The Fat Pipe - All of the Packet Pushers Podcasts

The following is a transcript of the audio you can listen to in the player above. Welcome to Briefings in Brief, an unsponsored summary of a briefing we received from a vendor. We publish them when we think the briefing was especially interesting. Today’s briefing summary is about startup Araali Networks, one of the most interesting startups I’ve chatted with in a while. Abhishek Singh, CEO and co-founder, gave me Ethan Banks and Drew Conry-Murray at Packet Pushers an overview of their approach to modern application security on March 31, 2021. To set up what Araali Networks does, we need to first discuss zero trust network access. I’m going to tell this story from my perspective, which might vary a bit from your take, as I think ZTNA means different things to different people, and definitely to different vendors, as vendors will define zero trust in a way that just so happens to match a product they want to sell, which confuses it for the rest of us. So from my perspective (and you’re free to disagree), what is zero trust? If you go on instinct, the term zero trust implies an infrastructure that doesn’t allow any endpoint to talk to any other endpoint without a good reason. And if that’s as far as your thinking goes, then zero trust feels like network admission control where you do some endpoint profiling, wrap it in a user context, develop a decent understanding of what that endpoint/user likely is, and then dump it in the right group. You’ve already got controls applied to that group, so off you go. The problem with that approach is that no matter the profiling, that endpoint isn’t actually known to you. A profile is like a stereotype. A stereotype might be accurate generally, but will get a lot of details–possibly important details–wrong. If you’re with me so far, then maybe you think microsegmentation is zero trust. The microsegmentation approach relies less on stereotypes–profiling–and more on observation. What’s on the wire between these two endpoints? Oh, I see this IP talking to this other IP on these ports, and that seems right. It’s a web server talking to a database server. It’s directory services hitting the local DNS server. Etc. A tool observes the network wire, builds a trial policy based on those observations, a human reviews the policy and tweaks it as needed, and then the policy becomes active. Good traffic is allowed, previously unseen traffic is assumed to be bad and dropped. And we do this granularly on a host by host basis, watching source and destination IPs and ports. The enforcement might happen in a hypervisor switch. It might happen in a host’s individual firewall. That’s (roughly) microsegmentation. That sounds like it could be zero trust, right? Well, we’ve stereotyped again, just at a more detailed level. We’re assuming that the comms happening inside of the connections between those IPs and ports is all legit. Oh, I get it, Ethan. You’re saying there could be some malware on a host using a legit channel to do bad things, so we can’t actually trust at an IP and port level, either. Yes, that’s my point or at least part of it. There are lots of ways to combat malware. But what about how that malware gets installed on a host to begin with? Have you ever thought about a zero trust posture for public-facing connections? Wait, what? We know the internet is full of bad actors, Ethan. Of course we don’t trust the internet. Yeah, but we do in a lot of cases, because we have to. We have to open up port 443 to the internet at some point, right? Yes…right. But can we also open port 443 to anyone while maintaining a zero trust posture? True zero trust. You mean like throwing an IPS inline, Ethan?