Zero Trust Networks: Building Secure Systems in Untrusted Networks
Preface
Who Should Read This Book
Why We Wrote This Book
Zero Trust Networks Today
Navigating This Book
Conventions Used in This Book
O’Reilly Safari
How to Contact Us
Acknowledgments
1. Zero Trust Fundamentals
What Is a Zero Trust Network?
Introducing the Zero Trust Control Plane
Evolution of the Perimeter Model
Managing the Global IP Address Space
Birth of Private IP Address Space
Private Networks Connect to Public Networks
Birth of NAT
The Contemporary Perimeter Model
Evolution of the Threat Landscape
Perimeter Shortcomings
Where the Trust Lies
Automation as an Enabler
Perimeter Versus Zero Trust
Applied in the Cloud
Summary
2. Managing Trust
Threat Models
Common Threat Models
Zero Trust’s Threat Model
Strong Authentication
Authenticating Trust
What Is a Certificate Authority?
Importance of PKI in Zero Trust
Private Versus Public PKI
Public PKI Strictly Better Than None
Least Privilege
Variable Trust
Control Plane Versus Data Plane
Summary
3. Network Agents
What Is an Agent?
Agent Volatility
What’s in an Agent?
How Is an Agent Used?
Not for Authentication
How to Expose an Agent?
No Standard Exists
Rigidity and Fluidity, at the Same Time
Standardization Desirable
In the Meantime?
Summary
4. Making Authorization Decisions
Authorization Architecture
Enforcement
Policy Engine
Policy Storage
What Makes Good Policy?
Who Defines Policy?
Trust Engine
What Entities Are Scored?
Exposing Scores Considered Risky
Data Stores
Summary
5. Trusting Devices
Bootstrapping Trust
Generating and Securing Identity
Identity Security in Static and Dynamic Systems
Authenticating Devices with the Control Plane
X.509
TPMs
Hardware-Based Zero Trust Supplicant?
Inventory Management
Knowing What to Expect
Secure Introduction
Renewing Device Trust
Local Measurement
Remote Measurement
Software Configuration Management
CM-Based Inventory
Secure Source of Truth
Using Device Data for User Authorization
Trust Signals
Time Since Image
Historical Access
Location
Network Communication Patterns
Summary
6. Trusting Users
Identity Authority
Bootstrapping Identity in a Private System
Government-Issued Identification
Nothing Beats Meatspace
Expectations and Stars
Storing Identity
User Directories
Directory Maintenance
When to Authenticate Identity
Authenticating for Trust
Trust as the Authentication Driver
The Use of Multiple Channels
Caching Identity and Trust
How to Authenticate Identity
Something You Know: Passwords
Something You Have: TOTP
Something You Have: Certificates
Something You Have: Security Tokens
Something You Are: Biometrics
Out-of-Band Authentication
Single Sign On
Moving Toward a Local Auth Solution
Authenticating and Authorizing a Group
Shamir’s Secret Sharing
Red October
See Something, Say Something
Trust Signals
Summary
7. Trusting Applications
Understanding the Application Pipeline
Trusting Source
Securing the Repository
Authentic Code and the Audit Trail
Code Reviews
Trusting Builds
The Risk
Trusted Input, Trusted Output
Reproducible Builds
Decoupling Release and Artifact Versions
Trusting Distribution
Promoting an Artifact
Distribution Security
Integrity and Authenticity
Trusting a Distribution Network
Humans in the Loop
Trusting an Instance
Upgrade-Only Policy
Authorized Instances
Runtime Security
Secure Coding Practices
Isolation
Active Monitoring
Summary
8. Trusting the Traffic
Encryption Versus Authentication
Authenticity Without Encryption?
Bootstrapping Trust: The First Packet
fwknop
A Brief Introduction to Network Models
Network Layers, Visually
OSI Network Model
TCP/IP Network Model
Where Should Zero Trust Be in the Network Model?
Client and Server Split
The Protocols
IKE/IPsec
Mutually Authenticated TLS
Filtering
Host Filtering
Bookended Filtering
Intermediary Filtering
Summary
9. Realizing a Zero Trust Network
Choosing Scope
What’s Actually Required?
Building a System Diagram
Understanding Your Flows
Controller-Less Architecture
“Cheating” with Configuration Management
Application Authentication and Authorization
Authenticating Load Balancers and Proxies
Relationship-Oriented Policy
Policy Distribution
Defining and Installing Policy
Zero Trust Proxies
Client-Side Versus Server-Side Migrations
Case Studies
Case Study: Google BeyondCorp
The Major Components of BeyondCorp
Leveraging and Extending the GFE
Challenges with Multiplatform Authentication
Migrating to BeyondCorp
Lessons Learned
Conclusion
Case Study: PagerDuty’s Cloud Agnostic Network
Configuration Management as an Automation Platform
Dynamically Calculated Local Firewalls
Distributed Traffic Encryption
Decentralized User Management
Rollout
Value of a Provider-Agnostic System
Summary
10. The Adversarial View
Identity Theft
Distributed Denial of Service
Endpoint Enumeration
Untrusted Computing Platform
Social Engineering
Physical Coercion
Invalidation
Control Plane Security
Summary
Index
Zero Trust Networks Building Secure Systems in Untrusted Networks Evan Gilman and Doug Barth
Zero Trust Networks
by Evan Gilman and Doug Barth

