The Non-Zero Components of a Zero Trust Network
Timothy Rooney
28 March 2022
In the face of a rising tide of network infiltration attempts via increasingly diversified attack vectors, enterprises must constantly remain vigilant and proactive in managing system monitoring and attack detection solutions. Whether you realize it or not, IP address management (IPAM) plays a key role within your overall network security strategy. Core IPAM functions, including tracking IP inventory, allocating address space, monitoring network access through DHCP and discovery, and various DNS security tactics (collectively, DDI) not only serve as requisite network functions but are critical to your network security strategy. As the sophistication of attacks continues to spiral, defensive strategies including IPAM must likewise evolve to keep pace if not outpace nefarious exploitation of network and system vulnerabilities.
Zero Trust Security
The concept of zero trust networks, originally posited by Forrester Research a decade ago, is rising in prominence as a fundamental network security approach within enterprises, across Internet of Things (IoT) environments and even in evolving macro developments such as secure access service edge (SASE). As the name implies, zero trust networks begin with the assumption that no user or device is implicitly trusted. Contrast this with the castle-and-moat philosophy, where users and devices within a network are implicitly trusted and defenses are focused on detecting and repelling attacks originating outside the network. As remote workers, who have been accessing your networks from a variety of highly mobile computing devices, now return to offices, your network is increasingly vulnerable to attacks originating both inside and outside your network.
Implementing zero trust begins with identifying your most critical or sensitive data and enveloping it within a protect surface. Having identified your most important data, map how that data flows within and through your network to users, administrators and other systems. This step lets you scope tightly where such data may travel across your network, yielding micro-perimeters comprised of the data sources, destinations and the network paths between them.
Admitting users into a micro-perimeter requires applying the principles of user authentication, device authorization and least-privilege access, so that users with approved devices can reach only those portions of the data required for their respective responsibilities. After you’ve defined your micro-perimeters via these admittance strategies together with network access and flow controls, continual monitoring and analysis of data flows enables detection of anomalies and of attempted or successful perimeter violations, so that response and recovery actions can be initiated. Automating detection, characterization and deterministic actions triggered by specific events is recommended to reduce the window of attack exposure, remediate infringements quickly and shore up defenses.
The Key Role of DDI in Zero Trust
As with every network initiative, DDI plays a key role in deploying zero trust networks. Your fundamental IP address plan and allocation strategy facilitate implementation of address-based security policies. Once you’ve identified each set of critical data and its general network flows, you’ll need to define its micro-perimeter, which from a network perspective largely entails constraining which network endpoints (IP subnets or individual IP addresses) can reach the repositories housing the data, and perhaps also defining access lists along the path between them. A DDI system affords quick and easy access to such information by inventorying subnets as well as IP address-to-host associations.
In terms of user authentication and device authorization, DHCP-initiated, autoconfigured and cloud-assigned IP addresses must be tracked so that the devices present on the network can be compared against the set of authorized devices. Many zero trust authentication solutions therefore incorporate 802.1X and certificate-based authentication, supplemented by various forms of discovery to identify potentially unauthenticated devices and users.
DNS also plays a key role within zero trust networks. As the first step in establishing an IP connection, DNS can be configured to respond differently to the same query from different resolvers using DNS views, a feature which enables a DNS server to return differing answers based on certain criteria, including the query source IP address. Views define their match criteria via address match lists and resolve a particular version of a zone for the clients that match. For example, two views of an internal zone can be established: one that resolves the name of a server housing sensitive data and another that does not resolve the corresponding domain name at all. Similarly, views can restrict the resolution data accessible to IoT devices that reside on dedicated IoT networks or subnets.
When a device becomes authorized, its IP address can be added to the address match list of the view that resolves the destination hosting the sensitive data. The only hitch is that the DNS service typically needs to be restarted for the change to take effect. Alternatively, you could soften per-host authorization of such DNS resolutions and match instead on a given subnet or set of addresses, if authorized devices are known a priori to obtain addresses from a particular address pool or set of subnets and pools. The assignment of a device to a particular pool can be configured within DHCP as well, so that the device receives an address from that pool upon successful authorization. This would allow static definition of your view statements, though it requires DHCP address assignment integrated with external inputs (device authorization).
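As an added illustration, not taken from the original article, the following BIND 9 (9.16 or later) named.conf fragment implements the pool-based variant described above: clients holding an address from an assumed DHCP pool for authorized devices (10.20.30.0/25) receive a version of the zone that resolves the sensitive server's name, while all other clients receive a version that omits it. The zone name corp.example, the hostname vault, the file paths and all addresses are assumptions.

```conf
// Address match list naming the DHCP pool from which authorized devices are
// assigned addresses (assumed pool 10.20.30.0/25). Because the view statements
// below reference the pool rather than individual hosts, they stay static;
// only this list would change, and that change takes effect after named's
// configuration is reloaded.
acl "authorized_pool" {
    10.20.30.0/25;
};

// Views are evaluated in order and the first match wins, so the view that
// matches "any" must come last.
view "sensitive" {
    match-clients { authorized_pool; };
    recursion no;            // authoritative-only in this illustration

    // Zone version whose file includes the record for the sensitive data
    // server, e.g. "vault  IN  A  10.0.5.10" (assumed address).
    zone "corp.example" {
        type primary;
        file "/etc/bind/zones/corp.example.sensitive";
    };
};

view "general" {
    match-clients { any; };
    recursion no;

    // Same zone name, but this zone file omits the "vault" record, so a
    // query for vault.corp.example from a non-authorized client is answered
    // with NXDOMAIN rather than the server's address.
    zone "corp.example" {
        type primary;
        file "/etc/bind/zones/corp.example.general";
    };
};
```

Checking with `dig @<server> vault.corp.example A` from an address inside and outside the pool should yield the A record and NXDOMAIN respectively; a log of which view served each query is the audit trail the forensics discussion below relies on.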
DDI Helps Enforce Zero Trust and Provides Incident Forensics Data
Your IP address plan, device initialization strategies (DHCP, SLAAC, etc.) and DNS name resolution configuration all serve as foundational components within a zero trust network, particularly with respect to provisioning and operation. From the monitoring and defense perspectives, auditing and forensics of network activity, including DHCP and DNS transactions and IP address discovery history, serve as critical inputs. DNS security measures can also supplement broader network defense-in-depth strategies by monitoring for malware DNS queries or data exfiltration via DNS tunneling. A comprehensive IPAM solution such as that from Cygna Labs Diamond IP can serve as the underpinning for your zero trust network deployment, facilitating definition and management of network micro-perimeters, DHCP pool criteria, IP discoveries, DNS view definitions and DNS security features.