Zero Trust Networks (Razi Rais, Christina Morillo, Evan Gilman et al.)
Praise for Zero Trust Networks, 2nd edition

Zero trust is not just a strategy; it is a mindset that challenges assumptions, scrutinizes every interaction, and guards our digital systems against unseen foes. This book offers practical guidance for chief technology officers, engineers, and information technology professionals embarking on their zero trust journey.
—Ann Johnson, Corporate Vice President, Microsoft Security

This book packages essential concepts of zero trust security in easy-to-understand language. A definitive read for beginners and professionals alike.
—Karan Dwivedi, Security Engineering Manager at Google

This book does an excellent job of synthesizing the zero-trust security model. It explains the key pillars of zero trust security while also covering the zero trust frameworks developed by NIST, DoD, CISA, and other organizations, making it a valuable resource for anyone seeking to understand how to implement the zero-trust security model.
—Andrew Cameron, Automotive Industry Technical Fellow in Identity

We may not realize this, but our lives depend on computers. When you are in an airplane, or in a hospital, or in a train, or even turning a light bulb on at home, it’s all computers. A breach can cause pandemonium, and securing this infrastructure is paramount. As such, zero trust networks provide you with the fundamentals and mindset you need to understand to secure your investments. This book is a great resource for developers, infrastructure engineers, and managers alike, as it thoroughly explains the whys and hows of zero trust.
—Sahil Malik, Security Engineer, IT Industry

With the rapid adoption of cloud networks, bring-your-own-device, and work-from-home policies, implementing zero trust security in today’s enterprise networks is an absolute must. It’s a lot more complicated than it sounds. But Razi Rais and Christina Morillo make all of the technicalities understandable for readers with general IT backgrounds. Their book is a must-read for all people who administer computer networks for business.
—Kim Crawley, cybersecurity researcher and author of Hacker Culture: A to Z and The Pentester Blueprint
Zero Trust Networks
Second Edition
Building Secure Systems in Untrusted Networks
Razi Rais, Christina Morillo, Evan Gilman, and Doug Barth
Zero Trust Networks
by Razi Rais, Christina Morillo, Evan Gilman, and Doug Barth

Copyright © 2024 Christina Morillo and Razi Rais. All rights reserved.
Printed in the United States of America.
Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (https://oreilly.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.

Acquisitions Editor: Simina Calin
Development Editor: Michele Cronin
Production Editor: Ashley Stussy
Copyeditor: Liz Wheeler
Proofreader: Sonia Saruba
Indexer: WordCo Indexing Services, Inc.
Interior Designer: David Futato
Cover Designer: Karen Montgomery
Illustrator: Kate Dullea

June 2017: First Edition
March 2024: Second Edition
Revision History for the First Edition
2024-02-23: First Release

See https://oreilly.com/catalog/errata.csp?isbn=9781492096597 for release details.

The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. Zero Trust Networks, the cover image, and related trade dress are trademarks of O’Reilly Media, Inc.

The views expressed in this work are those of the authors and do not represent the publisher’s views. While the publisher and the authors have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the authors disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.

978-1-492-09659-7
[LSI]
Preface

Thank you for choosing to read Zero Trust Networks, 2E! Building trusted systems in hostile networks has been a passion of ours for many years. In building and designing such systems, we have found frustration in the pace of progress toward solving some of the more fundamental security problems plaguing our industry. We’d very much like to see the industry move more aggressively toward building systems that strive to solve these problems.

To that end, we propose that the world take a new stance toward building and maintaining secure computer networks. Rather than being something that is layered on top, only considered after some value has been built, security must be fundamentally infused with the operation of the system itself. It must be ever-present, enabling operation rather than restricting it. As such, this book sets forth a collection of design patterns and considerations which, when heeded, can produce systems that are resilient to the vast majority of modern-day attack vectors. This collection, when taken as a whole, is known as the zero trust model.

In this model, nothing is taken for granted, and every single access request—whether it’s made by a client in a coffee shop or a server in the datacenter—is rigorously checked and proven to be authorized. Adopting this model practically eliminates lateral movement, VPN headaches, and centralized firewall management overhead. It is a very different model, one that we believe represents the future of network and infrastructure security design.

In the second edition, we broaden the scope to include recent developments in zero trust. We have added two entirely new chapters and additional real-world scenario walkthroughs to the current chapters. The chapter on zero trust architectural standards, frameworks, and guidelines will help you better grasp the zero trust perspective from leading organizations, such as NIST, CISA, DoD, and others. Since zero trust initiatives are not easy, we added a chapter dedicated to discussing challenges and practical advice to deal with them. This chapter finishes with an examination of more recent technical advancements, including artificial intelligence, quantum computing, and privacy-preserving technologies, all of which are highly relevant to zero trust and cybersecurity in general.

Who Should Read This Book

Have you found the overhead of centralized firewalls to be restrictive? Perhaps you’ve even found their operation to be ineffective. Have you struggled with VPN headaches, TLS configuration across a myriad of applications and languages, or compliance and auditing hardships? These problems represent a small subset of those addressed by the zero trust model. If you find yourself thinking that there just has to be a better way, then you’re in luck—this book is for you.

Network engineers, security engineers, CTOs, and everyone in between can benefit from zero trust learnings. Even without a specialized skill set, many of the principles included in this book can be clearly understood, helping leaders make decisions that implement a zero trust model, improving their overall security posture incrementally.

Additionally, readers with experience using configuration management systems will see the opportunity to use those same ideas to build a more secure and operable networked system—one in which resources are secure by default. They will be interested in how automation systems can enable a new network design that is able to apply fine-grained security controls more easily.

Finally, this book explores a mature zero trust design, enabling those who have already incorporated the basic philosophies to further the robustness of their security systems.

Why We Wrote This Book

We started speaking about our approach to system and network design at industry conferences in 2014. At the time, we were using configuration management systems to rigorously define the system state, applying changes programmatically as a reaction to topological changes. As a result of leveraging automation tools for this purpose, we naturally found ourselves programmatically calculating the network enforcement details instead of managing the configuration by hand. We found that using automation to capture the system design in this way allowed us to deploy and manage security features, including access control and encryption, much more easily than in systems past. Even better, doing so allowed us to place much less trust in the network than other systems might normally do, which is a key security consideration when operating in and across public clouds.

While writing this book, we spoke to individuals from dozens of companies to understand their perspective on network security designs. We found that many of those companies were reducing the trust of their internal networks. While each organization took a slightly different approach in their own system, it was clear that they were all working under the same threat model and were, as a result, building solutions that shared many properties.

Our goal with this book isn’t to present one or two particular solutions to building these types of systems, but rather to define a system model that places no trust in its communication network. Therefore, this book won’t be focused on using specific vendor software or implementations, but rather it will explore the concepts and philosophies that are used to build a zero trust network. We hope you will find it useful to have a clear mental model for how to construct this type of system when building your own system or, even better, reusable solutions for the problems described herein.

Navigating This Book

This book is organized as follows:

Chapters 1 and 2 discuss the fundamental concepts at play in a zero trust security model.

Chapters 3 and 4 explore the new concepts typically seen in mature zero trust networks: context-aware network agents and trust engines.

Chapters 5 through 8 detail how trust is established among the various actors in a network, with focus on devices, identities, applications, and network traffic. Most of this content is focused on existing technology that could be useful in a traditional network security model. The scenario walkthroughs at the end of each chapter will help you understand how the core principles of zero trust are used in a real-world setting.

Chapter 9 brings all this content together to discuss how you could begin building your own zero trust network and includes two case studies.

Chapter 10 looks at the zero trust security model from an adversarial view. It explores potential weaknesses, discussing which are well mitigated and which are not.

Chapter 11 explores zero trust architectures, standards, and frameworks from NIST, CISA, DoD, and others. The goal is to help you understand the zero trust security model from the perspective of leading organizations in the industry.

Chapter 12 outlines various functional and technical obstacles that organizations experience when implementing zero trust initiatives. It also provides high-level considerations that may assist you in effectively dealing with these challenges. Additionally, it examines the impact of artificial intelligence (AI), quantum computing, and privacy-enhancing technologies on zero trust security models; comprehending these advancements is of the utmost importance, given their pivotal role in cybersecurity strategy.

Conventions Used in This Book

The following typographical conventions are used in this book:
Italic
Indicates new terms, URLs, email addresses, filenames, and file extensions.

Constant width
Used for program listings, as well as within paragraphs to refer to program elements such as variable or function names, databases, data types, environment variables, statements, and keywords.

NOTE
This element signifies a general note.

WARNING
This element indicates a warning or caution.

O’Reilly Online Learning

For more than 40 years, O’Reilly Media has provided technology and business training, knowledge, and insight to help companies succeed. Our unique network of experts and innovators share their knowledge and expertise through books, articles, and our online learning platform. O’Reilly’s online learning platform gives you on-demand access to live training courses, in-depth learning paths, interactive coding environments, and a vast collection of text and video from O’Reilly and 200+ other publishers. For more information, visit https://oreilly.com.

How to Contact Us

Please address comments and questions concerning this book to the publisher:

O’Reilly Media, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
800-889-8969 (in the United States or Canada)
707-827-7019 (international or local)
707-829-0104 (fax)
support@oreilly.com
https://www.oreilly.com/about/contact.html

We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at https://oreil.ly/zero-trust-networks-2e.

For news and information about our books and courses, visit https://oreilly.com.
Find us on LinkedIn: https://linkedin.com/company/oreilly-media
Follow us on Twitter: https://twitter.com/oreillymedia
Watch us on YouTube: https://youtube.com/oreillymedia
Acknowledgments from the First Edition

We would like to thank our editor, Courtney Allen, for her help and guidance during the writing process. Thanks also to Virginia Wilson, Nan Barber, and Maureen Spencer for their help during the review.

We had the opportunity to meet with many people during the writing of this content, and we appreciate their willingness to speak with us and provide intros to other folks working in this space. Thanks to Rory Ward, Junaid Islam, Stephen Woodrow, John Kindervag, Arup Chakrabarti, Julia Evans, Ed Bellis, Andrew Dunham, Bryan Berg, Richo Healey, Cedric Staub, Jesse Endahl, Andrew Miklas, Peter Smith, Dimitri Stiliadis, Jason Chan, and David Cheney.

A special thanks to Betsy Beyer for writing the Google BeyondCorp case study included in the book. We really appreciate your willingness to work on getting that content included. Thanks!

Thanks to our technical reviewers, Ryan Huber, Kevin Babcock, and Pat Cable. We found your comments invaluable and appreciate the time you took to read through the initial drafts.

Doug would like to thank his wife, Erin, and daughters, Persephone and Daphne, for being so very understanding of the time it took to write this book.

Evan thanks his partner, Kristen, for all of her support through the writing of this book. He would also like to thank Kareem Ali and Kenrick Thomas—without them, none of this would have been possible.

Acknowledgments from the Second Edition

We are especially grateful to Michele Cronin, our development editor, for her assistance and direction throughout the process. Thanks also to Simina Calin, our acquisitions editor, for helping us in establishing a successful path for this book.

Our heartfelt thanks goes out to our technical reviewers, including Kim Crawley, Steve Winterfeld, and Karan Dwivedi, whose extensive feedback and recommendations have enhanced every facet of this book. Many thanks!

Razi would like to thank his wonderful wife, Javeria, as well as his mother and sister, Zahida and Khaizran, for their unwavering support throughout the writing of this book.

Christina would like to thank her husband and children for their steadfast support and patience during the book-writing journey.
Chapter 1. Zero Trust Fundamentals

In an age when network surveillance is ubiquitous, we find it difficult to trust anyone, and defining what trust is itself is equally difficult. Can we trust that our internet traffic will be safe from eavesdropping? Certainly not! What about that provider you leased your fiber from? Or that contracted technician who was in your datacenter yesterday working on the cabling?

Whistleblowers like Edward Snowden and Mark Klein have revealed the tenacity of government-backed spy rings. The world was shocked at the revelation that they had managed to get inside the datacenters of large organizations. But why? Isn’t it exactly what you would do in their position? Especially if you knew that traffic there would not be encrypted?

The assumption that systems and traffic within a datacenter can be trusted is flawed. Modern networks and usage patterns no longer echo those that made perimeter defense make sense many years ago. As a result, moving freely within a “secure” infrastructure frequently has a low barrier to entry once a single host or link there has been compromised.

You may think that the idea of using a cyberattack as a weapon to disrupt critical infrastructure like a nuclear plant or a power grid is far-fetched, but cyberattacks on the Colonial Pipeline in the United States and the Kudankulam Nuclear Power Plant in India serve as a stark reminder that critical infrastructure will continue to be a high-value target for attackers. So, what was common between the two attacks? Well, in both cases, security was abysmal. Attackers took advantage of the fact that the VPN (virtual private network) connection to the Colonial Pipeline network was possible using a plain-text password without any multifactor authentication (MFA) in place. In the other example, malware was discovered on an Indian nuclear power plant employee’s computer that was connected to the administrative network’s internet servers. Once the attackers gained access, they were able to roam within the network due to the “trust” that comes with being inside the network.

Zero trust aims to solve the inherent problems in placing our trust in the network. Instead, it is possible to secure network communication and access so effectively that the physical security of the transport layer can be reasonably disregarded. It goes without saying that this is a lofty goal. The good news is that we’ve got pretty powerful cryptographic algorithms these days, and given the right automation systems, this vision is actually attainable.

What Is a Zero Trust Network?

A zero trust network is built upon five fundamental assertions:

The network is always assumed to be hostile.
External and internal threats exist on the network at all times.
Network locality alone is not sufficient for deciding trust in a network.
Every device, user, and network flow is authenticated and authorized.
Policies must be dynamic and calculated from as many sources of data as possible.

Traditional network security architecture breaks different networks (or pieces of a single network) into zones, contained by one or more firewalls. Each zone is granted some level of trust, which determines the network resources it is permitted to reach. This model provides very strong defense in depth. For example, resources deemed more risky, such as web servers that face the public internet, are placed in an exclusion zone (often termed a “DMZ”), where traffic can be tightly monitored and controlled. Such an approach gives rise to an architecture that is similar to some you might have seen before, such as the one shown in Figure 1-1.
Figure 1-1. Traditional network security architecture

The zero trust model turns this diagram inside out. Placing stopgaps in the network is a solid step forward from the designs of yesteryear, but it is significantly lacking in the modern cyberattack landscape. There are many disadvantages:

Lack of intra-zone traffic inspection
Lack of flexibility in host placement (both physical and logical)
Single points of failure

It should be noted that, should network locality requirements be removed, the need for VPNs is also removed. A virtual private network (VPN) allows a user to authenticate in order to receive an IP address on a remote network. The traffic is then tunneled from the device to the remote network, where it is decapsulated and routed. It’s the greatest backdoor that no one ever suspected. If we instead declare that network location has no value, VPN is suddenly rendered obsolete, along with several other modern network constructs.

Of course, this mandate necessitates pushing enforcement as far toward the network edge as possible, but at the same time it relieves the core from such responsibility. Additionally, stateful firewalls exist in all major operating systems, and advances in switching and routing have opened an opportunity to install advanced capabilities at the edge. All of these gains come together to form one conclusion: the time is right for a paradigm shift. By leveraging distributed policy enforcement and applying zero trust principles, we can produce a design similar to the one shown in Figure 1-2.

Figure 1-2. Zero trust architecture

Introducing the Zero Trust Control Plane

The supporting system is known as the control plane, while most everything else is referred to as the data plane, which the control plane coordinates and configures. Requests for access to protected resources are first made through the control plane, where both the device and user must be authenticated and authorized. Fine-grained policy can be applied at this layer, perhaps based on role in the organization, time of day, geo-location, or type of device. Access to more secure resources can additionally mandate stronger authentication.
Once the control plane has decided that the request will be allowed, it dynamically configures the data plane to accept traffic from that client (and that client only). In addition, it can coordinate the details of an encrypted tunnel between the requestor and the resource. This can include temporary one-time-use credentials, keys, and ephemeral port numbers.

It should be noted that the control plane decision to allow a request is time-bound rather than permanent. This means that if and when the factors that led the control plane to allow the request in the first place have changed, it may coordinate with the data plane to revoke the requested access to the resource.

While some compromises can be made on the strength of these measures, the basic idea is that an authoritative source, or trusted third party, is granted the ability to authenticate, authorize, and coordinate access in real time, based on a variety of inputs. We’ll discuss the control and data planes more in Chapter 2.

Evolution of the Perimeter Model

The traditional architecture described in this book is often referred to as the perimeter model, after the castle-wall approach used in physical security. This approach protects sensitive items by building lines of defenses that an intruder must penetrate before gaining access. Unfortunately, this approach is fundamentally flawed in the context of computer networks and no longer suffices. To fully understand the failure, it is useful to recall how the current model was arrived at.

Managing the Global IP Address Space

The journey that led to the perimeter model began with address assignment. Networks were being connected at an ever-increasing rate during the days of the early internet. If a network wasn’t being connected to the internet (remember, the internet wasn’t ubiquitous at the time), it was being connected to another business unit, another company, or perhaps a research network. Of course, IP addresses must be unique in any given IP network, and if the network operators were unlucky enough to have overlapping ranges, they would have a lot of work to do in changing them all. If the network you are connecting to happens to be the internet, then your addresses must be globally unique. So clearly some coordination is required here.

The Internet Assigned Numbers Authority (IANA), formally established in 1998, is the body that today provides that coordination. Prior to the establishment of the IANA, this responsibility was handled by Jon Postel, who created the internet map shown in Figure 1-3. He was the authoritative source for IP address ownership records, and if you wanted to guarantee that your IP addresses were globally unique, you would register with him. At this time, everybody was encouraged to register for IP address space, even if the network being registered was not going to be connected to the internet. The assumption was that even if a network was not connected now, it would probably be connected to another network at some point.
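The control plane flow described under "Introducing the Zero Trust Control Plane" above, as an added example that is not code from the book: the control plane authenticates device and user context, applies fine-grained policy (role, time of day, geo-location, device posture, with stronger checks for a sensitive resource), hands the data plane a time-bound grant for that client only, and revokes the grant when the device posture behind the decision changes. The role table, device inventory, allowed geographies and business hours are constructed for the example.

```python
"""Added example (not from the book): a minimal zero trust control plane that
authenticates device and user, applies fine-grained policy, hands the data plane
a time-bound grant for that client only, and revokes it when posture changes."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy inputs; a real control plane pulls these from an identity
# provider, a device inventory and a posture/attestation service.
ROLE_RESOURCES = {"engineer": {"wiki", "ci"}, "sre": {"wiki", "ci", "prod-db"}}
HIGH_SENSITIVITY = {"prod-db"}        # needs MFA, an allowed geo, business hours
TRUSTED_DEVICES = {"dev-1", "dev-2"}  # enrolled, attestable devices
ALLOWED_GEOS = {"US"}
GRANT_TTL = timedelta(minutes=15)     # decisions are time-bound, never permanent


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    device_id: str
    posture_ok: bool  # e.g. disk encrypted, patched, attestation verified
    mfa: bool
    geo: str
    resource: str


@dataclass
class Grant:
    """A data-plane rule: this user on this device may reach this resource."""
    user: str
    device_id: str
    resource: str
    expires_at: datetime
    revoked: bool = False


class ControlPlane:
    def __init__(self) -> None:
        self.grants: list[Grant] = []

    def evaluate(self, req: AccessRequest, now: datetime) -> Grant | None:
        """Authenticate device and user context, then apply policy."""
        if req.device_id not in TRUSTED_DEVICES or not req.posture_ok:
            return None  # unknown or unhealthy device
        if req.resource not in ROLE_RESOURCES.get(req.role, set()):
            return None  # role is not permitted this resource
        if req.resource in HIGH_SENSITIVITY and (
            not req.mfa or req.geo not in ALLOWED_GEOS or not 8 <= now.hour < 18
        ):
            return None  # more secure resources mandate stronger checks
        grant = Grant(req.user, req.device_id, req.resource, now + GRANT_TTL)
        self.grants.append(grant)  # configure the data plane for this client
        return grant

    def posture_changed(self, device_id: str, posture_ok: bool) -> int:
        """Revoke live grants when a factor behind the decision changes."""
        hits = [g for g in self.grants if g.device_id == device_id and not g.revoked]
        if posture_ok:
            return 0
        for g in hits:
            g.revoked = True
        return len(hits)

    def data_plane_allows(self, user: str, device_id: str,
                          resource: str, now: datetime) -> bool:
        """The data plane forwards only traffic matching a live grant."""
        return any(g.user == user and g.device_id == device_id
                   and g.resource == resource and not g.revoked
                   and now < g.expires_at for g in self.grants)


def at(hour: int, minute: int = 0) -> datetime:
    """Helper: a UTC timestamp on a constructed date (2024-03-01)."""
    return datetime(2024, 3, 1, hour, minute, tzinfo=timezone.utc)
```

The point to notice is that the data plane never consults the request itself; it only forwards traffic that matches a live, unexpired, unrevoked grant issued by the control plane.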