Zero trust architecture is a paradigm that focuses on the client rather than on the network. It can be complex to set up, but a simple first step is possible with an appropriate DNS security solution.
Perimeter security is not enough
Most enterprise networks are based on a security topology that separates the internal network, where the users are located, from the external network, which connects to the Internet and partners. Most of the time, intermediate zones, often called DMZs, are built to allow and control inbound flows. But an enterprise network security topology that relies on macro-segmentation principles is no longer appropriate. It is commonly accepted that threats mostly come from inside the enterprise network, for example malware, phishing invitations and cryptolockers.
Filtering between security zones is performed nowadays by firewall devices, as most traffic goes through them. But their job is becoming harder with the generalization of encrypted protocols, TLS-based in most cases (e.g. HTTPS). Therefore, in order to protect the enterprise network, filtering should rely on inspecting the inside of the transaction, which means decrypting the traffic. However, even if technically possible, decrypting the traffic to inspect it is not always allowed, resulting in limited filtering capabilities.
The logical answer from an architecture point of view would be to scale down the size of the zones. This requires moving from macro-segments to micro-segments that could be as small as a single client, resource or server. This vision is complex to set up and requires thinking differently about the way networks are architected and automated. It demands the ability to identify a client or a usage, rather than a port on a switch or a subnet. It also requires storing all policies and dynamic information about the network in a central repository. Finally, it requires being able to verify in real time the behavior of the network and its usages.
Zero trust architecture orientation
“Zero trust” is a standard enterprise network security approach. It aims to provide an optimized security architecture and technologies. This approach is aligned with the requirements induced by digital transformation, mainly agility and fast, small increments.
The proposed architecture pattern with zero trust relies on the fact that there are no longer trusted and untrusted zones, perimeters, devices, and users. Everything is untrusted – by default.
The main building blocks of the architecture are:
- Micro-segments that can embrace a small group of devices aligned with a usage – could be as small as for one device, one server, or one user
- Deep knowledge of users and applications through Identity and Access Management (IAM), enabling filtering of flows at a functional level. This becomes the standard approach and not an exception: security is not just an overlay somewhere between core network zones
- Statistics, log collection and telemetry to know the status of the network in real-time. All the events are linked with SIEM correlation tools, ideally including threat behavior analysis
These building blocks are not standard recipes that a network engineering team could apply by the book; they need to be broken down into smaller architectural patterns. But the requirement for a dynamic configuration model is easy to see: it needs a centralized and automated way of provisioning the network and its associated security. Being able to provision an access network on a site for a set of users from a department requires automation, and therefore a software defined network (SDN) approach. This is also true in datacenters when building a specific network for elements of an application. Central provisioning is the key.
Zero trust, a gap to close
Moving from a set of network and security devices configured directly on the console interface to a centralized automated system using an abstracted model is a huge gap to close. It is like moving from monolithic applications to microservices with source repository, continuous deployment and immutable infrastructure. It requires specific network and security devices, an integrated solution, and a full understanding of the APIs that are involved in the ecosystem. But most importantly, it requires a serious dose of confidence in the automation process as everything will be performed automatically.
It is not a standard way of thinking for a network engineer to design a network service, from the client usage towards the application, in a set of YAML files and to rely entirely on an automated system to configure an overlay network on all the equipment. The impact could be perceived as larger than when modifying each equipment configuration step by step, which is not possible with underlay and overlay networks.
Manipulating IP addresses is implicit when using SDN, micro-segmentation, IAM and fully automated network processes. This is where a midway step in the zero trust journey could be taken through a DNS solution.
When looking at the security side of the zero trust architecture, the only way to reduce the chances of success of an adversary is by understanding the who, what, when, where, and how of their actions. Knowing that most internal threats, in order to go into action, require the DNS resolution service, we can think about an intermediate way of enabling and controlling user-to-application access. Thankfully this solution is available on most current enterprise networks and could be deployed immediately.
DNS security is key in zero trust architecture
A DNS solution is a central network foundation, distributed and scalable, providing information for any client to access every application and service. Most of the traffic first goes through a DNS address resolution, so DNS plays a major role in the attack schema of most malware, ransomware and Command and Control (C2) communication. This known fact has been proven by multiple studies.
In addition, the DNS service knows each client on the network in detail. It knows their normal traffic patterns and the applications they access (since normal behavior is to resolve the address of a service before accessing it). Any deviation from this pattern, every request for a different application, a domain on the Internet or any advanced usage relies from the very beginning on DNS requests. DNS has full visibility over the traffic of each user, resource and server on the network, and therefore should be used as the first line of defense. This can easily be applied to a micro-segment the size of a single IP address. What is complex at the whole-network level becomes easy to perform at the DNS client level. This is what an advanced DNS firewall solution offers.
DNS combined with threat intelligence can enhance the security of each micro-segment by analyzing client behavior and answering the client accordingly. Advanced patterns could be applied to be more reactive to abnormal behaviors, while predictive analysis and machine learning approaches would allow for being one step ahead of attackers on internal threats and result in quicker answers.
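As an added illustration, not code from the original article or from any DNS product, the following Python sketch shows the per-client decision described above: a threat-intelligence list blocks known bad domains for every client, while a baseline of the domains each client (a micro-segment of one IP address) normally resolves is used to flag deviations for the SIEM. The log lines, client addresses, domains, blocklist and verdict names are all constructed sample data.

```python
"""Per-client DNS firewall verdict: threat-intelligence blocklist plus per-client baseline.
Added example; all addresses, domains and log lines below are constructed sample data."""
from collections import defaultdict

# Constructed threat-intelligence feed: domains (and their subdomains) refused for every client.
THREAT_INTEL = {"c2-update.example", "payload.example"}

# Constructed DNS query log, one "timestamp client qname" entry per line.
SAMPLE_LOG = """\
2024-01-08T09:00:01 10.0.1.20 intranet.example
2024-01-08T09:00:05 10.0.1.20 mail.example
2024-01-08T09:01:10 10.0.1.21 intranet.example
2024-01-08T09:01:12 10.0.1.21 erp.example
2024-01-08T09:02:00 10.0.1.20 intranet.example
"""

def parse_log(text):
    """Yield (client, qname) pairs; qnames are lower-cased with any trailing dot removed."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the whole run
        _ts, client, qname = parts
        yield client, qname.lower().rstrip(".")

def build_baseline(log_text):
    """Map each client IP (its own micro-segment) to the set of domains it normally resolves."""
    baseline = defaultdict(set)
    for client, qname in parse_log(log_text):
        baseline[client].add(qname)
    return baseline

def decide(client, qname, baseline, threat_intel=THREAT_INTEL):
    """Return the verdict for a single query from one client.
    'block'  -> domain is on the threat-intelligence list; answer with a refusal
    'review' -> domain is outside this client's baseline; resolve but raise an event for the SIEM
    'allow'  -> domain matches the client's known pattern
    """
    qname = qname.lower().rstrip(".")
    if qname in threat_intel or any(qname.endswith("." + d) for d in threat_intel):
        return "block"
    if qname not in baseline.get(client, set()):
        return "review"
    return "allow"
```

Because the baseline is keyed by client, the same domain can be normal for one workstation and a deviation worth an event for its neighbour, which is exactly the per-micro-segment granularity the text describes.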
A DNS security solution with filtering at the client level enables an improvement in global enterprise network security. It provides a real increment in protecting infrastructures and can help network and security engineers move towards a zero trust architecture at their own pace.