Copyright © 2017 Evan Gilman, Doug Barth. All rights reserved.
Printed in the United States of America.
Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com/safari). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.

Editors: Courtney Allen and Virginia Wilson
Production Editor: Kristen Brown
Copyeditor: Amanda Kersey
Proofreader: Jasmine Kwityn
Indexer: Wendy Catalano
Interior Designer: David Futato
Cover Designer: Karen Montgomery
Illustrator: Rebecca Demarest

July 2017: First Edition

Revision History for the First Edition
2017-06-15: First Release

See http://oreilly.com/catalog/errata.csp?isbn=9781491962190 for release details.

The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. Zero Trust Networks, the cover image, and related trade dress are trademarks of O’Reilly Media, Inc.

While the publisher and the authors have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the authors disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.
978-1-491-96219-0 [LSI]
Preface

Thank you for choosing to read Zero Trust Networks! Building trusted systems in hostile networks has been a passion of ours for many years. In building and designing such systems, we have found frustration in the pace of progress toward solving some of the more fundamental security problems plaguing our industry. We’d very much like to see the industry move more aggressively toward building the types of systems which strive to solve these problems.

To that end, we are proposing that the world take a new stance toward building and maintaining secure computer networks. Rather than being something which is layered on top, considered only after some value has been built, security must be fundamentally infused with the operation of the system itself. It must be ever-present, enabling operation rather than restricting it.

As such, this book sets forth a collection of design patterns and considerations which, when heeded, can produce systems that are resilient to the vast majority of modern-day attack vectors. This collection, when taken as a whole, is known as the zero trust model. In this model, nothing is taken for granted, and every single access request—whether it be made by a client in a coffee shop or a server in the datacenter—is rigorously checked and proven to be authorized. Adopting this model practically eliminates lateral movement, VPN headaches, and centralized firewall management overhead. It is a very different model indeed; one that we believe represents the future of network and infrastructure security design.

Security is a complicated and ever-changing field of engineering. Working on it requires a deep understanding of many layers of a system and how bugs or weaknesses in those layers can allow an attacker to subvert access controls and protections. While this makes defending a system challenging, it’s also a lot of fun to learn about! We hope you’ll enjoy learning about it as much as we have!
Who Should Read This Book

Have you found the overhead of centralized firewalls to be restrictive? Perhaps you’ve even found their operation to be ineffective? Have you struggled with VPN headaches, TLS configuration across a myriad of applications and languages, or compliance and auditing hardships? These problems represent just a small subset of those addressed by the zero trust model. If you find yourself thinking that there just has to be a better way, then you’re in luck—this book is for you.

Network engineers, security engineers, CTOs, and everyone in between can benefit from zero trust learnings. Even without a specialized skillset, many of the principles included within can be clearly understood, helping leaders make decisions that get them closer to realizing the zero trust model, improving their overall security posture incrementally.

Additionally, readers with experience using configuration management systems will see the opportunity of using those same ideas to build a more secure and operable networked system—one in which resources are secure by default. They will be interested in how automation systems can enable a new network design that is able to apply fine-grained security controls more easily.

Finally, this book also explores mature zero trust design, enabling those who have already incorporated the basic philosophies to further the robustness of their security systems.

