As networks and the services they deliver become increasingly multifaceted, so does the task of ensuring network security for these services. Trends such as cloud-based implementations, highly mobile end users, and software-defined architectures have all led to new innovations around delivered applications, providing services that would have been considered science fiction only a couple of decades ago.
However, these positive trends have equally increased the attack surface of these services, offering new attack vectors for malicious actors to exploit. Risks include active and passive breaches, denial of service attacks (DDOS), address resolution protocol (ARP), dynamic host configuration protocol (DHCP), (domain name service (DNS) spoofing, malware, and man-in-the-middle attacks.
Traditionally, network infrastructure security has dealt with such risks by focusing on perimeter security, which involves implementing measures designed to protect the boundary of a network from external threats. Technologies such as firewalls, network access control systems, and VPNs are all types of perimeter defense and methods that enable infrastructure security.
Even so, with trends such as the cloud, highly mobile endpoint devices, and almost ubiquitous wireless connectivity in populated areas, the network perimeter is becoming much more difficult to define. It is no longer confined to a corporate LAN. This makes network infrastructure perimeter security correspondingly difficult to implement. Moreover, the migration of devices into and out of a corporate network, along with the possibility of users unknowingly installing malware on their devices, brings the entire concept of using the perimeter as a trusted boundary into question.
This is where a zero trust security model makes all the difference. Zero trust is a network security approach, also sometimes referred to as “perimeterless security,” where all devices are considered untrustworthy by default, regardless of their location. Every transaction involving an endpoint device must be independently authenticated, authorized, and encrypted.
This approach elevates network infrastructure security to a new level, effectively mitigating the various threats described above without the need to define or enforce a network perimeter around the infrastructure. This is especially the case for cloud-based services requiring a shared responsibility model for the secure provisioning of cloud-based services between the cloud provider and customer.
In this article, we will examine how the zero trust approach can be leveraged to deal effectively with security issues related to network infrastructure. We will also outline some best practices to keep in mind, which are based on what are known as the “seven pillars of zero trust”. You can find out more about these pillars in detail in this article, but in the meantime, let’s just list them here again for reference:
- Identity: Authentication and access control policies
- Device: Management (security, patching, and access control) of all devices
- Network: Network isolation, encryption, and monitoring
- Application: Application firewalling, testing, and code review
- Data: Data protection, integrity, and recovery
- Observability: Monitoring and analysis of logs, events, and metrics
- Automation: Vulnerability scanning and intrusion prevention
Summary of Key Network Infrastructure Security Concepts
The table below outlines some of the most important best practices to consider when approaching network infrastructure security using the zero trust security model.
Network Infrastructure Security Best Practices
As previously discussed, traditional network infrastructure security has been based on defining and defending a clear and distinct perimeter of the enterprise network. All network traffic within that perimeter is treated as trusted, creating a safe zone, and any traffic from outside of the perimeter is treated as potentially hostile.
With today’s almost fluid network infrastructure deployment resulting in a blurred and undefined network perimeter, this approach is no longer sufficient to protect a network from today’s most cunning attackers.
Below are some of the most significant best practices to consider when implementing network infrastructure security using a zero trust mindset.
Use Zero Trust Principles as Your Design Guide
The zero trust security approach is based on the premise that all network traffic is to be treated as untrusted and that access to resources is granted on an “as-needed” basis. This approach is further defined using a set of zero trust pillars, which are fundamental principles upon which the zero trust security architecture is based.
You may find that different sources quote slightly different pillars and sometimes even a different number of pillars, as some of the concepts involved are grouped differently. However, there is a consensus on what the sum of these pillars contains, resulting in a relatively young yet robust set of principles that can be successfully used today.
This article explains the zero trust pillars in detail, while this chapter of our guide provides recommendations for implementing them.
Apply the Principle of Least Privilege When Granting Access
One of the fundamentals of the zero trust model is the principle of least privilege. This security concept dictates that users and processes should be granted only the minimum level of access to resources necessary to perform their tasks. This is an important aspect of the model because it reduces the risk of data breaches and other security incidents by limiting the access that users and processes have to sensitive data and resources.
POLP is implemented through network access controls, which allow organizations to grant access to resources on a per-request basis or “as needed.” This access also has a time dimension, where access is granted only for the duration of the specific transaction or task to be completed. This principle significantly reduces the attack surface of the network infrastructure because it significantly limits access to sensitive data and resources.
The application of POLP falls under the zero trust pillar of Identity. Within that pillar, several authentication and access control best practices ensure maximum security. These include:
- User authentication, typically using multi-factor authentication (MFA), which can comprise various elements, including traditional passwords, time-based one-time passwords (TOTP), biometrics, and certificates, as well as the emerging use of passkeys.
- Certificate-based systems, where a certificate authority issues a digital certificate to allow others to verify the identity of an entity. These are commonly used to authenticate servers rather than users.
