
IEEE INFOCOM WKSHPS: ICCN 2021: IEEE International Workshop on Intelligent Cloud Computing and Networking

Zero trust using Network Micro Segmentation

IEEE INFOCOM 2021 - IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS) | 978-1-6654-0443-3/21/$31.00 ©2021 IEEE | DOI: 10.1109/INFOCOMWKSHPS51825.2021.9484645

Nabeel Sheikh, Electrical and Computer Engineering, Stevens Institute of Technology, Hoboken, NJ, USA, nsheikh@stevens.edu
Mayur Pawar, Cybersecurity Dept, PricewaterhouseCoopers LLP, Toronto, Canada, mayur.p.pawar@pwc.com
Victor Lawrence, Electrical and Computer Engineering, Stevens Institute of Technology, Hoboken, NJ, USA, vlawrenc@stevens.edu

Abstract—Current enterprise infrastructures are undergoing significant security transformations as traditional infrastructures and data centers are being replaced by cloud computing environments hosting dynamic workloads. Current network security best practices are not well suited for traditional data centers where network micro segmentation is required. In this paper, we present a novel network security architecture that supports the zero trust approach, based on a concept that inspects network traffic for port and protocol information to allow authorized communication. This approach is demonstrated in a cloud computing data center environment.

Keywords - cybersecurity, micro-segmentation, cloud, transport, authentication, zero trust.

I. INTRODUCTION

In recent years, network-based cybersecurity attacks have increased in both frequency and severity, far outstripping traditional defense methods. For example, a moderately-sized commercial data center network can experience over 100,000 security events per day [1-4]. These attacks may be launched by a wide range of bad actors, ranging from individual hackers to cyber-gangs motivated to create social disruption to large well-organized groups with political or financial intention. Additionally, these attacks have various goals, including compromising critical network infrastructures such as the Domain Name Server (DNS) systems or a Software Defined Network (SDN) controller. [1]

In response to the growing number and sophistication of cybersecurity threats, a United States Presidential Executive Order on Cybersecurity was issued in February 2013 [4]. This order outlined a clear and present danger from cyber-attacks and made Cyber Defense a national priority for organizations such as the Department of Homeland Security and the National Science Foundation. In particular, this Executive Order included a call to action which tasked the National Institute of Standards and Technology (NIST) with creating a set of voluntary policies and guidelines to help develop the U.S. cybersecurity framework [4]. In response to this request, numerous federal agencies and industry representatives from the finance, utility, and telecommunication sectors began to develop a fundamentally different approach to cybersecurity, taking into account dynamic environmental trends such as pervasive mobility and big data analytics. The resulting report by NIST proposed the so-called "zero trust model" for information security. While this novel architecture is still in development and many of the elements described in this framework are not commercially available at this time, significant progress has been made in recent years towards the development of tools to support zero trust architectures. The importance of cyberinfrastructure has since been reinforced by additional Executive Orders in this area.

Zero trust is intended to provide a dynamically scalable security infrastructure that can be applied across many different types of organizations. A fundamental principle of zero trust involves authorizing secure communication between the resources, regardless of their environment and location, and assuming all network communication is a threat until it is attested, authorized, and secured. This is not merely an extension of security principles such as deny by default, least privilege, or role-based access control. Rather, it redefines the approach to ring-fence the application resources and to whitelist traffic between them, a fundamental principle in which resources to be protected are grouped together and securely isolated or partitioned to limit unauthorized access. [1]

In this paper, we have used Illumio, a network micro-segmentation tool, to demonstrate Zero Trust at the network layer. This tool uses the concept of labeling to write policies that whitelist traffic between the source and the destination. The tool has two major components: the Policy Compute Engine (PCE), which is the brain of the tool, and the Virtual Enforcement Node (VEN) agents, which send telemetry traffic information between the source and destination to the PCE. The policy compute engine is used for writing and enforcing the policies, based on the traffic information sent, that whitelist the traffic between the source and the destination. The tool takes over the host-based firewall on the source and destination where the Virtual Enforcement Node (VEN) agents are installed and allows only the whitelisted traffic.

Figure 1: High Level Zero Trust Eco System by Forrester

II. RELATED WORK

Zero trust architecture involves compensating security controls and threat models that no longer assume that actors, users, systems, or services operating from within the security
perimeter should be trusted by default, and instead everything must be verified before operations. Zero trust involves "least privilege" – only providing access on a need basis. The result of this approach is ring-fencing application resources within the perimeter, also called micro-segmentation, whereby the network is broken into small network zones, each of which requires authorization to access.

Most application resources use Peer-to-Peer (P2P) models, including Windows/Linux operating systems and mesh network architectures. Decentralized Peer-to-Peer communications break the network micro-segmentation model, which voids the zero trust approach. Peer-to-Peer systems also share data with little or no authentication/authorization, thereby breaking the concept of least privilege.

When public and private cloud services work together and unify to deliver a service that is not common, this also breaks the segmentation model.

We deployed three virtual machines named VirtualMachine1, VirtualMachine2, and VirtualMachine3 in Microsoft's Azure environment; they were connected to the internet and their deployment was successful. In the Illumio tool, these virtual machines are named R-App, R-DB, and R-Web as per their roles in the application stack.

III. FORMAL DEFINITION OF THE COMPONENTS

Numerous logical components make up a Zero Trust ecosystem in an enterprise. As shown in Figure 1, these components may be operated in an on-premises environment or through a cloud-based environment. The conceptual framework model in Figure 2 shows the basic relationship between the components and their interactions with each other. From Figure 2, the policy decision point (PDP) is broken down into two logical components: the policy engine and the policy administrator (defined below). Zero Trust's logical components use a control plane to write and enforce policies, while application data is transferred via a data plane. [9]

Figure 2: Core Zero trust Logical Components

Policy engine (PE) [9]: This component is the brain, responsible for granting access to a resource from a given source. The PE uses telemetry network traffic data, as well as input from external sources like Continuous Diagnostic Mitigation (CDM) systems and threat intelligence services, as input to a trust algorithm that whitelists access between resources. It is integrated with the policy administrator component. The policy engine computes access decisions (as whitelisted or denied), and the policy administrator enforces them.

Policy administrator (PA) [9]: This component is responsible for establishing and/or shutting down the communication path between a source and a destination (via commands to relevant PEPs). It performs authentication and authorization or validates the credential used by a source to access a resource. It is closely coupled with the PE and relies on its decision algorithm to whitelist communication.

Policy enforcement point (PEP) [9]: This component is responsible for opening, monitoring, and eventually closing connections between a source and a destination resource. The PEP communicates with the PA to receive policy decisions/updates from the PE. This is a single logical component in Zero trust architecture but may be broken into two different components: source (e.g., agent on an application workload) and destination (e.g., gateway component in front of the resource that controls access). Beyond the PEP is the trust zone hosting the enterprise resource. If the communication is authorized and authenticated, the PA signals the PEP to open the communication. If the session is denied (or a previous approval is countermanded), the PA signals the PEP to close the communication. Some architectures may treat the PE and PA as a single service; however, it can be divided into two logical components. The PA communicates with the PEP via the control plane when creating the communication path.

In addition to the core components in an enterprise implementing zero trust, several data sources provide input to the policy engine when making access decisions. These include internal local data sources as well as external (i.e., non-enterprise-controlled or -created) data sources. These can include: [9]

Continuous Diagnostics and Mitigation (CDM) system: These gather information about the enterprise asset's current state and apply updates to configuration and software components. An enterprise Continuous Diagnostic Mitigation (CDM) system provides the policy engine with information about the asset making an access request, such as whether it is running the appropriately patched operating system (OS), the integrity of enterprise-approved software components, the presence of non-approved components, and whether the asset has any known vulnerabilities. Continuous diagnostic mitigation systems (CDM) are also responsible for identifying and potentially enforcing a subset of policies on non-enterprise devices active on enterprise infrastructure.

Industry compliance system: These systems ensure that the enterprise remains compliant with any regulatory regime that it may fall under (e.g., Federal Information Security Management Act (FISMA), healthcare or financial industry information security requirements).

Threat intelligence feed(s): The information provided by these systems can come from multiple sources that take data from internal and/or multiple external sources and provide information about newly discovered attacks or vulnerabilities that are used in the policy decision making. This also includes newly discovered vulnerabilities, newly identified viruses/malware and reported attacks that the policy engine will use to deny access from enterprise assets.
Network and system activity logs: This system monitors network traffic, aggregates asset logs, resource access activities, and other events that provide real-time (or near real-time) visibility and feedback on the security posture of enterprise architectures.

Data access policies: These are the policies and standards about access to enterprise resources. This set of rules could be encoded in (via a management interface) or dynamically generated by the policy engine. These policies are the starting point for authorizing access to a resource as they provide the basic access privileges for accounts and applications/services in the enterprise.

Enterprise public key infrastructure (PKI): This system is responsible for generating and logging certificates issued by the enterprise to resources, subjects, services, and applications. This also includes the global certificate authority and the Federal PKI, which may or may not be integrated with the enterprise PKI.

ID management system: This system creates, stores, and manages enterprise user accounts and identity records (e.g., a lightweight directory access protocol (LDAP) server). This system contains user identities (e.g., name, email address, certificates) and other enterprise attributes such as role, access attributes, and assigned assets. This system often integrates with other systems (such as a PKI) for artifacts associated with user accounts that may be part of a larger federated community.

Security information and event management (SIEM) system: This system logs, alerts, and stores security-centric information for later analysis. This data is then used to refine enterprise policies and warn of possible attacks against the assets.

Figure 3: Maturity model

IV. DESCRIPTION OF THE SOLUTION/ DESIGNS

In the Maturity model [3], all data is ultimately accessed over the network infrastructure. Networking controls can provide critical controls to enhance visibility and help prevent bad actors from moving laterally across the network once the network is compromised. Networks should be segmented based on business criticality and requirements (including deep in-network micro-segmentation) to provide real-time threat protection, end-to-end encryption, and monitoring; analytics should be employed.

Microsoft's Azure provides a wide and diverse range of network segmentation controls available to help create an isolated and protected environment. Here are the three basic controls that you can use to perform network segmentation in Azure. [3]

Below are the three common segmentation patterns available in Microsoft's Azure environment to deploy workloads:

1. Single Virtual Network
2. Multiple Virtual Networks with peering
3. Multiple Virtual Networks in a hub-and-spoke model

Each of these provides a different type of isolation and connectivity. Which one works best for your organization is a planning decision based on your organization's needs.

Figure 4: Segmentation Patterns

The recommended approach [2] in Azure is to use Azure DDoS Protection Service, Azure Firewall, and Azure Web Application Firewall to provide comprehensive threat protection. This setup of having an internet boundary using these services is important in a segmentation architecture since it essentially segments your application stack away from the internet while providing carefully inspected traffic to/from it.

In addition to internet connectivity, your application stack on Azure might need connectivity back to your IT footprint in your on-premises datacenter(s) and/or other public clouds. You have multiple options to achieve that: you can choose to have direct connectivity using Express Route, use VPN Gateway, or have a more unified distributed connectivity experience using Azure Virtual WAN. The same concept of segmenting away your application stack applies here, so that any threats that might affect your datacenter or on-premises network will have a harder time propagating to your cloud platform (and vice-versa) [2].

Illumio's technology [7] decouples security from the underlying network and hypervisor. This security approach can be easily adapted across a variety of enterprise environments, including private data centers, private clouds, and public clouds.

Illumio Adaptive Security Platform (ASP) [7] uses the context (state, relationships, etc.) of workloads (bare-metal and virtual servers, etc.) in the computing environment and keeps security policies intact.
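As an added example (not the paper's or Illumio's code), the following Python sketches the PCE/VEN split described in Sections I and III: rules are written on labels rather than addresses, a compute step expands them into per-workload allow entries, and each host then admits only what is on its own list, with everything else denied. The three workloads mirror the paper's R-Web, R-App and R-DB; R-App's private address, the internet pseudo-workload and the rule set are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Workload:
    name: str
    net: str            # address, or a range for the internet pseudo-workload
    labels: frozenset   # label pairs such as ("role", "Web"), ("env", "E-Prod")


@dataclass(frozen=True)
class Rule:
    src: frozenset      # label selector: every pair must be present on the workload
    dst: frozenset
    proto: str          # "tcp", "udp" or "icmp"
    port: Optional[int] = None   # None for icmp


def labels(**kv):
    return frozenset(kv.items())


def selects(selector, wl):
    return selector <= wl.labels


def compute_policy(workloads, rules):
    """PCE step: expand label rules into per-destination allow entries
    (source network, protocol, port). Nothing is allowed unless a rule adds it."""
    allow = {wl.name: set() for wl in workloads}
    for rule in rules:
        for dst in workloads:
            if not selects(rule.dst, dst):
                continue
            for src in workloads:
                if src is not dst and selects(rule.src, src):
                    allow[dst.name].add((src.net, rule.proto, rule.port))
    return allow


def ven_allows(allow, dst_name, src_ip, proto, port=None):
    """VEN step: the host firewall on dst admits a flow only if an allow
    entry covers it; any other flow is dropped (default deny)."""
    src = ip_address(src_ip)
    return any(src in ip_network(net) and p == proto and prt == port
               for net, p, prt in allow[dst_name])


# Constructed environment mirroring the paper's three VMs. R-DB and R-Web use
# the private addresses given in the paper; R-App's address is assumed.
WORKLOADS = [
    Workload("R-Web", "10.0.4.4", labels(role="Web", env="E-Prod")),
    Workload("R-App", "10.0.2.4", labels(role="App", env="E-Prod")),
    Workload("R-DB", "10.0.3.4", labels(role="DB", env="E-Prod")),
    Workload("internet", "0.0.0.0/0", labels(role="Internet")),
]
# Assumed rule set approximating Figures 11 and 12: ICMP between the tiers,
# RDP from the app tier to the web tier, HTTPS from the internet to the web tier.
RULES = [
    Rule(labels(env="E-Prod"), labels(env="E-Prod"), "icmp"),
    Rule(labels(role="App"), labels(role="Web"), "tcp", 3389),
    Rule(labels(role="Internet"), labels(role="Web"), "tcp", 443),
]
POLICY = compute_policy(WORKLOADS, RULES)


def check(dst, src_ip, proto, port=None):
    return ven_allows(POLICY, dst, src_ip, proto, port)


if __name__ == "__main__":
    for flow in [("R-Web", "203.0.113.10", "tcp", 443),   # constructed client
                 ("R-DB", "203.0.113.10", "tcp", 3389),
                 ("R-DB", "10.0.4.4", "icmp", None),
                 ("R-DB", "10.0.4.4", "tcp", 3389),
                 ("R-Web", "10.0.2.4", "tcp", 3389)]:
        print(flow, "ALLOW" if check(*flow) else "DENY")
```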

Unlike traditional firewalls that use imperative programming techniques due to static networking constructs, the Illumio Adaptive Security Platform is based on declarative programming and computes security in real-time. [5]

Figure 5: Three Virtual machines deployment

As shown in Figure 5, the three Virtual machines have been deployed successfully in the Azure environment; they are connected to the internet and have been deployed in an East US location. These servers support SSH (secure shell) and RDP (remote desktop); a connection can be established according to the rules and policy assigned to them. These three servers are the Application server, Database server, and Web server in our production environment in the Illumio tool.

Figure 6: Zero trust in Illumio Tool

As shown in Figure 6, we have three servers that are connected to the internet and the Azure portal, and the three servers have been deployed successfully in the Illumio tool. VirtualMachine1 is named R-App, VirtualMachine2 R-DB, and VirtualMachine3 R-Web in the Illumio tool. The red line indicates that no connection can be established between them and no packets/queries can be sent between those servers, whereas the green line indicates that there is a successful connection between them and they have the ability to send and receive data to/from the public internet. Any time you expose a resource to a network you increase threat risk, and with internet exposure, this is further compounded by a large set of possible threats. [2]

Figure 7: Connectivity in Illumio tool

As shown in Figure 7, the three servers are online in our environment and deployed successfully in the Illumio tool, where each server has been given a specific role and the Environment is E-Prod, i.e., a production environment, and it is synced with the three virtual machines in the Azure portal.

Figure 8: Remote desktop connection between two servers

As shown in Figure 8, a remote desktop connection is made on the Windows Server 2012 R2 version, where VirtualMachine1, having an IP address of 52.186.139.94, and VirtualMachine2, having an IP address of 52.152.222.92, are connected on port 3389 through a priority-300 rule for the TCP protocol. In the inbound and outbound security groups, both virtual machines have a priority-100 rule in the Azure portal that lets them ping each other from anywhere; the connection between them is successful and they can send/receive packets/queries between them.

Figure 9: VirtualMachine3 Remote desktop connection

As shown in Figure 9, a remote desktop connection has been made to VirtualMachine3, having an IP address of 52.186.143.232, and the connection is established on port 3389 through a priority-300 rule on Windows Server 2012 for the TCP protocol. It has security group inbound and outbound rules set up where it can connect to anyone and can
send/receive queries/packets from the internet, set on priority rule 100.

Figure 10: Private Connection between two servers

As shown in Figure 10, VirtualMachine3 (R-Web) can connect to VirtualMachine2 (R-DB), and there is a successful remote desktop connection between them on the private address 10.0.3.4 of R-DB and 10.0.4.4 of R-Web, i.e., they cannot receive/send queries/packets to the public internet, and only the private connection is allowed between these two servers, with ICMP as the protocol.

Figure 11: VirtualMachine2 Disconnected from Internet

ICMP is used to test the reachability of the systems. Although ICMP messages are contained within standard IP packets, ICMP messages are usually processed as a special case, distinguished from normal IP processing. In many cases, it is necessary to inspect the contents of the ICMP message and deliver the appropriate error message to the application responsible for transmitting the IP packet that prompted the ICMP message to be sent. [6]

Many commonly used network utilities are based on ICMP messages. The traceroute command can be implemented by transmitting IP datagrams with specially set IP TTL (Time to Live) header fields, and looking for ICMP Time Exceeded in Transit and Destination Unreachable messages generated in response. The related ping utility is implemented using the ICMP echo request and echo reply messages. [8]

As shown in Figure 11, VirtualMachine2 is disconnected from the Internet and only ICMP is allowed between the workloads. R-Web, R-App, and R-DB can send/receive packets or queries on their private connection between them.

V. EXPERIMENTAL RESULTS

SSL (Secure Shell) allows web browsers and web servers to communicate over a secure connection. The data is encrypted when being exchanged between the source and the destination on a network. SSL (Secure Shell) helps guarantee that the data will not be altered in transit by a third party.

Figure 12: Remote desktop between two virtual machines

As shown in Figure 12, a remote desktop connection has been established between VirtualMachine1 (R-App) and VirtualMachine3 (R-Web). As we can see, these two virtual machines can send/receive queries/packets, and VirtualMachine2 (R-DB) cannot connect to these machines or the internet, as the protocol policy and rule have been set so that packets/queries can only be sent/received to those servers which are trusted.

Figure 13: Packets sent between two servers

As shown in Figure 13, the total number of packets sent to R-Web is shown, and there is a loss of 0% of packets during this connection. Thus, these two servers trust each other according to the protocol and policy level set in the Illumio tool, and the network segmentation is successful between them without the loss of queries/packets. The results show the successful simulation of micro-segmentation while sending data packets with no packet loss. These results indicate there is no collision or congestion in network traffic.

VI. DRAWBACKS

In terms of real-world deployment of network-based micro-segmentation, it is difficult to map business-based segmentation to networking requirements. The organization's network infrastructure should be ready to adapt and participate in the configuration.

VII. CONCLUSION

In this paper, we have analyzed and implemented the zero trust concept in our environment. We created a three-tier application (Web, application, and database tier) in the Azure environment for our experimental purpose and collected data on whitelisted traffic between the servers. Whitelisting traffic means allowing servers to communicate with each other only on the port and protocol that they are supposed to; thus, demonstrating the foundation of zero trust at the network level.
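The Azure security groups in Figures 8 and 9 are a priority-ordered rule list of the imperative kind that Section IV contrasts with Illumio's declarative policy. The following added example (not the paper's code or Microsoft's tooling) evaluates inbound flows the way a network security group does, first against a rule set as the text describes it (a priority-100 rule allowing anything from anywhere above a priority-300 RDP rule) and then against a hardened set; the VNet range, the client address, the hardened rules and the simplified handling of the Internet service tag are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NsgRule:
    priority: int    # lower number is evaluated first; the first match decides
    name: str
    access: str      # "Allow" or "Deny"
    proto: str       # "Tcp", "Udp", "Icmp" or "*"
    src: str         # CIDR, "*" or a service tag (VirtualNetwork, Internet, AzureLoadBalancer)
    dst_port: str    # single port as a string, or "*"


# Azure's built-in inbound rules sit below every user rule; DenyAllInBound at
# priority 65500 is what gives a security group its default deny.
DEFAULT_INBOUND = [
    NsgRule(65000, "AllowVnetInBound", "Allow", "*", "VirtualNetwork", "*"),
    NsgRule(65001, "AllowAzureLoadBalancerInBound", "Allow", "*", "AzureLoadBalancer", "*"),
    NsgRule(65500, "DenyAllInBound", "Deny", "*", "*", "*"),
]

VNET = ip_network("10.0.0.0/16")  # assumed; the paper's private addresses are 10.0.x.4


def src_matches(rule_src, src_ip):
    ip = ip_address(src_ip)
    if rule_src == "*":
        return True
    if rule_src == "VirtualNetwork":
        return ip in VNET
    if rule_src == "Internet":
        return ip not in VNET            # simplified stand-in for the service tag
    if rule_src == "AzureLoadBalancer":
        return src_ip == "168.63.129.16"  # Azure's platform probe address
    return ip in ip_network(rule_src)


def evaluate(rules, src_ip, proto, port=None):
    """Return (access, rule name) of the first rule, by ascending priority,
    that matches the inbound flow; the built-in rules are always appended."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda x: x.priority):
        if (r.proto in ("*", proto) and src_matches(r.src, src_ip)
                and r.dst_port in ("*", str(port))):
            return r.access, r.name
    return "Deny", "implicit"


def shadowed(rules):
    """Names of rules that can never fire because a lower-numbered rule already
    covers everything they match (a quick lint that only reasons about '*')."""
    ordered = sorted(rules, key=lambda x: x.priority)
    out = []
    for i, r in enumerate(ordered):
        for earlier in ordered[:i]:
            pairs = ((earlier.proto, r.proto), (earlier.src, r.src),
                     (earlier.dst_port, r.dst_port))
            if all(e in ("*", v) for e, v in pairs):
                out.append(r.name)
                break
    return out


# Inbound rules as the text describes them for Figures 8 and 9: a priority-100
# rule that allows anything from anywhere, and a priority-300 rule for RDP.
EXPERIMENT = [
    NsgRule(100, "AllowAnyInBound", "Allow", "*", "*", "*"),
    NsgRule(300, "AllowRDP", "Allow", "Tcp", "*", "3389"),
]

# Hardened set for the web tier (assumed, not from the paper): RDP only from
# the app tier's private address, HTTPS from the internet, nothing else.
HARDENED_WEB = [
    NsgRule(100, "AllowRDPFromApp", "Allow", "Tcp", "10.0.2.4/32", "3389"),
    NsgRule(110, "AllowHTTPSFromInternet", "Allow", "Tcp", "Internet", "443"),
]

if __name__ == "__main__":
    client = "203.0.113.10"  # constructed internet client address
    print("experiment, RDP from internet:", evaluate(EXPERIMENT, client, "Tcp", 3389))
    print("experiment, shadowed rules:", shadowed(EXPERIMENT))
    print("hardened, RDP from internet:", evaluate(HARDENED_WEB, client, "Tcp", 3389))
    print("hardened, RDP from R-App:", evaluate(HARDENED_WEB, "10.0.2.4", "Tcp", 3389))
    print("hardened, ICMP from R-DB:", evaluate(HARDENED_WEB, "10.0.3.4", "Icmp"))
```

Note that the built-in AllowVnetInBound rule still admits R-DB to R-Web traffic at the security group, which is why the tier-to-tier restriction in Figures 10 to 12 has to come from the host-level policy the VEN enforces.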

During the implementation, we learned that by using the concept of labeling, policies can be written to whitelist the traffic between the source and the destination, thus further micro-segmenting the enterprise network to control the traffic between the source and the destination.

Future work uses a test scenario of high traffic compared to low traffic in the network so that performance comparisons can be obtained. Another approach is to evaluate the performance of a zero trust security model based on micro-segmentation using products from other vendors such as VMware NSX.

VIII. ACKNOWLEDGEMENT

The authors gratefully acknowledge the support of all the references mentioned below, especially Illumio, on which the zero trust approach was successfully tested. The authors also gratefully acknowledge the support of Stevens Institute of Technology and PricewaterhouseCoopers LLP Canada.

IX. REFERENCES

[1] https://www.blackridge.us/sites/default/files/IEEE-Implementing-Zero-Trust-Cloud-Networks-with-Transport-Access-Control.pdf
[2] https://www.researchgate.net/journal/Advances-in-Science-Technology-and-Engineering-Systems-Journal-2415-6698
[3] https://www.microsoft.com/security/blog/2020/06/15/zero-trust-part-1-networking/
[4] U.S. Presidential Executive Order, "Improving critical infrastructure cybersecurity", (February 12, 2013), http://www.whitehouse.gov/thepress-office/2013/02/12/executive-order-improving-criticalinfrastructure-cybersecurity (last accessed February 25, 2015)
[5] https://www.microsoft.com/enus/security/business/zero-trust
[6] https://www.uk.insight.com/en-gb/content-and-resources/articles/cloud-hub/2017-07-31-micro-segmentation-on-microsoft-azure-and-nsg
[7] https://en.wikipedia.org/wiki/Illumio
[8] https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
[9] S. Rose, O. Borchert, S. Mitchell, and S. Connelly, "Zero Trust Architecture," NIST Special Publication 800-207.
[10] C. DeCusatis, P. Liengtiraphan, A. Sager and M. Pinelli, "Implementing Zero Trust Cloud Networks with Transport Access Control and First Packet Authentication," 2016 IEEE International Conference on Smart Cloud (SmartCloud), New York, NY, 2016, pp. 5-10, doi: 10.1109/SmartCloud.2016.22.
[11] M. Mujib and R. F. Sari, "Performance Evaluation of Data Center Network with Network Micro-segmentation," 2020 12th International Conference on Information Technology and Electrical Engineering (ICITEE), Yogyakarta, 2020, pp. 27-32, doi: 10.1109/ICITEE49829.2020.9271749.
[12] L. Deri and A. Del Soldato, "An Architecture for Distributing and Enforcing IoT Security at the Network Edge," 2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData), Halifax, NS, Canada, 2018, pp. 211-218, doi: 10.1109/Cybermatics_2018.2018.00065.
[13] H. K. Molia and R. Agrawal, "A conceptual exploration of TCP variants," 2014 2nd International Conference on Emerging Technology Trends in Electronics, Communication and Networking, Surat, India, 2014, pp. 1-6, doi: 10.1109/ET2ECN.2014.7044985.
[14] https://www.illumio.com
