@@ -434,6 +434,13 @@ SDN controller can also take account of such events as the migration
434434of a VM from one location to another, or the addition of a new VM that
435435requires additional firewall rules to be installed.
436436
437+ The approach described above is often referred to as
438+ *micro-segmentation *. By contrast to traditional firewall approaches
439+ in which large network segments offer unfettered access among all
440+ devices on the segment, micro-segmentation creates small and precisely
441+ defined virtual networks that connect only those systems that need to
442+ be able to communicate to deliver a particular service or function.
443+
437444For further details on network virtualization and distributed services
438445we recommend our companion book on software-defined networks.
439446
@@ -443,9 +450,135 @@ we recommend our companion book on software-defined networks.
443450 and B. Davie. `Software-Defined Networks: A Systems
444451 Approach <https://sdn.systemsapproach.org> `__.
445452
453+ 9.4 Zero Trust Security
454+ -------------------------
455+
456+ As we noted above, traditional firewalls suffer from a fundamental
457+ weakness: they attempt to divide the network into "trusted" and
458+ "untrusted" zones. If an attacker manages to find a way to get access
459+ within the trusted zone, perhaps by compromising a legitimate piece of
460+ software running on the trusted side of the firewall, they now have a
461+ large set of machines on which to launch further attacks without
462+ interference. This state of affairs runs counter to some of the
463+ security principles we outlined in Chapter 2, notably the principle of
464+ least privilege. A machine on the trusted side of a firewall often has
465+ access to a lot more resources—other machines and data—than is necessary to do
466+ its job. One of the main approaches to improve this state of affairs
467+ is known as "zero trust security".
468+
469+ The term "zero trust" was coined by the analyst firm Forrester in
470+ 2009, and continues to be widely used in the industry today. The
471+ central idea behind zero trust is that, by default, every device and
472+ user should be untrusted. Each user and device then needs to
473+ authenticate itself to gain access to a precise set of services. There
474+ is no blanket "trust this device to access anything" policy. Zero
475+ trust stands in contrast to the old "perimeter security" model in
476+ which there is the idea of a trusted region within a perimeter
477+ protected by firewalls and an untrusted region outside the perimeter.
478+
479+ Zero trust is sufficiently well accepted that NIST has written a
480+ specification (see Further Reading below) which provides this helpful
481+ definition:
482+
483+ *“Zero trust…became the term used to describe various cybersecurity
484+ solutions that moved security away from implied trust based on network
485+ location and instead focused on evaluating trust on a per-transaction
486+ basis.” *
487+
488+ The classic example of trust based on location would be sitting in an
489+ office connected to some corporate network. Such a network would, in
490+ the past, have allowed anyone connected to it to access to a wide set of
491+ servers and data, with the trust being assumed because the user had
492+ managed to get admitted to the building.
493+
494+ There is more to zero trust that just getting away from location-based
495+ access. As a motivating example, consider a traditional VPN server
496+ providing remote access to a corporate network. Once a remote user is
497+ authenticated to the server, they are given access to a broad set of
498+ "inside the perimeter" resources (machines, data, etc.) within the
499+ enterprise. In effect, the user and their device are now treated as
500+ "trusted" to access many different systems. Such an approach has been
501+ the cause of many published breaches of sensitive data. An infamous
502+ example involved a heating and cooling system contractor's VPN
503+ credentials being used to access a retailer's database of customer
504+ credit card data. By contrast, a zero trust approach would entail a
505+ precisely defined policy that authenticates the user and their device
506+ to only the systems that are needed for them to do their job.
507+
508+ Micro-segmentation, described above, was one of the early technologies
509+ created to help in the implementation of zero trust. Rather than
510+ allowing all machines in a large network segment communicate freely,
511+ as was the case previously, micro-segmentation allows precisely
512+ defined policies to limit communication among a set of devices to just
513+ what is needed to deliver their intended function. For example, the
514+ systems related to heating and cooling don't need access to
515+ the systems where customer credit card details are stored.
516+
517+ The VPN example above provides motivation for a different approach to
518+ handling users and devices outside of the confines of a traditional
519+ office and outside the perimeter defenses. A well-known and
520+ comprehensive approach to rethinking the perimeter defense and VPN
521+ model is Google's Beyond Corp, described in a 2014 paper in the further reading
522+ section below. It is both an approach used to implement zero trust at
523+ Google for employees accessing corporate resources and a service that
524+ enterprises can implement themselves.
