
Zero Trust Networking

What is the Zero Trust security model?

The zero trust security model describes an approach to security where devices are not trusted by default, regardless of previous verification and connection to a managed corporate network, such as a corporate LAN. Instead, the zero trust approach advocates mutual authentication, including checking the identity and integrity of devices without respect to location. It also provides access to applications and services based on the confidence of device identity and device health in combination with user authentication.

The term “zero trust” was first coined in 1994 by Stephen Paul Marsh in his doctoral thesis at the University of Stirling. By 2019, the UK's National Technical Authority, the National Cyber Security Centre (NCSC), was recommending that network architects consider a zero trust approach for new IT deployments, particularly where significant use of cloud services is planned. By 2020 the majority of leading IT platform vendors, as well as cyber security providers, had well-documented examples of zero trust architectures or solutions. This increased popularization has in turn created a range of definitions of zero trust, requiring a level of standardization by recognized authorities such as NCSC and NIST.

Google’s BeyondCorp approach to enterprise security is built on the zero trust security model.

What is LimaCharlie Net?

LimaCharlie Net is a zero trust networking solution based on the identity of the device and transparent to the user. The technical term for this technology, as delivered, is Secure Access Service Edge (SASE). It is an SD-WAN rolled into a cloud service with which you can secure and monitor network access to your endpoints by providing advanced, instrumented VPN access.

LimaCharlie Net devices appear like other endpoints in your LimaCharlie deployment. Once enabled, these devices will be able to connect to the Internet by default, with additional features that can be enabled through the use of policies. By using the concept of a device ID, LimaCharlie can easily correlate telemetry between the network and the endpoint sensor, providing a true XDR capability.

The underlying technology used for the VPN is called WireGuard. WireGuard is a next-generation VPN technology that has achieved wide adoption, including being rolled into the next Linux kernel. It is promoted for its simplicity, speed, and security.

Clients are available for Windows, Android, macOS, Linux, iOS and ChromeOS. Client configuration is done either through a QR code or a simple configuration file.

What can you do with it?

LimaCharlie Net uses the concept of policies to configure network attributes. Using policies we can easily manage and configure the following capabilities.

Firewall Policies

Firewall policies define what outbound access is allowed or disallowed. When you create a new organization and enable Net it is created with a default policy. This default policy gives unlimited access to the Internet to all clients. This default policy is required because Net denies all outbound connections by default (safe by default).

Sample default policy:


"default-allow-outbound": {
  "type": "firewall",
  "policy": {
    "tag": "",
    "is_allow": true,
    "bpf_filter": ""
  }
}


Capture Policies

A capture policy defines packet capture in the cloud. Perform full PCAP capture without impacting the end user.

DNS Policies

A DNS policy defines custom DNS entries that are available to the defined set of endpoints. This can be used for traditional DNS purposes (providing simplified names to access resources), as well as security purposes to sinkhole malicious domains.

Can it do anything else?

LimaCharlie is committed to its vision of providing information security tools and infrastructure as a cohesive ecosystem. The cross-pollination of technologies under this model is changing what is possible, and LimaCharlie Net is a great example of that.

Real-Time Telemetry from the Network

LimaCharlie Net produces real-time telemetry that is processed by the same detection and response (D&R) rules written for the EDR capability.

DNS Tracking

A DNS tracking policy will generate DNS_REQUEST LimaCharlie events in real time from the Net traffic. These events will be visible in the Net Sensor's Timeline or Live Feed section. The events also go through the edr Target of D&R rules.

Connections Tracking

A Connection tracking policy will generate NETWORK_CONNECTION LimaCharlie events in real time from the Net traffic. These events will be visible in the Net Sensor's Timeline or Live Feed section. The events also go through the edr Target of D&R rules.
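As an added example (not code from this post or from LimaCharlie), the following Python models how DNS_REQUEST events produced by a DNS tracking policy can be evaluated by a D&R-style rule that reports lookups of a sinkholed zone, and how events of another type are ignored. The rule shape (detect/respond with op, path, value), the event field names (event/DOMAIN_NAME, routing/sid, routing/event_type) and the domains are assumptions.

```python
# Added example, not code from the LimaCharlie post or product: a minimal
# evaluator for a D&R-style rule over constructed DNS_REQUEST events such as a
# Net DNS tracking policy emits. Rule shape and event field names are assumptions.
from typing import Any

# Constructed rule: report any lookup of a domain under a sinkholed zone.
SINKHOLE_RULE = {
    "detect": {"event": "DNS_REQUEST", "op": "ends with",
               "path": "event/DOMAIN_NAME", "value": ".sinkholed.example"},
    "respond": [{"action": "report", "name": "net-sinkholed-domain-lookup"}],
}

# Comparison operators; "ends with" on a domain covers the whole DNS zone.
OPS = {
    "is": lambda a, v: a == v,
    "ends with": lambda a, v: a.endswith(v),
    "contains": lambda a, v: v in a,
}

def lookup(obj: Any, path: str) -> Any:
    """Walk a slash-separated path such as 'event/DOMAIN_NAME'; None if absent."""
    for part in path.split("/"):
        obj = obj.get(part) if isinstance(obj, dict) else None
    return obj

def matches(rule: dict, ev: dict) -> bool:
    """True when the event type matches and the selected field satisfies op."""
    d = rule["detect"]
    actual = lookup(ev, d["path"])
    if lookup(ev, "routing/event_type") != d["event"] or not isinstance(actual, str):
        return False
    return OPS[d["op"]](actual.lower(), d["value"].lower())  # DNS names are case-insensitive

def run_rule(rule: dict, events: list) -> list:
    """Return (detection name, sensor id, matched value) per report action."""
    path = rule["detect"]["path"]
    return [(a["name"], lookup(ev, "routing/sid"), lookup(ev, path))
            for ev in events if matches(rule, ev)
            for a in rule["respond"] if a["action"] == "report"]

# Constructed events from two Net sensors; the last has the wrong event type.
EVENTS = [
    {"routing": {"event_type": "DNS_REQUEST", "sid": "net-sensor-1"},
     "event": {"DOMAIN_NAME": "updates.vendor.example"}},
    {"routing": {"event_type": "DNS_REQUEST", "sid": "net-sensor-2"},
     "event": {"DOMAIN_NAME": "C2.sinkholed.example"}},
    {"routing": {"event_type": "NETWORK_CONNECTION", "sid": "net-sensor-2"},
     "event": {"DOMAIN_NAME": "c2.sinkholed.example"}},
]
```

Running `run_rule(SINKHOLE_RULE, EVENTS)` yields a single report for net-sensor-2; the NETWORK_CONNECTION event carrying the same name is skipped because the rule is bound to the DNS_REQUEST event type.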

PCAP Capture and Zeek Network Monitoring

Through the use of policies, LimaCharlie Net can capture PCAP files in the cloud without impacting the user. The PCAP files can then be re-ingested by the Artifact Ingestion

*** This is a Security Bloggers Network syndicated blog from LimaCharlie's Blog authored by LimaCharlie's Blog. Read the original post at: https://www.limacharlie.io/blog/secure-access-service-edge
