ZTI (Zero Trust Identity) & Beyond with LISA
We rarely post like this in such detail, but we felt it would be helpful to put together a recipe for ZTI (Zero Trust Identity) & Beyond to pay back to our friends in the INFOSEC world.
The ZTI initiative started by Brian Zimmer while at Netflix, known as the Location Independent Security Approach (LISA) forms the core to the Varpath Beyond Zero Trust ID. We have taken LISA, and added some controls for 2021. This is not a true cookbook. There are large generalizations left out. For example, it is an assumption that you are going to be able to install Anti Virus and VPN clients on your device fleet. Also that you have an Identity Directory like Microsoft AD FS, Google Id, or LDAP already running. There is also an assumption that you have managed switches, and know how to log into them. The original ZTI framework was proposed years ago and has stood up well. We hope you find the few tweaks and updates helpful.
This is written for System Administrators, IT Managers, and Network/Firewall engineers. It is written with effectiveness and price in mind, and uses the vendor Cisco for switching and either Palo Alto Networks or WatchGuard as a Cloud Access Gateway firewall. You do not have to use these vendors, feel free to substitute your own.
The price point we were shooting for to accomplish everything is $20 per user per month max.
This equates to around $5,000 per year for 20 users.
LISA (Location Independent Security Approach)
What is Zero Trust Identity (ZTI)
First, let's cover trust, because Beyond Zero Trust only makes sense once Zero Trust is clear. So, first, Zero Trust.
What does zero trust mean?
Zero Trust Identity in the LISA context is just a fancy way to say you need to prove who you say you are to obtain access to resources. There is no access implicitly granted based on your location. Your desk or office has no more access to resources than when you are at the coffee shop.
First Multi Factor Authentication (MFA)
When you go to the bank, get a driver's license, or check in at the airport, you have already experienced two-factor authentication. It is similar to MFA: at the airport or bank counter you are often asked for two forms of ID. One is a government ID. The other is whatever else they will accept; a credit card is usually pretty acceptable.
True MFA mixes things up. One of the forms of authentication is usually something you know, like a password. The second is something you might have on you, like your phone, or a certificate on your laptop. That is the basis for Multi Factor Authentication. We can chain more than two things, but let’s just go with two for now, a password and authentication from a mobile phone, as the most common. You may already be used to this from websites that send you an SMS text.
Health Check / Posture Check
I may even have you also provide proof of posture. Posture assessment can include details such as a specific Anti Virus or a mobile device’s jailbroken status. Those details can allow me to provide you with more access or trust, based on policies.
What is Beyond Zero Trust Identity
If Zero Trust is: “I have zero trust in who you say you are, until you hand me the right credentials. If you do, I can provide you with services.”
Then Beyond Zero Trust is: “I will never trust you, even if you hand me the right credentials.” (because of Indicators of Impossibility)
The key to Beyond Zero Trust is something we call IOI. IOI stands for Indicators Of Impossibility. Although largely details specific to your organization, many IOIs are very general. Here are some to get you thinking about what would be IOI’s. Let us know if there are other IOI’s you feel would be helpful to be featured here.
By paying attention to IOI within your environment, you can help reduce your attack surface.
IOI : Indicators Of Impossibility
ICMP and UDP are protocols that are almost never used to INITIATE communication for legitimate purposes. Sure, I might stream a movie, or join a meeting. These might use UDP, a lot of UDP! So yes it is seen on my network. But those things are initiated/consumed by me. It is an internal to external request outbound to Netflix or Ring Central. These are not inbound connections.
If your business provides services over UDP, I assure you that you would already know this. It is very rare, and seen mainly with VOIP providers and other media service companies. YOU are not offering a streaming or VOIP service. So why do you accept connections as if you were one?
Most companies have no legitimate reason, other than VPN, to initiate a connection to your company using anything other than TCP. Even with TCP, there are only a few legitimate services you could be offering these days. So ICMP, UDP, or whatever else: these protocols are clearly not needed inbound. Use this as an IOI to drop that incoming IP into a block list (AKA SHUN list).
How about IPv6? Don’t use it? Well that might be another IOI then.
Why are you reaching out to my systems on TCP/1433? That’s the port for SQL server!
The moment you see this on your border network, nip it in the bud. Immediately block that IP. There is absolutely no reason to allow the attacker to continue their recon. Did they start with TCP/1? Well that’s a no brainer. Next is going to be a connection to TCP/2. I’m pretty sure 3 is next. So you have an attacker enumerating your open ports. Should you let them continue? NO! This is a ridiculously obvious IOI. It is absolutely impossible that this is legitimately caused by someone trying to browse to your website. Some firewalls lack the ability to stop this attack, but if you can, SHUN that IP!
Impossible IP sources:
Do you have a user VPN’ing in from North Korea? Even if they provided their MFA password, this is a flat out IOI. Impossible!
In general, inbound Geofencing is an invaluable source of IOI. If you don’t do business in China, you can be assured there is no impact to blocking/SHUN any of these foreign IP sources. Does anyone remember the story of the software developer who outsourced his job to a developer in China? He was eventually caught because of an IOI. The company eventually noticed a Chinese IP connecting to their VPN.
How about inbound connections to your gateway from a TOR exit node? You can just deny it. Unless you are running a TOR site, nobody really expects you to accept connections over TOR. Nobody expects a big business deal to come over TOR either. Luckily TOR exit nodes are not super dynamic. They change, but it is a fairly sound strategy to just download a block list daily and import it into your firewall. Here is the site I like to pull this data from:
Here is a list of TOR exit points, as maintained by the TOR project.
You can easily import this list as an alias in WatchGuard. Set that alias up as a deny rule. Additionally place IPs triggering the policy into your SHUN bucket.
Impossible Time Of Day Activity:
It is extremely unlikely that your non-exempt workers will VPN to do work voluntarily late at night. This is almost always an IOI. Did your receptionist just log into VPN at 2:00 AM?
NEVER GONNA HAPPEN IN THE REAL WORLD.
It’s not theoretically IMPOSSIBLE, I mean you DID give them VPN and credentials, right? But yeah, it’s totally impossible that they would be working at night for any legitimate purpose. This will not end well. So just group this into the IOI bucket.
Impossible User Names:
An obvious example for an impossible user name is the moment you see a login attempt for “administrator” on a Linux host, or “root” on a Windows system, you have actionable data. This is an obvious IOI, and you should SHUN that inbound request’s IP address. This is also applicable to your cloud services. Most cloud email providers have varying degrees of control over logins. Some are better than others.
Impossible User Names is also an excellent place to reverse honey-pot. If you have any dark-web intel that you use to scan for company domain names, you will know what usernames have been leaked. This will often contain usernames from employees that are no longer with the company. These are absolutely invaluable at creating actionable IOI. It is impossible that an ex-employee needs to log in. That IP is now an attack IP and it should be blocked or put on a SHUN list.
You can use a SOAR (Security Orchestration and Response) tool to work with the data you have or the SIEM you have to accomplish this. Or this could be part of your Office365 network. Microsoft has many tools to help with this. For example, Microsoft Conditional Access accomplishes a few of the things we are talking about here.
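As an added example (not code from the original post, and not the logic of any SOAR, SIEM or Microsoft product named here), the following Python sketch turns the IOIs above into triage rules run over constructed firewall and VPN events and lists which source IPs earn a place on the SHUN list and why. The event field names, the working-hours window, the country allowlist and the TOR exit set are assumptions for the illustration; in a real deployment the daily TOR list and the breach-intel usernames would be read from files rather than hard-coded.

```python
"""Indicators Of Impossibility (IOI) triage over constructed firewall/VPN events.

Added example, not from the original post. Event field names (src, direction,
proto, dst_port, service, country, user, host_os, hour) are assumptions for this
illustration; all IPs, user names and the TOR exit list are constructed sample data.
"""
from collections import defaultdict
from ipaddress import ip_address

ALLOWED_COUNTRIES = {"US", "CA", "IE", "GB"}        # home country plus the article's Google note
TOR_EXIT_NODES = {"203.0.113.7", "198.51.100.44"}  # constructed stand-in for the daily TOR list
FORMER_EMPLOYEES = {"jsmith", "old.contractor"}     # constructed; would come from breach-intel scans
SENSITIVE_PORTS = {1433: "SQL Server", 3389: "RDP", 445: "SMB"}
WORK_HOURS = range(7, 20)                           # 07:00-19:59 local time, an assumption

def impossible_username(user, host_os):
    """'administrator' has no business on Linux, 'root' has none on Windows."""
    u = user.lower()
    return (host_os == "linux" and u == "administrator") or \
           (host_os == "windows" and u == "root")

def evaluate_event(ev):
    """Return the list of IOI reasons for one event (empty list == nothing impossible)."""
    reasons = []
    inbound = ev.get("direction") == "inbound"
    # Inbound ICMP/UDP initiation is impossible unless it is the VPN service itself.
    if inbound and ev.get("proto") in ("udp", "icmp") and ev.get("service") != "vpn":
        reasons.append(f"inbound {ev['proto']} initiation")
    if inbound and ev.get("dst_port") in SENSITIVE_PORTS:
        reasons.append(f"probe of TCP/{ev['dst_port']} ({SENSITIVE_PORTS[ev['dst_port']]})")
    if ev.get("country") and ev["country"] not in ALLOWED_COUNTRIES:
        reasons.append(f"source country {ev['country']} outside geofence")
    if ev["src"] in TOR_EXIT_NODES:
        reasons.append("source is a TOR exit node")
    if ev.get("service") == "vpn" and ev.get("hour") is not None and ev["hour"] not in WORK_HOURS:
        reasons.append(f"VPN login at {ev['hour']:02d}:00, outside working hours")
    if ev.get("user"):
        if impossible_username(ev["user"], ev.get("host_os", "")):
            reasons.append(f"impossible user name {ev['user']!r} on {ev['host_os']}")
        if ev["user"].lower() in FORMER_EMPLOYEES:
            reasons.append(f"login as former employee {ev['user']!r}")
    return reasons

def detect_enumeration(events, min_run=3):
    """Flag sources that walk consecutive TCP ports (TCP/1, TCP/2, TCP/3 ...)."""
    ports_by_src = defaultdict(set)
    for ev in events:
        if ev.get("direction") == "inbound" and ev.get("proto") == "tcp":
            ports_by_src[ev["src"]].add(ev["dst_port"])
    flagged = set()
    for src, ports in ports_by_src.items():
        ordered, run = sorted(ports), 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b == a + 1 else 1
            if run >= min_run:
                flagged.add(src)
                break
    return flagged

def shun_candidates(events):
    """Map each source IP to the IOI reasons that justify putting it on the SHUN list."""
    verdict = defaultdict(list)
    for ev in events:
        ip_address(ev["src"])  # reject malformed addresses early
        for r in evaluate_event(ev):
            verdict[ev["src"]].append(r)
    for src in detect_enumeration(events):
        verdict[src].append("sequential port enumeration")
    return dict(verdict)

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"src": "192.0.2.10", "direction": "inbound", "proto": "udp", "dst_port": 53, "country": "US"},
    {"src": "192.0.2.11", "direction": "inbound", "proto": "tcp", "dst_port": 1433, "country": "US"},
    {"src": "192.0.2.12", "direction": "inbound", "proto": "tcp", "dst_port": 1, "country": "US"},
    {"src": "192.0.2.12", "direction": "inbound", "proto": "tcp", "dst_port": 2, "country": "US"},
    {"src": "192.0.2.12", "direction": "inbound", "proto": "tcp", "dst_port": 3, "country": "US"},
    {"src": "192.0.2.13", "direction": "inbound", "proto": "udp", "service": "vpn", "user": "reception", "hour": 2, "country": "US"},
    {"src": "192.0.2.14", "direction": "inbound", "proto": "udp", "service": "vpn", "user": "ceo", "hour": 14, "country": "KP"},
    {"src": "203.0.113.7", "direction": "inbound", "proto": "tcp", "dst_port": 443, "country": "DE"},
    {"src": "192.0.2.15", "direction": "inbound", "proto": "tcp", "dst_port": 22, "user": "administrator", "host_os": "linux", "country": "US"},
    {"src": "192.0.2.16", "direction": "inbound", "proto": "tcp", "dst_port": 443, "service": "sso", "user": "jsmith", "country": "US"},
    {"src": "192.0.2.17", "direction": "inbound", "proto": "tcp", "dst_port": 443, "service": "https", "country": "CA"},
]

if __name__ == "__main__":
    for ip, reasons in shun_candidates(SAMPLE_EVENTS).items():
        print(f"SHUN {ip}: {'; '.join(reasons)}")
```

Run as-is, it reports every sample source except the plain HTTPS visitor from Canada. The rules are deliberately stateless per event, except for the enumeration check, which needs to see several probes from one source; how long the resulting SHUN entry lives is left to the firewall or SOAR that consumes the output.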
Implementing LISA Zero Trust Identity:
Despite coming from such a large organization (Netflix), LISA felt like a great solution for us because Varpath represents security for many small to midsize organizations. Our customers range in size from 2 to 2000 employees. So we are always looking for solutions that are easy to adopt for small organizations and that actually use many of the configurations and techniques I already have running.
The most important thing for me is the ability for an initiative to get adopted successfully. So here is the easiest way I’ve found to implement Zero Trust successfully for a smaller organization. You don’t have to do things this way, it is just one of the easiest ways I’ve found to make things work.
$$$ (Step 1: Software, & Licenses)
Assuming you do not work for a startup unicorn and need to get the job done, I’ll try to explain how to do this all on a shoestring budget. Money does need to be spent in a couple of areas, but it’s not exorbitant if you know what to buy.
* Outside the scope of this document, but very applicable is management of your on-prem and datacenter networks. You should consider buying a hardware gateway to protect the networks of these static office resources.
Why do we know what works well? Because behind the scenes we have had direct experience with many suppliers and manufacturers of hardware and software. Can you do this with Meraki and DUO? Probably. Although I’m still calling out DUO for being social engineered recently. Can you do this with Fortinet? Probably. Sonicwall? Probably too. Cisco’s mainline products? Probably yeah. We actually do not have very big requirements here.
At Varpath, we are very good at Cisco, Fortinet, Juniper, and Palo Alto Networks firewalls. We love them all. I think at one time we even knew Sonicwall, but we haven’t seen any new deployments in the field in ages.
Ok… Let’s imagine this is for a small company. One with 20 employees. So here’s the damage at full list price. Not bad, right? $5,420! This includes ALL the licenses you’ll need! If you have 200 employees, not 20, you’ll happily find that there are huge wins to cost at scale. So the price per employee will be even cheaper for you!
And last to note, this is a cloud gateway. But as we mentioned at the start of this article, the moment you have an office presence again, you’ll want to complement your office network with a hardware gateway.
With ALL licenses:
|Solution|3Y SKU|Count|Cost 3Y|Cost 1Y|Subtotal 3Y|Subtotal 1Y|
|---|---|---|---|---|---|---|
|Panda Patch Management|WGPAT053|20|$43.00|$23.00|$860.00|$460.00|
|TOTAL 3Y & 1Y|||||$11,425.00|$5,420.00|
You are reading that correctly.
$5,420 MSRP to secure 20 employees with a complete commercial grade solution with 24×7 GOLD support from the vendor. That is PRE-discount, and any vendor is sure to provide a discount.
Endpoint Madness (Step 2: Isolation)
Now the endpoints, endpoints, endpoints… Endpoint madness everywhere. We are going to start by isolating them, because we can’t control them.
We lost the field on control once legit IOT showed up. Now we have some with the form factor of a lightbulb. I guess it’s only a matter of time before someone asks me to start securing the light bulbs. So endpoints it is. And it’s not just PCs and phones anymore. Now we are dealing with refrigerators, TVs, stereos, cameras, all sorts of things. Some can run security agents, most can not.
How are you going to wrangle that? The answer is you aren’t. You’ll just assume everyone has a virus on their machine. A deadly lethal one. Or if they don’t start the day with one, they download it while you are at lunch. Or in the bathroom. The fridge they are rolling into the lunch room on a pallet is loaded with malware and will cryptolocker everything over WiFi after it gets plugged into the wall.
On endpoints, you need to control the spread. So you need to keep them from mingling. Why? Because Joe in shipping just walked a Windows LAN-based virus onto your trusted network. You have the ability to limit the worst-case scenario. That virus can do one of two things:
Malware compromises the shipping PC, and spreads relentlessly through the network. Using your LAN it traverses from machine to machine, eventually crossing your site to site VPNs. The virus infects your HQ, data center, cloud, backups, and all remote sites. All company systems connected to the LAN are now encrypted with ransomware.
Malware compromises the shipping PC with never-before-seen ransomware that gets past the Anti-Virus and APT tools already installed on the machine. The machine is now useless, and has to be rebuilt and restored from a backup image. Since the machine has no reason to talk directly to its neighbors, the virus does not spread to the rest of the network.
You don’t need NAC, 802.1x, fancy software or additional money to fix isolation. You only need to know a little about what is already plugged into your network. The simplest solution is already built into 99% of the switches from Switchzilla (Cisco).
How to isolate users:
This is probably the part of a Zero Trust implementation that most stymies people and stops them dead in their tracks, and yet it is also the simplest.
The answer is incredibly simple, but very confusing. You are going to be saying WHAT! I could have done that back in the ’90’s? Yes. Yes you could have. Because this feature came out with Cisco IOS Train 11.2 or something like that. Super way old.
There are a lot of NAC vendors out there that will try to sell you something, that may or may not work. I suggest you solve this issue by looking at the OSI model, and addressing the situation as far down the stack as possible. That way your solution can be more focused on simplicity. Plus switches have been around forever.
So you can either use a tried-and-true feature that is ALREADY included in your Layer 2 switch, or you can pay for fancy software that runs at layer 7 that makes your Layer 2 “smart”. But really how smart do you need things?
Private VLANS (PVLANs) are almost the right solution, but with LISA being a focus on null-location, I really don’t need a PVLAN that spans switches. So I can do this even SIMPLER using the super super simple command “switchport protected”.
Switcharoo(config-if)# switchport protected
Yup, that’s it. Feel free to google that, but that is seriously the extent of the command. Each time you type “switchport protected” into a port config, that’s one less port that can get infected from another “switchport protected” port. We wrote up a whole post on this already here about containing lateral movement. It’s simple, so do it!
This may be called something different with other vendors. This is not possible to accomplish on unmanaged network switch equipment.
The only ports that should NOT be switchport protected are your gateway and your printer(s). Well… ok wait… there are also VOIP phones. Do you have your phones piggybacking a PC into your LAN? That will make things tougher for sure. But luckily phones have changed quite a bit over the years. The exact function and capabilities of your phone system are unknown to me. You may need to put the phones on their own network. But at least your phones aren’t browsing cat comics on the Internet. So there is some level of increased security by virtue of a smaller attack surface.
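An added example, not from the original post or from Cisco: a short Python audit that parses a constructed Cisco IOS running-config, reports the access ports that lack “switchport protected”, and prints the commands that close the gap. The exempt-port set (the uplink to the gateway and the printer port) follows the exceptions given above and is an assumption of the example; the interface names and descriptions are constructed.

```python
"""Audit a Cisco IOS running-config for access ports missing 'switchport protected'.

Added example, not from the original post or from Cisco. The config text is
constructed; the exempt-port set (gateway uplink, printer) follows the article's
own exceptions and is an assumption for this illustration.
"""
import re

# Constructed 'show running-config' excerpt, not captured from a real switch.
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet1/0/1
 description UPLINK to gateway
 switchport mode access
!
interface GigabitEthernet1/0/2
 description Front desk PC
 switchport mode access
 switchport protected
!
interface GigabitEthernet1/0/3
 description Shipping PC
 switchport mode access
!
interface GigabitEthernet1/0/4
 description Printer
 switchport mode access
!
interface GigabitEthernet1/0/5
 description Conference room TV
 switchport mode access
 spanning-tree portfast
!
"""

# Ports that legitimately must talk to everyone: the gateway uplink and the printer.
EXEMPT_PORTS = {"GigabitEthernet1/0/1", "GigabitEthernet1/0/4"}

def parse_interfaces(config_text):
    """Return {interface_name: [indented config lines]} from a running-config."""
    interfaces, current = {}, None
    for line in config_text.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        elif line.strip() == "!":
            current = None  # '!' closes the interface block
    return interfaces

def unprotected_ports(config_text, exempt=EXEMPT_PORTS):
    """Non-exempt ports that can still reach their neighbours at layer 2."""
    return sorted(
        name for name, lines in parse_interfaces(config_text).items()
        if name not in exempt and "switchport protected" not in lines
    )

def remediation(config_text, exempt=EXEMPT_PORTS):
    """Emit the IOS commands that protect every port the audit flagged."""
    cmds = []
    for name in unprotected_ports(config_text, exempt):
        cmds += [f"interface {name}", " switchport protected", "!"]
    return "\n".join(cmds)

if __name__ == "__main__":
    print("Unprotected:", unprotected_ports(SAMPLE_RUNNING_CONFIG))
    print(remediation(SAMPLE_RUNNING_CONFIG))
```

On the sample config the audit flags the shipping PC and the conference room TV, leaving the uplink and printer alone. Protected ports only stop traffic between protected ports on the same switch; everything still flows to the unprotected uplink, which is exactly the behaviour wanted here.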
Wireless Networks : Client Isolation
More and more client traffic is utilizing wireless networks. Enable isolation on your wireless networks to restrict lateral movement. All modern wireless systems have this ability. The issue from the old days with shared wireless was using it in a coffee shop or airport. Any use of the Internet in a shared space exposed you to eavesdropping and interception attacks from your neighbors.
In response, wireless vendors now provide very isolated wireless networking, where your laptop or mobile device only needs to talk to the Internet. If you didn’t already look at our post on containing lateral movement, this is the same link. Make sure you plug into copper, or exclude common WiFi devices such as printers, other gateways, etc.
Below is a screenshot of the checkbox “Client Isolation”. Your WiFi system may call it something different. Whatever the name is, the function is the same. Keep your systems from mingling in a huge pool.
Endpoint Software : Patch Management
Vital to all of this is a small component from Panda’s endpoint agent management suite. It is called Patch Manager, and it is very helpful. For just a little money, you can add patch management to your tools that will not only patch Microsoft, but also 3rd party software! So you will know if your VPN agent is out of date, if your clients are running an old version of Java, etc.
Home Networks : VPN
Once your home users VPN into the Cloud Access Gateway from home, they will largely become isolated from their local networks. It depends on how you have VPN set up, but make sure you do not allow split tunneling. We will discuss this more below under the VPN set-up.
Identity (Step 3: Strong Authentication)
Identity, specifically assurance via strong identity, will form the basis of all your controls. Using identity we will be able to provide group membership. Group membership will be the determining factor in what resources you are gated into. Additionally, identity will be used to form an audit trail for access, authorization, and accounting.
At Varpath, we like solutions that work well. We can’t be supporting infrastructure across all our customers all the time. We need bullet-proof solutions that work well. Enter AuthPoint, an identity solution purchased by WatchGuard. You can use Auth0, or Ping, or whatever you want. We are fairly agnostic. Agnostic with one caveat. Make sure your cloud provider CAN NOT easily re-assign ownership of your account.
To throw a jab in there at DUO, they might mess things up and give away the ownership to your service without warning. Even worse, without letting you know what they did, like they did to us. What can I say… someone tricked them. But their response has been horrible. After agreeing to refund us for their disaster, they backtracked on things and started dragging their feet on the refund. We were able to get about half reclaimed from them through American Express, but they still owe us the rest and I don’t think they are going to pay us.
So this is why you have to remove the humans from the system. Automate as much as you can.
Using WatchGuard AuthPoint, I can even enable hardware login security that combines the laptop login with MFA. That way, my users can use their cell phones to log into the laptops. That will create an OATH token that can then provide SSO access from the laptop. The modern cell phone is the best and easiest authentication mechanism to maintain. Just walk over to my laptop, send myself a login push, and I’m back to work.
CAG (Step 4: Cloud Access Gateway)
For the purposes of this article, we will assume you have resources hosted in a cloud, so we will proceed with setting up a firewall in that cloud. If most of your resources are in AWS, we want to put our gateway in AWS. You should also put it in the same Availability Zone/Region as the rest of your cloud resources. Do not put your Cloud Access Gateway in a cloud that isn’t even connected to your resources. So if the majority of your resources are in Azure US East, you put your CAG there. If your resources are primarily hosted in AWS US West, then that is where your CAG is going to go. This minimizes latency and complexity between your users and your resources, which are both vital factors.
You will want to enable the following features on your CAG:
- APT Blocker: services set to open/detonate zero-day malware in a sandbox.
  - Similar to Lastline, Wildfire, or FireEye.
  - Helps spot zero-day malware.
- Prevent malware from getting on the machines.
  - Panda AV agent easily runs in conjunction with TDR and Defender.
  - Any other vendor AV can be used.
- Threat Detection Response (TDR)
  - Client-based threat agent that comes with the firewall. No additional costs!!!
  - Runs in conjunction with Windows Defender or other Anti Virus tools.
  - Responds by cleaning or quarantining malware.
  - Provides a health check for endpoint posture status.
  - “Enable Host Sensor Enforcement” for VPN as shown below.
- Reputation Enabled Defense
  - Pulled from external and internal threat lists.
  - SANS has many free lists indexed that you can use.
  - At a minimum, blocking TOR exit nodes is recommended.
- Intrusion Detection/Prevention
  - Automated signature- and behavior-based alerting and response.
  - Basic complement of firewall intrusion solutions.
- Alerting and Reporting
  - Using WatchGuard Dimension in this example.
  - Helpful to show all the data in dashboards.
  - Set up SNMP/email alerting based on rules.
  - Executive graphs are helpful for management.
  - WatchGuard provides “Dimension”, as seen below, for FREE.
    - It isn’t quite a SIEM.
    - It does do alerting, reporting, pretty charts and graphs.
    - It supports multiple firewalls.
    - It runs on VMware (.ova template) or Hyper-V (.vhd template).
    - This is really more for local firewalls or long-term storage to a SQL server.
    - But if you don’t want to deal with a local instance, WatchGuard provides the ability to dump everything to the cloud for a few pennies more.
    - I did say the magic word, FREE, right? FREE!
- Geofencing services are very helpful to set up. As a starting point:
  - Block access to and from all foreign countries except the ones you need for Google.
  - Google will require you to have Canada, Ireland, and the UK open.
  - Selectively whitelist any other countries you might need from there.
  - Blacklisted countries will not be able to connect to your VPN.
  - A visual map of allowed and banned countries would look like this.
- DNSWatch (similar to Cisco Umbrella, OpenDNS).
If you are going to block nothing else, at least block the Security DNS checklist.
Additional MUST-DO : Break automated attacks (on your infrastructure using SHUN)
Please note the checkbox here, “Auto-block sites that attempt to connect”. That’s what you want. Any site that tries to connect to your firewall is automatically blocked.
The value of a SHUN list is not that you are making a naughty list. It’s totally OK if this list is temporal and only lasts 3 minutes as shown. You can crank that up higher too. Feel free to block bad connections for hours or days. But just by having the list exist, it breaks automated attacks against your infrastructure. An attacker cannot just easily enumerate open ports on your firewall. They have to wait until they are off the SHUN list to keep their attack going, and a scan that is not programmed to handle that will fail.
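Why a SHUN entry that lives only three minutes still breaks a port scan, as an added model that is not from the original post and not the firewall’s own code: a small Python simulation in which a source is auto-blocked on first contact and then keeps probing one port per second. The scanner speed, the TTL values and the source address are constructed for the illustration.

```python
"""Model of a temporal SHUN list breaking automated port enumeration.

Added example, not from the original post and not WatchGuard's implementation.
It models the article's 'auto-block sites that attempt to connect' behaviour:
the first unsolicited probe puts the source on the SHUN list for ttl seconds,
and everything from that source is dropped until the entry expires.
The 1 probe/second scanner and the addresses are constructed for the illustration.
"""

class ShunList:
    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self._until = {}  # src -> timestamp at which the entry expires

    def is_shunned(self, src, now):
        return now < self._until.get(src, float("-inf"))

    def record_probe(self, src, now):
        """Return True if the probe reached the firewall's policy engine.

        A probe that gets through re-arms the SHUN entry for another ttl seconds,
        so a persistent scanner is blocked again right after its first answered probe.
        """
        if self.is_shunned(src, now):
            return False
        self._until[src] = now + self.ttl
        return True

    def active_entries(self, now):
        """Sources currently on the SHUN list."""
        return sorted(s for s, t in self._until.items() if now < t)

def simulate_scan(ttl_seconds, ports, probes_per_second=1.0, src="198.51.100.9"):
    """Walk ports in order at a fixed rate; return the ports whose probes were answered."""
    shun = ShunList(ttl_seconds)
    answered = []
    for i, port in enumerate(ports):
        now = i / probes_per_second
        if shun.record_probe(src, now):
            answered.append(port)
    return answered

if __name__ == "__main__":
    ports = range(1, 1001)
    without = simulate_scan(ttl_seconds=0, ports=ports)
    with_shun = simulate_scan(ttl_seconds=180, ports=ports)
    print(f"no SHUN list : {len(without)} of {len(ports)} probes answered")
    print(f"3-minute SHUN: {len(with_shun)} probes answered, ports {with_shun}")
```

With no SHUN list all 1,000 probes are answered; with the 3-minute entry the scanner learns about six ports in the same 1,000 seconds, and only because it keeps probing blindly through the block. A scan that stops on the first run of timeouts, which is the common behaviour the article counts on, gets one answer and nothing more.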
FINAL STEP, REMOTE ACCESS VPN
- AUTH : Your VPN MUST use Multi-Factor Authentication.
If you use a WatchGuard VPN gateway this is accomplished by just checking the box. Authpoint MultiFactor VPN is integrated with their SSLVPN product as of version 12.7 of their OS.
- HEALTH : Your VPN MUST do health checks (posture assessment).
WatchGuard VPN supports enforcement of their Threat Detection and Response APT product. This is a very easy way to deploy endpoint security for your VPN. I know it’s a checkbox, but that makes it easy to implement!
- NETWORK ARCHITECTURE : Your VPN MUST NOT allow split tunneling.
You must not allow back doors into your infrastructure. Split tunneling is such a back door, and an architecture with back doors in it cannot be enforced.
Those are the three golden rules. After that you are mostly off to the races.
NOT EVERYTHING NEEDS VPN
Make sure you pin down all your cloud services to only respond to SSO MFA approved requests. In other words, do not let your users go directly to one of these sites. This is usually set up per cloud or SaaS system.
If your users just need cloud access to email while they are on the move, that’s great! No need for VPN, they can just use SSO authentication.
Additionally, sometimes other services that see you coming from an Azure or AWS IP will block you. You may need to unblock these or drop out of VPN to troubleshoot what is going on there.
SOME THINGS ALWAYS NEED VPN
You should use full VPN for deep access to administrative portals, and back-end systems.
If you have a portal that you would like to additionally restrict, lock it down to the publicly NAT’ed IP of your firewall.
You can be anywhere, but your cloud service administrative functions should be locked down to your firewall’s exit IP.
That’s it! You are on the final stretch. There are always going to be loose ends to tie up, but hopefully you understand the goals and objectives.
If you have questions on how to build your Zero Trust solution, feel free to drop us an email: help@varpath.com
The Varpath Team