525+
526+ The starting position for BeyondCorp is that the perimeter model no
527+ longer makes sense in a world of global connectivity, remote workers,
528+ and ubiquitous mobile devices. The name suggests moving "beyond corporate"—that
529+ is, moving away from the idea that there is a trusted corporate
530+ network inside a perimeter and than any user or device inside that
531+ perimeter should have access to everything on the corporate
532+ network. Instead, users and devices have to be authenticated and
533+ authorized to receive fine-grained access to specific resources, no
534+ matter what their location is.
535+
536+ A central aspect of BeyondCorp is that only "managed devices" get to
537+ access protected resources. These managed devices are all issued with
538+ their own certificates so that they can be authenticated. Before
539+ connecting to any service within the enterprise, the device connects
540+ to a proxy that can perform authentication. After a
541+ device has been authenticated, then the user also has to authenticate
542+ themselves using two-factor authentication, and the user's access
543+ privileges are looked up in a database. Thus, for example, engineers
544+ may have access rights to engineering systems such as code
545+ repositories, but not to finance or HR systems. Only after all these
546+ checks—device, user authentication, and user authorization—have passed
547+ does the connection get established between the client and the
548+ server. Device checks may include not only verifying the certificate on a
549+ device but also checking that its operating system is up to date or
550+ that it has relevant antivirus software installed.
551+
552+ There are quite a few subtleties to BeyondCorp (and there are
553+ publications describing its deployment) but the core principal of zero
554+ trust that it embodies is this: location inside a perimeter (or
555+ building) is not a reason for a device or user to be trusted to access
556+ a broad set of resources. Nor should a VPN tunnel grant access to a
557+ all the resources within the perimeter. Only after the device and the
558+ user have been authenticated and authorization has been checked can
559+ the user access a specific resource. So another way to say
560+ “zero trust” might be “narrow and specific trust after authentication
561+ and authorization” although it's less memorable.
562+
563+
564+
565+
566+ .. admonition :: Further Reading
567+
568+ S. Rose, O. Borchert, S. Mitchell, S. Connelly. `Zero Trust
569+ Architecture
570+ <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf> `__. NIST, 2020.
571+
572+ C. Cunningham. `A Look Back At Zero Trust: Never Trust, Always
573+ Verify
574+ <https://www.forrester.com/blogs/a-look-back-at-zero-trust-never-trust-always-verify/> `__. Forrester, 2020.
446575
576+ R. Ward and B. Beyer. `BeyondCorp: A New Approach to Enterprise
577+ Security
578+ <https://www.usenix.org/system/files/login/articles/login_dec14_02_ward.pdf> `__.
579+ ;login:, Usenix, 2014.
447580
448- 9.4 Security Appliances
581+ 9.5 Security Appliances
449582------------------------------
450583
451584As introduced at the beginning of this chapter, *security appliances *
@@ -454,7 +587,7 @@ throughout the network, watching for and responding to unwanted
454587traffic. The main challenge they face is how to distinguish between
455588good and bad traffic. This section looks at two examples.
456589
457- 9.4 .1 Intrusion Detection and Prevention
590+ 9.5 .1 Intrusion Detection and Prevention
458591~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
459592
460593A common example of a security appliance is an *intrusion detection
@@ -502,9 +635,9 @@ above for an example set of community rules.)
502635 that decisions about whether traffic is legitimate or malicious is
503636 clear cut. It often is not, and there can be real consequences in
504637 both directions. For example, an overly aggressive IPS rule-set or
505- anomoly detection heuristic could raise false positives, restricting
506- legimate traffic and negatively impacting revenue. Too conservative,
507- and malilcous traffic could crowd out legitimate traffic. *
638+ anomaly detection heuristic could raise false positives, restricting
639+ legate traffic and negatively impacting revenue. Too conservative,
640+ and malicious traffic could crowd out legitimate traffic. *
508641
509642 *It is also the case that that "unwanted" is in the eye of the
510643 beholder. Network probes that are sometimes used in research, with
@@ -537,7 +670,7 @@ firewalls will never block all forms of malicious traffic leads to the
537670conclusion that an IDS/IPS is worth having as a second line of
538671defense.
539672
540- 9.4 .2 DoS Mitigation
673+ 9.5 .2 DoS Mitigation
541674~~~~~~~~~~~~~~~~~~~~~~~~~~~
542675
543676Sometimes unwanted traffic is simply trying to consume resources,
@@ -558,7 +691,7 @@ just too much of it), the DDoS challenge is addressed by two general
558691countermeasures. Note that the best we can hope for is to mitigate the
559692impact of such attacks; there is no cure-all. This is easy to
560693understand at an intuitive level: an appliance defending against DoS
561- attacks is itself a kind of resource that can be DoS'ed .
694+ attacks is itself a kind of resource that can be DoSed .
562695
563696The first countermeasure is to absorb potential attacks with even
564697greater resources than the adversary is able to muster. For web
0 commit comments