
Part 1 – Zero Trust and Armadillos. And Dime Bars.

Anybody who knows me will know I like analogies in tech and a very well used one when describing Zero Trust or Perimeterless Networking is the Castle & Moat analogy.

Looking to avoid accusations of plagiarism whenever possible I’m going to instead take inspiration from a 1995 TV commercial starring Harry Enfield (those of you old enough will remember it!) and go with Armadillos vs Dime (now Daim – is nothing sacred?) Bars. 

One of those is hard on the outside and soft internally, the other soft and chocolatey on the outer layer – but everything else is hard. 

If you’ve never had the pleasure or just plain don’t believe me you can spend 30 seconds of your life watching it below.

Round about 1995 when that advert was screened, I was building out my first networks. Even ‘networks’ is probably too grand a name as it was more a case of a few desktop PCs chained together in a small workgroup, running file shares from their own drive for others in the workgroup to access.

Then the servers landed, first for a live logistics planning system and then to centrally share documents and other content as the employee count grew.

A few of the PCs had their own dial-up email and that needed to be centralised so there could be email for the masses. A Microsoft Exchange server followed – it needed to run in an NT 4.0 domain on which users needed to authenticate to access LAN resources. I learned in years to come that NT 4.0 authentication wasn’t all it was cracked up to be, but back then all that security fuss was of little concern to me; I just wanted it to work.

ISDN business lines meant higher speed (and expensive) internet access could be provided and now we were all connected to the outside world.

At this point we weren’t even at Basecamp Armadillo. No hardened exterior. More marshmallow, soft & squishy all over and I shudder to think now how open we actually were to the outside world.

One of my first security eureka moments was when perusing IP filter logs on the MS Proxy 2.0 server we used to manage internet connectivity. I think I’d been studying for the MCSE exam at the time so had been reading up about all the different functionality the proxy server had.

Anyway, I could see connection attempts hammering away at us – all emanating from the same IP address on the same port, 139.

I guess most of you will know that’s the NetBIOS port and many a worm has spread from server to server, network to network across the service that really does believe sharing is caring. Perhaps the RFC even has that in it somewhere.
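Spotting that kind of hammering is easier with a little automation than by eyeballing a log. The following is an added example, not code from the original post: it parses a handful of constructed firewall/proxy log lines (a made-up format, not real MS Proxy 2.0 output) and flags any source that repeatedly hits NetBIOS/SMB ports inside a short time window, which is the signature of a worm-infected host probing its neighbours.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "IP filter" format (not real MS Proxy output).
SAMPLE_LOG = """\
1999-03-02 09:14:01 DENY TCP 203.0.113.45:1034 -> 198.51.100.7:139
1999-03-02 09:14:03 DENY TCP 203.0.113.45:1035 -> 198.51.100.7:139
1999-03-02 09:14:04 DENY TCP 203.0.113.45:1036 -> 198.51.100.7:139
1999-03-02 09:14:06 DENY TCP 203.0.113.45:1037 -> 198.51.100.7:139
1999-03-02 09:14:09 DENY TCP 203.0.113.45:1038 -> 198.51.100.7:139
1999-03-02 09:15:30 ALLOW TCP 192.0.2.10:2049 -> 198.51.100.7:80
1999-03-02 09:16:12 DENY TCP 192.0.2.77:3121 -> 198.51.100.7:139
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# NetBIOS name/datagram/session ports plus direct-hosted SMB.
NETBIOS_SMB_PORTS = {137, 138, 139, 445}

def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
            rec["dport"] = int(rec["dport"])
            yield rec

def find_hammering_sources(text, threshold=5, window=timedelta(minutes=1)):
    """Return {src_ip: total_attempts} for sources that hit a NetBIOS/SMB port
    at least `threshold` times within any span of length `window`."""
    attempts = defaultdict(list)
    for rec in parse_log(text):
        if rec["dport"] in NETBIOS_SMB_PORTS:
            attempts[rec["src"]].append(rec["ts"])
    flagged = {}
    for src, times in attempts.items():
        times.sort()
        start = 0  # sliding window over the sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = len(times)
                break
    return flagged
```

On the sample data only 203.0.113.45 is flagged; the single probe from 192.0.2.77 stays below the threshold, and the port 80 connection is ignored entirely.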

Curious, I attempted to connect to the NetBIOS port of the source IP and lo and behold, up popped all the file shares and printers of a local Daewoo (remember them?) car dealership!

So I’d fairly innocently carried out my first ‘hack’ and I bet there weren’t many easier.

A quick nose around confirmed to me that they really wouldn’t want this content (accounts data etc) so trivially accessed from the internet, and I concluded that the likely reason their network was calling out to mine was that they had some kind of infection. So I connected to their printer and printed off a message recommending they get a firewall of some kind; I knew I was going to do exactly the same.

(I did check back a week or so later and they had so the print job did the trick!)

We hardened our own defences with a Cisco PIX firewall and added Microsoft ISA Server (which had some additional capabilities) later on when it became available.

This had all served to underline that there was ‘stuff’ on the outside that I wouldn’t want to get into our network, so we were probably at Baby Armadillo* stage now, and from there as I moved on in my career I built various enhancements upon this: IDS/IPS/DPI to monitor and block what was coming in and out of the network, 2FA for additional authentication challenges, VPNs for remote/mobile workers and site-to-site connectivity, vulnerability scanners, a smorgasbord of endpoint solutions, various SIEMs and so on.

But in all of the infrastructures I worked on the focus was on protecting the inside of the impenetrable shell of the Armadillo from the outside.

And in some ways that worked. The layers and architectures were mostly understood.

But breaches still kept happening. It turned out that despite the tough Armadillo exoskeleton there was still a soft underbelly letting the side down.

Recent statistics detailed how over 90% of successful breaches began with a spear-phishing attack going straight through perimeter defences into the user’s mailbox.

Those who practice defence-in-depth should be ok in that scenario right? No. In 75% of these breaches – which ended in a ransomware scenario – the victim had up-to-date endpoint protection.

Once you’re inside the shell – you’re in.

The explosion of Cloud & Mobility has added perhaps the biggest additional facet to this evolution because now the business is moving the core data outside of the shell.

In 2020 most organisations will already have a hybrid cloud infrastructure of some description with a decent sized footprint in the cloud and reaping many of the benefits of doing so (cost, elasticity, scalability, resilience, rapid deployment etc).

But from a security perspective many simply shifted and lifted their problems to the cloud. That unpatched Windows 2012 server VM? Still unpatched, likely because of dependencies or other business challenges AND it’s now outside the Armadillo shell.

The mobility challenge has been met for years by dedicated VPN/RAS/MDM services, many of which have had high-profile vulnerabilities themselves. Now, at a time when the number of applications delivered as cloud-based SaaS/PaaS services continues to grow, it is no longer an optimal or appropriate architecture for the userbase out in the wild to connect into the Armadillo, have security controls and monitoring applied, and then go back out to the internet/cloud again (and so on, in/out, in/out, along this over-utilised network path the traffic will flow. I feel for the Armadillo).

It’s well documented that the COVID pandemic caused an almost overnight shift to entire workforces working from home, so we saw the demand on the VPN infrastructure of many orgs increase 4-5 fold. Old appliances had to be recommissioned to meet the sudden demand – many of them out of support.

And where businesses attempted to alleviate the strain on the VPN platform by implementing split-tunnelling and sending users directly to the cloud service this has often been at the expense of relinquishing some security controls without researching the cloud platform for alternatives.

Identity has sprawled and become fragmented with no single source of the truth, often with different passwords for different systems stored anywhere and everywhere.

Another amplification of the challenge will be 5G and/or IPV6 enabled IoT devices and a possibly infinite number of sources to either defend or indeed protect your key assets from. Whilst you might retain a trusted/untrusted posture with regard to IoT, an architecture that denies access by default is preferable.

With the demands for instant access from the modern user and omnipresent connectivity, permitting access to services solely because the source of the request was from a certain ‘trusted’ network is an approach no longer delivering optimal security.

Next time we’ll talk about considerations for building a Zero Trust based approach.

* A Baby Armadillo is called a Pup which is part of Infosec lexicon, standing for Potentially Unwanted Program so perhaps the writing was on the wall all along.