (Advanced Persistent Threats) technique that hackers use to gain access to network resources and stay undetected for a period of time:
- Reconnaissance: This is first step in hacking which involves information gathering about people, host and network. Hacker may scan press release, internet, social networks and other media to learn about people of a targeted organization, next step is discovering possible victim (s). Hacker may use tool such as nmap and ping scan etc to gain an understanding of networks and hosts involved.
- Weaponization: In this phase, hacker uses information gathered previously to prepare for attack It may involve creating believable Spear Phishing e-mails which is look alike of e-mails that can be potentially received from a known vendor or other business contact. Victim may be then directed to a fake web page identical to vendor’s website through a technique called “Watering Holes”. The sole purpose is to capture your username and password, or to offer you a free download of a document or something else of interest. The process will help hacker gain required credential gain access to the network in order to successfully exploit any vulnerabilities that they may find.
- Delivery: Now, hacker starts the attack that may include a series or things e.g. Phishing e-mails with weaponized attachment or redirection to fake web page where user credential is collected. If the Phishing e-mail contains a malware as attachment, then attacker waits for someone to open the attachment and for the malware to call back.
- Exploitation: In this phase, hacker uses victim’s credential e.g. username and password to access the network. If victim opened the malware laced attachment, then hacker remotely accesses to computer.
- Installation: In order to keep sustain access in the network, hacker install code for backdoor access, possibly launch attack to other computers and may create admin accounts and turn off firewall rules etc.
- Command & Control: Now, hacker may have access of other computers, an understanding of network and even better credentials to gain uninterrupted access to data and applications. At this point hacker is in control of network infrastructure.
- Action on Objectives: With control of network, hacker now have upper hand to achieve their objectives. They could be stealing product design, user data and other confidential information to either monetize the data or use it to cause harm to targeted organization.
As evident from the steps of APT (Advance Persistent Threat), hacker may use a computer of an internal user to launch attack to the network. Same can be done through network devices and Wi-Fi or IOT gateways. According to ZDNET, thousands of Wi-Fi gateway including Huawei HG532 and Realtek RTL81XX were exploited by Gafgyt malware that takes advantage of known vulnerabilities to rope these devices into a botnet for the purpose of setting Distributed Denial of Service (DDOS) attack (ZDNET, 2019). This brings us to the very question of “Trust” for devices and users that are inside or outside of network perimeter and trying to connect to network.
What is Zero Trust?
The first step towards protecting internal attacks is to treat internal devices and users same as you would treat external users and devices. Essentially considering all devices and users, external or internal as potential source for adversaries to launch attack. Rooted in this concept of “Zero Trust” is a security concept that organizations should not automatically “trust” anything inside or outside its network perimeter instead verify everything trying to gain access to its network resources. The term “Zero Trust” first coined by John Kindervag, a former principal analyst of Forrester Research and currently serving as Field CTO at Palo Alto Networks. The first example of such network was deployed by Google through its “BeyondCorp” initiative. The guideline set forth by Google helps the path for other organizations to formulate and realize their own implementation of “Zero Trust network”.
The concept of BeyondCorp dismisses traditional perimeter defense security model and the notion of network segmentation as the primary mechanism for protecting sensitive resources. Instead, it advises that all applications and resources can be only accessible through a user and device-centric authentication and authorization workflow.
Implementation of Zero Trust Network Security Model
Moving towards “Zero Trust” IT security model is an expensive undertaking but it can be implemented in phases. Rather than depending on vendors to dictate the term and tell you how to do it. A simple but effective mechanism of implementing zero trust is to start with some basics such as Identity and access management (IAM), Micro-segmentation and SDP (software Defined Perimeter).
Many would suggest you that traditional notion of network segmentation and firewalls are ineffective. We would suggest against it. Rather than removing your existing install base and starting with a fresh approach, it is better to take the thought that “Zero Trust” is a framework for IT security and there is no better way to do it than understanding your objectives and breaking those objectives in bite size pieces to achieve overall goal of “Zero Trust” security. Hence, we can begin our journey following through the discussion of APT. If you are considering reducing the risk of APT as one objective to create “Zero Trust Networks” than IAM could be the first approach you will take.
