Network Segmentation with Zero Trust approach

I am working with an external consultant to design a network for ministry building but I thought to take second opinion from super reddit experts.

Our CTO has advised to use zero trust network architecture.

It would be two-tier network (collapsed core)

We are planning to segment the network with different use cases such as users VLAN A should not talk to user VLAN B, IOT VLAN should not communicate with users and server VLAN.

I am thinking to put a DC FW and then firewall the VLANs gateway to DC firewall or do VRFs in core switches and then terminate the VRFs on the DC firewall.

It will be grateful if anyone can demonstrated any ideas with rough network diagram.

Appreciating any help.

Your Zero Trust Approach is just a normal network environment. Real zero trust is going way farther than what you are describing and is out of my own scope to be honest. If your customer demands a REAL Zero Trust you might want to look into it, since “I terminate the Gateway Address on my firewall” might not be enough and should be standard anyway in most implementations.

In the context of networking Zero Trust is fairly simple in principle:

While the common practice has been to trust all connections initiation from inside (trusted) networks by default and drop all unsolicited connections source from outside (untrusted) networks by default (e.g. the default behavior of a NATed network).
ZT is instead moving to a model where you trust neither the inside or outside and explicitly define policy in both directions.

This is generally done at every VLAN boundary. You can go further using private VLANs to also filter between clients on the same segment (with proxy ARP allowing same-segment host-to-host traffic to pivot through the firewall where policy can be enforced). Some more advanced solutions leverage enterprise-grade switch hardware to dynamically apply port ACLs based on 802.1X authentication but that is very implementation specific.

In practice the difficulty of ZT is identifying the traffic requirements for internal hosts.

This is especially challenging as most applications document traffic requirements horribly if at all (often providing a list of every port used without any indication of direction of traffic flow). There are some solutions out there that try to make this easier but ultimately it requires that you do the actual work of identifying and documenting traffic requirements then implementing policy.

The low hanging fruit for ZT are things like server networks (since servers typically need very limited outgoing connections for things like software updates which you can simplify further by maintaining an update-only web proxy and configuring them to use it) or device networks that have very simple traffic patterns (printers, phones, cameras, building automation systems, etc…). It’s fairly common to group these devices by type or vendor since they can usually share the same policy which simplifies things (e.g. a separate printer VLAN and a camera VLAN).

If you’re using a collapsed core the easiest option would be to have a stateful firewall off your core switch that uses a L2 trunk for the inside and a L3 routed link for the outside with routes for every firewall network pointing at the firewall. The firewall acts as the L3 gateway for all firewalled VLANs and you limit your SVIs to networks that you want to bypass the firewall and make use of stateless ACLs for performance reasons. If you use a L3 access model you start getting into VRFs but in a collapsed core model its not necessary.

Remember: Just terminating networks on a firewall isn’t Zero Trust. Zero Trust is the policy implementation that doesn’t trust traffic from any system by default and opening policy to only what is required.

Client networks are much more challenging to implement Zero Trust with if you’re going to permit general web access. For these I generally recommend using something like Cisco Umbrella for DNS-based control and something like Stealthwatch or an IDS solution off a tap to monitor client behavior.

It’s very doable and should be standard practice for every network except client networks at this point.

By using ZT on your server networks you will significantly reduce the attack surface between your clients and servers as well as limit the ability for servers to establish an outgoing callback to request an exploit payload or establish a command and control channel if a client is used as a pivot point to attempt to compromise them. In many cases this will be the difference between being owned and dodging that bullet. It also makes indicators of compromise stand out much more since unexpected outgoing traffic will be dropped and generate a log entry and possibly an alert depending on how you’re implementing things.

We have an established method for identifying traffic requirements for new systems and applications that we haven’t created policy for before. Essentially we create overly broad policy which allows outgoing connections but logs every single connection made. We then run the system normally for a week or so and script out consolidation of that log data to specific destinations ports and protocols along with logging all DNS lookups performed by the system. From here we build a traffic requirements document that breaks down what the connections come in to the system and what connections originate from the system along with what hostnames are used for each connection if the destination is dynamic. From there we lock things down to only what is necessary but still logging anything dropped and review again after a month to make sure we’re not missing anything. Depending on how critical the system is we can condense this process into a few days but it requires more man power and actively testing every aspect of the application.

