Event Recording

Reinventing the Network with Zero Trust to Stop External Network Attacks

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.
I'm gonna start with a very quick introduction, just to make sure that we're on the same page. You may be thinking, oh, Phillip, come on, we know all this stuff, you don't have to talk about that, but it really helps to set the stage as to how we can transform how we think about what has previously been complex networking security for all use cases. In fact, so complex that we've always said this cannot be managed by developers; it needs to be managed by dedicated networking security teams, because it's too complicated. And our modus operandi is to make it as easy as possible and free for anyone to implement. So what do we do today? Well, today, or at least in the past, traditionally, you know, the future is unevenly distributed. Many people set up their traditional network approach as castle and moat. We all know the term, but basically: how do I set up a perimeter between my cloud or my private data centers or my remote users so that not just anyone can access my applications?
And then, well, about a decade ago, we started saying, you know what? We should put TLS everywhere, because that enables us to stop man-in-the-middle attacks and people intercepting our data. Great. That is definitely an improvement in security. And it really came around with things like Let's Encrypt and HTTPS Everywhere becoming ubiquitous and free, to the extent that every modern browser now does it. In fact, HTTPS Everywhere was retired a year ago because every browser just does it as standard. That's great. That's an improvement. Unfortunately, it doesn't stop all attacks, because there are many network-level attacks that are not man in the middle, such as a malicious actor compromising the device and being able to laterally move across the network, which is in a trusted domain of our moat system. So this is the problem, because this is exactly how VPNs work.
Now, I know you can do things like split tunnelling, but the native functionality is you get access to the whole network. So then we started saying, well, let's segment the network. Let's make it so that you can't just laterally move across everything. And that is potentially an improvement, because a malicious actor cannot move packets. But what if they're able to circumvent the segmentation? They're able to move across devices and laterally move. And this is obviously happening, because we have unfortunately so many cyber attacks today, and yes, probably into the future. So then 10 years ago, we started conceptualizing the idea of zero trust: how to effectively say always validate. Rather than trust but verify, always explicitly validate whether people can be trusted. And it's an overused term; throw a rock on the internet and you'll hit every single vendor talking about zero trust in different ways.
It is a very woolly term, but let's look at how we look at it at least. So instead of having just our basic network approach, we need to have a concept of device identity and of user identity, so that we can explicitly say who a thing is and whether it should be able to communicate, you know, authentication and authorization being explicitly done. Now, in our world, that authentication and authorization should be done before any connectivity can take place, before any data packets can flow. So in our opinion, it mandates using embedded strong cryptography using X.509 certificates. Now, PKI and X.509 are complicated things. Luckily, there are ways in which you can massively abstract away the complexity. This is an overview of how our open source project does it. In fact, this is a simple overview. This may look complicated at first view, but there's a five-part blog which goes super, super deep into how we built this and made it simple.
The key point is that you are able to now explicitly know every single endpoint, rather than looking at IP addresses and having some trust of the network. Because if you're using IP addresses, you are trusting a network. So instead we're able to basically stop a device from sending packets if it isn't trusted. What if, though, a user is able to exploit the device because it happens to be on the same network, even if they have an identity, which we don't know has been compromised? Well, this is where we have to bring in the second principle, the principle of least privilege, where by default nothing can talk to anything else. There should be no access. It should not fail open. There are products which recently have been shown, even though they call themselves zero trust, to fail open: if you don't authenticate, then it just opens up and gives access.
In our opinion, that is a very bad approach. You want to explicitly fail closed. You want to be least privilege so that malicious actors cannot get on the network and be able to exploit devices. This enables us to ensure that we can stop those people, but we need to take it further, because if a device gets stolen, potentially it can be used as a way to attack other devices if there is trust. So we thought, how do we make it free and easy? How do we take it to the point that we can have actual zero trust of all networks, including the internet, the external network, the local network, and even the host OS network? So let's look at some free and easy zero trust. First of all, we start off with an overlay network. We have to build an overlay because we want to say we don't explicitly trust the underlay.
An overlay is anything which is building, you know, kind of OSI layer three to two upwards, where you are building an IP overlay, whether it's, you know, DPSS is an overlay, VPNs are an overlay; underlays are your switches, your routers, et cetera. So we need to build an overlay network. And the OpenZiti project enables you to build an overlay using a software-defined network architecture. So a separate control plane and a separate data plane, and therefore to attach things, the edge source and destination, client-server, service-server, machine-server, whatever use case we use networks for, and effectively ensure that every connection is locked down, because every single software component within this overlay has gone through the process of bootstrapping trust with a strong identity. So nothing can exist on the overlay without explicitly having gone through that process. And then it builds secure connections using mutual TLS.
So one component mutually authenticates the other component, which also mutually authenticates back, so that a malicious actor cannot just get on the overlay. It's also a mesh network, so that we can make sure that we can make it highly available and do smart routing to give the best performance and reliability. Then we need to connect things to the overlay. We have the edge, where we can deploy into any application with SDKs, where we can deploy into any of the popular operating systems, be it Windows, Linux, Mac, you know, Kubernetes, yada yada, to be precise, or as virtual network appliances into our public or private cloud. Again, anything that's a source or destination, whether it's client-service, service-server, or machine-server. This enables us to have the options of three models in terms of how we send our packets from point A to point B. We can have what we like to call zero trust network access, the term popularized by Gartner, which most vendors talk about, where we can effectively say we have zero trust of the internet.
Now, in our lingo, that means having the Cloud Security Alliance software-defined perimeter, where there are no inbound ports. So you can't attack from the internet. Even if you have a server which is using Log4j, it cannot be exploited by Log4Shell, because it's not attached to the network. There are no inbound ports to try and attack in the first place. So we have zero trust of the internet. Then we have ZTHA, zero trust host access. And this is where we can also say we have zero trust of the local area network, because I'm literally just connecting host to host. Then we have the final logical conclusion, in our opinion, which is to say I can have zero trust application access. This enables me to ensure only an application connects to an application, and I have zero trust of the external internet, of the local network, and even of the host OS.
And this means that if someone steals my device, they still can't compromise the application, because the zero trust access is inside the application itself. This allows us, in this scenario, to take our open source SDKs and stuff them inside the application, which then runs on the device. So as I was saying, even if the hacker compromises the device, they can't easily break into the application and then be able to send compromised communications. At the same time, applications can only communicate with their corresponding applications and not other things. You cannot do side-channel attacks where I steal a device and I attack something else which is on the VPN service, which would, you know, be available on any other normal VPN or some other zero trust services which are delivered.
Yes, exactly. So let's look at some of the superpowers that you do get when you are using the OpenZiti project. We call them superpowers because they give you amazing capabilities, completely for free. This little guy in the middle: he's obviously Batman, but it's Ziggy Batman. Ziggy is a little piece of pasta. Every open source project needs a mascot, so ours is a little piece of pasta, because Ziti (ZT is for zero trust) is both delicious Italian pasta and also modern programmable networking. So first of all, we have the Beast and we have Mad Max. What's the difference? Well, the Beast is the limousine that the US president uses, and Mad Max is obviously the dystopian future vehicles where we're all trying to kill each other. And the difference is that with the Beast, it just looks like a limousine, but it's got bulletproof glass.
It's bombproof, it's got, you know, run-flats for however many miles, so that it's not obvious that it is secured by design. You don't know where to attack because you don't know the weak points. Whereas with Mad Max, you can see where the weak points are. You can see where you would want to attack, because you can see effectively the bolted-on infrastructure. You can see the VPNs or the firewalls, which may have a critical vulnerability, which are attached to the network, which enable us to start a kill chain or an exploit. In addition, when we're using OpenZiti, because we have embedded identity, we have complete addressability. You don't have to conform to traditional internet norms of a certain IP address or a certain top-level domain and DNS. You can call anything anything you want. So I can connect from my device and send to Jenkins rather than, you know, something else; I could send it to 1.1.1.1, and instead of going to Cloudflare, it's going to go to my private system.
At the same time, we are embedding what we call dark security: private, outbound-only connectivity, where not only are we doing outbound connections on the client side, but we're also doing it on the server side. And this means we don't need any listening ports or any holes in the firewall, which just completely stops external network-level attacks, be it DDoS, port scanning, CVE exploits, et cetera. They cannot start in the first place, because they cannot attach. This is opposed to what I was mentioning earlier: if you were using Log4j, or you're using, you know, Spring, you know, the CVE exploits of Spring4Shell or Log4Shell; if you're attached to the network, if you have inbound ports, people can scan and exploit. Scan-and-exploit is now the number one attack vector, and therefore a malicious actor can get in and compromise.
But if we close all inbound ports, that attack vector is not even possible in the first place, instead of having to worry: is all of my software up to date? Have I patched it? Getting calls in the middle of the night of, oh my God, this vulnerability's being exploited. The latest one is a vendor's load balancing solutions have a vulnerability, I think it's F5, and they're literally being wiped. So people's applications and websites are going off the internet because people are just destroying them, because they're able to exploit a critical vulnerability. But if you close ports, that's not possible. So we can just stop any of the vulnerabilities, be it Spring4Shell, Log4Shell, et cetera. We also have the ability to basically have reachability to anywhere. There is no concept of client-server. There is a service communicating to a service. I could set up OpenZiti.
Someone could access something on that laptop, like my laptop acting as a server. One of our engineers plays Xbox while he is, you know, traveling for work, because he's able to access his computer away from home in any fashion, without the complexity of traditional setups. You also get end-to-end encryption completely for free using libsodium, which is AES-256 equivalent but much lighter weight, so we don't need as much compute power to run it. You can turn it off, but by default it's on. End-to-end encryption is hard. It took Zoom and, you know, WhatsApp and many other applications months and years to build it, and with OpenZiti you get it completely free. And that's the algorithm we use for it. Simultaneously, there's no inference allowed. Normally if you intercept a packet, you can see, hey, I'm doing HTTP or I'm doing SSH or I'm doing MySQL,
because you can see the port. When it's OpenZiti, it's all 443. It all just looks like internet traffic. And you're probably thinking, well, that sounds really complicated, Phillip. Actually, it's not. All you need to do is to bind an SDK into your application, and you don't need to know the port or the IP address. You're actually making it simpler while also gaining the ability to have private DNS, so that your DNS responses cannot be intercepted and compromised, while simultaneously knowing that you can have any naming convention you want. You also get the power of being able to see how the network is working: is a firewall in my internal environment misconfigured? Is a VLAN misconfigured? One of our customers tells us that if someone comes and says, you know, there's a problem with the NetFoundry platform, they turn around and say, no, it's not.
You've got a problem in your rules or your application or your host, because I can see from my dashboard that there's not a problem in the overlay network, because the overlay network gives us such intelligence as to whether services can be reached or not. And then finally, smart routing. Going back to the point earlier, the mesh network is building an adaptive mesh based upon the lowest end-to-end latency, so that not only can we give the best performance and reliability from a performance perspective, but also uptime, because it will avoid traffic on the internet. We all know the traffic is variable. Let's say that's why people deployed private networks, because they couldn't trust the internet; we make the internet better. One of the interesting areas that we massively focus on at the moment is what we call zitifications. This is where Ziggy, a little chef, builds OpenZiti into other applications.
So we've gone and we've zitified a bunch of stuff. Via SSH, you effectively have a clientless way to access resources without having port 22 open. We've also created the same ability with Prometheus, and that enables us to deploy the second most popular open source logging system anywhere and not have any inbound ports, not having problems being able to pull our information. We've just, in fact, done a nice little write-up on this. Effectively, we can deploy anything anywhere and not be exposed to the network. In fact, any application or service anywhere; the only thing we need is outbound internet. We don't need the complexity of traditional networking and security stuff that we bolt on, and this makes it much easier. There are a bunch of other zitifications we're building, which we'd be happy to share more on and, in fact, get feedback from other people.
Where would you like us to see where we should embed zero trust into? At the same time, this is the longest path that exists in the world. Why do I share this? Because while putting zero trust, or private networking built on zero trust principles, into our applications is definitely the best thing to do, it's not gonna happen tomorrow. Therefore, what we've been doing is building ways to enable people to go on the path. We've built our tunnel applications, which enable you to start today without having to, you know, rewire applications, or we have our edge routers and virtual appliances, which you can deploy into any public or private cloud so that you can start in those environments. I.e., we're making it as easy as possible to get started. Where can you get OpenZiti? Well, you can go to any one of our repositories or Discourse groups, or talk to us on Twitter, in order to understand how you can get zero trust based private networking, completely free and easy.
At the same time, NetFoundry is the creator and maintainer of OpenZiti, and we've built a SaaS implementation of it, which includes a free forever tier, not free for 14 days tiers, but literally start free and you can use it forever without having to pay us any money. We also have enterprise options if you would like to use that. But effectively, our job is to make secure connectivity free and easy so that it can be put everywhere, so that we can sleep at least a little bit better at night while we digitally transform our organizations. Thank you very much. Any questions?
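The fail-closed, identity-before-connectivity behaviour the talk keeps returning to (mutual TLS with X.509 identities, no access unless the peer authenticates, a stolen or spoofed device unable to reach the service) is shown below as an added example. It is not part of the recording and not OpenZiti's own code: it is a stand-alone Go program using the standard library's crypto/tls with a throwaway in-memory CA. Every name in it (`example-overlay-ca`, `rogue-ca`, `service.example`, `enrolled-laptop`, `stolen-laptop`) is constructed for the example, and OpenZiti's real enrollment flow and overlay routing are not modelled; the example isolates one step, the handshake that refuses unidentified peers before any application byte is exchanged.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// must panics on setup errors so the scenario code stays readable.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mkCert makes a P-256 key and a certificate for tmpl signed by parent (self-signed when nil).
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.SerialNumber = must(rand.Int(rand.Reader, big.NewInt(1<<62)))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(time.Hour)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// authority is a throwaway in-memory CA (constructed for this example, not OpenZiti's
// enrollment PKI): the trust anchor every endpoint of the overlay pins.
type authority struct{ cert *x509.Certificate; key *ecdsa.PrivateKey; pool *x509.CertPool }

func newAuthority(name string) *authority {
	cert, key := mkCert(&x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &authority{cert, key, pool}
}

// issue enrolls one endpoint: the leaf it presents in the handshake as its strong identity.
func (a *authority) issue(name string, usage x509.ExtKeyUsage) tls.Certificate {
	cert, key := mkCert(&x509.Certificate{Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage}}, a.cert, a.key)
	return tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key}
}

// serve starts a service that fails closed: RequireAndVerifyClientCert makes the handshake itself
// demand an identity chained to the trusted CA, so an unidentified peer never sees application data.
func serve(a *authority) string {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{a.issue("service.example", x509.ExtKeyUsageServerAuth)},
		ClientAuth:   tls.RequireAndVerifyClientCert, // mutual TLS; never fail open
		ClientCAs:    a.pool,
		MinVersion:   tls.VersionTLS12,
	}))
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			c.Write([]byte("y")) // Write runs the handshake first; a rejected peer gets only a TLS alert
			c.Close()
		}
	}()
	return ln.Addr().String()
}

// probe dials with zero or one client identity and reports whether application data arrived
// (under TLS 1.3 a rejected client certificate surfaces on the first read rather than in Dial).
func probe(addr string, trust *x509.CertPool, ids ...tls.Certificate) bool {
	cfg := &tls.Config{RootCAs: trust, ServerName: "service.example", Certificates: ids, MinVersion: tls.VersionTLS12}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return false
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	var b [1]byte
	_, err = io.ReadFull(conn, b[:])
	return err == nil && b[0] == 'y'
}

// runScenario: a peer with no identity, one with an identity from an untrusted CA, one enrolled.
func runScenario() (noIdentity, foreignIdentity, trustedIdentity bool) {
	overlay, rogue := newAuthority("example-overlay-ca"), newAuthority("rogue-ca")
	addr := serve(overlay)
	foreign := rogue.issue("stolen-laptop", x509.ExtKeyUsageClientAuth)
	trusted := overlay.issue("enrolled-laptop", x509.ExtKeyUsageClientAuth)
	return probe(addr, overlay.pool), probe(addr, overlay.pool, foreign), probe(addr, overlay.pool, trusted)
}

func main() {
	n, f, t := runScenario()
	fmt.Printf("no identity: %v, foreign identity: %v, trusted identity: %v\n", n, f, t) // false, false, true
}
```

Run it with `go run`: only the enrolled identity receives the first application byte. The detail worth noticing is in `probe`: with TLS 1.3, `tls.Dial` returns successfully even when the server is about to reject the client's certificate, because the client considers the handshake finished once it has sent its own Finished message; the refusal arrives as an alert on the first read. A check that only tests whether the dial succeeded would therefore wrongly report the rejected peers as connected, which is the kind of measurement error behind the "fail open" products the talk mentions.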