Identity and Access Management (IAM)
The IAM also known as Identity Management is a framework of business policies, processes and technologies that collectively enables the management of digital identities of users and devices. The goal for IAM is to ensure that any given identity has access to the right resources whether it is applications, databases and/or networks and as such is done within the correct context. There are many tools and methods are available for IAM but herein two distinct approaches will be discussed: a) TPM for device level encryption and identity and b) Multi-factor authentication for users.
Trusted Platform Module (TPM)
Today, many devices including whitebox switches, routers, OEM networking equipment, servers and laptop/desktop are equipped with a powerful yet essential Hardware-Based Endpoint Security module known as TPM. It’s a small cryptographic IC (Integrated Circuit) provides a hardware-based approach to manage user authentication, network access, data protection and more that takes security to higher level than software-based security. The diagram below is a typical depiction of network switch that includes TPM as part of CPU subsystem.
Figure 2 Typical depiction of Network switch that includes TPM as part of CPU subsystem.
The TPM module is based on the Trusted Computing Group’s root of trust and should be essential part of IT security model, today. Many OEM vendor’s such Cisco and Juniper provides their own tools enable and manage TPM. Many IT security practitioners cite complexity and added cost as one reason to not implement hardware-based endpoint security but as such is an oxymoron. Many COTS (Common Off The Shelf) devices nowadays uses TPM as integral part of their system, e.g. whitebox switches. For those buying COTS devices may ask independent NOS (Network Operating System) vendor to include TPM tool as part of their offering, it should be mandatory. As for desktop and servers etc, latest windows Operating System includes the support for TPM including private or public key support. Cloud software such Microsoft Azure provides complete IAM capability and integration of TPM to its active directory services. Those opting for linux OS, tools and mechanisms are available to enable TPM. So why not use it.
Next in your list should be available network access protocol such as TACACS+ (Terminal Access Controller Access Control Service Plus). It was originally developed by Cisco and later released as open standard in 1993. It’s earlier legacy precursor is defined by RFC 1492. The primary goal of TACACS+ is to provide centralized database against which to perform authentication and in actuality TACACS+ provides AAA (Authentication, Authorization and Accounting). The TACACS+ is based on client-server approach and uses TCP as transport protocol with default port 49. In contrast RADIUS (Remote Access Dial In User Server) uses UDP as transport protocol. Both RADIUS and TACACS+ make use of shared key for encryption and decryption for the communication between client and server. Unlike RADIUS, TACACS+ encrypt entire payload making it difficult for hackers to sniff and analyze packets or retrieve payload data including username and services etc. One important consideration to use TACACS+ apart from its ability to encrypt entire payload is that it can be used with Active Directory or LDAP server and thus having visibility on device identity and service requests.
Using both TPM and TACACS+, network security manager can innately eliminate some of the common vulnerabilities of network with perimeter defense that effective.
Multi-factor Authentications (MFA)
You are perhaps familiar with it in some form or other. Perhaps you have encountered it when creating an email account at Yahoo or Google. The MFA adds extra layer of protection on top of username and password for network resource access. It can be two factors or even three factors authentications. requires a user to present two or more of the three possible authentication factors. In order for the authentication to be complete, the verification system (the computer, the website or application etc) must validate each factor after it is presented. For example, an SMS code for OTP (One-Time Password) [RFC 6238] can be used for 2nd level verification. There many mechanisms available for 2nd and 3rd level authentication, e.g. voice, hardware-based token or even biometric signature. IT security professionals advice to consider this appropriate based on PCI DSS, SOX, and HIPAA mandate as applicable to their business.
