“Just because you’re paranoid doesn’t mean they aren’t after you.” – Joseph Heller
This quote from Catch-22 highlights the wisdom (and the absurdity) of adjusting to a world where threats are both known and unknown, and originate from sources both friendly and malicious. It is, however, good advice and translates well into modern InfoSec practices – especially the concept of “Zero Trust Security.” Originating from Forrester a few years ago, the Zero Trust Security approach abolishes the notion of trusted anything – no user, traffic source, or connected network should be considered above suspicion, even if it’s an email from your CISO.
Inherent Network Security
At 128 Technology, we believe that Zero Trust Security is a philosophy that must be embraced and an approach that must be incorporated throughout the network. To be clear, this doesn’t mean bolting standalone security devices all over the network – it means infusing security into the fabric of the network itself. So, how do you adopt a Zero Trust Security approach?
Whether it’s a software-defined WAN (SD-WAN) or a software-defined data center (SDDC), it’s essential in today’s threat landscape to integrate isolation, segmentation, load balancing, and firewall functions seamlessly into a network that is built with security at its core. The default behavior is to apply these security controls to sessions – the language of applications and services. Session-aware technology bridges the gap between networks and the applications they serve, enabling security functions to be inherently integrated into the network.
In order to adopt a Zero Trust Security model and enable the network to support businesses striving to compete in today’s data-driven landscape, we believe that it can only be accomplished by following certain guiding principles.
Zero Trust Security Guiding Principles
Today’s networks were designed with perimeter-based security architectures that are not suited for the sophisticated cyber attacks that make the headlines on a daily basis. In order to bring your network up to the speed of business, and fully implement a Zero Trust Security model, there are certain guiding principles that must be adopted. Those principles, and why we need them, follow.
Deny-by-Default:
In traditional networks, the allow-by-default policy transports packets across the network without any controls. By transitioning to a deny-by-default policy, the overall role of the network shifts from transporting all packets to only transporting packets that are validated as safe, properly encrypted, and business-critical. This tight control of the packet flow within the network is very powerful and can limit, and in some cases completely eliminate, network attacks.
Distributed Stateful Firewall:
Most enterprises are still relying on standalone firewall devices at the edge of the network, which rely heavily on ACLs and VLANs to control access to various segments of the network. As network traffic grows, the firewall ACL rules become unmanageable and error-prone, exposing the enterprise to various network attacks. With a session-aware firewall, access control is tied to a service within a tenant. Therefore, only members of a tenant are allowed to access its services, which minimizes the complexity of configuration while maintaining a high security standard. As a result, you have an access control rule that is context-specific and pertinent to the service, while eliminating the need for a global ACL and error-prone configurations.
Policy-Based Encryption and Authentication:
One of the primary requirements of Zero Trust Security is to support policy-based inter-router traffic encryption and authentication. Every packet exchange between 128T Routers is authenticated and encrypted by default using HMAC-SHA256-128 and AES256, respectively. As part of the flow setup process, the 128T System exchanges metadata in the first packet, and the metadata exchanged is signed using HMAC-SHA256-128 or encrypted using AES256.
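To make the "HMAC-SHA256-128" part of the paragraph above concrete, here is an added example (not 128T code, and not its wire format) that signs a constructed first-packet metadata record with an HMAC-SHA256 tag truncated to 128 bits and verifies it with a constant-time comparison; the canonical JSON encoding, field names and shared key are assumptions for the illustration, and the AES256 half is omitted because it needs a third-party library.

```python
import hashlib
import hmac
import json
import os

TAG_LEN = 16  # HMAC-SHA256-128: the 32-byte SHA-256 HMAC truncated to 128 bits


def canonical(metadata: dict) -> bytes:
    # Both routers must sign identical bytes, so serialize deterministically.
    # This JSON encoding is an assumption for the example, not 128T's format.
    return json.dumps(metadata, sort_keys=True, separators=(",", ":")).encode()


def sign_metadata(key: bytes, metadata: dict) -> bytes:
    """Return the 128-bit authentication tag for the metadata."""
    return hmac.new(key, canonical(metadata), hashlib.sha256).digest()[:TAG_LEN]


def verify_metadata(key: bytes, metadata: dict, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time to avoid timing leaks."""
    if len(tag) != TAG_LEN:
        return False
    return hmac.compare_digest(sign_metadata(key, metadata), tag)


def demo():
    # Constructed shared inter-router key and first-packet metadata.
    key = os.urandom(32)
    first_packet_meta = {
        "session_id": "c0ffee-0001",
        "tenant": "engineering",
        "service": "git",
        "src_router": "branch-1",
    }
    tag = sign_metadata(key, first_packet_meta)
    genuine_ok = verify_metadata(key, first_packet_meta, tag)
    # An on-path change to any field invalidates the tag.
    tampered = dict(first_packet_meta, tenant="guest")
    tampered_ok = verify_metadata(key, tampered, tag)
    return genuine_ok, tampered_ok, len(tag) * 8


if __name__ == "__main__":
    print(demo())  # (True, False, 128)
```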
Session-Aware Routing:
Most of the legitimate traffic on an IP network flows bi-directionally and consists of two flows, one in the forward direction and one in the reverse direction. In traditional switching and routing infrastructures, forward and reverse flows may take asymmetric paths through the network. In a session-aware network, routes can be expressed in terms of directional sessions, which automatically include the two unidirectional flows that comprise a given session. This combines the functions of a router and a stateful firewall into a single function to simplify networks and improve security.
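The deny-by-default, tenant-to-service access control and two-flow session ideas from the preceding paragraphs, modelled together in one added example (illustrative code, not 128T's implementation); the tenant prefixes, service definitions and return strings are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow, identified by its 5-tuple."""
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int

    def reverse(self) -> "Flow":
        return Flow(self.dst_ip, self.src_ip, self.proto, self.dst_port, self.src_port)


# Constructed policy: a tenant is a source prefix; a service is a destination
# (address, proto, port) plus the set of tenants allowed to reach it.
TENANTS = {"engineering": "10.1.0.0/16", "guest": "10.9.0.0/16"}
SERVICES = {
    "git": {"dst": "10.100.0.5", "proto": "tcp", "port": 22, "access": {"engineering"}},
    "intranet": {"dst": "10.100.0.8", "proto": "tcp", "port": 443, "access": {"engineering", "guest"}},
}


class SessionAwareFirewall:
    def __init__(self):
        self.sessions = set()  # forward flows of sessions already admitted

    @staticmethod
    def tenant_of(ip: str):
        addr = ipaddress.ip_address(ip)
        return next((t for t, p in TENANTS.items() if addr in ipaddress.ip_network(p)), None)

    @staticmethod
    def service_of(f: Flow):
        key = (f.dst_ip, f.proto, f.dst_port)
        return next((n for n, s in SERVICES.items() if (s["dst"], s["proto"], s["port"]) == key), None)

    def admit(self, f: Flow) -> str:
        if f in self.sessions:           # forward flow of an established session
            return "allow:established"
        if f.reverse() in self.sessions:  # reverse flow is part of the same session
            return "allow:reverse"
        svc = self.service_of(f)          # deny-by-default: no matching service, no transport
        if svc is None:
            return "deny:no-service"
        tenant = self.tenant_of(f.src_ip)
        if tenant not in SERVICES[svc]["access"]:
            return f"deny:tenant-{tenant}-not-in-{svc}"
        self.sessions.add(f)              # admit the session, not just this packet
        return f"allow:new-session:{tenant}->{svc}"
```

A server-originated packet with no prior forward flow never matches a session or a service, so it is dropped even though it comes from a "trusted" internal host.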
Centralized Policy Management:
With traditional firewall devices, the difficulty with managing policies grows as the network grows. 128T Routers provide centralized policy management, administration, provisioning, monitoring, and analytics with a single “pane-of-glass” view for all routers running in the network. With service-level policy enforcement, policies can be context-specific and globally applied to all routers for instant, comprehensive security.
Security in the DNA
By adopting a Zero Trust Security model, security is now part of your network’s DNA – transformed with the strength and intelligence to protect the sensitive information that travels across it. Your network is now your best weapon to defend against the evolving threat landscape, as well as your strongest ally when it comes to serving your business.
Until our next blog post on securing your network and your data, consider this quote from a Forrester paper on a Zero Trust Security network architecture:
“To rethink the network requires a willingness to set aside preconceived notions about what the network should be, and think about what the network could be.”
This blog was originally posted on August 8, 2016. We have updated it and republished it on December 4, 2018. Hope you enjoy the revamped post!