In the previous two articles, we defined the need, and we’ve examined the intelligence provided by the policy plane from both a security and operational perspective. We know that as we pursue the foundational tenants of federal IT modernization memos and overall guidance, that we not only need to establish trust, enforce trust-based access, and continuously validate compliance, but we need to deliver the modernized infrastructure rapidly. A surefire way to prohibit any attempts at rapid modernization is to do things the way we’ve always done them. To unbox every piece of infrastructure one at a time, throw them up on our workbench, and proceed to program them by hand. We have to avoid that at all costs – lest we assure our inevitable failure. Our orchestration and policy planes have no power at all if they cannot be distributed and continuously enforced throughout the entire infrastructure. So let’s jump right into it!
The horsepower enabling Zero Trust policy propagation across all major domains of the enterprise is found in the programable fabrics that weave them all together.
In a Zero Trust architecture, we ensure that all connections to the network are subjected to dynamic authentication and authorization in accordance with the auth chains that our cyber security organizations put in place. In our new normal, federal IT assets are more mobile than ever, thus requiring our modernized networks to have the ability to dynamically adapt to continuously transforming IT environments without compromising security or performance. This is where overlay networking comes in.
While underlay networks are simply responsible for providing a robust, predictable, and stable IP transport mechanism, overlay networks provide differentiated, virtualized networks that support mobility and segmentation at scale. They abstract themselves over the top of underlay infrastructure by way of encapsulation. The operations of the overlay take place via highly flexible encapsulated protocols like VXLAN, Geneve, and LISP. When discussing Zero Trust, there are two forms of segmentation:
Macro-segmentation: Historically, enterprises securely segment networks with different security levels by way of VRFs. VRFs logically segment large portions of the network from other large portions. Leaking traffic between VRFs is normally subjected to security appliances. When discussing programmable fabrics, a VRF = VN Virtual Network.
Example: “We have shared network resources on campus, containing multiple programs. We need to ensure that traffic from Program A is completely segmented (virtually) from Program B.”
Micro-segmentation: Micro-segmentation deals with how endpoints/applications/users intercommunicate within a VN. This provides lateral access control that Zero Trust policy requires. Thus requiring authentication and authorization of every transaction that occurs, even within the same VN.
Example: “Within the Program A VN, we have HR Users and engineering users connecting to the same VLAN within Building 100. We need to ensure that HR Users on VLAN 10 within Building 100 can only talk to Engineering Users on VLAN 10 within Building 100 if they are authorized.
Programmable fabrics allow for dynamic segmentation both at the macro and the micro-levels. The policy engine injects intent into the programmable fabrics, thus deciphering how traffic should be segmented. These programmable encapsulation types provide special fields for injecting programmable information including VRF/VN fields (macro-segmentation) and built-in security group data (micro-segmentation). The resulting policy for the flow is no longer simply tied to the source, destination, and port of the flow to control access between network boundaries. Rather, intent-based security policy from the policy engine is attached to the flow and enables us to attach user/machine-authentication attributes to round out the full security intent of the network flow.
To gain a better understanding of how the network onboarding process takes place, see this simplified description of operations below:
- When the host connects to the switch fabric, it is authenticated and authorized by way of 802.1x policy from the Policy Engine
- The fabric updates its mapping database to show that the host is connected to the network device/port. It assigns the host an “Endpoint ID” based on the IP and MAC-Address attributes of the host, and assigns an RLOC to the network device. Therefore, anything on the network attempting to reach Host A (IP/MAC Address) is pointed to SWITCH-01
- Once each EID/RLOC is identified, the VTEP is identified for both the source and desired destination.
- A VXLAN-encapsulated tunnel is established over the programmable fabrics, between Host A and Host B – thus abstracting that traffic from the rest of the network
The end-to-end encapsulation across the fabric is extremely powerful both in terms of Zero Trust segmentation as well as operational advantages. Virtual Networks can be extended between different domains to maintain the virtual overlay macro-segmentation strategy between those two domains. It can be accomplished between two different domains that are comprised of infrastructure from two different manufacturers. How? Because the Software-Defined Controllers for each environment absorb segmentation policy directly from the same centralized Policy Engine. This unleashes limitless possibilities when it comes to Zero Trust micro-segmentation development across the enterprise. It is the ability to maintain and propagate consistent, end-to-end policy across common domain boundaries, that makes the multidomain architectural approach the “real” Zero Trust.