“Just because you’re paranoid doesn’t mean they aren’t after you.”
This quote from Catch-22 highlights the wisdom (and the absurdity) of adjusting to a world where threats are both known and unknown, and originate from sources both friendly and malicious.
It is, however, good advice, and it translates well into modern infosec practice, especially the concept of “Zero Trust Security.” Coined by Forrester Research in 2010, the Zero Trust model abolishes the notion of trusted anything: no user, traffic source, or connected network is above suspicion, regardless of what it is or where it sits on, or relative to, the corporate network. Being inside the perimeter earns no implicit trust.
At 128 Technology, we believe that Zero Trust security must be incorporated throughout the network. To be clear, this doesn’t mean putting standalone security devices everywhere – it means infusing security into the fabric of the network itself. This idea is one of our guiding principles.
So how do we incorporate the Zero Trust model into networking? As you might have guessed, it starts with session orientation.
Sessions have directionality: one endpoint (the source) initiated the exchange, and the other is responding. Stateful network functions (firewalls, NATs, load balancers, etc.) use this directionality to filter out “unrequested” packets: a packet in the reverse direction is admitted only if it matches a session that an allowed source opened earlier. Session-aware routers can apply the same check, and can do it at every hop inside your network rather than only at its edge, creating pervasive stateful firewall functionality throughout the network. In a very real sense, the network becomes the firewall. The usual caveat of stateful filtering applies: a hop can only vet a reply against a session it has seen, so a session’s forward and return traffic must traverse the hops that hold its state (or that state must be shared between them); otherwise legitimate return traffic on an asymmetric path is dropped along with the unsolicited packets.
In addition to intelligent traffic filtering, session-aware routing has some interesting implications. For example, a Denial of Service (DoS) flood is visible as a burst of session-initiating packets at the first hop that classifies it, so it can be recognized and stopped well before it gets close to the intended target. Another possibility is placing Intrusion Detection and Intrusion Prevention (IDS/IPS) capability within routers, throughout the network.
While these network-wide, distributed stateful firewall and security capabilities are highly compelling, the prospect of configuring and maintaining such a scheme could quickly become a form of “ACL Hell.” We’ve solved that challenge too.
In order to enable a distributed network-wide security model, 128 Technology has developed an architecture that simplifies how network traffic is classified, segmented, and secured.
To do this, security policies are aligned with services rather than physical infrastructure. Services represent applications reachable at an IP address (such as a web server, database server, or logging service). Services are grouped into tenants, which are sub-networks that maintain their own sets of policies, access controls, and allowed network paths. To access a service (or services) within a tenant, you need to be a member of that tenant. This approach turns the access control list (ACL) concept on its head: instead of enumerating permitted source/destination pairs on each device, access follows from tenant membership, which drastically reduces the configuration required for access control. What’s more, with the service/tenant model there are no default routes or broadcast domains; packets are forwarded only if an explicit path is configured for the service the packet is trying to reach, and everything else is dropped.
Because every 128 Technology router has knowledge of every tenant, along with the service topology, access control and policy can be baked into every possible route on the network on a session-by-session basis. As a result, you can segment the network at a very fine granularity, end-to-end across the entire network. So while traditional traffic isolation and segmentation require complex physical network separation techniques and/or overlays, the 128T Networking Platform can provide greater isolation in a more dynamic (and simpler) manner.
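Both ideas, the directional session check described above and the service/tenant policy just described, come together in a single per-hop forwarding decision. The following is an added example, not 128 Technology code and not a description of how the 128T platform implements this: a toy session-aware hop with a constructed service catalogue and tenant membership table (all names, addresses and ports are invented for illustration). A session-initiating packet is forwarded only if it targets a configured service and its source is a member of that service’s tenant; a reverse-direction packet is forwarded only when it matches a session the hop has already admitted; everything else is dropped, because there is no default route.

```python
"""Toy session-aware forwarding hop combining two checks from the text:
directional session state (unrequested packets are dropped) and a
service/tenant policy (no default route; forward only to a configured
service, and only for a member of its tenant). This is an added
illustration, not 128 Technology code; the names and addresses below
are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed service catalogue: name -> (address, port, proto, owning tenant).
SERVICES = {
    "web": ("10.1.0.10", 443, "tcp", "corp"),
    "db":  ("10.2.0.20", 5432, "tcp", "backend"),
}
# Constructed tenant membership: which source prefixes belong to a tenant.
TENANT_MEMBERS = {
    "corp":    [ip_network("192.168.1.0/24"), ip_network("10.1.0.0/24")],
    "backend": [ip_network("10.1.0.0/24")],
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


class SessionHop:
    """One router hop. State is per hop in this toy; a real session-aware
    router must keep a session's forward and return traffic on hops that
    hold its state (or share it), or replies on another path are dropped."""

    def __init__(self):
        # Forward-direction 5-tuples of sessions this hop has admitted.
        self.sessions = set()

    @staticmethod
    def tenants_of(src):
        """Tenants whose member prefixes contain the source address."""
        addr = ip_address(src)
        return {t for t, nets in TENANT_MEMBERS.items() if any(addr in n for n in nets)}

    @staticmethod
    def service_for(pkt):
        """(service name, owning tenant) for the packet's destination, or None."""
        for name, (addr, port, proto, tenant) in SERVICES.items():
            if (pkt.dst, pkt.dport, pkt.proto) == (addr, port, proto):
                return name, tenant
        return None

    def forward(self, pkt):
        """Return ("FORWARD" | "DROP", reason) for one packet."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.sessions:
            return "FORWARD", "existing session"
        if rev in self.sessions:
            # Reverse direction: admitted only because the other side opened it.
            return "FORWARD", "reply to established session"
        # A session-initiating packet: there is no default route, so it must
        # target a configured service ...
        svc = self.service_for(pkt)
        if svc is None:
            return "DROP", "no service configured at destination"
        name, tenant = svc
        # ... and the source must be a member of that service's tenant.
        if tenant not in self.tenants_of(pkt.src):
            return "DROP", f"source is not a member of tenant {tenant}"
        self.sessions.add(key)
        return "FORWARD", f"new session to service {name}"


def demo():
    """Run a constructed packet sequence through one hop; return the verdicts."""
    hop = SessionHop()
    packets = [
        Packet("192.168.1.5", 40000, "10.1.0.10", 443, "tcp"),   # client -> web
        Packet("10.1.0.10", 443, "192.168.1.5", 40000, "tcp"),   # web -> client (reply)
        Packet("10.1.0.10", 443, "192.168.1.9", 40001, "tcp"),   # unsolicited "reply"
        Packet("192.168.1.5", 40002, "10.2.0.20", 5432, "tcp"),  # client -> db (wrong tenant)
        Packet("10.1.0.10", 50000, "10.2.0.20", 5432, "tcp"),    # web -> db (backend member)
    ]
    return [hop.forward(p)[0] for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The third packet is the interesting one: it comes from a legitimate server address and looks like a server-to-client reply, but no client opened that session, so the hop treats it as session-initiating, finds no configured service at the destination, and drops it. The fourth shows the tenant check rejecting a member of one tenant reaching into another even though the destination is a real service.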
How’s that for Zero Trust?
There’s more to the 128 Technology security story, but that will have to wait for another time. In the meantime, consider this quote from a Forrester paper on Zero Trust Network Architecture: “To rethink the network requires a willingness to set aside preconceived notions about what the network should be, and think about what the network could be.”