Deployment of Bold Reports under a Zero Trust Model
Introduction to the Zero Trust Model
The zero trust model is a security framework that challenges the traditional approach of trusting everything behind the corporate firewall. Instead, it operates on the principle of "never trust, always verify".
Core Principles of Zero Trust:
- Verify Explicitly
- Least-Privilege Access
- Assume Breach
Accessing Internal Resources through VPN (Zero Trust Model)
This document describes how internal resources of the sales desk site are accessed through a VPN set up under a zero-trust model.
Overview:
1. Mesh Network
SyncVPN creates a mesh network, allowing multiple servers to connect seamlessly. In a mesh network, each server can communicate directly with any other server, forming a flexible and redundant topology.
2. Secure Access
SyncVPN ensures secure access to resources. When users or servers connect to the network, their identity is verified through certificates. This prevents unauthorized access and protects sensitive data.
3. Layer 3 Connectivity
SyncVPN operates at Layer 3 (the Network Layer) of the OSI model. Layer 3 handles routing and logical (IP) addressing. By providing Layer 3 connectivity, SyncVPN enables communication across different networks.
4. On-Demand, Encrypted Tunnels
Servers can establish encrypted tunnels dynamically. These tunnels are created as needed, ensuring efficient use of resources. Data transmitted through these tunnels remains confidential due to encryption.
5. Certificate-Based Authentication
Both clients (users or devices) and servers use certificates. Certificates securely identify and authorize peers. This mutual authentication ensures that only trusted entities participate in the network.
6. Validation of Certificates and CAs
During authentication, SyncVPN validates certificates. It verifies that certificates are issued by trusted Certificate Authorities (CAs). This step prevents spoofing and unauthorized access.
Zero Trust Model in SyncVPN
1. Office 365 and Multi-Factor Authentication (MFA) Integration with SyncVPN:
- We have successfully integrated Multi-Factor Authentication (MFA) with the SyncVPN application for Office 365 authentication.
- MFA requires users to provide multiple forms of verification before accessing their accounts, enhancing security.
- This aligns with the Zero Trust model, emphasizing continuous authentication and verification regardless of user location.
- By implementing MFA, we add an extra layer of protection for user identity verification.
2. Device Verification and Compliance:
- After user authentication, the SyncVPN app verifies the user’s device in Azure AD.
- Verification includes checking the Device ID and compliance status.
- If verification fails, the SyncVPN application will not launch.
- Device and compliance verification cover the process of ensuring that a user’s device satisfies predetermined security and compliance criteria before it is granted VPN access. This typically entails confirming that the device is registered in a device management system such as Microsoft Intune, assessing its compliance status (for example, up-to-date software and enabled encryption), and evaluating its overall security posture.
3. Authentication via Certificates:
- Each user and server has a separate authentication certificate embedded within the SyncVPN application.
- These certificates contain private IP addresses, keys, and fingerprints.
- When users access VMs, clusters, or sites within our network, their certificates authenticate them.
- This approach ensures that only authenticated users can access our services.
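As an added illustration (not SyncVPN's code and not from this page), the following Go program models the certificate checks described under "Certificate-Based Authentication", "Validation of Certificates and CAs" and the section above: a private CA issues one certificate per user and per server, bound to that peer's private VPN address, and a peer is accepted only when its certificate chains to the trusted CA, is valid for its role, carries the address it claims, and its fingerprint is enrolled. The CA name, peer names, serial numbers and the 10.42.0.0/16 addresses are assumptions made for the example; the actual contents of SyncVPN's certificates and the exact checks it performs are not documented here.

```go
// Added example, not SyncVPN's code: the checks one peer runs on another peer's
// certificate before trusting it. Names, serials and 10.42.0.0/16 addresses are constructed.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"time"
)

// peerCert is what one user or server carries: its certificate and private key.
type peerCert struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// fingerprint is the hex SHA-256 digest of the DER-encoded certificate.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// sign generates a key pair and has issuer sign tmpl for it; a nil issuer self-signs.
func sign(tmpl *x509.Certificate, issuer *peerCert) (*peerCert, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	parent, signer := tmpl, key
	if issuer != nil {
		parent, signer = issuer.Cert, issuer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &peerCert{Cert: cert, Key: key}, err
}

// newCA creates a self-signed certificate authority valid for one day.
func newCA(name string) (*peerCert, error) {
	return sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil)
}

// issue has the CA sign a peer certificate; the peer's private VPN address goes into
// the IP SAN, so the address is authenticated together with the identity.
func issue(ca *peerCert, name string, ip net.IP, serial int64) (*peerCert, error) {
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IPAddresses:  []net.IP{ip},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}, ca)
}

// trustStore is what a verifying peer holds: the trusted CA pool and the
// fingerprints of enrolled peers (the VPN server's registry, in this model).
func trustStore(ca *peerCert, enrolled ...*peerCert) (*x509.CertPool, map[string]bool) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Cert)
	fps := map[string]bool{}
	for _, p := range enrolled {
		fps[fingerprint(p.Cert)] = true
	}
	return pool, fps
}

// authenticate accepts peer only if its certificate chains to a trusted CA, is valid for
// the role, is bound to the address it claims, and is enrolled. The error names the check.
func authenticate(roots *x509.CertPool, enrolled map[string]bool, peer *x509.Certificate, claimedIP net.IP, role x509.ExtKeyUsage) error {
	name := peer.Subject.CommonName
	if _, err := peer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{role}}); err != nil {
		return fmt.Errorf("reject %q: not issued by a trusted CA: %w", name, err)
	}
	if err := peer.VerifyHostname(claimedIP.String()); err != nil {
		return fmt.Errorf("reject %q: certificate is not bound to %s", name, claimedIP)
	}
	if !enrolled[fingerprint(peer)] {
		return fmt.Errorf("reject %q: fingerprint %s is not enrolled", name, fingerprint(peer)[:16])
	}
	return nil
}
```

Three rejections are worth exercising when running it: a certificate for the same user name issued by a different CA (fails the chain check), a valid user certificate presented from the server's address (fails the address binding), and a certificate from the trusted CA that was never enrolled (fails the fingerprint check). The fingerprint registry is what a central VPN server adds on top of CA validation: in this model, withdrawing one peer's access is removing one fingerprint, with no dependency on the CA.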
4. Restricted Access to Specific Users:
- We’ve configured VPN firewall rules in SyncVPN so that each user can reach only the services they require.
- This aligns with the principles of Zero Trust, granting access only to necessary resources.
- Regardless of user location or network, strict access controls and verification are enforced.
5. Micro-Segmentation:
- Our network is micro-segmented, creating separate segments for users, servers, and mobile/iPad devices.
- This setup allows us to securely and selectively connect users to specific services.
- Micro-segmentation enhances security by limiting lateral movement within the network.
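The decision logic that sections 2, 4 and 5 describe (device posture, per-user service rules, segments), as an added Go example that is not SyncVPN's configuration or code: a request is denied unless the device passes every posture check and an explicit grant names that user and service, and the segment each service is placed in is recorded with the decision. The user names, device fields, service names and segment names are constructed for the example.

```go
// Added example, not SyncVPN's configuration: a default-deny access decision that
// combines device posture, per-user service grants and the segment each service is in.
package main

import (
	"fmt"
	"sort"
)

// DevicePosture is what the device verification step reports for one device (constructed).
type DevicePosture struct {
	DeviceID   string
	Registered bool
	Compliant  bool
	Encrypted  bool
	UpToDate   bool
}

// Grant allows one user to reach one service; without a grant nothing is reachable.
type Grant struct {
	User    string
	Service string
}

// Decision is the outcome plus the reason, which is what should be logged.
type Decision struct {
	Allowed bool
	Reason  string
}

type Policy struct {
	segments map[string]string // service name -> segment it is placed in
	grants   map[Grant]bool
}

func NewPolicy(segments map[string]string, grants []Grant) *Policy {
	p := &Policy{segments: segments, grants: map[Grant]bool{}}
	for _, g := range grants {
		p.grants[g] = true
	}
	return p
}

// samplePolicy is constructed: three services in two segments; alice may reach only
// Bold Reports, ops may reach the database and the dashboard.
var samplePolicy = NewPolicy(
	map[string]string{"bold-reports": "cluster", "sales-db": "cluster", "vpn-dashboard": "admin"},
	[]Grant{{"alice", "bold-reports"}, {"ops", "sales-db"}, {"ops", "vpn-dashboard"}},
)

func deny(reason string) Decision { return Decision{Allowed: false, Reason: reason} }

// postureProblem returns the first posture check the device fails, or "".
func postureProblem(d DevicePosture) string {
	switch {
	case !d.Registered:
		return "device " + d.DeviceID + " is not registered"
	case !d.Compliant:
		return "device " + d.DeviceID + " is marked non-compliant"
	case !d.Encrypted:
		return "device " + d.DeviceID + " has no disk encryption"
	case !d.UpToDate:
		return "device " + d.DeviceID + " is missing updates"
	}
	return ""
}

// Evaluate checks device posture first, so a failing device never reaches the
// identity rules, then requires an explicit grant for this user and service.
func (p *Policy) Evaluate(user string, dev DevicePosture, service string) Decision {
	if problem := postureProblem(dev); problem != "" {
		return deny(problem)
	}
	segment, ok := p.segments[service]
	if !ok {
		return deny("unknown service " + service)
	}
	if !p.grants[Grant{User: user, Service: service}] {
		return deny(fmt.Sprintf("no grant for %s to %s (segment %s)", user, service, segment))
	}
	return Decision{Allowed: true, Reason: fmt.Sprintf("%s may reach %s in segment %s", user, service, segment)}
}

// Reachable lists, sorted, the services a user on a given device can reach; a grant to
// one service exposes nothing else in the same segment.
func (p *Policy) Reachable(user string, dev DevicePosture) []string {
	var out []string
	for name := range p.segments {
		if p.Evaluate(user, dev, name).Allowed {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}
```

The order of the checks is the point: posture is evaluated before identity rules, so a non-compliant device gets the same "not launched" outcome whatever the user is entitled to, and the reason string names exactly one failed check so the log stays useful without leaking which later checks would have passed.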
6. Continuous Monitoring with SyncVPN:
- We’ve implemented the SyncVPN Dashboard, which collects logs from the SyncVPN application.
- The dashboard enables real-time observation of user activity and network behavior.
- Anomalies and potential security incidents are detected promptly.
- This monitoring aligns with the Zero Trust model, emphasizing continuous verification.
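As an added example (not the SyncVPN Dashboard and not from this page), the Go program below runs two detections of the kind continuous monitoring is meant to surface over VPN log lines: a burst of authentication failures from one peer, and one user being denied several different services within a short window, which is how a compromised but authenticated account looks from the VPN's side. The key=value log format, the field names and every log line are assumptions constructed for the example; the real dashboard export will need its own parser.

```go
// Added example, not the SyncVPN Dashboard: two detections run over VPN log lines.
// The key=value format and every line of sampleLog are constructed for the example.
package main

import (
	"fmt"
	"strings"
	"time"
)

// sampleLog (constructed): an unknown peer failing certificate checks three times in
// five seconds, then a trusted user being denied three different services.
const sampleLog = `2024-05-02T10:00:01Z peer=203.0.113.7 user=alice event=auth result=ok
2024-05-02T10:00:05Z peer=203.0.113.7 user=alice event=access service=bold-reports result=allow
2024-05-02T10:01:10Z peer=198.51.100.9 user=- event=auth result=fail reason=untrusted-ca
2024-05-02T10:01:12Z peer=198.51.100.9 user=- event=auth result=fail reason=untrusted-ca
2024-05-02T10:01:15Z peer=198.51.100.9 user=- event=auth result=fail reason=not-enrolled
2024-05-02T10:02:00Z peer=203.0.113.7 user=alice event=access service=sales-db result=deny
2024-05-02T10:02:03Z peer=203.0.113.7 user=alice event=access service=admin-console result=deny
2024-05-02T10:02:07Z peer=203.0.113.7 user=alice event=access service=jump-host result=deny
2024-05-02T11:30:00Z peer=203.0.113.44 user=bob event=auth result=fail reason=expired`

type Event struct {
	Time   time.Time
	Fields map[string]string
}

// ParseLog reads lines of "<RFC 3339 time> key=value ...", one event per line.
func ParseLog(text string) ([]Event, error) {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		parts := strings.Fields(line)
		if len(parts) < 2 {
			return nil, fmt.Errorf("short line: %q", line)
		}
		ts, err := time.Parse(time.RFC3339, parts[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", line, err)
		}
		e := Event{Time: ts, Fields: map[string]string{}}
		for _, kv := range parts[1:] {
			k, v, _ := strings.Cut(kv, "=")
			e.Fields[k] = v
		}
		events = append(events, e)
	}
	return events, nil
}

type Alert struct {
	Kind  string // "auth-failure-burst" or "service-probing"
	Key   string // the peer address or user name the alert is about
	Count int
}

// distinctServices counts how many different services the events name.
func distinctServices(evs []Event) int {
	seen := map[string]bool{}
	for _, e := range evs {
		seen[e.Fields["service"]] = true
	}
	return len(seen)
}

// Detect expects events in time order and raises at most one alert per peer or user per
// rule: failThreshold auth failures from one peer, or probeThreshold distinct denied services.
func Detect(events []Event, window time.Duration, failThreshold, probeThreshold int) []Alert {
	recent := map[string][]Event{} // rule:key -> events still inside the window
	alerted := map[string]bool{}
	var alerts []Alert
	for _, e := range events {
		var rule, key string
		switch {
		case e.Fields["event"] == "auth" && e.Fields["result"] == "fail":
			rule, key = "auth-failure-burst", e.Fields["peer"]
		case e.Fields["event"] == "access" && e.Fields["result"] == "deny":
			rule, key = "service-probing", e.Fields["user"]
		default:
			continue
		}
		id := rule + ":" + key
		win := recent[id][:0] // keep only the events still inside the window
		for _, old := range recent[id] {
			if e.Time.Sub(old.Time) <= window {
				win = append(win, old)
			}
		}
		recent[id] = append(win, e)
		count, threshold := len(recent[id]), failThreshold
		if rule == "service-probing" {
			count, threshold = distinctServices(recent[id]), probeThreshold
		}
		if count >= threshold && !alerted[id] {
			alerts = append(alerts, Alert{Kind: rule, Key: key, Count: count})
			alerted[id] = true
		}
	}
	return alerts
}
```

On the sample, a 60-second window with both thresholds at 3 yields exactly two alerts: the peer 198.51.100.9 after its third failed certificate check, and alice after her third distinct denied service; the single expired-certificate failure from bob stays below threshold. The window and thresholds are the tuning knobs a dashboard would expose, and the probing rule counts distinct services rather than raw denials so that one client retrying the same blocked request is not mistaken for a scan.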
By adopting a zero-trust security model and implementing VPN access through a forwarder VM, organizations can significantly enhance network security and reduce the risk of unauthorized access to internal resources.
Using SyncVPN to Connect to the Bold Reports Site
The Bold Reports site is hosted within a private cluster, making direct external access impossible. To enable secure access, we’ve set up SyncVPN. Here’s how it works:
1. Centralized VPN Server:
- We maintain a centralized VPN server that stores login details for all users and servers.
- This server acts as the gateway for VPN connections.
2. VM Forwarder Setup:
- Due to limitations, SyncVPN cannot be directly configured within the cluster.
- Instead, we’ve set up a VM (forwarder) within the Cluster VPC network.
- The forwarder VM handles routing and forwarding rules to redirect traffic from the VPN network to the Cluster Network.
3. User Workflow:
- Users initiate the connection by activating the SyncVPN application.
- The application performs the following steps:
  - Office 365 Authentication: Users log in using their Office 365 credentials.
  - Multi-Factor Authentication (MFA): Additional verification ensures secure access.
  - Device Verification and Compliance: The user’s device is checked for compliance (e.g., encryption, software updates).
- Once authenticated, the user requests a connection to the Bold Reports site.
4. VPN Server Interaction:
- The VPN server receives the connection request.
- It informs the forwarder VM about the user’s request.
- The forwarder VM holds details about the Bold Reports site’s location within the Cluster Network.
5. Secure Connection Establishment:
- The forwarder VM provides connection details (such as the IP address) to the user’s laptop.
- The forwarder VM and the user’s laptop establish a secure connection.
By following this workflow, users can securely connect to the Bold Reports site via SyncVPN, even when it’s hosted within a private cluster.