In a traditional network, the concept of segmentation is done through different mechanisms such as through Zoning, Firewalls and VLAN etc. However, proponents of micro-segmentation argue that network is unaware of application and databases that are running within its perimeter and hence, segmentation mechanisms may not be effective curtailing attacks in applications or databases. Some even goes as per as suggesting that Firewalls are too cumbersome and inflexible for dynamic nature of today’s cloud system. Hence, something more adaptive and dynamic is needed that can be limit hacker’s exploitation to perhaps single application than multiple applications or databases. There are numerous tools available to create visibility and limit attacks in applications using micro-segmentation method. Micro-segmentation is based on idea of stopping lateral movement incase of an attack. It is based on two principles: Granular segmentation that allows monitoring and enforcement down to hypervisor level and Dynamic segmentation that enhances former with threat intelligence and dynamic implementation of policy enforcement when a threat is detected. With micro-segmentation path between applications can be restricted and only access can be granted through approved path. In this way, if hackers mange to attack a single application the exposure can be limited to that application only. Micro-segmentation can be implemented two ways:
Agent-less: This approach generally depends on existing third party APIs, span ports and netflow etc to collect and control traffic. This mechanism allows the possibility to collect visibility flows, contexts and alerts which in turn can be used to set security policies. Many networking devices that support standard interface like netconf for SDN (Software Defined Networking) can be integrated with an orchestration platform to create security policies for micro-segmentation.
Agent-based: In contrast, agent-based approach uses a small footprint microcode to be placed in network devices and servers within userspace of the underlying OS. An API can collect required information for security policies to be implemented. Agents can be deployed through existing management and automation tools such as Ansible, Chef, Puppet, SSCM or built into cloud workload templates.
Software Defined Perimeter (SDP)
In somewhat similar to micro-segmentation, SDP dispels the notion of perimeter defense and provides mechanism to stop attacks at the first place. It uses centralized controller that grant access based on assigned policies. The concept is proposed by CSA (Cloud Security Alliance) as a framework for dynamic network protection which is developed based on the Global Information Grid (GIG) Black Core network initiative proposed by the Defense Information Systems Agency (DISA) (Moubayed, Refaey & Shami, 2019). It adopts “need-to-know” model of DISA where the device’s identity is verified and authenticated first before granting access to the application infrastructure. Because of this selective process, infrastructure is referred to as “black” meaning infrastructure is unknown to users and cannot be detected. As a result, SDP can effectively mitigate many network-based attacks including server scanning, denial of service, and man-in-the middle etc.
The SDP uses centralized or distributed controller to validate device and user credentials and relies on five separate security layers to grant or reject access:
- Single Packet Authentication (SPA): In this phase, SDP controller which reject access to the device if user authorization fails.
- Mutual Transport Layer Security (mTLS): SDP uses full power of TLS standard to enable mutual two-way cryptographic authentication.
- Device Validation: It is an extra layer protection in which device is verified that is belongs to authorized user.
- Dynamic Firewall: Unlike static firewalls with thousands of rule, it uses dynamic firewall with one constant rule in which to deny access to all connections. After vigorously verifying device and users, rule will be relaxed granting access to applications or resources.
- Application Binding: In this process SDP forces application to use TLS tunnel this ensures only authorized application can communicate whereas unauthorized application will be blocked.
The discussion presented here provides basic understanding Zero Trust networks. IT professionals may use the methods presented here to implement “Zero Trust” security model for their respective organization. However, it is to be noted that process of implementation requires through analysis of network and application environments along with applicable compliance and governance requirements. It is better to consider “Zero Trust Networks” as a phased approach in which each phase planning and implementation will depend upon success of the prior. IT professional may choose to implement one or multiple of these methods in phased deployments but always verifying the deployment against objective. Some implementation may overlap in security features and hence, appropriate guidance is needed.
- Lockheed Martin, 2019. The Cyber Kill Chain®. Available online at
- Moubayed, A., Refaey, A. & Shami, A., 2019. Software-Defined Perimeter (SDP): State of the Art Secure Solution for Modern Networks. IEEE Network ( Volume: 33 , Issue: 5 , Sept.-Oct. 2019 ).
- ZDNET, 2019. This aggressive IoT malware is forcing Wi-Fi routers to join its botnet army. ZDNET. Available online at https://www.zdnet.com/article/this-aggressive-iot-malware-is-forcing-wi-fi-routers-to-join-its-botnet-army/