A lot of people try to define ZT as something different but in terms of network security this is the most widely accepted definition. There are some people who think ZT means using a VPN for every client to connect to servers. This is not accurate. If you blindly trust all VPN traffic (as many do) that’s not ZT either. There are other strategies aside from VPN to forcing client authentication before access to a system is granted (including web application proxies which implement SSO which is the most common). Even if a client is trusted by such a solution to truly be running a ZT model you still need to restrict that authenticated client to only the traffic necessary.

If you implement ZT you need to become efficient at observing host traffic and documenting traffic requirements. You can try to buy some pre-canned solution but most of them won’t work and you’re better off with a vendor neutral discovery and documentation strategy if you ever change solution. Also there are different definitions of ZT depending on what technology you’re looking at (e.g. networking vs. application security).

One of the reasons you would want to take zero trust approach is to get away from network segmentation. Why do you wnat to club them together.

Zero trust architecture comes with application integration with an IDP.

Has your CTO thought through that ?

As one of the other contributors has mentioned, one of the advantages of zero trust is that the network becomes irrelevant. It should not matter which vlan, vrf, site, etc as long as the identity is verified.

You need to have IDP as the main factor to determine access.

I have been doing zero trust for around 5 years for various organizations. If you’d like, message me and I can assist.

There is a lot of good discussion in this thread about what zero trust is or isn’t. One thing for sure is that it will add significantly to both up-front and recurring costs. Zero trust is absolutely not plug and play - there is a large administrative burden.

The other critical thing about zero trust, is that whatever it is, it is built upon a solid non-zero-trust foundation - and that alone can get expensive.

My recommendation would be to research the real and hidden costs of Zero Trust and make sure your CTO is aware and prepared to take on that cost.

There’s a lot of misinformation in this thread.

A lot of the posts here describe microsegmentation, not zero-trust. That said, microsegmentation is absolutely a good thing, if you can handle the administrative overhead, and you should look into it if your enterprise will pay for a solution that provides it. It’s probably more bang for the buck than zero-trust for you.

There are myriad posts here about microsegmentation, so I won’t spend too much time there, but tl;dr identify flows that are important for the applications you care about, whitelist those flows, and blacklist everything else. Expect a lot of application breakage during this process. You can try to observe for awhile before moving to a blacklist model, but invariably you’ll miss flows that happen only on occasion or exception. Make sure whatever solution you use is prepared to log those historically so you can troubleshoot later.

We are planning to segment the network with different use cases such as users VLAN A should not talk to user VLAN B, IOT VLAN should not communicate with users and server VLAN.

Consider this more granularly, maybe - the ‘micro’ in microsegmentation. IOT devices rarely need to communicate with other IOT devices, and east-west traffic is similarly rare (though not unheard of) among users. Most traffic in the enterprise (and really, outside of the datacenter) is north-south.

​

Zero-trust represents a system where the thing you’re connecting to your enterprise network is untrusted until proven otherwise, but also (crucially left out in many posts) the thing connecting doesn’t trust the network (or peer). If someone forklifts a server out of your datacenter, it shouldn’t give up the keys to the kingdom if attached to a switch in a warehouse out in Maryland.

The things you care about should strongly authenticate via something rooted in hardware, like a hardware certificate. For users, you can use a hardware certificate plus user credentials (something you know plus something you have - inherent multifactor). This gets you part of the way there - now you know that the hardware thing is at least the thing you issued. What about the “stuff” running on it? Not just applications, but the O/S, the OS Loader, etc.

Ideally this is handled via remote attestation signed by keys derived from something like a trusted platform module (TPM). You want to ensure the things you are attaching in sensitive areas are measured and compared securely against known-good values. For **actual** zero-trust, you need to measure everything in hardware before it runs (so it can’t self-modify), and then compare against known good values before allowing something access.

