Lecture on Zero Trust Networks

Jul 26, 2024


Overview of Traditional Networks

  • Traditional (perimeter-based) networks treat everything inside the firewall as trusted: once a device or user is past the perimeter, it can usually reach most internal resources.
  • With few internal security controls, authorized and unauthorized movement look the same to the network.
  • Risks include unauthorized access to internal systems and the lateral spread of malicious software from a single compromised host.

Zero Trust Networks

  • Concept: No entity (device, user, process) is trusted by default, regardless of where it sits on the network.
  • Requirement: Every request for a resource must authenticate and prove its identity; being inside the perimeter grants nothing on its own.
  • Security Measures:
    • Multi-factor authentication (MFA)
    • Encrypting data at rest and in transit
    • Tighter system permissions (least privilege)
    • Adding firewalls, inside the network as well as at the perimeter
    • Security policies and controls applied at each point of access

Implementing Zero Trust

  • Break down security devices: separate each device into smaller functional components so that each can be controlled and secured on its own.
  • Functional Planes:
    • Data Plane: Does the actual work of moving traffic: forwarding, address translation, routing, etc.
      • Example: The parts of switches, routers and firewalls that handle frames and packets.
    • Control Plane: Manages the policies and rules that tell the data plane what to do.
      • Example: Routing tables, firewall rules.

Example Implementation

  • A physical switch: its interfaces move frames (data plane), while its configuration and management functions belong to the control plane.
  • The same split applies to virtual devices and cloud-based controls.

Adaptive Identity

  • Purpose: Strengthen identity verification by weighing additional context about the request, not just the credential presented.
  • Factors Considered:
    • Source of the request
    • Location implied by the user's IP address
    • Relationship to the organization (employee, contractor, etc.)
    • Physical location and connection type
  • Result: Authentication strength is adjusted dynamically; a low-risk request may need only a password, while a higher-risk request is prompted for additional factors.
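A worked example of the adaptive identity idea, added to these notes and not part of the lecture: each factor listed above contributes to a risk score, and the score selects how strong the authentication must be. The corporate address range, the office list, the weights and the thresholds are all assumptions chosen for illustration; the top tier, which refuses to authenticate at all, is likewise an assumption rather than something the lecture states.

```python
"""Adaptive identity: derive the authentication strength a request must meet from
the context around it. Added example for these notes, not from the lecture; the
corporate address range, office list, weights and thresholds are assumptions."""
from dataclasses import dataclass
import ipaddress

# Constructed reference data (assumptions for the example).
CORPORATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
OFFICE_LOCATIONS = {"Atlanta", "Denver"}


@dataclass
class AccessRequest:
    user: str
    relationship: str       # "employee", "contractor", "guest"
    source_ip: str          # client address as seen by the identity provider
    geo_location: str       # city derived from the address or reported by the client
    connection_type: str    # "wired", "corporate-wifi", "vpn", "public-wifi"
    device_managed: bool    # is the device enrolled in device management?


def risk_score(req: AccessRequest) -> int:
    """Add risk points for each of the factors the lecture lists. Weights are assumptions."""
    score = 0
    addr = ipaddress.ip_address(req.source_ip)
    if not any(addr in net for net in CORPORATE_NETWORKS):
        score += 1          # request originates outside the corporate address range
    if req.geo_location not in OFFICE_LOCATIONS:
        score += 1          # physical location is not a known office
    if req.relationship != "employee":
        score += 1          # contractors and guests have a weaker relationship
    if req.connection_type == "public-wifi":
        score += 2          # connection type: untrusted shared network
    if not req.device_managed:
        score += 2          # no device posture information available
    return score


def required_auth(req: AccessRequest) -> str:
    """Map the score to an authentication requirement (thresholds are assumptions)."""
    score = risk_score(req)
    if score == 0:
        return "password"                  # low risk: a single factor is enough
    if score <= 3:
        return "password+mfa"              # moderate risk: prompt for a second factor
    if score <= 6:
        return "password+mfa+device-cert"  # high risk: also require a managed-device certificate
    return "deny"                          # too many risk signals to authenticate at all
```

One caveat worth keeping in mind when wiring this up for real: a client that arrives over a VPN appears to the resource with the VPN concentrator's address, so the IP and location factors should be taken from what the identity provider saw at login, not from the packet that reaches the resource.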

Limiting Network Entry Points

  • Restrict the ways into the network, for example to connections from inside the building or over a VPN, so that every path to a resource passes through a point where policy can be applied.

Policy-Driven Access Control

  • Purpose: Decide which authentication and access rules apply by evaluating many data points about the request.
  • Security Zones:
    • Define zones based on trust level (trusted, untrusted, internal, external).
    • Write rules for communication between zones (e.g., deny traffic from untrusted to trusted).
    • Some zone pairs are trusted implicitly by the rule set (e.g., trusted to internal); this simplifies policy but should be kept to a minimum.

Policy Enforcement Points (PEP)

  • Role: Enforce the decisions made about traffic; the PEP is the gatekeeper every flow must pass through.
  • Components Involved:
    • One or more devices working together to ensure that all network traffic adheres to policy.

Policy Decision Points (PDP)

  • Role: Decide whether traffic should be allowed, based on the security policies; the PDP does not carry the traffic itself.
  • Policy Engine: Compares each request with the policies and decides to grant, deny, or revoke access.
  • Policy Administrator: Communicates the engine's decisions to the PEP.

Zero Trust Model Workflow

  1. A subject or system in the untrusted zone sends a request over the data plane, and it reaches the PEP.
  2. The PEP forwards the request details to the Policy Administrator.
  3. The Policy Administrator passes the request to the Policy Engine.
  4. The Policy Engine evaluates it against policy and makes a decision (allow/disallow).
  5. The Policy Administrator returns the decision to the PEP.
  6. The PEP enforces the decision, forwarding the traffic to the resource if allowed and dropping it otherwise.
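A worked example covering both the security zones from "Policy-Driven Access Control" and the six-step workflow above, added to these notes and not part of the lecture: a policy engine evaluates zone rules and subject state, a policy administrator relays its decisions, and an enforcement point on the data plane holds each flow until the decision arrives. It also shows the "revoke" case: the PEP keeps a session table so that a later revocation can be applied to flows that were already allowed. The zone table, the rule set, the published-port list and the request fields are all assumptions for illustration.

```python
"""Zero trust workflow: a PEP on the data plane asks the PDP (policy administrator
plus policy engine) whether a flow may pass. Added example, not from the lecture;
the zone table, the rule set and the request fields are assumptions."""
from dataclasses import dataclass
import ipaddress

# Constructed zone table (assumption): most specific zone first, untrusted is the catch-all.
ZONES = [
    ("trusted", ipaddress.ip_network("10.0.0.0/8")),
    ("dmz", ipaddress.ip_network("192.0.2.0/24")),
    ("untrusted", ipaddress.ip_network("0.0.0.0/0")),
]


def zone_of(ip: str) -> str:
    """Map an address to the first zone whose prefix contains it."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES:
        if addr in net:
            return name
    return "untrusted"  # anything unmatched (e.g. IPv6 here) is treated as untrusted


@dataclass
class AccessRequest:
    subject: str        # authenticated identity, or "" if the flow carries none
    src_ip: str
    dst_ip: str
    dst_port: int
    mfa: bool           # did the subject complete a second factor?


class PolicyEngine:
    """Compares a request with the zone rules and subject state; grants, denies or revokes."""
    # (source zone, destination zone) -> permitted; any pair not listed is denied
    ZONE_RULES = {
        ("trusted", "trusted"): True,   # implicit trust inside the trusted zone
        ("trusted", "dmz"): True,
        ("dmz", "trusted"): False,      # a compromised DMZ host cannot reach inward
        ("untrusted", "dmz"): True,     # only to published services, checked below
        ("untrusted", "trusted"): False,
    }
    PUBLISHED_PORTS = {443}             # services exposed to the untrusted zone (assumption)

    def __init__(self):
        self.revoked = set()            # subjects whose access has been withdrawn

    def decide(self, req: AccessRequest):
        src, dst = zone_of(req.src_ip), zone_of(req.dst_ip)
        if not self.ZONE_RULES.get((src, dst), False):
            return "deny", f"zone rule {src}->{dst}"
        if not req.subject:
            return "deny", "no authenticated subject"
        if req.subject in self.revoked:
            return "deny", "subject revoked"
        if src == "untrusted":
            if req.dst_port not in self.PUBLISHED_PORTS:
                return "deny", f"port {req.dst_port} not published to untrusted zone"
            if not req.mfa:
                return "deny", "MFA required from untrusted zone"
        return "allow", f"{src}->{dst} permitted for {req.subject}"

    def revoke(self, subject: str):
        self.revoked.add(subject)


class PolicyAdministrator:
    """Carries requests from the PEP to the engine and returns its decision (steps 2-5)."""
    def __init__(self, engine: PolicyEngine):
        self.engine = engine

    def evaluate(self, req: AccessRequest):
        return self.engine.decide(req)


class EnforcementPoint:
    """Data-plane device: holds each flow until the PDP answers (steps 1 and 6) and
    keeps a session table so revocations can be applied to flows already allowed."""
    def __init__(self, admin: PolicyAdministrator):
        self.admin = admin
        self.sessions = {}      # (subject, dst_ip, dst_port) -> request
        self.log = []

    def handle(self, req: AccessRequest) -> bool:
        decision, reason = self.admin.evaluate(req)
        self.log.append((req.subject, decision, reason))
        key = (req.subject, req.dst_ip, req.dst_port)
        if decision == "allow":
            self.sessions[key] = req
        else:
            self.sessions.pop(key, None)
        return decision == "allow"

    def reevaluate(self):
        """Re-ask the PDP about every live session and drop any it no longer allows."""
        dropped = [k for k, r in self.sessions.items() if self.admin.evaluate(r)[0] != "allow"]
        for k in dropped:
            del self.sessions[k]
        return dropped


def demo():
    """Run constructed requests through the workflow and return the outcomes."""
    engine = PolicyEngine()
    pep = EnforcementPoint(PolicyAdministrator(engine))
    results = {
        "inside": pep.handle(AccessRequest("alice", "10.1.1.5", "10.2.2.7", 445, False)),
        "outside_no_mfa": pep.handle(AccessRequest("bob", "203.0.113.9", "192.0.2.10", 443, False)),
        "outside_mfa": pep.handle(AccessRequest("bob", "203.0.113.9", "192.0.2.10", 443, True)),
        "outside_to_internal": pep.handle(AccessRequest("bob", "203.0.113.9", "10.2.2.7", 443, True)),
        "dmz_inward": pep.handle(AccessRequest("web", "192.0.2.10", "10.2.2.7", 1433, True)),
        "anonymous": pep.handle(AccessRequest("", "10.1.1.5", "10.2.2.7", 445, False)),
    }
    engine.revoke("bob")                        # policy changes after the session was allowed
    results["revoked_sessions"] = pep.reevaluate()
    return results
```

The point of the session table is that "revoke" in the policy engine is only meaningful if the enforcement point can act on it after the initial allow; a PEP that decides once per flow and forgets can enforce grant and deny but never revocation.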

Summary

  • Zero Trust architecture requires verifying every request for a resource, wherever it originates.
  • Multiple layers of security and control are established to prevent unauthorized access and lateral movement.
  • Adaptive identity and policy-driven access control let the strength of the controls vary with the risk of each request.