The purpose of this guide is to provide a high level overview of my thoughts on zero trust and not a complete security architecture. It is a work in progress that will be updated.
Zero Trust this Zero Trust that, blah, blah. Everyone says everyone should do it. Even the United States Department of Defense has a 104 page guideline, https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v2.0(U)_Sep22.pdf.
The National Institute of Standards and Technology has this special publication, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf.
However, no one tells you what technology to use or how to configure/deploy it. I’m changing that! This is a guide on how it works, with configuration guides/links and very few if any acronyms, so you can do it yourself!
First, here is how Forrester defines Zero Trust: https://www.forrester.com/blogs/the-definition-of-modern-zero-trust/ I’m not going to retype what they wrote, but here are the concepts that are important:
Just so you don't have to read everything to get the answer, I’m going to give it to you now: a Palo Alto firewall configured with:
Why Palo Alto? Because they are the only company I have found that can do it at the deepest level with the least amount of additional hardware.
You might think I’m crazy because Virtual Private Network is old technology and you should instead buy some sexy new next generation cloud based phenom that will eat your budget (don't do this). Yes, it's been around, and it still works. It's not difficult to set up, it can be used with multi factor authentication, or even passwordless authentication (using the credentials of the Windows machine you logged onto and/or certificates). Just don't forget multi factor authentication. The other great thing about the VPN client is that it provides posture validation, so you know only authorized systems can connect. Fasten your seat belts and let's get to it.
Architecture:
The Palo Alto must be the center, conceptually and routing wise, of your network, meaning that all traffic must flow through the firewall so the proper policies can be applied (referring to the three Forrester bullet points above; in large networks there can and will be many firewalls). I cannot show every scenario due to the many different factors in network design, etc., so I’m just going to show how this can be done for a small doctor's office. We’ll call him Doctor SKRZ.
Remember that you define the boundary of Zero Trust, whether it is a group of servers or a single laptop.
The Palo Alto:
The basic firewall config can be found on the Palo Alto Live Community Site:
https://live.paloaltonetworks.com/t5/general-articles/secure-day-one-configuration-not-for-the-faint-of-heart/ta-p/435501, careful with it, you have been warned. It is a strict configuration, but it has a lot of best practices from both Palo Alto and DISA prebuilt into it. Some features/functions still have to be configured or modified, since they cannot be added into a base config.
The Global Protect setup can be found here:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClfXCAS
Since configs change, etc., I’m not going to restate them.
OK, what about the rest of the network? There should be a few VLANs (virtual local area network; video here https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMuTCAW) that are required for this small office, and all of them terminate at the Palo Alto. What I mean by terminate is that the Palo Alto holds the gateway, so traffic can exit the VLAN. The Palo Alto can then be used to apply policies to allow only the required traffic.
What are VLANs?:
Since this is a small doctor's office, we’ll use the 10’s methodology. Why? Because why not; honestly it's just random anyway. So we’ll make the users VLAN number 10, servers VLAN 20, printers VLAN 30, Internet of Things (Supervisory Control and Data Acquisition, SCADA) and other items VLAN 40, payment system(s) VLAN 50, medical equipment VLAN 60, phones VLAN 70, and the internet side VLAN 666. Why not a flatter network? Remember that not all of these devices can utilize VPN technology, so their network traffic must be separated. Yes, some things can live on the same network; it depends on your resources, access to someone who can make changes to switch ports, etc. The idea is to keep like type equipment together and let the firewall maintain separation and decide who/what can talk to what equipment.
Choosing subnet addresses:
DHCP notes:
Here I have sketched out a basic network diagram with 3 switches; one is power over ethernet to power the phones. So the easy config would be to trunk the switch ports to the Palo Alto, allowing all VLANs except VLAN 1, with no native VLAN. Then on the Palo Alto side have the trunk ports that are allowed (this will drop any VLANs that are not on the Palo Alto). It doesn't really matter at this point which device is plugged into which switch AS LONG AS THAT PORT IS CONFIGURED FOR THE PROPER VLAN. The Palo Alto will determine what traffic can pass to/from/between the devices based on its policies.
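The switch-side part of this is easy to get wrong quietly: a printer patched into a port left on the users VLAN, or a trunk that still carries VLAN 1 with a native VLAN, bypasses the separation the firewall is supposed to enforce. The following is an added example, not code from the original post, that audits a constructed port inventory against the VLAN plan above. The VLAN numbers are the post's; the labels, switch names, port names and the inventory itself are made up for the example.

```python
"""Added example, not from the original post: an audit of the VLAN plan above.

Given a constructed inventory of what is plugged into each switch port and how
that port is configured, it reports access ports whose VLAN does not match the
device class, trunks that carry VLAN 1 or use a native VLAN, and trunks that
carry VLANs the firewall does not terminate. Port names and the inventory are
made up for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# VLAN numbers are the ones the post assigns; the keys are labels chosen here.
VLAN_PLAN = {
    "users": 10, "servers": 20, "printers": 30, "iot_scada": 40,
    "payments": 50, "medical": 60, "phones": 70, "internet": 666,
}
FIREWALL_VLANS = set(VLAN_PLAN.values())  # VLANs terminated on the Palo Alto


@dataclass
class Port:
    switch: str
    name: str
    mode: str                                   # "access" or "trunk"
    access_vlan: Optional[int] = None           # access ports only
    allowed_vlans: Set[int] = field(default_factory=set)  # trunk ports only
    native_vlan: Optional[int] = None           # trunk ports only; the post wants none
    device_class: Optional[str] = None          # what is plugged in (access ports)


def audit_port(port: Port) -> List[str]:
    """Return findings for one port; an empty list means the port is as planned."""
    where = f"{port.switch}/{port.name}"
    findings = []
    if port.mode == "access":
        expected = VLAN_PLAN.get(port.device_class or "")
        if expected is None:
            findings.append(f"{where}: unknown device class {port.device_class!r}")
        elif port.access_vlan != expected:
            findings.append(
                f"{where}: {port.device_class} on VLAN {port.access_vlan}, expected {expected}")
    elif port.mode == "trunk":
        if 1 in port.allowed_vlans:
            findings.append(f"{where}: trunk allows VLAN 1")
        if port.native_vlan is not None:
            findings.append(f"{where}: trunk has native VLAN {port.native_vlan}")
        stray = sorted(port.allowed_vlans - FIREWALL_VLANS - {1})
        if stray:
            findings.append(f"{where}: trunk carries VLANs not terminated on the firewall: {stray}")
    else:
        findings.append(f"{where}: unknown port mode {port.mode!r}")
    return findings


def audit(ports: List[Port]) -> List[str]:
    return [finding for port in ports for finding in audit_port(port)]


# Constructed inventory: three switches, sw3 is the PoE switch for the phones.
SAMPLE_PORTS = [
    Port("sw1", "Gi1/0/1", "access", access_vlan=10, device_class="users"),
    Port("sw1", "Gi1/0/2", "access", access_vlan=10, device_class="printers"),  # wrong VLAN
    Port("sw2", "Gi1/0/5", "access", access_vlan=40, device_class="iot_scada"),
    Port("sw3", "Gi1/0/7", "access", access_vlan=70, device_class="phones"),
    Port("sw1", "Gi1/0/24", "trunk", allowed_vlans={10, 20, 30, 40, 50, 60, 70}),
    Port("sw2", "Gi1/0/24", "trunk", allowed_vlans={1, 10, 20, 99}, native_vlan=1),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_PORTS):
        print(line)
```

Run as-is it prints four findings: the printer on the users VLAN, and the sw2 uplink allowing VLAN 1, using VLAN 1 as native, and carrying a VLAN 99 the firewall never terminates. Feeding it a real inventory means exporting the port configs from your switches into the same shape.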
First you have the DENY ALL policy at the bottom to block all traffic, and then everything above it is allowed unless specifically blocked. You can see the policies from the template that deny/allow certain traffic. VLAN 666: since we are not hosting anything an internet user would require, a web page, etc., it's DENY ALL inbound traffic 🙂.
Here are some policies that show basic traffic.
To get to the servers and everything else, users must VPN into the Palo Alto using Global Protect. This identifies them to the Palo Alto and lets us create security policies that allow traffic based on their role/name. Here are a few best practices/steps to write policies that actually use the zero trust approach: https://docs.paloaltonetworks.com/best-practices/zero-trust-best-practices One of the servers will be a Domain Controller and the other a file server. Bingo, zero trust. Does this mean you are done and everything is good? No! This is only one piece of the overall security strategy to employ, depending on your business and/or requirements: HIPAA, PCI, etc.
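To make the two ideas above concrete, the deny-all at the bottom and the user-based rules that only work once Global Protect has identified the user, here is an added example that is not code from the original post or from Palo Alto. It models a rulebase as a first-match list with zones named after the VLANs plus a "vpn" zone, evaluates a few constructed flows against it, and checks the ordering mistake that matters most: a rule that matches everything sitting above the rules it shadows. Rule names, zone names, applications, users and groups are assumptions made for the example.

```python
"""Added example, not from the original post or from Palo Alto: a first-match
model of the rulebase shape described above.

Zones are named after the VLANs, plus a "vpn" zone for Global Protect users.
Rules are evaluated top to bottom, the first match wins, and a deny-all sits
last, so anything not explicitly allowed above it is dropped. User-based rules
only match traffic that carries an identity from the VPN login. Rule names,
zone names, applications, users and groups are assumptions for the example.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    app: str
    user: Optional[str] = None                  # identity from the VPN login, None if unknown
    groups: FrozenSet[str] = frozenset()        # directory groups of that user


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    app: str = ANY
    user_group: str = ANY                       # required group, or "any"
    action: str = "allow"

    def matches(self, flow: Flow) -> bool:
        if self.src_zone not in (ANY, flow.src_zone):
            return False
        if self.dst_zone not in (ANY, flow.dst_zone):
            return False
        if self.app not in (ANY, flow.app):
            return False
        if self.user_group != ANY:
            # Unidentified traffic never matches a user-based rule.
            if flow.user is None or self.user_group not in flow.groups:
                return False
        return True

    def matches_everything(self) -> bool:
        return (self.src_zone, self.dst_zone, self.app, self.user_group) == (ANY, ANY, ANY, ANY)


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (rule name, action) of the first rule that matches, top to bottom."""
    for rule in rules:
        if rule.matches(flow):
            return rule.name, rule.action
    return "implicit-deny", "deny"   # only reached if no deny-all is configured


def check_rulebase(rules: List[Rule]) -> List[str]:
    """Ordering checks: deny-all must be last, and nothing above it may match everything."""
    findings = []
    if not rules or not (rules[-1].matches_everything() and rules[-1].action == "deny"):
        findings.append("last rule is not an any/any deny")
    for position, rule in enumerate(rules[:-1]):
        if rule.matches_everything():
            findings.append(
                f"rule {rule.name!r} at position {position} matches everything and shadows every rule below it")
    return findings


# Constructed rulebase for the office: servers are reachable only from the VPN zone.
RULEBASE = [
    Rule("vpn-staff-to-fileserver", "vpn", "servers", app="smb", user_group="staff"),
    Rule("vpn-staff-to-dc", "vpn", "servers", app="kerberos", user_group="staff"),
    Rule("vpn-doctors-to-medical", "vpn", "medical", app="dicom", user_group="doctors"),
    Rule("users-to-printers", "users", "printers", app="ipp"),
    Rule("phones-to-internet", "phones", "internet", app="sip"),
    Rule("deny-all", ANY, ANY, action="deny"),
]

# Constructed flows to evaluate.
SAMPLE_FLOWS = [
    Flow("vpn", "servers", "smb", user="alice", groups=frozenset({"staff"})),
    Flow("users", "servers", "smb"),                                           # no VPN identity: denied
    Flow("vpn", "medical", "dicom", user="bob", groups=frozenset({"staff"})),  # not a doctor: denied
    Flow("iot_scada", "servers", "smb"),                                       # falls through to deny-all
    Flow("users", "printers", "ipp"),
]

if __name__ == "__main__":
    for problem in check_rulebase(RULEBASE):
        print("rulebase problem:", problem)
    for flow in SAMPLE_FLOWS:
        print(flow.src_zone, "->", flow.dst_zone, flow.app, evaluate(RULEBASE, flow))
```

The point the flows make is that a user sitting on the users VLAN with the same machine and the same application gets the deny-all until they come in through the VPN zone with an identity, and that group membership, not just identity, decides the medical rule. Moving the deny-all to the top of the list is caught by check_rulebase, which is the kind of check worth running before every commit on a real firewall.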
This guide and Zero Trust are only one possible foundation.
“He will win who knows how to handle both superior and inferior forces.” Sun Tzu