Zero Trust Networking
Rainer Stropek | @rstropek | rainer@timecockpit.com
Cloud Apps Beyond Perimeter Security
What is a "Zero Trust Network"?
[Diagram: network topology with clients, servers, a load balancer, the Internet and a VPN (the same drawing appears twice on the original slides)]
Hard rules outside,
soft (or no) rules inside
Perimeter Security
- Secure the "inside" from the insecure "outside"
- E.g. Firewalls, proxies, DMZs, VPNs
Problems (Examples)
- Mobile and home working outside of corpnet/VPN
- Is corpnet really secure?
- Software-as-a-Service
  - Outgoing and incoming
- Further reading: Google's BeyondCorp project
[Diagram: the same perimeter topology with clients, servers, a load balancer, the Internet and a VPN]
Assumption: We cannot trust any network
[Diagram: the same clients and servers without a trusted inside; every connection is treated as crossing an untrusted network]
Prerequisites for Zero Trust Networking
Three Rules
- Authenticate every connection
  - Users, devices
- Encrypt all traffic
- Log everything
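The three rules as a runnable gate, an example added here rather than code from the talk: a connection is allowed only when the transport is encrypted, the user's token verifies, and the device is in the managed inventory, and every decision, allowed or denied, is written as one structured log record. The signing key, the device inventory and the token format are constructed stand-ins for an identity provider and a device-management system.

```python
"""Minimal zero-trust connection gate: authenticate user and device, refuse
plaintext transport, log every decision. Example code, not from the talk."""
import base64
import binascii
import hashlib
import hmac
import json
import logging
import time
from dataclasses import dataclass
from typing import Optional

# Constructed signing key standing in for the identity provider's key.
TOKEN_SIGNING_KEY = b"example-key-constructed-for-this-demo"
# Constructed device inventory (device id -> enrolled owner); hypothetical data.
MANAGED_DEVICES = {"dev-7f3a": "alice", "dev-91c2": "bob"}

log = logging.getLogger("zt.gate")


@dataclass
class ConnectionRequest:
    user_token: Optional[str]  # bearer token presented by the user, if any
    device_id: Optional[str]   # device identity presented with the connection
    tls: bool                  # True when the transport was encrypted
    src_ip: str
    resource: str


def issue_token(user: str, ttl_seconds: int = 300, now: Optional[float] = None) -> str:
    """Mint a signed token '<payload>.<hmac>' (stand-in for an IdP-issued token)."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user, "exp": int(now) + ttl_seconds},
                         separators=(",", ":")).encode()
    sig = hmac.new(TOKEN_SIGNING_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the subject when signature and expiry are valid, otherwise None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(TOKEN_SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    try:
        claims = json.loads(payload)  # parsed only after the signature checks out
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def authorize(req: ConnectionRequest, now: Optional[float] = None) -> dict:
    """Apply the three rules to one connection. Every outcome, allowed or
    denied, is emitted as one structured log record and returned."""
    now = time.time() if now is None else now
    user = verify_token(req.user_token, now) if req.user_token else None
    decision = {"ts": int(now), "src_ip": req.src_ip, "resource": req.resource,
                "user": user, "device": req.device_id, "allowed": False}
    if not req.tls:
        decision["reason"] = "plaintext transport refused"
    elif user is None:
        decision["reason"] = "user not authenticated"
    elif req.device_id not in MANAGED_DEVICES:
        decision["reason"] = "device not authenticated"
    else:
        decision["allowed"] = True
        decision["reason"] = "ok"
    log.info(json.dumps(decision))  # log everything, including denials
    return decision


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    token = issue_token("alice")
    authorize(ConnectionRequest(token, "dev-7f3a", True, "10.0.0.5", "/api/orders"))
    authorize(ConnectionRequest(token, "dev-7f3a", False, "10.0.0.5", "/api/orders"))
    authorize(ConnectionRequest(None, "dev-7f3a", True, "203.0.113.9", "/api/orders"))
```

Note that the source address plays no part in the decision: it is recorded for the audit trail, but being "inside" a network grants nothing, which is the point of the assumption on the previous slides.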
What about legacy apps?
- Network segmentation
  - Microsegmentation
  - Problems: PaaS, Serverless
How Can Azure Help?
- PaaS and Serverless
  - No more patching of base software infrastructure
- Encryption of data in transit out of the box
  - Certificate management (free managed certs in preview)
  - Key Vault secure storage for certs and secrets
- Azure AD for authentication and authorization
  - Users and services
  - Managed identities for M2M communication
- Private Endpoints
  - Enable PaaS/Serverless in locked-down network segments
- Logging, monitoring, and telemetry
  - Application Insights
How Can Azure Help?
- Network security
  - Network Security Groups
  - Web Application Firewall (WAF)
  - DDoS protection
  - API Management
  - Secure RDP/SSH (e.g. Bastion)
  - VPN Gateways
- Secure Control Plane
  - Azure Resource Manager
  - Azure Cloud Shell
Avoid...
- ...secrets
  - Use AAD instead
    - E.g. AAD admin for Azure SQL
  - (if not avoidable) ...storing secrets outside Key Vault
- ...putting old, legacy apps on the internet
- ...applying traditional perimeter-focused policies to cloud-native apps
  - Makes no sense with many PaaS/Serverless cloud services
- ...forgetting logging/monitoring/telemetry
- ...underestimating the importance of AAD
- ...manually managing certificates and secrets
- ...inventing your own security protocols and services
Demo Time!
Demo
- Cloud Native Web API
  - App Service Web App
  - .NET Core 3.1
  - Protected by AAD (OpenID Connect)
- SQL DB for storage
  - Fully managed
  - Admin access protected by AAD
  - App access protected by AAD (Managed Identity)
  - Limit SQL DB access to VNet
    - SQL Private Endpoint
- Legacy Node.js app
  - Not ready for Zero Trust Networking
  - VNet isolation with access via Bastion
Demo
- Code Walkthrough
  - App Service Code
  - Legacy Web App
- Let Web API access legacy backend
  - Access through Bastion
  - Allow PaaS access to VNet
- Protect Web API using AAD "Easy Auth"
  - Show headers
- Switch SQL to AAD
  - AAD Admin
  - Managed Identity access from Web API
- Restrict access to SQL DB using Private Endpoint
  - Including private DNS zone
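The demo protects the Web API with App Service authentication ("Easy Auth"), which validates the AAD token at the platform and hands the caller's identity to the app in request headers; this is also what lets the app avoid secrets of its own. The following Python example is added here and is not part of the talk's .NET Core demo code: it decodes the X-MS-CLIENT-PRINCIPAL header into name, roles and claims and runs a role check on the result. The header value, the user and the role name are constructed, and the claim type URIs are simply the ones the sample itself places in name_typ/role_typ (the real values depend on the identity provider and token version, which is why the parser reads them from the header instead of hard-coding them).

```python
"""Decode the identity headers that App Service authentication ("Easy Auth")
injects, and make authorization decisions on the result. Example code, not
from the talk's demo; the sample header below is constructed."""
import base64
import json
from typing import Dict, List, Optional

# Claim type URIs used as name_typ / role_typ in the constructed sample.
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def parse_client_principal(headers: Dict[str, str]) -> Optional[dict]:
    """Turn X-MS-CLIENT-PRINCIPAL (base64-encoded JSON) into a small principal
    dict. Returns None when the header is missing, i.e. the platform did not
    authenticate the caller."""
    raw = _header(headers, "X-MS-CLIENT-PRINCIPAL")
    if not raw:
        return None
    doc = json.loads(base64.b64decode(raw))
    claims: Dict[str, List[str]] = {}
    for claim in doc.get("claims", []):
        claims.setdefault(claim["typ"], []).append(claim["val"])
    name_typ = doc.get("name_typ")  # which claim carries the display name
    role_typ = doc.get("role_typ")  # which claim carries roles
    return {
        "provider": doc.get("auth_typ"),
        "name": (claims.get(name_typ) or [None])[0],
        "roles": list(claims.get(role_typ, [])),
        "claims": claims,
    }


def has_role(principal: Optional[dict], role: str) -> bool:
    """Authorization check: anonymous callers have no roles."""
    return principal is not None and role in principal["roles"]


def make_sample_header() -> str:
    """Constructed principal header for a hypothetical user; not real data."""
    doc = {
        "auth_typ": "aad",
        "claims": [
            {"typ": "aud", "val": "api://example-app"},
            {"typ": NAME_CLAIM, "val": "alice@contoso.example"},
            {"typ": "http://schemas.microsoft.com/identity/claims/objectidentifier",
             "val": "00000000-0000-0000-0000-000000000001"},
            {"typ": ROLE_CLAIM, "val": "Orders.Read"},
        ],
        "name_typ": NAME_CLAIM,
        "role_typ": ROLE_CLAIM,
    }
    return base64.b64encode(json.dumps(doc).encode()).decode()


if __name__ == "__main__":
    request_headers = {"X-MS-CLIENT-PRINCIPAL": make_sample_header(),
                       "X-MS-CLIENT-PRINCIPAL-NAME": "alice@contoso.example"}
    principal = parse_client_principal(request_headers)
    print(principal["name"], principal["roles"], has_role(principal, "Orders.Write"))
```

The app never validates the token itself; it relies on the platform having done that before the request reaches the process. The same code therefore must not run anywhere requests can reach the process without passing through App Service authentication, which is one reason the demo keeps its components on VNet-isolated paths rather than open endpoints.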
Zero Trust Networking in Azure
By Rainer Stropek