Why We Wrote This Book

We started speaking about our approach to system and network design at industry conferences in 2014. At the time, we were using configuration management systems to rigorously define the system state, applying changes programmatically as a reaction to topological changes. As a result of leveraging automation tools for this purpose, we naturally found ourselves programmatically calculating the network enforcement details instead of managing such configuration by hand. We found that using automation to capture the system design in this way was enabling us to deploy and manage security features, including access control and encryption, much more easily than in systems past. Even better, doing so allowed us to place much less trust in the network than other systems might normally do, which is a key security consideration when operating in and across public clouds.

Around that same time, Google’s first BeyondCorp paper was published, describing how they were rethinking system and network design to remove trust from the network. We saw a lot of philosophical similarities in how Google was approaching their network security, and how we approached similar problems in our own systems. It was clear that reducing trust in the network was not only our own design preference/opinion, but the general direction the industry was headed.
With the realizations gained from comparing the BeyondCorp paper to our own efforts, we started sharing broader understandings of this architecture and philosophy at various conferences. Attendees were engaged and interested in what we were doing, but the question we frequently heard was “Where can I learn more about how to do this in my own system?” Unfortunately, the answer was typically “Well, there’s not a whole lot…come see me afterward.” The lack of publicly available information and guidance became a glaring gap—one we wanted to correct. This book aims to fill that gap.

While writing this book, we spoke to individuals from dozens of companies to understand their perspective on network security designs. We found that many of those companies were themselves reducing the trust of their internal networks. While each organization took a slightly different approach in their own system, it was clear that they all were working under the same threat model and were as a result building solutions that shared many properties.

Our goal with this book isn’t to present one or two particular solutions to building these types of systems, but rather to define a system model that places no trust in its communication network. Therefore, this book won’t be focused on using specific software or implementations, but rather it will explore the concepts and philosophies that are used to build a zero trust network. We hope you will find it useful to have a clear mental model for how to construct this type of system when building your own system, or even better, reusable solutions for the problems described herein.

Zero Trust Networks Today

The zero trust model was originally conceived by Forrester’s John Kindervag in 2010. He worked for many years to set forth architectural models and guidance for building zero trust networks and has advised many large companies on how to evolve their security posture in order to attain zero trust guarantees. John was, and still is, an important figure in the field. His work in the area greatly informed our understanding of the state of the union, and we thank him for popularizing zero trust during its formative years.

Today’s zero trust networks are largely built using off-the-shelf software components with custom software and glue to integrate the components in novel ways. As such, when reading this text, please be aware that deploying this type of system isn’t as easy as installing and configuring some ready-made hardware or software...yet. It could be said that the lack of easily deployable components that work well together is an opportunity. A suite of open source tools could help drive adoption of zero trust networks.

Navigating This Book

This book is organized as follows:

Chapters 1 and 2 discuss the fundamental concepts at play in a zero trust network.

Chapters 3 and 4 explore the new concepts typically seen in mature zero trust networks: network agents and trust engines.

Chapters 5–8 detail how trust is established among the actors in a network. Most of this content is focused on existing technology that could be useful even in a traditional network security model.

Chapter 9 brings all this content together to discuss how you could begin building your own zero trust network and includes two case studies.

Chapter 10 looks at the zero trust model from an adversarial view. It explores potential weaknesses, discussing which are well mitigated, and which are not.

Conventions Used in This Book

The following typographical conventions are used in this book:

Italic
Indicates new terms, URLs, email addresses, filenames, and file extensions.

Constant width
Used for program listings, as well as within paragraphs to refer to program elements such as variable or function names, databases, data types, environment variables, statements, and keywords.

Constant width bold
Shows commands or other text that should be typed literally by the user.

Constant width italic
Shows text that should be replaced with user-supplied values or by values determined by context.

TIP
This element signifies a tip or suggestion.

NOTE
This element signifies a general note.

WARNING
This element indicates a warning or caution.

O’Reilly Safari

Safari (formerly Safari Books Online) is a membership-based training and reference platform for enterprise, government, educators, and individuals. Members have access to thousands of books, training videos, Learning Paths, interactive tutorials, and curated playlists from over 250 publishers, including O’Reilly Media, Harvard Business Review, Prentice Hall Professional, Addison-Wesley Professional, Microsoft Press, Sams, Que, Peachpit Press, Adobe, Focal Press, Cisco Press, John Wiley & Sons, Syngress, Morgan Kaufmann, IBM Redbooks, Packt, Adobe Press, FT Press, Apress, Manning, New Riders, McGraw-Hill, Jones & Bartlett, and Course Technology, among others. For more information, please visit http://oreilly.com/safari.

How to Contact Us