Use Cases and Fine Tuning


Zero trust network project

Our goals:
1. Build a network for healthcare organizations or small enterprises with
basic security principles.
2. Apply ZTNA and IAM technologies: MFA, SSO, Active Directory or
OpenLDAP, least privilege.
3. Implement security policies.
4. Use a FortiGate firewall to secure traffic between network segments.
Create network security groups and ACLs to restrict traffic based on source/destination IP
addresses and ports.
5. Simulate cloud environments and enforce cloud security policies.
6. Simulate and test policy implementation.
7. Implement UEBA (User and Entity Behavior Analytics).
8. Implement EDR (Endpoint Detection and Response).
Conduct health checks on endpoints before allowing them to connect to your network or
access systems.
9. Implement SOAR (Security Orchestration, Automation and Response).
10.

Steps to achieve each goal:

1. To fully understand zero trust network principles:
Unlike traditional perimeter-based security, Zero Trust enables the business while
adapting security architecture to support new user populations (e.g., employees,
partners, customers, and patients), customer engagement models, rapid cloud
adoption, and new IoT devices and sensors. The COVID-19 pandemic has resulted
in large-scale transformative change, requiring a rapid pivot to Zero Trust.

Improving identity management and device security are two core components of
the Zero Trust extended (ZTX) ecosystem.

Activate a core principle of Zero Trust by redrawing logical segmentation
boundaries around network assets and increasing isolation between
segments. Authorize and log all access at segmentation boundaries and
inspect and log all activity within each network segment. The segmentation
policy defines the access that each group has to each other group. For example, the
application tier can talk to middleware, which can talk to databases, but the
application tier (where most exploits will happen) cannot access the database tier
(where the crown jewels are) directly.

2. Build a network for healthcare organizations or small enterprises with basic
security principles.
• Identify and catalogue all users, devices, and digital assets that require
network access.
• Create a detailed list of all users who access your network. This includes
employees, contractors, remote workers, and any third parties.
• For each user, document their role, access requirements, and the type of
data they need to access.
• List all physical and virtual assets. Physical assets consist of tangible
resources like hardware and network infrastructure. Virtual assets
encompass cloud services, software applications, databases, and any
stored data.
• Identify sensitive data across your IT infrastructure, including on-premises
servers, cloud storage, and endpoint devices. Types of sensitive data include
personally identifiable information (PII), financial records, intellectual
property, and confidential business information.
• Apply micro-segmentation.

3. IAM technologies:
Identity and Access Management (IAM) technologies are tools and frameworks used
to manage digital identities and control user access to resources within an
organization. IAM ensures that the right individuals and entities have the
appropriate access levels to the right resources, at the right time, and for the right
reasons.
• Identity management involves creating, managing, and deleting user identities. It
includes processes like registration, profile management, and user deprovisioning.
• Access management deals with enforcing policies that determine which users
can access specific systems, applications, or data. It includes authentication
and authorization mechanisms.
• Authentication verifies the identity of users through passwords, multi-factor
authentication (MFA), biometrics, or single sign-on (SSO) solutions.
• Authorization defines what users are allowed to do once authenticated. Role-Based
Access Control (RBAC) and Attribute-Based Access Control (ABAC) are common
methods used.
• Single sign-on (SSO) is a feature that allows users to log in once and gain access to
multiple applications or systems without needing to re-enter credentials.
• Directory services are centralized repositories (like Active Directory) that store
information about users and resources, enabling efficient authentication and
access control.
• NIST Special Publication 800-53: NIST provides a comprehensive guide on IAM
and access control standards used across industries.
• Gartner’s IAM Research: Offers insights into IAM solutions, trends, and
vendors. Access it on Gartner’s website or through your institution’s library if
available.

4. Implement Security Policies:
Develop a set of policies that govern access control, segmentation, identity
management, and workload isolation.
• Access should be controlled using Role-Based Access Control (RBAC) or
Attribute-Based Access Control (ABAC).
• Enforce segmentation and micro-segmentation using firewalls and access
control lists (ACLs).
• Implement identity and authentication policies (e.g., using OpenLDAP) to secure
user access.

Example use case: User Authentication

In this use case, a user needs to log in to access your network. You want to first implement
basic authentication (username and password) in a traditional network. Then, you’ll
upgrade it in your Zero Trust Network by adding Multi-Factor Authentication (MFA) and
contextual authentication.

Basic User Authentication (Traditional Network)

• User logs in with a username and password.
• Once authenticated, the user can access resources without additional checks.

Enhanced Authentication with Zero Trust

• User logs in with username and password.
• After that, the user is prompted for MFA (e.g., a code sent to their phone).
• The system checks additional context (like location or device) to verify that it's really
the user trying to log in.
• If something seems suspicious (e.g., login from an unusual location), the user may
be asked for further verification or blocked from accessing sensitive resources.

Step 2: Implement the Use Case

Traditional Network: Basic Authentication Setup

• Tools: Use Active Directory (AD), LDAP, or RADIUS to implement username and
password-based authentication.
1. Configure User Authentication:
a. Set up a server (e.g., using Active Directory) that stores usernames and
passwords.
b. Create users and set passwords.
c. Allow users to log in using their credentials.
2. Logging and Monitoring:
a. Enable basic logging so that you can monitor login attempts (successful and
failed).

Zero Trust Network: Enhanced Authentication Setup

• Tools: Use MFA solutions like Google Authenticator, Conditional Access (Azure
AD), or Duo Security to add additional layers to user authentication.
1. Add MFA:
a. Integrate MFA with your authentication system.
b. When the user logs in, they will be asked for their password and a second
factor (e.g., a temporary code sent via SMS or generated by an authenticator
app).
2. Contextual Authentication:
a. Check the context of the login attempt (e.g., time, location, device type).
b. If the user is logging in from a trusted location and device, they proceed
normally.
c. If the system detects an unusual login (like from a new country), it can
prompt for extra verification or deny access.

Fine-Tuning Traditional Network

1. Password Policy:
a. Set up a stronger password policy. For example, require a minimum of 10
characters, including uppercase, lowercase, numbers, and special
characters.

Example RegEx for a strong password policy:

^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{10,}$

2. Session Timeout:
a. Adjust session timeout. By default, the user may stay logged in for hours, but
you can fine-tune it to log them out after 15 minutes of inactivity.
3. Login Monitoring:
a. Fine-tune logging so you can detect failed login attempts. For instance, if a
user fails 5 login attempts in 5 minutes, the system locks their account for 10
minutes to prevent brute force attacks.
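Here is an added Python example (not code from the original document) that applies the three traditional-network settings above: it validates a password against the RegEx, and a small tracker enforces the 5-failures-in-5-minutes lockout for 10 minutes and the 15-minute idle timeout. The class name, the user names and the timestamps are assumptions.

```python
import re
from datetime import datetime, timedelta

# Password policy from the text: at least 10 characters with a lowercase
# letter, an uppercase letter, a digit and one of the listed specials.
PASSWORD_RE = re.compile(
    r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{10,}$"
)

def password_meets_policy(password: str) -> bool:
    """True when the password satisfies the policy regex."""
    return PASSWORD_RE.match(password) is not None

class LoginGuard:
    """Per-user lockout and idle-timeout tracking (hypothetical helper).
    Rules from the text: 5 failed attempts within 5 minutes lock the account
    for 10 minutes; a session is considered ended after 15 idle minutes."""

    def __init__(self, max_failures=5, window=timedelta(minutes=5),
                 lockout=timedelta(minutes=10), idle_timeout=timedelta(minutes=15)):
        self.max_failures, self.window = max_failures, window
        self.lockout, self.idle_timeout = lockout, idle_timeout
        self._failures = {}      # user -> timestamps of recent failures
        self._locked_until = {}  # user -> datetime when the lock expires
        self._last_seen = {}     # user -> last activity in the session

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self._locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user: str, now: datetime) -> bool:
        """Register a failed login; returns True if the account is now locked."""
        if self.is_locked(user, now):
            return True
        # Keep only failures inside the sliding window, then add this one.
        recent = [t for t in self._failures.get(user, []) if now - t < self.window]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            self._failures[user] = []
            return True
        return False

    def record_success(self, user: str, now: datetime) -> None:
        """A successful login clears the failure history and starts a session."""
        self._failures.pop(user, None)
        self._last_seen[user] = now

    def session_active(self, user: str, now: datetime) -> bool:
        """False once the user has been idle longer than idle_timeout."""
        last = self._last_seen.get(user)
        return last is not None and now - last <= self.idle_timeout

def walkthrough() -> dict:
    """Replay the text's scenario on constructed timestamps; returns the outcomes."""
    guard = LoginGuard()
    t0 = datetime(2024, 10, 23, 12, 0, 0)
    # john.doe: four failures in two minutes, then a fifth one -> locked.
    first_four = [guard.record_failure("john.doe", t0 + timedelta(seconds=30 * i))
                  for i in range(4)]
    fifth = guard.record_failure("john.doe", t0 + timedelta(minutes=2))
    # jane.roe: four quick failures; the fifth, six minutes later, is outside the window.
    for i in range(4):
        guard.record_failure("jane.roe", t0 + timedelta(seconds=i))
    jane_fifth = guard.record_failure("jane.roe", t0 + timedelta(minutes=6))
    guard.record_success("jane.roe", t0 + timedelta(minutes=7))
    return {
        "john_locked_after_four": any(first_four),
        "john_locked_after_five": fifth,
        "john_locked_at_11min": guard.is_locked("john.doe", t0 + timedelta(minutes=11)),
        "john_locked_at_12min": guard.is_locked("john.doe", t0 + timedelta(minutes=12)),
        "jane_locked": jane_fifth,
        "jane_session_at_20min": guard.session_active("jane.roe", t0 + timedelta(minutes=20)),
        "jane_session_at_23min": guard.session_active("jane.roe", t0 + timedelta(minutes=23)),
    }
```

Note that the trailing character class in the RegEx admits only the listed special characters, so a password containing other symbols or spaces is rejected even when it is long and mixed; widen the class if your policy allows them.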

Fine-Tuning Zero Trust Network

1. Adjust MFA Policies:
a. Fine-tune when and how often users are prompted for MFA. For example,
require MFA only when accessing sensitive resources or when logging in
from an unrecognized device.
2. Contextual Access Controls:
a. Fine-tune access policies based on context. For example, allow access
without MFA if a user logs in during office hours from the office network, but
require MFA for after-hours access or remote access.
3. Behavior-Based Policies:
a. Implement behavior monitoring using tools like UEBA (User and Entity
Behavior Analytics). Fine-tune the system to detect abnormal behavior,
such as accessing sensitive data at unusual times, and trigger additional
authentication or alerts.
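The contextual rules in the two lists above can be written down as a single policy function. This is an added Python example, not the project's own code; the office network range, office hours, home country, trusted device inventory, user and resource names are assumed values.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed environment values for this example (not from the project).
OFFICE_NETWORK = ip_network("10.20.0.0/16")      # corporate office address range
OFFICE_HOURS = range(8, 18)                      # 08:00-17:59, Monday to Friday
HOME_COUNTRY = "US"                              # where logins normally originate
SENSITIVE_RESOURCES = {"payroll", "patient-records"}
TRUSTED_DEVICES = {"john.doe": {"LAPTOP-01"}}    # assumed device inventory


@dataclass
class LoginContext:
    user: str
    source_ip: str
    device_id: str
    country: str
    resource: str
    when: datetime


def decide(ctx: LoginContext, trusted_devices: dict) -> tuple:
    """Return (decision, reason); decision is allow, mfa, step-up or deny.

    Encodes the rules from the text: no MFA during office hours from the office
    network on a recognised device; MFA for sensitive resources, unrecognised
    devices, after-hours or remote logins; an unusual country means extra
    verification, or a block when the target is sensitive.
    """
    on_office_net = ip_address(ctx.source_ip) in OFFICE_NETWORK
    in_office_hours = ctx.when.weekday() < 5 and ctx.when.hour in OFFICE_HOURS
    known_device = ctx.device_id in trusted_devices.get(ctx.user, set())
    sensitive = ctx.resource in SENSITIVE_RESOURCES

    if ctx.country != HOME_COUNTRY:
        if sensitive:
            return "deny", "unusual country and sensitive resource"
        return "step-up", "login from unusual country"
    if sensitive:
        return "mfa", "sensitive resource always requires MFA"
    if not known_device:
        return "mfa", "unrecognised device"
    if on_office_net and in_office_hours:
        return "allow", "office hours, office network, trusted device"
    return "mfa", "after-hours or remote access"


def evaluate_all(contexts, trusted_devices=TRUSTED_DEVICES) -> list:
    """Decisions for a batch of login contexts, in order."""
    return [decide(c, trusted_devices)[0] for c in contexts]


# Constructed login attempts, one per branch of the policy (2024-10-23 is a Wednesday).
WED_10AM = datetime(2024, 10, 23, 10, 0)
SAMPLE_LOGINS = [
    LoginContext("john.doe", "10.20.5.7", "LAPTOP-01", "US", "intranet", WED_10AM),
    LoginContext("john.doe", "10.20.5.7", "LAPTOP-01", "US", "intranet", datetime(2024, 10, 23, 21, 0)),
    LoginContext("john.doe", "203.0.113.9", "LAPTOP-01", "US", "intranet", WED_10AM),
    LoginContext("john.doe", "10.20.5.7", "TABLET-9", "US", "intranet", WED_10AM),
    LoginContext("john.doe", "10.20.5.7", "LAPTOP-01", "US", "payroll", WED_10AM),
    LoginContext("john.doe", "198.51.100.4", "LAPTOP-01", "BR", "intranet", WED_10AM),
    LoginContext("john.doe", "198.51.100.4", "LAPTOP-01", "BR", "payroll", WED_10AM),
    LoginContext("john.doe", "10.20.5.7", "LAPTOP-01", "US", "intranet", datetime(2024, 10, 26, 10, 0)),
]

if __name__ == "__main__":
    for ctx in SAMPLE_LOGINS:
        print(ctx.resource, ctx.source_ip, ctx.country, ctx.when, "->", decide(ctx, TRUSTED_DEVICES))
```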

Step 4: Test the Fine-Tuning

Once you’ve adjusted these settings, test them in both environments:

• Traditional Network: Test password policies, login attempts, and session
timeouts. Ensure that users can log in smoothly but are locked out after repeated
failures.
• Zero Trust Network: Test MFA, location-based access, and behavior-based alerts.
Try logging in from different devices and locations to see how the system responds
(e.g., prompt for MFA if needed).

Example: Fine-Tuning RegEx for Login Monitoring

If you're logging login attempts and want to fine-tune your system to detect patterns like
repeated failed logins, you can use RegEx patterns in your logs.

Log Format Example:

2024-10-23 12:45:02 Login failed for user: john.doe from IP: 192.168.1.10

RegEx to Match Failed Logins:

Login failed for user: [^\s]+ from IP: (\d{1,3}\.){3}\d{1,3}

This RegEx will find all failed login attempts in your log. You can then:

• Set a rule that triggers an alert if there are more than 5 failed logins from the same IP
in 10 minutes.
• Fine-tune the system to lock the account or require additional authentication after
multiple failed attempts.
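To run the failed-login pattern against real log lines, here is an added Python example (not part of the original document): it wraps the page's RegEx with named groups, parses a constructed sample log, and raises the alert the text describes when one IP exceeds 5 failed logins in 10 minutes. The sample log, the user names and the function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The page's pattern, extended with named groups for timestamp, user and IP.
FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"Login failed for user: (?P<user>[^\s]+) from IP: (?P<ip>(?:\d{1,3}\.){3}\d{1,3})"
)

# Constructed sample log (not real data): six failures from 192.168.1.10 inside
# ten minutes, two from 192.168.1.20 an hour apart, and unrelated lines as noise.
SAMPLE_LOG = """\
2024-10-23 12:45:02 Login failed for user: john.doe from IP: 192.168.1.10
2024-10-23 12:45:40 Login succeeded for user: jane.roe from IP: 192.168.1.30
2024-10-23 12:46:11 Login failed for user: john.doe from IP: 192.168.1.10
2024-10-23 12:47:05 Login failed for user: admin from IP: 192.168.1.10
2024-10-23 12:48:59 Login failed for user: j.smith from IP: 192.168.1.20
2024-10-23 12:49:30 Login failed for user: root from IP: 192.168.1.10
2024-10-23 12:51:12 Login failed for user: john.doe from IP: 192.168.1.10
2024-10-23 12:53:47 Login failed for user: jane.roe from IP: 192.168.1.10
2024-10-23 13:40:00 Login failed for user: j.smith from IP: 192.168.1.20
"""


def parse_failed_login(line: str):
    """Return (timestamp, user, ip) for a failed-login line, else None."""
    m = FAILED_LOGIN_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["ip"]


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Alert when one IP produces more than `threshold` failures within `window`.

    Returns [(ip, iso_timestamp_of_trigger, failures_in_window, users_tried)],
    one alert per IP, raised at the first line that crosses the threshold.
    """
    recent = defaultdict(deque)   # ip -> (timestamp, user) pairs inside the window
    alerts, alerted = [], set()
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue
        ts, user, ip = parsed
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        if len(q) > threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, ts.isoformat(), len(q), sorted({u for _, u in q})))
    return alerts


def failures_per_ip(lines) -> dict:
    """Plain count of failed logins per source IP, for a quick triage view."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is not None:
            counts[parsed[2]] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, when, n, users in find_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"ALERT {when} {ip}: {n} failed logins within 10 min; users tried: {users}")
```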

Using RegEx for Log Monitoring and Security:

• Elastic has useful guides on using RegEx to parse logs for security monitoring, which
is commonly applied in SIEM (Security Information and Event Management)
systems.
• Reference: Elastic, Using Regex in Security Analytics.

A regular expression is a way to match patterns in data using placeholder characters,
called operators.

Password Policies and Fine-Tuning in Authentication:

• OWASP (Open Web Application Security Project) provides best practices on
password policies and implementing secure authentication mechanisms.
• Reference: OWASP, Password Policy Cheat Sheet.

Zero Trust Use Cases and Implementation:

• Palo Alto Networks has documentation outlining use cases and implementation of
Zero Trust networks.
• Reference: Palo Alto Networks, Zero Trust Use Cases.
• https://www.paloaltonetworks.com/zero-trust

EXAMPLE USE CASE: DEVICE AUTHENTICATION

1. Traditional Network Device Authentication

• Process: Devices are often authenticated using basic methods like MAC addresses
or static IPs. When a device connects to a network, a firewall or router checks if the
MAC address or IP address is in an allowed list. This provides basic identity
validation for devices.
o Example: MAC address filtering is used in a Wi-Fi network where only
devices with specific, pre-approved MAC addresses can join the network.
• Limitation: MAC addresses can be easily spoofed by an attacker. Static IP
addresses are also vulnerable because they don't offer dynamic, context-based
checks.

2. Zero Trust Network Device Authentication

• Process: In a Zero Trust model, devices are authenticated dynamically using more
advanced techniques like device certificates, cryptographic tokens, and even
device health checks. These methods ensure that only trusted devices, which
meet security standards, can access network resources.
o Example: A device might require a signed certificate from a trusted authority
(e.g., Microsoft, your organization) to authenticate itself. Beyond the
certificate, the device's security status (e.g., OS version, patches) is
continuously monitored to ensure it complies with network policies.
• Improvement: Even if an attacker attempts to spoof a device's MAC or IP, they will
not be able to provide the valid cryptographic token or device certificate that is
dynamically required in a Zero Trust Network.

Fine-Tuning Device Authentication in Zero Trust

• Implementing device authentication can be fine-tuned using:
o Conditional Access: Only allow devices to connect if they meet specific
conditions (e.g., from a trusted network, updated OS).
o Certificate Revocation: Devices that don’t comply with security policies
(e.g., outdated OS, no antivirus) can have their certificates revoked,
preventing them from accessing the network until they are compliant.
o Just-in-Time Authentication: Devices can be granted temporary access
based on need, ensuring they are verified in real-time for specific tasks.

Using RegEx for Device Authentication Logs

When you implement device authentication, your security systems (like SIEMs or firewalls)
generate a lot of logs related to device connections, failures, and successful
authentication attempts. RegEx helps filter and identify key patterns in these logs to
enhance monitoring, detect anomalies, or fine-tune authentication rules.

Example Use Case of RegEx in Device Authentication Logs

1. Detecting MAC Address Spoofing
a. Logs will often contain entries about devices joining the network. You can
use RegEx to filter logs for repeated, suspicious authentication attempts
from the same MAC address, which may indicate spoofing.

Sample RegEx to Match MAC Addresses:

([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})

b. This matches standard MAC address formats like 00:1A:2B:3C:4D:5E or
00-1A-2B-3C-4D-5E.
c. How to Use: You can apply this RegEx to your logs to monitor for repeated
attempts from specific MAC addresses within a short time frame. If multiple
failed connection attempts with the same MAC address occur, it might be a
sign of spoofing.
2. Finding Failed Certificate-Based Authentication Attempts
a. In a Zero Trust Network, device authentication often relies on certificates. If
authentication fails (e.g., due to an invalid or expired certificate), this will
show up in your logs. Using RegEx, you can capture these failures and
identify trends.

Sample Log Entry:

2024-10-23 12:30:01 Device with IP 192.168.1.10 failed certificate validation: Invalid certificate (DeviceID: ABC123).

RegEx to Capture Failed Certificate Validations:

\bfailed certificate validation\b.*(DeviceID:\s?\w+)

b. This pattern captures log entries with "failed certificate validation" and
extracts the DeviceID.
c. How to Use: You can apply this RegEx to your SIEM or firewall logs to get an
alert every time a device fails certificate validation, which might indicate
either a misconfiguration or an attacker trying to use an unauthorized device.
3. Identifying Device Health Check Failures
a. In Zero Trust networks, devices often undergo health checks before being
authenticated. Logs might indicate whether a device is up to date or not.
Using RegEx, you can search for devices that fail health checks.

Sample Log Entry:

2024-10-23 14:45:10 Device with IP 192.168.1.11 failed health check: OS outdated (Last patch: 2023-07-10).

RegEx to Capture Device Health Check Failures:

\bfailed health check\b.*(OS outdated|antivirus disabled|firewall off)

b. This matches logs where the device failed a health check due to various
reasons like an outdated OS, disabled antivirus, or firewall issues.
c. How to Use: You can use this RegEx to filter logs and get alerts whenever a
device fails a health check, indicating a non-compliant device trying to
access the network.
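As an added example (not from the original document), the following Python combines the three device-log patterns above into one triage pass over a constructed sample log: it extracts failed certificate validations with their DeviceID, health-check failures with their reason, and MAC addresses that repeatedly fail to join within a short window, which is the repeated-attempt pattern the text calls a possible sign of spoofing. The join-failure message format, the sample lines, the thresholds and the function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$")
IP_RE = re.compile(r"IP (?P<ip>(?:\d{1,3}\.){3}\d{1,3})")
# The three patterns from the text, with named groups added for extraction.
MAC_RE = re.compile(r"(?P<mac>(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})")
CERT_FAIL_RE = re.compile(r"\bfailed certificate validation\b.*DeviceID:\s?(?P<device>\w+)")
HEALTH_FAIL_RE = re.compile(
    r"\bfailed health check\b.*?(?P<reason>OS outdated|antivirus disabled|firewall off)"
)

# Constructed sample log (not real data). The join-failure message format is assumed.
SAMPLE_LOG = """\
2024-10-23 12:30:01 Device with IP 192.168.1.10 failed certificate validation: Invalid certificate (DeviceID: ABC123).
2024-10-23 14:45:10 Device with IP 192.168.1.11 failed health check: OS outdated (Last patch: 2023-07-10).
2024-10-23 14:46:02 Device with IP 192.168.1.12 failed health check: antivirus disabled.
2024-10-23 15:00:01 Device 00:1A:2B:3C:4D:5E failed to join corp-wifi: MAC not in allow list
2024-10-23 15:00:20 Device 00:1a:2b:3c:4d:5e failed to join corp-wifi: MAC not in allow list
2024-10-23 15:00:45 Device 00-1A-2B-3C-4D-5F failed to join corp-wifi: MAC not in allow list
2024-10-23 15:01:10 Device 00:1A:2B:3C:4D:5E failed to join corp-wifi: MAC not in allow list
2024-10-23 15:01:30 Device 00:1A:2B:3C:4D:5E joined corp-wifi
2024-10-23 15:01:55 Device 00:1A:2B:3C:4D:5E failed to join corp-wifi: MAC not in allow list
"""


def normalise_mac(mac: str) -> str:
    """Upper-case, colon-separated form so 00-1a-.. and 00:1A:.. count as one device."""
    return mac.upper().replace("-", ":")


def triage(lines, mac_threshold=3, window=timedelta(minutes=2)) -> dict:
    """Sort device-authentication log lines into the three cases from the text.

    Returns cert_failures [(iso_ts, ip, device_id)], health_failures
    [(iso_ts, ip, reason)] and suspicious_macs {mac: peak failures in window}
    for MACs whose failed join attempts reach mac_threshold inside `window`.
    """
    result = {"cert_failures": [], "health_failures": [], "suspicious_macs": {}}
    recent = defaultdict(deque)   # normalised mac -> timestamps of recent failures
    for line in lines:
        head = TS_RE.match(line)
        if head is None:
            continue                      # not a timestamped line we understand
        ts = datetime.strptime(head["ts"], "%Y-%m-%d %H:%M:%S")
        msg = head["msg"]
        ip_m = IP_RE.search(msg)
        ip = ip_m["ip"] if ip_m else None
        cert = CERT_FAIL_RE.search(msg)
        if cert:
            result["cert_failures"].append((ts.isoformat(), ip, cert["device"]))
            continue
        health = HEALTH_FAIL_RE.search(msg)
        if health:
            result["health_failures"].append((ts.isoformat(), ip, health["reason"]))
            continue
        mac_m = MAC_RE.search(msg)
        if mac_m and "failed" in msg:
            mac = normalise_mac(mac_m["mac"])
            q = recent[mac]
            q.append(ts)
            while q and ts - q[0] > window:   # drop attempts older than the window
                q.popleft()
            if len(q) >= mac_threshold:
                seen = result["suspicious_macs"].get(mac, 0)
                result["suspicious_macs"][mac] = max(seen, len(q))
    return result
```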

Steps to Implement and Fine-Tune Device Authentication Use Case

1. Set Up Device Authentication Methods:
a. In your traditional network, use MAC address filtering or static IPs.
b. In your Zero Trust Network, switch to device certificates and cryptographic
tokens.
c. Configure device health checks as part of the authentication process in the
Zero Trust Network.
2. Monitor and Log Authentication Events:
a. Ensure your firewall, VPN, or SIEM tool logs every authentication event (both
successes and failures).
b. Log details should include device identity (e.g., MAC address, IP, device
certificate), time of access, and health check results.
3. Use RegEx for Log Analysis:
a. Apply RegEx patterns to your logs to detect anomalies like repeated failed
login attempts or certificate validation issues.
b. Example: Set a rule in your SIEM to trigger an alert when the same MAC
address tries and fails to authenticate multiple times within a short window.
4. Fine-Tune Authentication Policies:
a. Based on your log analysis and RegEx filters, adjust authentication policies.
i. Example: If multiple devices fail health checks because they don’t
have the latest security patch, adjust the certificate policy to require
stricter OS checks.
ii. Example: If MAC address spoofing is detected, switch from MAC-
based authentication to certificate-based.

Conclusion: Device Authentication and RegEx in Zero Trust

By understanding how device authentication works differently in traditional networks
versus Zero Trust Networks, you can create stronger, more dynamic security controls.
Using RegEx to monitor logs helps detect suspicious activities and fine-tune your policies.
Through these efforts, you can demonstrate the differences in security posture between
traditional methods and Zero Trust models.

For more technical references:

• NIST's Zero Trust Architecture (NIST 800-207) for deeper insight on Zero Trust
models.
• ElasticSearch Log Monitoring: Guides on using RegEx in SIEM tools to filter and
analyze authentication events in real time.

More use cases to search:

2. Least Privilege Access

• Traditional Network: Users are assigned roles that grant broad access to
resources based on their department (e.g., HR staff can access all HR files).
o Process: Access is granted once based on role. No further checks are made
after the user logs in.
o Limitation: This can be risky if the user's credentials are compromised, or if
they need access to only specific files, but have broader access.
• Zero Trust Network: Access is limited to the minimum resources required, and
dynamic verification happens based on context (e.g., time, device, behavior).
o Improvement: Users are continuously verified, and their access is limited to
specific tasks or files, not entire systems. For example, an HR manager
accessing payroll will only have access to that specific file and only during
work hours.
o Fine-Tuning: Set policies that restrict user access based on time of day,
device, and location.

3. Privileged Access Management (PAM)

• Traditional Network: Administrators have persistent access to critical
infrastructure (e.g., databases or servers) using a static password.
o Process: Once the administrator logs in, they have full, ongoing access to
resources without additional authentication.
o Limitation: If admin credentials are stolen, attackers can gain unlimited
access without being noticed.
• Zero Trust Network: Admins must use multi-factor authentication (MFA) and are
granted temporary, task-specific access.
o Improvement: Admins use one-time passwords (OTP) or biometric
authentication before accessing sensitive systems. Their access is time-
bound and restricted to specific systems or tasks. After completing the task,
their access automatically expires.
o Fine-Tuning: Implement just-in-time access control, where admin privileges
are granted only for a specific time frame (e.g., 30 minutes for a specific
server).

4. User Behavior Monitoring and Anomaly Detection

• Traditional Network: User activities are logged but not continuously monitored.
Alerts might be generated for failed login attempts, but behavior isn't tracked in
real-time.
o Process: After a successful login, the system doesn't usually track the
user’s behavior or monitor for abnormal activities.
o Limitation: If an attacker steals credentials, they can access resources
without raising any alarms.
• Zero Trust Network: Continuous monitoring of user behavior using UEBA (User and
Entity Behavior Analytics) tools.
o Improvement: The system analyzes user behavior patterns (e.g., logins, file
access, browsing history) and flags anomalies. For instance, if a user
suddenly downloads a large number of sensitive files at night (which is
abnormal for them), an alert is generated, and their access is restricted until
further verification.
o Fine-Tuning: Adjust the sensitivity of behavior monitoring tools to avoid false
positives but ensure suspicious activities (e.g., access outside normal
hours) are flagged.

5. Remote Access

• Traditional Network: VPNs (Virtual Private Networks) are used for remote access.
Once a user connects to the VPN, they have broad access to the network.
o Process: A user connects to the VPN using a shared key or personal
password, granting them access to the internal network.
o Limitation: VPNs can be compromised, and if a VPN account is hacked,
attackers can gain access to the whole network.
• Zero Trust Network: Remote access is granted only to specific resources after
verifying both user and device identity.
o Improvement: Users must pass identity checks (e.g., MFA) and device
security checks (e.g., up-to-date antivirus) before being allowed to access
specific applications or files. A compromised VPN account would not lead to
broad network access.
o Fine-Tuning: Set access policies that require users to re-authenticate or
verify identity periodically during remote sessions. For example, users may
need to perform MFA every hour or if the session shows signs of inactivity.

6. Micro-Segmentation

• Traditional Network: The network is segmented into large zones, such as a
production network and a guest network, with basic firewall rules to separate them.
o Process: Traffic within each zone is trusted and unrestricted. Firewall rules
typically only apply between zones (e.g., blocking traffic from the guest
network to the internal network).
o Limitation: If an attacker breaches one zone (e.g., production), they have
free access to everything in that zone.
• Zero Trust Network: Micro-segmentation is implemented, creating smaller
security zones within the network. Each zone requires authentication and strict
access controls.
o Improvement: Access to each resource or server is restricted, even if it’s
within the same zone. For example, if an attacker gains access to one server,
they cannot move laterally to other servers without re-authenticating.
o Fine-Tuning: Adjust segmentation rules based on sensitivity. Highly sensitive
data (e.g., financial records) should be placed in isolated segments with
stricter access policies.

7. Data Access Use Case

• Traditional Network: Data access permissions are static, and users are given
blanket permissions based on their role.
o Process: A user might have access to all financial documents if they are part
of the finance team.
o Limitation: If the user’s credentials are compromised, attackers can access
a wide range of documents without restrictions.
• Zero Trust Network: Data access is dynamic and based on real-time verification.
o Improvement: Access to each document or data store is granted on a need-
to-know basis. Real-time checks (e.g., location, device status, behavior)
determine whether the user can access a specific file.
o Fine-Tuning: Use DLP (Data Loss Prevention) tools to classify and control
access to sensitive data based on its importance (e.g., blocking access to
financial data outside of work hours).

8. Application Access Control

• Traditional Network: Once users log in, they have access to all the applications
they are entitled to, regardless of the context.
o Process: Access is granted by roles and groups, and users get access to
entire applications.
o Limitation: There’s no further check on what they do inside the application
after logging in.
• Zero Trust Network: Access to applications is granted based on real-time
conditions (e.g., device, location, time of day).
o Improvement: For example, an employee can only access a cloud
application if they are on a corporate-managed device, and their device
complies with security policies. Any sign of unusual activity within the
application (e.g., trying to download large amounts of data) triggers further
verification.
o Fine-Tuning: Implement Conditional Access policies that only allow access
to applications under predefined conditions (e.g., working hours, secure
devices, specific locations).

Summary

• Device Authentication: From MAC-based authentication to certificate-based and
device health checks in Zero Trust.
• Least Privilege Access: Limit access to the bare minimum based on task or role.
• Privileged Access Management (PAM): Use temporary, task-specific access
rather than persistent access.
• Behavior Monitoring: Use UEBA to continuously monitor user behavior and detect
anomalies.
• Remote Access: Fine-tune access using MFA, device health checks, and limited
access to specific resources.
• Micro-Segmentation: Isolate critical assets and apply access controls at a
granular level.
• Data Access: Implement real-time data access controls and monitor for abnormal
access patterns.
• Application Access: Control application access based on device, location, and
real-time behavior.
Resources to learn:
https://training.fortinet.com/course/view.php?id=33128

https://github.com/ukncsc/zero-trust-architecture/blob/main/2-Know-your-User-Service-and-Device-identities.md

https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/194961/basic-ztna-configuration

https://www.cisco.com/c/en/us/solutions/collateral/enterprise/design-zone-security/zt-ag.html