- Password policies, including strict requirements around password strength, expiration, and reset.
- Access control policies, such as role-based access control (RBAC).
- Identity provisioning policies for managing how new users are added to the system and existing users are removed.
- Identity governance policies, such as managing user identity data, including how it is collected, stored and protected.
- User onboarding and provisioning, which define the process by which new users are added, trained, and granted access to the necessary resources and training.
- Identity and access management (IAM) systems for managing user accounts and granting access to resources based on user identity and authorization.
These best practices are further explored in the article Zero Trust Pillars: A Tutorial.
Secure Traffic Between Endpoints
By doing away with perimeter security, the zero trust approach requires that every communication between endpoints be secure. Unlike traditional VPNs, which specifically secure access to a network, securing traffic between endpoints, using this approach, means that each communication session between devices is individually authenticated, authorized, and encrypted.
This security approach works with the POLP principle so that when access to sensitive resources and data is required, it can be achieved using end-device to end-device security measures, essentially creating a “trusted connection” between those two endpoints and creating such a connection only if both sides are properly authenticated and authorized to do so.
It’s important to realize that endpoints include computers, smartphones, tablets, IP cameras, servers, virtual machines, cloud-based services, IoT devices, wireless access points, and other network-connected entities. This means that all devices must be registered and controlled from a centralized platform that hosts policies governing the communication among these devices session by session.
Adopting a solution such as ZTMesh that is designed to implement zero trust will enable you to quickly and painlessly transition to this modern security paradigm.
Manage Endpoint Devices
As is the case with all entities that connect to and leverage network resources, all endpoint devices are considered to be potential security risks. As such, POLP must be enforced for all endpoint devices. A distinction must be made between the POLP policies for particular users and those for the physical devices in question. This is because some types of endpoint devices don’t correspond to human users, so they won’t benefit in the same way from some of the principles as stated in the POLP section. Areas such as user onboarding and provisioning, user authentication, identity provisioning policies, and password policies will differ when applied to devices that don’t correspond to a human user.
Devices of this type include IoT devices and network infrastructure devices. IoT devices include sensors, smart thermostats, IP cameras, and smart security systems, while network infrastructure devices include routers, switches, and wireless access points.
Some of the most important measures and best practices to ensure adherence to zero trust policies for endpoint devices include:
- Implementation of device registration and authentication processes, including generating keys and other authentication credentials
- Enforcing device configuration policies
- Monitoring endpoints for unusual activity
- Implementing remote wipe and device lockdown capabilities
- Enforcing industry-accepted encryption algorithms for all communications
Segment Networks
Network segmentation is a tried-and-true security principle that has been around for decades. By segmenting larger networks into smaller subnets, you can more conveniently apply security measures to each segment, thus ensuring custom-tailored security measures for each segment. If communication between segments is needed, it is conventionally filtered by firewalls to restrict traffic only to authorized services.
This is often referred to as micro-segmentation, emphasizing that the smaller the segment, the better the level of security you can employ on your network. The idea is that by implementing security controls at the perimeter of each micro-segment, organizations can apply different security policies to different parts of the network based on the sensitivity of the data and resources in each micro-segment and the risk of a potential breach. Should a breach occur, it is likely to be confined to that micro-segment.
Micro-segmentation can be implemented through software-defined networking (SDN) or other technologies such as virtual LANs (VLANs) that allow for the creation of logical boundaries within the network. When used in conjunction with other zero trust security measures, such as network access control, it can provide a significant additional layer of protection to the network infrastructure.
It’s important to note that micro-segmentation alone is not a sufficient measure for preventing compromise, as once a malicious actor has gained access to a segment, they are essentially granted unfettered access inside that segment and can attempt to move laterally or launch attacks without prevention or detection.
Implement Denial of Service Attack Prevention
A denial of service (DoS) attack is a type of cyber attack that involves flooding a network or system with traffic from multiple sources to overwhelm it and prevent legitimate users from accessing it. Large-scale distributed DoS (DDoS) attacks are almost impossible to defend against, short of having an environment that can scale to absorb high traffic volumes. However, there are several measures that organizations can take to protect against DoS attacks.
Although the zero trust model is not specifically designed to protect against DoS attacks, it can be used to mitigate the impact of these attacks by limiting an attacker’s ability to access and exploit network resources. Some of the security principles that help against such attacks are:
- Network micro-segmentation
- Network access control
- Multi-factor authentication (MFA)
- Comprehensive network traffic monitoring
- Incident response plans
The first two items reduce the attack surface of a possible attack. Authentication allows a service to quickly drop invalid connection requests. These are aspects of the zero trust model that are further detailed within this article.
Implement Spoofing Prevention Mechanisms
Spoofing refers to the practice of disguising oneself as another entity to gain unauthorized access to resources or to mislead others. By masquerading as a legitimate host on the network, attackers can trick other hosts into trusting them and sharing vital information.
