Palo Alto Networks Cybersecurity Academy: Perimeter-Based Security Models

The document discusses perimeter-based network security models and their limitations. It introduces the Zero Trust security model, which removes the assumption of trust and requires verification for all entities. The core principles of Zero Trust include securely accessing all resources regardless of location, adopting least privilege access control, and inspecting all traffic. A Zero Trust architecture uses segmentation platforms to define trust boundaries and provide security functionality like access control and threat monitoring.


Palo Alto Networks Cybersecurity Academy

Perimeter-Based Security Models


Perimeter-based network security models date back to the early mainframe era (circa late 1950s), when large
mainframe computers were located in physically secure “machine rooms” that could be accessed by only a
relatively limited number of remote job entry (RJE) “dumb” terminals that were directly connected to the
mainframe and also located in physically secure areas. Today’s data centers are the modern equivalent of
machine rooms, but perimeter-based physical security is no longer sufficient for several obvious, but
important reasons:

• Mainframe computers predate the internet. In fact, mainframe computers predate ARPANET, which
predates the internet. Today, an attacker uses the internet to remotely gain access, rather than
physically breaching the data center perimeter.

• Data centers today are remotely accessed by literally millions of remote endpoint devices from
anywhere and at any time. Unlike the RJEs of the mainframe era, modern endpoints (including mobile
devices) are far more powerful than many of the early mainframe computers and are targets
themselves.

• The primary value of the mainframe computer was its processing power. The relatively limited data
that was produced was typically stored on near-line media, such as tape. Today, data is the target, it is
stored online in data centers and in the cloud, and it is a high value target for any attacker.

The primary issue with a perimeter-based network security strategy in which countermeasures are deployed
at a handful of well-defined ingress/egress points to the network is that it relies on the assumption that
everything on the internal network can be trusted. However, this assumption is no longer a safe one to make,
given modern business conditions and computing environments where:

• Remote employees, mobile users, and cloud computing solutions blur the distinction between
“internal” and “external”

• Wireless technologies, the proliferation of partner connections, and the need to support guest users
introduce countless additional pathways into the network, as do branch offices that may be located in
untrusted countries or regions.

• Insiders, whether intentionally malicious or just careless, may present a very real security threat.

Perimeter-based strategies also fail to account for:

• The potential for sophisticated cyber threats to penetrate perimeter defenses in which case they
would then have free passage on the internal network

• Scenarios where malicious users can gain access to the internal network and sensitive resources by
using the stolen credentials of trusted users

© 2020 Palo Alto Networks Cybersecurity Academy http://paloaltonetworksacademy.net


• The reality that internal networks are rarely homogeneous, but instead include pockets of users and
resources with inherently different levels of trust/sensitivity that should ideally be separated in any
event (for example, research and development and financial systems versus print/file servers)

A broken trust model is not the only issue with perimeter-centric approaches to network security. Another
contributing factor is that traditional security devices and technologies (such as port-based firewalls)
commonly used to build network perimeters let too much unwanted traffic through. Typical shortcomings in
this regard include the inability to:

• Definitively distinguish good applications from bad ones (which leads to overly permissive access
control settings)

• Adequately account for encrypted application traffic

• Accurately identify and control users (regardless of where they’re located or which devices they’re
using)

• Filter allowed traffic not only for known application-borne threats but also for unknown ones

The net result is that re-architecting defenses in a way that creates pervasive internal trust boundaries is, by
itself, insufficient. You must also ensure that the devices and technologies used to implement these
boundaries actually provide the visibility, control, and threat inspection capabilities needed to securely enable
essential business applications while still thwarting modern malware, targeted attacks, and the unauthorized
exfiltration of sensitive data.

Zero Trust

Introduced by Forrester Research, the Zero Trust security model addresses some of the limitations of
perimeter-based network security strategies by removing the assumption of trust from the equation. With
Zero Trust, essential security capabilities are deployed in a way that provides policy enforcement and
protection for all users, devices, applications, data resources, and the communications traffic between them,
regardless of location.

In particular, with Zero Trust there is no default trust for any entity — including users, devices, applications,
and packets — regardless of what it is and its location on or relative to the enterprise network. Verification
that authorized entities are always doing only what they’re allowed to do also is no longer optional in a Zero
Trust model; it’s now mandatory.

The implications of these two changes are, respectively:

• The need to establish trust boundaries that effectively compartmentalize different segments of the
internal computing environment. The general idea is to move security functionality closer to the
different pockets of resources that require protection. This way it can always be enforced regardless of
the point of origin of associated communications traffic.

• The need for trust boundaries to do more than just initial authorization and access control
enforcement. To “always verify” also requires ongoing monitoring and inspection of associated
communications traffic for subversive activities (such as threats).

Benefits of implementing a Zero Trust network include:

• Clearly improved effectiveness in mitigating data loss with visibility and safe enablement of
applications, and detection and prevention of cyber threats

• Greater efficiency for achieving and maintaining compliance with security and privacy mandates, using
trust boundaries to segment sensitive applications, systems, and data

• Improved ability to securely enable transformative IT initiatives, such as user mobility, BYOD/BYOA,
infrastructure virtualization, and cloud computing

• Lower total cost of ownership (TCO) with a consolidated and fully integrated security operating
platform, rather than a disparate array of purpose-built security point products

Core Zero Trust design principles


The core Zero Trust principles that define the operational objectives of a Zero Trust implementation include:

• Ensure that all resources are accessed securely, regardless of location. This principle suggests not only
the need for multiple trust boundaries but also increased use of secure access for communication to or
from resources, even when sessions are confined to the “internal” network. It also means ensuring
that the only devices allowed access to the network have the correct status and settings, have an
approved VPN client and proper passcodes, and are not running malware.

• Adopt a least privilege strategy and strictly enforce access control. The goal is to absolutely minimize
allowed access to resources as a means to reduce the pathways available for malware and attackers to
gain unauthorized access — and subsequently to spread laterally and/or infiltrate sensitive data.

• Inspect and log all traffic. This principle reiterates the need to “always verify” while also reinforcing
that adequate protection requires more than just strict enforcement of access control. Close and
continuous attention must also be given to exactly what is happening in “allowed” applications, and
the only way to accomplish these goals is to inspect the content for threats.

Key Terms
The principle of least privilege in network security requires that only the permission or access rights
necessary to perform an authorized task are granted.

Zero Trust conceptual architecture


The main components of a Zero Trust conceptual architecture (shown in Figure 1-7) include:

• Zero Trust Segmentation Platform. The Zero Trust Segmentation Platform is referred to as a network
segmentation gateway by Forrester Research. It is the component used to define internal trust
boundaries. That is, it provides the majority of the security functionality needed to deliver on the Zero
Trust operational objectives, including the ability to:

• Enable secure network access
• Granularly control traffic flow to and from resources
• Continuously monitor allowed sessions for any threat activity

Figure 1-7: Zero Trust conceptual architecture

Although Figure 1-7 depicts the Zero Trust Segmentation Platform as a single component in a single
physical location, in practice – because of performance, scalability, and physical limitations – an
effective implementation is more likely to entail multiple instances distributed throughout an
organization’s network. The solution also is designated as a “platform” to reflect that it is an
aggregation of multiple distinct (and potentially distributed) security technologies that operate as part
of a holistic threat protection framework to reduce the attack surface and correlate information about
threats that are found.

• Trust zones. Forrester Research refers to a trust zone as a micro core and perimeter (MCAP). A trust
zone is a distinct pocket of infrastructure where the member resources not only operate at the same
trust level but also share similar functionality. Sharing of functionality such as protocols and types of
transactions is imperative because it is needed to actually minimize the number of allowed pathways
into and out of a given zone and, in turn, minimize the potential for malicious insiders and other types
of threats to gain unauthorized access to sensitive resources.

Examples of trust zones shown in Figure 1-7 include the user (or campus) zone, a wireless zone for
guest access, a cardholder data zone, database and application zones for multi-tier services, and a zone
for public-facing web applications.

Remember, too, that a trust zone is not intended to be a “pocket of trust” where systems (and
therefore threats) within the zone can communicate freely and directly with each other. For a full Zero
Trust implementation, the network would be configured to ensure that all communications traffic —
including traffic between devices in the same zone — is intermediated by the corresponding Zero Trust
Segmentation Platform.

• Management infrastructure. Centralized management capabilities are crucial to enabling efficient
administration and ongoing monitoring, particularly for implementations involving multiple distributed
Zero Trust Segmentation Platforms. A data acquisition network also provides a convenient way to
supplement the native monitoring and analysis capabilities for a Zero Trust Segmentation Platform. By
forwarding all session logs to a data acquisition network, this data can then be processed by any
number of out-of-band analysis tools and technologies intended, for example, to further enhance
network visibility, detect unknown threats, or support compliance reporting.

Key Zero Trust criteria and capabilities


The heart of any Zero Trust network security architecture is the Zero Trust Segmentation Platform, so you
must choose the correct solution. This module identifies a set of key criteria and capabilities for IT security
managers and architects to consider when they select a Zero Trust Segmentation Platform, including:

• Secure access. Consistent secure IPsec and SSL VPN connectivity is provided for all employees,
partners, customers, and guests wherever they’re located (for example, at remote or branch offices, on
the local network, or over the internet). Policies to determine which users and devices can access
sensitive applications and data can be defined based on application, user, content, device, and device
state.

• Inspection of all traffic. Application identification accurately identifies and classifies all traffic,
regardless of ports and protocols, and evasive tactics such as port hopping or encryption. This
inspection eliminates methods that malware may use to hide from detection and provides complete
context into applications, associated content, and threats.

• Least-privilege access control. The combination of application, user, and content identification
delivers a positive control model that allows organizations to control interactions with resources based
on an extensive range of business-relevant attributes, including the specific application and individual
functions being used, user and group identity, and the specific types or pieces of data being accessed
(such as credit card or Social Security numbers). The result is truly granular access control that safely
enables the correct applications for the correct sets of users while automatically preventing unwanted,
unauthorized, and potentially harmful traffic from gaining access to the network.

• Cyber threat protection. A combination of anti-malware, intrusion prevention, and cyber threat
prevention technologies provides comprehensive protection against both known and unknown threats,
including threats on mobile devices. Support for a closed-loop, highly integrated defense also ensures
that inline enforcement devices and other components in the threat protection framework are
automatically updated.

• Coverage for all security domains. Virtual and hardware appliances establish consistent and
cost-effective trust boundaries throughout an organization’s entire network, including in remote or
branch offices, for mobile users, at the internet perimeter, in the cloud, at ingress points throughout
the data center, and for individual areas wherever they might exist.

Implementing a Zero Trust design


Implementation of a Zero Trust network security model doesn’t require a major overhaul of an organization’s
network and security infrastructure. A Zero Trust design architecture can be implemented in a way that
requires only incremental modifications to the existing network and is completely transparent to your users.
Advantages of such a flexible, non-disruptive deployment approach include minimizing the potential impact
on operations and being able to spread the required investment and work effort over time.

To get started, you can configure a Zero Trust Segmentation Platform in listen-only mode to obtain a detailed
picture of traffic flows throughout the network, including where, when, and the extent to which specific users
are using specific applications and data resources.

Now that you are armed with a detailed understanding of the network traffic flows in the environment, the
next step is to define trust zones and incrementally establish corresponding trust boundaries based on relative
risk and/or sensitivity of the data involved:

• Deploy devices in appropriate locations to establish internal trust boundaries for defined trust zones

• Configure the appropriate enforcement and inspection policies to effectively put each trust boundary
“online”

From there, you can then progressively establish trust zones and boundaries for other segments of the
computing environment based on their relative degree of risk. Examples where secure trust zones can be
established are:

• IT management systems and networks (where administrators often hold the proverbial “keys to the
kingdom” and a successful breach could lead to compromise of the entire network)

• Partner resources and connections (business-to-business, or B2B)

• High-profile, customer-facing resources and connections (business-to-consumer, or B2C)

• Branch offices in risky countries or regions, followed by all other branch offices

• Guest access networks (both wireless and wired)

• Campus networks

Zero Trust principles and concepts need to be implemented at major access points to the internet. You will
have to replace or augment legacy network security devices with a Zero Trust Segmentation Platform at this
deployment stage to gain all of the requisite capabilities and benefits of a Zero Trust security model.
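The deployment procedure described above (observe in listen-only mode, then derive trust boundaries and put them online incrementally) as a worked example over session logs. This is added here and is not from the Academy module or from any Palo Alto Networks product; the key=value log format, the zone and user names and the session records are constructed for illustration.

```python
"""From listen-only observation to candidate trust-boundary policy.
Added example with constructed logs; the log format and zone names are assumptions."""
import re
from collections import Counter, defaultdict

# Constructed listen-only session log: the segmentation platform sees every session but
# enforces nothing yet. One record per line, key=value fields.
LISTEN_ONLY_LOG = """\
ts=2024-03-04T09:01:12Z src_zone=campus dst_zone=web-dmz user=alice app=web-browsing bytes=51200
ts=2024-03-04T09:01:40Z src_zone=campus dst_zone=web-dmz user=bob app=ssl bytes=20480
ts=2024-03-04T09:02:03Z src_zone=campus dst_zone=cardholder user=carol app=pos-app bytes=8192
ts=2024-03-04T09:02:31Z src_zone=cardholder dst_zone=db user=svc-pos app=mysql bytes=4096
ts=2024-03-04T09:03:05Z src_zone=campus dst_zone=web-dmz user=alice app=web-browsing bytes=12288
ts=2024-03-04T09:03:44Z src_zone=cardholder dst_zone=db user=svc-pos app=mysql bytes=2048
ts=2024-03-04T09:04:10Z src_zone=campus dst_zone=cardholder user=carol app=pos-app bytes=1024
ts=2024-03-04T09:05:57Z src_zone=campus dst_zone=db user=dave app=mysql bytes=9216
ts=2024-03-04T09:06:22Z src_zone=guest-wifi dst_zone=internet user=guest-17 app=ssl bytes=307200
ts=2024-03-04T09:07:01Z src_zone=campus dst_zone=web-dmz user=bob app=ssl bytes=6144
"""

FLOW_KEYS = ("src_zone", "dst_zone", "app")


def parse_log(text):
    """Parse key=value session records (one per line) into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(re.findall(r"(\w+)=(\S+)", line))
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records


def flow_key(rec):
    """The tuple a trust-boundary rule is written in terms of: (src_zone, dst_zone, app)."""
    return tuple(rec[k] for k in FLOW_KEYS)


def baseline(records, min_sessions=2):
    """Aggregate observed sessions into flows. Flows seen at least min_sessions times become
    candidate allow rules (with the users seen on them); rarer flows are returned separately
    for manual review before the boundary goes online. Returns (candidates, review)."""
    counts = Counter(flow_key(r) for r in records)
    users = defaultdict(set)
    for r in records:
        users[flow_key(r)].add(r["user"])
    candidates = {f: sorted(users[f]) for f, n in counts.items() if n >= min_sessions}
    review = {f: sorted(users[f]) for f, n in counts.items() if n < min_sessions}
    return candidates, review


def dry_run(records, candidates):
    """Simulate putting the boundary online with default deny and only the candidate rules.
    Returns (verdict counts, records that would have been denied)."""
    denied = [r for r in records if flow_key(r) not in candidates]
    verdicts = Counter("allow" if flow_key(r) in candidates else "deny" for r in records)
    return verdicts, denied


if __name__ == "__main__":
    recs = parse_log(LISTEN_ONLY_LOG)
    cands, review = baseline(recs)
    for flow, who in cands.items():
        print("candidate rule", flow, "users:", who)
    for flow, who in review.items():
        print("REVIEW before enforcing", flow, "users:", who)
    verdicts, denied = dry_run(recs, cands)
    print(verdicts, [(d["user"], flow_key(d)) for d in denied])
```

On the constructed log the two flows that fall out for review are exactly the ones a practitioner would want to look at before enforcement: a campus workstation talking straight to the database zone, bypassing the application tier, and a guest device reaching the internet without a defined rule. The dry run is the "put each trust boundary online" step done on paper first, so the operational impact of default deny is known before any session is actually dropped.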
