DLAN: A New Approach to Network Segmentation and Zero-Trust in Industrial Security

Explore the future of zero-trust security in industrial networks. Learn how Trout Software's Demilitarized LAN (DLAN) Overlay enables scalable segmentation, device/user trust, and granular control, overcoming challenges of legacy systems and rising connectivity demands.

Introduction to Overlay Demilitarized LAN

Google's BeyondCorp whitepaper, published in 2014, set out why a network perimeter cannot be trusted as a security boundary. Over the following decade zero-trust principles saw broad adoption in IT and DevOps, but their adoption in industrial networks has been slower and harder. Two factors explain this: operators have limited control over end assets (PLCs, HMIs and similar devices often cannot run agents or be patched), and changing the physical network topology is expensive. At the same time, digital transformation requires more connectivity between these assets and the outside world, and perimeter firewalls and VLANs alone cannot address that combination.

Trout proposes a different approach: treat the industrial network as inherently insecure (the zero-trust premise) and deploy an Overlay Demilitarized LAN (DLAN) model, also referred to as Enclaves, on top of it. The aim is a scalable, incremental transition to a secured industrial network.

Traditional Security Models and Their Limitations

Traditional security models distinguish an external (untrusted) environment from an internal (trusted) one and rely on perimeter security to protect internal resources. In industrial settings, digitalization has gradually reached operational assets (Operational Technology, OT), and industrial companies have traditionally segmented their networks into zones using VLANs and perimeter firewalls. VLANs, however, only separate broadcast domains; they are not designed to enforce per-device access control, so a compromised asset can reach every other asset in its VLAN. A robust factory network should be designed under the assumption that at least one asset is already compromised, and VLAN segmentation does not meet that bar.

Principles Behind Overlay Demilitarized LANs

The Overlay Demilitarized LANs (or Enclaves) approach is based on four principles:

  1. Microsegmentation: Reduce each network segment to the minimal set of assets that need to communicate with each other without security controls in between. That set is a Demilitarized LAN (DLAN).

  2. Network Overlay: Deploy a virtual network that closely mirrors the current topology, so the transition to a secured, zero-trust environment is seamless for existing assets and requires no re-cabling.

  3. Encrypted Traffic: Front every DLAN with a proxy that routes traffic between DLANs or to the Internet. The proxy performs a protocol break (terminating the connection and re-establishing it on the other side), which gives it Layer 7 visibility and lets it enforce granular controls on the traffic it relays.

  4. Authenticated Communications: Use client certificates tied to machines (mutual TLS) to authenticate assets and to encrypt traffic end to end. Enforce user authentication with existing mechanisms (OIDC) or a new one (HTTP Knocking).

These principles are designed to create a zero-trust environment, enabling best-in-class and agile connectivity.

Components of an Overlay Demilitarized LAN

The components of an Overlay Demilitarized LAN (or Enclaves) include:

  1. Device Identity: Client certificates issued by a trusted Certificate Authority (CA) identify machines within the network; a certificate that does not chain to that CA does not identify an asset.

  2. Device Certificate Management: A central system that issues, renews and revokes machine certificates securely.

  3. User Certificates: Modern desktop environments provide strong authentication, often unlocked by biometrics, that can be bound to a TLS client certificate identifying the user.

  4. HTTP Knocking: A fallback for user authentication through a web interface, used where no federated identity system is available.

  5. OIDC Authentication: Authentication of users through OpenID Connect (OIDC), federating with an existing identity provider.

  6. Access Control Engine: Integrates with the device and user authentication mechanisms above and enforces permissions based on who the user is, which device the request comes from, and which DLAN or asset it is reaching.
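The components above come together in the access-control engine, which the proxy consults before relaying a request. The following is an added example written for this article, not Trout Software's engine: it takes a device identity parsed from a validated client certificate, a user identity from OIDC claims or an HTTP-knocking session, and an RBAC table, and it adds time-bounded temporary grants and an audit record per decision. The roles, groups, DLAN names, the read-only restriction on knock sessions and the fixed clock `T0` are assumptions made for the example.

```python
"""Added example: a small access-control engine of the kind a DLAN proxy
would call before forwarding a request. Hypothetical code written for this
article, not Trout Software's engine; the roles, groups and names are
assumptions made for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class DeviceIdentity:
    """What the proxy learns from the client certificate after mutual TLS."""
    common_name: str   # subject CN, e.g. "hmi-01.line3.dlan.example"
    dlan: str          # DLAN the certificate was issued for
    chain_valid: bool  # certificate chains to the internal CA


@dataclass(frozen=True)
class UserIdentity:
    """The user behind the device: OIDC claims, or an HTTP-knocking session."""
    subject: str
    groups: frozenset
    method: str        # "oidc" or "http-knock"


@dataclass(frozen=True)
class Grant:
    """Temporary access handed out after a new access attempt was noticed."""
    subject: str
    dlan: str
    expires_at: datetime


@dataclass
class Policy:
    group_roles: dict        # OIDC group -> role
    role_permissions: dict   # role -> {(dlan, http_method), ...}  (RBAC table)
    machine_peers: set       # {(src_dlan, dst_dlan)} allowed with no user at all
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # every decision, allowed or not


SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
T0 = datetime(2024, 6, 1, 8, 0, tzinfo=timezone.utc)   # fixed clock for the example


def later(hours: int) -> datetime:
    return T0 + timedelta(hours=hours)


def decide(policy: Policy, device: DeviceIdentity, user: Optional[UserIdentity],
           target_dlan: str, http_method: str, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason) and record the decision for visibility."""
    allowed, reason = _evaluate(policy, device, user, target_dlan, http_method, now)
    policy.audit.append({"time": now.isoformat(), "device": device.common_name,
                         "user": user.subject if user else None, "target": target_dlan,
                         "method": http_method, "allowed": allowed, "reason": reason})
    return allowed, reason


def _evaluate(policy, device, user, target_dlan, http_method, now):
    # 1. Device identity first: a certificate that does not chain to the
    #    internal CA is an unknown asset, whatever its subject claims.
    if not device.chain_valid:
        return False, "device certificate not issued by internal CA"
    # 2. No user: a machine-to-machine flow, allowed only for listed DLAN pairs.
    if user is None:
        if (device.dlan, target_dlan) in policy.machine_peers:
            return True, "machine peer allowed"
        return False, "no machine peer rule"
    # 3. HTTP knocking is the fallback for sites without federated identity;
    #    this example limits such sessions to read-only methods (an assumption).
    if user.method == "http-knock" and http_method not in SAFE_METHODS:
        return False, "knock session limited to read-only methods"
    # 4. RBAC: roles derived from the user's OIDC groups.
    roles = {policy.group_roles[g] for g in user.groups if g in policy.group_roles}
    for role in sorted(roles):
        if (target_dlan, http_method) in policy.role_permissions.get(role, set()):
            return True, f"role {role}"
    # 5. Temporary grants ("agile access") are time-bounded; expired ones are ignored.
    for g in policy.grants:
        if g.subject == user.subject and g.dlan == target_dlan and g.expires_at > now:
            return True, f"temporary grant until {g.expires_at.isoformat()}"
    return False, "no matching role or grant"


def grant_temporary(policy: Policy, subject: str, dlan: str, now: datetime,
                    hours: int = 4) -> Grant:
    """Operator response to an access notification: grant, with an expiry."""
    g = Grant(subject, dlan, now + timedelta(hours=hours))
    policy.grants.append(g)
    return g


def demo_policy() -> Policy:
    """Hypothetical plant: line 3 operators read and write line 3, maintenance
    reads lines 3 and 4, line 3 machines may push to the historian DLAN."""
    return Policy(
        group_roles={"line3-operators": "operator", "maintenance": "maintainer"},
        role_permissions={"operator": {("line3", "GET"), ("line3", "POST")},
                          "maintainer": {("line3", "GET"), ("line4", "GET")}},
        machine_peers={("line3", "historian")},
    )
```

The order of the checks is the point: device identity is settled before any user claim is looked at, a flow with no user is only ever allowed by an explicit DLAN-to-DLAN rule, and a temporary grant is consulted last and carries its own expiry, so the `audit` list shows exactly which rule let each request through.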

Building a Network Overlay

To build a network overlay:

  1. DLAN Namespace: Associate a URL with each DLAN, so that assets inside it are reachable through a URL prefix on the proxy rather than by their legacy address.

  2. DNS Proxy: Deploy a DNS proxy to control the DNS table, inserting new entries and routes so that the network can be migrated from its current structure to the overlay one DLAN at a time.

  3. Forward & Reverse Proxy: Front each DLAN with a proxy to obtain Layer 7 visibility into communications between users and devices.

  4. Device Firewalls: Attach a small, simple hardware firewall directly in front of each asset, providing minimal traffic filtering for devices that cannot run one themselves.

  5. Encrypted Tunnels: Establish encrypted tunnels between the edge firewall and the proxy to secure connections whose protocols or clients have no native proxy support.
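The namespace, DNS-proxy and proxy steps can be shown together. The block below is an added example, not Trout Software's implementation: a DLAN gets a namespace of the form `<asset>.<dlan>.dlan.example` (or the URL prefix `/<dlan>/<asset>/` on the proxy), the DNS proxy answers those names, and the legacy hostnames of assets already cut over, with the proxy address while forwarding everything else to the existing DNS, and the reverse proxy maps a request back to the asset's legacy address. The overlay domain `dlan.example`, the asset names and every address are assumptions made for the example.

```python
"""Added example, not Trout Software's code: the namespace, DNS-proxy and
proxy-routing steps of a network overlay, cutting DLANs over one at a time.
The overlay domain dlan.example, the asset names and every address are
assumptions made for this example."""
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple

OVERLAY_SUFFIX = "dlan.example"   # assumed domain under which every DLAN gets a namespace


def _labels(name: str) -> list:
    """Hostname -> lower-case labels, ignoring a :port and a trailing dot."""
    return name.split(":")[0].lower().rstrip(".").split(".")


def parse_overlay_name(host: str) -> Optional[Tuple[str, str]]:
    """'<asset>.<dlan>.dlan.example' -> (dlan, asset); anything else -> None."""
    parts, suffix = _labels(host), _labels(OVERLAY_SUFFIX)
    if len(parts) == len(suffix) + 2 and parts[2:] == suffix:
        return parts[1], parts[0]
    return None


@dataclass
class Overlay:
    proxy_ip: str                                    # what every overlay name resolves to
    legacy_resolve: Callable[[str], Optional[str]]   # the existing DNS, for everything else
    dlans: dict = field(default_factory=dict)        # dlan -> {asset short name: legacy ip}
    migrated: set = field(default_factory=set)       # dlans already fronted by the proxy

    def define_dlan(self, name: str, assets: dict) -> None:
        self.dlans[name] = dict(assets)

    def migrate(self, name: str) -> None:
        """Cut one DLAN over; from now on its names answer with the proxy."""
        if name not in self.dlans:
            raise KeyError(f"unknown DLAN {name}")
        self.migrated.add(name)

    def fqdn(self, dlan: str, asset: str) -> str:
        return f"{asset}.{dlan}.{OVERLAY_SUFFIX}"

    def _by_legacy_name(self, host: str) -> Optional[Tuple[str, str]]:
        """Legacy hostname of an asset in a migrated DLAN -> (dlan, asset)."""
        short = _labels(host)[0]
        for dlan in sorted(self.migrated):
            if short in self.dlans[dlan]:
                return dlan, short
        return None

    def resolve(self, qname: str) -> Optional[str]:
        """DNS proxy. Overlay names of migrated DLANs, and the legacy hostnames
        of assets in those DLANs, answer with the proxy address so clients need
        no reconfiguration; every other name is forwarded to the legacy DNS."""
        parsed = parse_overlay_name(qname)
        if parsed is not None:
            dlan, asset = parsed
            if dlan in self.migrated and asset in self.dlans[dlan]:
                return self.proxy_ip
            return None                           # NXDOMAIN: not an exposed asset
        if self._by_legacy_name(qname) is not None:
            return self.proxy_ip
        return self.legacy_resolve(qname)

    def route(self, host: str, path: str = "/") -> Optional[Tuple[str, str, str, str]]:
        """Reverse proxy. Maps a request to (dlan, asset, backend_ip, upstream_path)
        from the overlay name, the legacy hostname, or the URL prefix
        /<dlan>/<asset>/... on the proxy itself; None if it is not routable."""
        target, upstream = parse_overlay_name(host) or self._by_legacy_name(host), path
        if target is None:
            segs = [s for s in path.split("/") if s]
            if len(segs) >= 2:
                target, upstream = (segs[0], segs[1]), "/" + "/".join(segs[2:])
        if target is None:
            return None
        dlan, asset = target
        if dlan not in self.migrated or asset not in self.dlans.get(dlan, {}):
            return None                           # not fronted yet, or unknown asset
        return dlan, asset, self.dlans[dlan][asset], upstream


def demo_overlay() -> Overlay:
    """Constructed plant: line 3 already behind the proxy, line 4 still legacy."""
    legacy_dns = {"plc-01": "10.3.0.11", "hmi-01": "10.3.0.20",
                  "plc-02": "10.4.0.11", "ntp.factory.local": "10.0.0.5"}
    ov = Overlay(proxy_ip="10.200.0.1",
                 legacy_resolve=lambda n: legacy_dns.get(n.lower().rstrip(".")))
    ov.define_dlan("line3", {"plc-01": "10.3.0.11", "hmi-01": "10.3.0.20"})
    ov.define_dlan("line4", {"plc-02": "10.4.0.11"})
    ov.migrate("line3")
    return ov
```

Two details matter in practice. Answering the legacy hostname with the proxy address is what lets unmodified clients be pulled through the proxy without touching their configuration, and the proxy refuses to route to a DLAN that has not been migrated, so a namespace is only reachable once the proxy actually fronts it.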

End-to-End Example for Overlay Demilitarized LAN Implementation

  1. Define a DLAN: Gain visibility into network traffic and use it to identify which assets communicate directly with each other; that set is the DLAN boundary.

  2. Define a Namespace: Assign a unique name to the DLAN and dynamically issue a certificate for it from the Public Key Infrastructure (PKI) through the Certificate Authority (CA).

  3. Configure the Access Control Engine: Define which users and groups may access the DLAN, using Role-Based Access Control (RBAC).

  4. Visibility and Monitoring: Route traffic through the proxy to obtain comprehensive visibility into the communications.

  5. Agile Access: Add a notification mechanism that flags new access attempts and offers a simple way to grant temporary, time-bounded access when the attempt is legitimate.

  6. Lock in the New State with the Asset Firewall: Configure the firewall to accept traffic only from the proxy, so that every communication with the asset is monitored and controlled.
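The first and last steps of this procedure are the ones with concrete inputs and outputs, so they are worked below as an added example (hypothetical, not Trout Software's tooling). Observed flows are grouped into candidate DLANs, with two assets landing in the same DLAN when they exchange traffic directly; shared services are kept out of the grouping, because a DNS, NTP or historian server talks to everyone and would otherwise collapse the whole plant into one DLAN. For each asset the block then emits an nftables ruleset that admits the proxy on the asset's observed service ports and the asset's own DLAN peers, and drops everything else. The flow records, addresses, ports and the proxy address are constructed for the example.

```python
"""Added example (hypothetical, not Trout Software's tooling): the first and
last steps of the procedure above. Observed flows are grouped into candidate
DLANs (assets that talk to each other directly), shared services are kept out
of the grouping, and each asset gets an nftables ruleset that admits the proxy
and the asset's own DLAN peers only. All flow records, addresses and ports are
constructed for the example."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[str, str, int]   # (src_ip, dst_ip, dst_port), TCP, as a flow collector exports it


class _UnionFind:
    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        self.parent[self.find(a)] = self.find(b)


def discover_dlans(flows: Iterable[Flow], shared_services: Set[str]) -> List[Set[str]]:
    """Group assets into candidate DLANs: two assets share a DLAN when they
    exchange traffic directly. Shared services (DNS, NTP, historian) talk to
    everyone and would collapse the whole plant into one DLAN, so they are
    left out here and are reached through the proxy instead."""
    uf = _UnionFind()
    for src, dst, _port in flows:
        if src in shared_services or dst in shared_services:
            continue
        uf.union(src, dst)
    groups: Dict[str, Set[str]] = defaultdict(set)
    for ip in list(uf.parent):
        groups[uf.find(ip)].add(ip)
    return sorted(groups.values(), key=lambda g: min(g))


def service_ports(flows: Iterable[Flow], asset: str) -> List[int]:
    """Ports the asset was seen serving; the only ports the proxy may reach."""
    return sorted({port for _src, dst, port in flows if dst == asset})


def asset_firewall(asset: str, dlan: Set[str], proxy_ip: str, ports: List[int]) -> str:
    """nftables ruleset for the firewall attached to one asset: policy drop,
    the proxy may open the asset's service ports, DLAN peers may talk freely.
    For a one-asset DLAN the peer rule vanishes and only the proxy remains."""
    peers = sorted(dlan - {asset})
    lines = ["table inet dlan_guard {",
             "  chain input {",
             "    type filter hook input priority 0; policy drop;",
             "    iif lo accept",
             "    ct state established,related accept",
             "    ct state invalid drop"]
    if ports:
        dport = str(ports[0]) if len(ports) == 1 else "{ " + ", ".join(map(str, ports)) + " }"
        lines.append(f"    ip saddr {proxy_ip} tcp dport {dport} accept")
    if peers:
        lines.append("    ip saddr { " + ", ".join(peers) + " } accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


SAMPLE_FLOWS: List[Flow] = [            # constructed, not data from a real plant
    ("10.3.0.20", "10.3.0.11", 502),    # line 3 HMI -> PLC, Modbus/TCP
    ("10.3.0.20", "10.3.0.12", 502),    # line 3 HMI -> second PLC
    ("10.4.0.20", "10.4.0.11", 502),    # line 4 HMI -> PLC
    ("10.3.0.20", "10.0.0.5", 123),     # HMIs -> NTP (shared service)
    ("10.4.0.20", "10.0.0.5", 123),
    ("10.3.0.11", "10.0.0.9", 443),     # PLCs -> historian (shared service)
    ("10.4.0.11", "10.0.0.9", 443),
    ("10.9.0.7", "10.3.0.11", 44818),   # engineering laptop -> line 3 PLC, EtherNet/IP
]
SHARED_SERVICES = {"10.0.0.5", "10.0.0.9"}
PROXY_IP = "10.200.0.1"


def plan(flows: Iterable[Flow] = SAMPLE_FLOWS, shared: Set[str] = SHARED_SERVICES,
         proxy_ip: str = PROXY_IP) -> Dict[str, str]:
    """Asset -> ruleset, for every asset in every discovered DLAN."""
    flows = list(flows)
    return {asset: asset_firewall(asset, dlan, proxy_ip, service_ports(flows, asset))
            for dlan in discover_dlans(flows, shared) for asset in sorted(dlan)}


if __name__ == "__main__":
    for asset, rules in plan().items():
        print(f"# {asset}\n{rules}\n")
```

The discovered grouping is a proposal to review, not a final answer: in the constructed data the engineering laptop (10.9.0.7) lands inside the line 3 DLAN because it spoke to a PLC directly, and the right response is to take it out of the DLAN and let it reach the PLC through the proxy with user authentication. Running `plan()` on flows where every asset talks to a shared service without excluding that service returns a single DLAN, which is the failure mode to watch for.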

Conclusion

The Overlay Demilitarized LAN (DLAN), also referred to as Enclaves, offers a scalable transition to secure industrial networks by starting from the assumption that the industrial network is inherently insecure. By applying the four principles of microsegmentation, network overlay, encrypted traffic and authenticated communications, industrial network teams can deploy best-in-class and agile connectivity without re-cabling the plant. This approach addresses the limitations of perimeter-and-VLAN security models and provides a robust path through the evolving challenges of digital transformation in industrial settings.