The Role of iStatus ArpWatch™ In A Zero Trust Universe

Network administrators and cyber professionals are adopting zero trust networking, a term that, taken literally, signals the end of perimeter security. Let's take a deeper dive into this concept and discuss what zero trust means and how it affects network security.

For the past 20+ years we have operated in a mode where internal networks were most commonly protected by a NAT device at the edge of the network, with stateful firewall rules examining each connection. Connections originating outside the network were blocked by those rules, and devices on the trusted LAN were allowed out to the Internet.

With the proliferation of millions of IoT devices, we are now in a world where IoT devices, printers, cameras, Alexa devices, etc. are added to secure network segments. Yet the operating systems on those devices (which may originate in foreign countries) are not necessarily things we should trust. Network configurations have also become more complex: VPNs between offices, VPNs from work-from-home (WFH) users, and WiFi all bring increased risk to the sanctity and security of our protected LAN segments.

Making matters more complicated, we now run IPv4 and IPv6 side by side, along with proxies and other transition services that carry IPv4 traffic over IPv6.

The idea of zero trust networking is that each device should be hardened, should not expose open ports or services, and that all access to and from devices is secured by authentication.

The second core tenet of zero trust is that devices should also use encryption for all network activity, making them less susceptible to snooping, man-in-the-middle attacks, or DNS-based attacks.

Security Layers

So with this in mind, are we now in a new era where perimeter security has no place and everything should be attached directly to the Internet?

Let's think about networks and network security. We first need to examine the role of modern firewalls and how layers of security are applied to networks to help maintain security.

There are many layers used in securing networks, which include but are not limited to:

  • Perimeter Security - Keeping the bad guys out of the network
  • Service Security - Ensuring that internet-exposed services are hardened
  • Transport Security - Encrypting data-in-motion
  • Intra-network Security - Implementing multiple VLANs to reduce the exposure of servers and endpoints
  • Endpoint Security - Policies to restrict administrative access, antivirus, antimalware, endpoint firewalls, UEFI, disk encryption, and more
  • Minimal Rights - Where users are assigned minimal rights to network resources based on needs
  • MFA/2FA - Multi-factor/two-factor authentication adds a layer of security
  • IDS, IPS, SIEM, IDR - Dozens of other security platforms help secure networks by logging, monitoring file access, detecting intrusions, and responding to dangerous traffic
  • Data Backup - Data backups and replication are not necessarily part of a security strategy but are core elements used to recover from hardware failures or network security incidents

With all these security layers and zero trust, why do we care who is on the network?

Let's discuss this in the context of physical security at a cash-handling security company that transfers cash to outlying banks. In this example, we shall say that this organization uses a zero trust model, where only trusted employees are allowed onto the grounds of the company.

  • A barbed-wire fence stands guard around the perimeter of the location (this is like a firewall)
  • Security cameras are used to record all activities (like all the platforms used within an organization such as IDS, IPS, SIEM, IDR).
  • Employees show ID or swipe in to gain access. This is like 2FA, where the employee has a card (something they have) and a PIN code (something they know) to gain access.
  • Within the facility, there are numerous checks and balances: cash is carefully checked in and checked out, and only the necessary amount of money is sent to outlying banks (similar to minimal rights in network security).
  • Armored trucks are used to transport the cash to the outlying banks (similar to encrypted communications).
  • Guards are also frequently armed to protect themselves against robbery (network security has some active denial systems [Intrusion Detection & Response, antivirus] where connections from bad applications may be blocked).

Even with all these things in place, it is well understood that massive security breaches can still happen: robbers tunnel into a facility, or multiple employees collaborate to circumvent security processes.

[Figure: iStatus ArpWatch detects rogue devices]

So is zero trust the end-all-be-all for network security?

Unfortunately, zero trust isn't the total solution, because zero-day vulnerabilities exist in devices on protected network segments, and hackers and malware leverage those vulnerabilities to move laterally within networks, frequently employing living-off-the-land techniques to evade detection by antivirus, antimalware, IDS, and firewalls. Hackers often use email as the initial attack vector and then combine it with malware that allows privilege escalation.

So how does iStatus ArpWatch help?

If we borrow an analogy from physical security systems, alarm systems typically use an array of sensors to protect a building: cameras are used along with access control systems, glass-break sensors, and motion sensors. All of these are combined to improve the security of the building.

Similarly, ArpWatch is a tool that helps detect unauthorized devices on secure network segments. This is like detecting someone inside the locked cash-transfer company with motion sensors: while the facility is locked, there should be no motion inside it, and likewise we would not expect to see rogue or untrusted devices on a secured network segment. iStatus ArpWatch can stand guard over your networks 24/7, giving the IT team eyes and ears to monitor for rogue devices and for other types of attack not easily visible to other forms of network security, such as DNS changes or man-in-the-middle attacks (for example ARP spoofing, where a device claims another host's IP address, most often the default gateway's).
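To make concrete what an ARP watcher on a segment actually does, here is an added example in Python. It is not iStatus ArpWatch code and does not describe that product's internals; the record format, MAC addresses, VLAN numbers and sample traffic are all constructed. Everything is keyed by VLAN to mirror a one-probe-per-segment deployment, and the gateway mapping is pinned up front so that a spoofed claim on the gateway IP is caught even if the real gateway has not yet been seen.

```python
"""
Minimal ARP-watch logic (added example; not iStatus ArpWatch code).

For each ARP reply/announcement a probe sees on its VLAN, the sender
(IP, MAC) pair is checked against a baseline of authorized MACs and the
mappings learned so far:

  new-station  sender MAC is not authorized on that VLAN (rogue device)
  changed      a known IP is now claimed by a different MAC (ARP spoofing)
  flip-flop    the IP bounced back to a MAC it used before (spoofer and
               real host answering in turn)
  gateway      a MAC other than the pinned one is claiming the gateway IP
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Alert:
    vlan: int
    kind: str            # "new-station" | "changed" | "flip-flop" | "gateway"
    ip: str
    old_mac: Optional[str]
    new_mac: str


class ArpWatch:
    def __init__(self, authorized: Dict[int, Set[str]],
                 gateways: Dict[int, Tuple[str, str]]) -> None:
        # authorized: vlan -> MACs allowed on that segment (assumed inventory)
        self.authorized = {v: {m.lower() for m in macs} for v, macs in authorized.items()}
        # gateways: vlan -> (gateway_ip, gateway_mac), pinned before any traffic
        self.gateways = {v: (ip, mac.lower()) for v, (ip, mac) in gateways.items()}
        self.learned: Dict[Tuple[int, str], str] = {}       # (vlan, ip) -> current MAC
        self.history: Dict[Tuple[int, str], Set[str]] = {}  # (vlan, ip) -> every MAC seen
        self.reported: Set[Tuple[int, str]] = set()         # (vlan, mac) already alerted
        for v, (gw_ip, gw_mac) in self.gateways.items():
            self.learned[(v, gw_ip)] = gw_mac
            self.history[(v, gw_ip)] = {gw_mac}

    def observe(self, vlan: int, ip: str, mac: str) -> List[Alert]:
        mac = mac.lower()
        key = (vlan, ip)
        alerts: List[Alert] = []

        # Rogue device: alert once per (vlan, mac), not on every packet.
        if mac not in self.authorized.get(vlan, set()) and (vlan, mac) not in self.reported:
            self.reported.add((vlan, mac))
            alerts.append(Alert(vlan, "new-station", ip, None, mac))

        # IP-to-MAC change: the signature of ARP spoofing / man-in-the-middle.
        old = self.learned.get(key)
        if old is not None and old != mac:
            gw = self.gateways.get(vlan)
            if gw is not None and gw[0] == ip and mac != gw[1]:
                kind = "gateway"
            elif mac in self.history.get(key, set()):
                kind = "flip-flop"
            else:
                kind = "changed"
            alerts.append(Alert(vlan, kind, ip, old, mac))

        self.learned[key] = mac
        self.history.setdefault(key, set()).add(mac)
        return alerts


def parse_record(line: str) -> Optional[Tuple[int, str, str]]:
    """Constructed probe record: '<vlan> <sender-ip> <sender-mac>'; '#' starts a comment."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    vlan, ip, mac = body.split()
    return int(vlan), ip, mac


def run(records: str, watcher: ArpWatch) -> List[Alert]:
    alerts: List[Alert] = []
    for line in records.splitlines():
        rec = parse_record(line)
        if rec is not None:
            alerts.extend(watcher.observe(*rec))
    return alerts


# Constructed ARP replies, as a per-VLAN probe would see them.
SAMPLE_RECORDS = """
10 10.0.10.1  aa:bb:cc:00:00:01   # real default gateway announces itself
10 10.0.10.20 aa:bb:cc:00:00:20   # authorized file server
10 10.0.10.77 de:ad:be:ef:00:77   # laptop nobody authorized -> new-station
10 10.0.10.1  de:ad:be:ef:00:77   # laptop claims the gateway IP -> gateway
10 10.0.10.1  aa:bb:cc:00:00:01   # real gateway answers again -> flip-flop
20 10.0.20.5  aa:bb:cc:00:00:05   # separate VLAN, nothing to report
"""


def demo() -> List[Alert]:
    watcher = ArpWatch(
        authorized={10: {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:20"},
                    20: {"aa:bb:cc:00:00:05"}},
        gateways={10: ("10.0.10.1", "aa:bb:cc:00:00:01"),
                  20: ("10.0.20.1", "aa:bb:cc:00:00:02")},
    )
    return run(SAMPLE_RECORDS, watcher)


if __name__ == "__main__":
    for a in demo():
        print(f"vlan {a.vlan}: {a.kind:12} {a.ip} {a.old_mac or '-'} -> {a.new_mac}")
```

Running it on the constructed sample yields three alerts, all on VLAN 10: the unauthorized laptop appearing, that laptop claiming the gateway address, and the real gateway answering again. A real deployment would feed `observe()` from a packet capture of ARP on each segment rather than from text records, and would suppress the flip-flop noise produced by legitimate IP reassignments (DHCP churn, failover pairs) by refreshing the authorized list from the inventory.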

iStatus takes network security even further by allowing a probe to be installed on each VLAN in high-security networks. This is similar to having dozens of motion sensors throughout a larger facility. It is architecturally superior to methods that require a separate monitoring PC on each VLAN (expensive and impractical), and to designs where one centralized monitor spans multiple VLANs (where the monitoring host itself becomes a path between otherwise-isolated VLANs and hugely increases the risk of a breach).

In summary

Zero trust networks are a way to increase the security of business networks, but they can fail when zero-day and unpatched vulnerabilities allow malware to traverse the network, or when rogue devices are connected to network segments, allowing hackers to use low-level network attacks to launch man-in-the-middle or DNS attacks, or to access information directly and exfiltrate it offsite.

iStatus ArpWatch™ is a low-cost, easy-to-deploy solution that lets companies quickly add extra layers of monitoring without the high cost of spinning up servers or of IT managers learning complex new systems.