The idea here is that you are protecting against low-level attacks - if you can’t trust the OS loader, you cant trust the O/S, and if you can’t trust the O/S, you can’t trust anything running on it, etc. etc. This is “hard” and frequently onerous with existing solutions (and you have to strongly protect your remote attestation endpoint and system itself). Something like Secure Boot is usually considered to be “good enough” for most enterprises as a starting point.

Attestation and authentication should be done mutually - a new device should verify its peer in addition to expecting to authenticate itself.

Note that network devices such as routers, switches, and firewalls are also considered untrusted in this model, and should be strongly authenticated and authorized where possible. This isn’t just the realm of “server guys.”

IMHO, Zero trust architecture is a little ambiguous but it definitely goes beyond VLAN segmentation. To me and how I’ve seen it implemented, it’s verifying a user, then his machine, then make sure the machine is patched, and then depending on the trust policy, only allow the machine access to specific resources only. This is the least sexy approach I’ve seen. It can definitely get more complex if you fully integrate with ZT systems.

VLAN’ing is great. Big question is what firewall are you using ? I used PaloAlto and a toy they have which makes building rules really nicely is Expedition which does machine learning on your logs and automagically adds rules to your firewall to review based on real use traffic. From there you can tweak hard. I’d VLAN everything… Printers? VLAN em and create a rule that allows your users to connect to that VLAN to print but not your IoT VLAN etc… VLAN your Crown Jewels out of production as well. When reacting rules, try to be as granular as possible which of course depends wholly on which Firewall you use… I’m working on a similar project for education right now using PaloAlto and I’m having a lot of fun (and stress) doing it =) . Good luck on your project, wishing you success. Check to see if your firewall does SSL Decrypt. You can of course specify that you wouldn’t decrypt certain trafficks but then decrypt all others. This way… you can finally block TicTok and Snapchat ffs! =).

That’s not zero trust, that’s just a normal segmented network.

Depends on your scaling.
In small to mid enviroment, I would say that placing a Firewall as a core and stitching all VLANs there would be sufficient. If you’re not sure about placing a FW into core, you can put a classic Core switch as a collapsed core, divide VRFs there and route everything to firewall.
However, this is not a Zero Trust approach.
I’d suggest looking at the options like dACL/pACLs or TrustSec if you’re going for Cisco.

You have described an ISFW which has been standard for over 10 years when implementing anything beyond basic network security. Do some reading around zero trust as it goes a lot further.

Your firewall is going to look like swiss cheese in a matter of months. I guarantee it.

Separating the IoT network makes sense, other use case vlans such as where there might be 3rd party access makes sense to separate like that but just end users for no particular reason, doesnt.

I would recommend to reduce L2 size as much as possible, use PVLAN / port isolation by default or use /30, because L2 is impossible the secure. If you really want ZT just make all traffic go thru VPN even when onsite, big advantage is that you will be ready for 100% work from home regarding the VPN sizing

do you need to do more then layer3 inspection between the subnets? like iot can talk to IT vlan or users vlan but only over HTTPS if you want that then move vlans up to firwall. if you just need these ip’s can talk to this then on core could work. also depoends on what you like to work on more. is there going to be any really fast inter vlan communication then maybe keep it on the core.

NSX has a distributed firewall for VM based environments and even physical servers.

Zero trust is possible to get to in this manner.

I’m told you can do a fairly good job of implementing zero trust on non-segmented networks with products like Illumio. Is this true?

Start with a good NGFW that integrates with AD. Use client isolation on your switches and wireless. If you need client to client Communication, run proxy arp on the FIREWALL. That will force all communications through the firewall, you can actively scan on the firewall, or mirror it to scan on something else retroactively. Use AD as your authentication mechanism, your firewall should have the ability to give access to specific endpoints based on the account that is signed in. Beyond that, you need to use mfa, as others pointed out, proxy access to apps, requiring a further authentication step when going to an app is another good ZT precaution.

Dumb question: By ministry building, are you talking about a church/non-profit or government building (Ministry of Defence)?

NAC with profiling is the way to go for microsegmentation. Forget about multipling vlans…it will only introduce complexity and less scalability.