
Zero Trust Networks - pcr910303
https://crawshaw.io/blog/zero-trust
======
thanksforfish
This post is partially plugging
[https://tailscale.com](https://tailscale.com).

With everyone looking at remote work, tons of people must be questioning their
VPN strategy right now. I know we are.

I was going to complain that that's a closed source product (as I don't want to
use something closed source for my network access controls) but it looks like
the code is on GitHub, just not linked in an obvious way from the website.
[https://github.com/tailscale/tailscale](https://github.com/tailscale/tailscale)

Has anyone used this or checked out the code? I may give it a spin.

~~~
gz5
A few solutions worth evaluating, especially w/ what is going on right now
with the increased demand to securely support remote work:

1. Zscaler ZPA - closed source but from a market leader

2. Palo Alto - subjective if true zero trust but if you already have PA...

3. Akamai - based on an SDP acquisition which had good tech - not sure what
Akamai has done with it

4. NetFoundry - both open source and SaaS options

5. Nebula - strengths for east-west microservices. Open source from Slack.

6. Tailscale - listed above. New but open source.

7. Appgate - closed source but nice implementation of the use cases it
targets.

8. Illumio - a more mature version of Nebula; also targeted at east-west.

9. Centrify - closed source but solid option for IAM focused use cases.

10. Perimeter81 - not familiar with it but is well regarded.

11. Cloudflare - relatively new solution but leverages their network nicely

12. Duo - certainly was a nice solution - not sure what Cisco has done with
it.

13. ZeroTier - not familiar but adding per comments below

* Edits - added 11-13 per comments below in an attempt to make this a more comprehensive list.

~~~
api
I typically don't shill around here, but why isn't ZeroTier on that list? I
suppose we don't have a giant marketing budget (yet). We do have a product
used by hundreds of thousands for years and it has microsegmentation and other
nifty stuff like multicast.

[https://www.zerotier.com/](https://www.zerotier.com/)

Also not everything on that list is the same. Some of those are app-level
gateways, IAM infrastructure, etc. That's a bag of stuff for different use
cases.

Some of that stuff is also cloud proxy based, not mesh based. Maybe some
people don't care but I'm heavily biased toward peer-to-peer mesh. I find it
offensively stupid for packets to travel 1000 miles to reach a system next to
me or in the same city. Of course I guess everything has a use case. I might
opt for a cloud proxy if the bandwidth were low, the users and/or customer
were non-technical, and it was all web stuff.

~~~
0az
I've been using ZeroTier for a small collection of two devices plus two
servers. Honestly, the main pain points I have are UX: Android and Dashboard.
Other than that, I have no complaints.

~~~
api
Yep, UX is gonna get some love, especially desktop GUIs. The current ones are
going to get led behind the barn for the Old Yeller treatment soon.

We have generally been focusing on behind the scenes tech more than GUIs so
far.

~~~
omnifischer
Thank you 'api. I have been using zt at the university group of about 60
users. Must say it is very reliable. As for UI, we are OK with it. But one
thing is firewall config is too complex. Not enough examples: recently I saw
that zt-laduke posted a simple bridge tutorial on reddit. Would be great if
you made some examples in your wiki:

1. Allow only samba traffic

2. Allow only ssh traffic

3. Allow only RDP

I am sure it is kinda popular at r/datahoarder and related communities. Maybe
you need to apply for a GSOC type project - so that academics start using it
(will then later get used in corporate).

------
lqs469
> I am leery of jargon. I am as guilty of using it as the next engineer, but
> there comes a point where there are just too many precise, narrowly-
> understood terms polluting your vocabulary. The circle of people you can
> talk to shrinks until going to the store to buy milk feels like an exercise
> in speaking a foreign language you took one intro course to in college. Less
> jargon is better.

Before reading the paper, that beginning had hit me. That's a brilliant
writing skill.

------
badrabbit
> Zero Trust networking means treating the internal network just like an
> external network: authenticate every connection, encrypt all traffic, log
> everything. Plan as if every machine (virtual or otherwise) as if it is
> sitting on a public IP address.

Everyone knows that's the ideal network, but in practice it takes a lot of
resources; that's why people prioritize internet-exposed things. I mean,
outside of tech companies (even then...), most companies don't even fix critical
security vulns internally fast enough. Behold exemptions galore!

My problem is this term is used way beyond networking to mean so many different
things. What the author describes is not what half the security vendors think zero
trust means.

I don't dislike the term because it's jargon but because the ambiguity
leaves too much room to turn it into another box people check to have a false
sense of security.

Something like "AAA resource access" (Authentication, Authorization, Auditing is
a very old networking concept from Cisco land) might be a better term. You
gotta be unambiguous so it's easier to say "No, you have not implemented
that".

~~~
jiveturkey
My feelings exactly. I just wrote a similar comment before seeing yours. I'll
let mine stand because I cover some other points as well.

------
kerng
The entire "BeyondCorp" strategy from Google has probably done more harm than
good. Tons of smaller companies and well-known startups paid the price with
breaches left and right.

Removing or not deploying basic firewall controls to lock down traffic is ill
advised. Tons of exposed S3 buckets and other assets keep showing that.

Zero Trust is the correct strategy of course, but it doesn't mean you have to open
up your network to the entire world - it's in addition to already established
best practices. Better to continue those traditional practices and be more
thorough via micro-segmentation for instance, and identity on top of it.

~~~
closeparen
BeyondCorp does not imply opening up your network to the entire world! If
anything, it means locking down your network tighter, because not even the
office is privileged. Production is a black box that you touch by
authenticating through the same reverse proxy tier, no matter where outside of
it you are. In effect, _nginx_ is your “VPN” server and _everyone_ has to use
it.

Plenty of companies paid dearly for trusting every device that merely needed
internet access.

~~~
kerng
Internet-exposed bastion hosts to production that have no IP whitelisting are
not the best idea; unfortunately not uncommon nowadays.

~~~
closeparen
That's what a VPN server is.

~~~
kerng
Organizations that have high value assets would deploy multiple layers of
these, not just one, basically depending on value of assets.

~~~
closeparen
You're gonna get some pretty fun pathological networking behaviors tunneling
VPNs on VPNs.

------
bvandewalle
Zero Trust Network is now used by every other security vendor that wants to
rebrand itself as hip.

------
jiveturkey
opening sentence:

> precise, narrowly-understood terms

ha! if only zero trust were precise! By narrowly-understood, the author means
"well understood by those that speak jargon, but impenetrable to outsiders".
In this case though, there's a nice irony in that statement.

------
fulafel
Aka common sense.

------
nif2ee
This company has been exploiting HN for so long on a systematic basis. Really
tells you how things work here.

------
nif2ee
@dang please will you ever take action against this excessive and systematic
exploitation of this company to market its products for free here?