Adhering to the zero trust approach to network security helps to mitigate spoofing attacks since all communication sessions are mutually authenticated, encrypted, and only authorized between registered endpoints according to predetermined access control policies. However, we include spoofing prevention as a best practice to protect the parts of the enterprise network that do not yet conform to zero trust principles.
Some of the most common methods of spoofing include:
- IP spoofing, where an attacker masquerades as a trusted host, such as a server or a default gateway
- DNS spoofing, where an attacker acts as a legitimate DNS server but can redirect users’ DNS requests to different IP addresses
- ARP spoofing, where an attacker sends illegitimate ARP messages in an attempt to cause hosts to direct their traffic to the attacker instead of to the intended destination
- DHCP spoofing, where a rogue DHCP server on the network responds to DHCP requests, providing incorrect network parameters to requesting hosts
The zero trust principle of allowing only authenticated communication between endpoints is of vital importance in this context because it can be used to verify that the entity with which a host is communicating is indeed the legitimate intended entity and not a spoofed attacker. ARP and DHCP spoofing can be handled through Dynamic ARP Inspection in managed switches along with allowing DHCP responses to only come only from the switch port that is connected to the DHCP server. However, should any of these mechanisms be compromised, the mutual authentication mechanisms of a zero trust deployment will ensure that invalid endpoints will fail to be authenticated and hence a session to them will not be set up.
Employ Security Information and Event Management (SIEM)
In the context of the zero trust security model, a SIEM system can be an important tool for helping organizations monitor and protect their networks. A SIEM system can be used to centrally collect and analyze security-related data from a variety of sources, such as network devices, servers, applications, and endpoints. By analyzing this data in real-time, organizations can identify potential threats and take timely action to mitigate the risk.
In a zero trust environment, a SIEM system can be particularly useful for:
- Monitoring network traffic: A SIEM system can help organizations monitor network traffic for unusual or suspicious activity, such as unusual traffic patterns or attempted access to restricted resources.
- Detecting insider threats: A SIEM system can be used to monitor user activity and detect anomalies that may indicate an insider threat, such as employees attempting to access resources for which they are not authorized.
- Responding to security incidents: A SIEM system can provide alerts and notifications when potential threats are detected, allowing organizations to respond quickly and take appropriate action to mitigate the risk.
Overall, a SIEM system delivers a centralized view of an enterprise’s security posture and, as such, is an important component of a zero trust security strategy. It can aid organizations in monitoring and protecting their networks from active and passive breaches and detecting and responding to potential threats promptly.
Employ Third-Party Penetration Testing
Regardless of what security model you are employing, penetration testing (or pen testing) should always be employed whenever security is of utmost importance for your enterprise.
Pen testing is a security evaluation method that involves conducting a simulated attack on a network or system to detect vulnerabilities.
Having a professional examine the level of security implemented on your network is always an important step in evaluating how secure your zero trust network truly is.
An enterprise transitioning from a traditional perimeter-based security model to a zero trust model may go through a period when the old and new paradigms coexist. Penetration testing can help identify those vulnerabilities and flag them before they are exploited.
Employee Training
Many of the principles involved in the implementation of a zero trust security strategy include specific expected behavior from employees and partners using the network in question. The majority of the principles involved with the Identity pillar of the zero trust security strategy are geared more toward human behavior. This means that a very important component of a successful security strategy is employee training.
Training should focus on areas such as:
- Policy and procedure training: Educate employees on the organization’s policies and procedures related to zero trust security, including how to access and use company resources and what to do in case of a security incident.
- Technical training: Train employees on the technical aspects of zero trust security, including how to use security tools and technologies, how to configure their devices to meet security standards, and how to troubleshoot common security issues.
- Role-based training: Inform employees about specific security responsibilities and the requirements of their roles within the organization.
- Social engineering training: Train employees to be alert to the various mechanisms used to get them to perform actions that are not in their interest. This includes awareness of various forms of phishing attacks and malicious downloads.
Final Thoughts
The zero trust model is a modern approach to network infrastructure security that has been gaining acceptance in recent years. The seven pillars of zero trust coalesce the most important security principles associated with protecting networks, devices, applications, and data. At the center of the zero trust model are controlling and encrypting communications among endpoints instead of protecting only the perimeters.
However, the adoption of zero trust security principles will take time, leaving many enterprises under a hybrid model where attacks must be prevented using traditional techniques, outlined below:
- Deploying an identity provider to enable the use of single sign-on (SSO) along with multifactor authentication (MFA) for access to services and network resources such as VPNs
- Segmenting networks
- Implementing out-of-band network management
- Implementing denial of service attack prevention
- Implementing methods to prevent spoofing (ARP, DHCP, IP, and DNS)
- Implementing a SIEM console to aggregate, index, and alert on key events
- Conforming to the shared responsibility model when using cloud-based services
- Engaging a third party to conduct penetration testing at regular intervals