In enterprise networking today, there is a significant focus on zero trust. While many legacy vendors bolt a zero trust security framework onto their existing platforms, the Ericsson NetCloud SASE platform is designed from the ground up using zero trust building blocks. As a result, all the networking and security services offered on the platform, such as Secure Connect, SD-WAN, ZTNA (Zero Trust Network Access), HMF (Hybrid Mesh Firewall), and Advanced Web Security, are inherently built on this zero trust foundation.
Let’s examine five key zero trust architecture implementations natively built into the platform.
No exposed public IPs and inside-out connections that limit attack surface
First of all, anything exposed to the internet represents an attack surface. Typically, the exposed public IP from a site, vehicle, or user connecting to the internet is the primary attack surface that gets targeted. The NetCloud SASE platform is designed in a way that no IP is visible to the internet from a site. A site could be a distributed branch location, a vehicle connecting users or devices, or a location with several IoT sensors deployed.
To illustrate with an analogy, imagine a house as a site. The doors and windows exposed to the outside world are the attack surfaces that attackers exploit. Now, what if the house had no visible doors or windows from the outside, making everything hidden or invisible? That's precisely how the NetCloud SASE platform is designed. By not exposing public IPs, it greatly limits the attack surface.
In addition, the NetCloud SASE platform only permits connections that are initiated from a trusted site and denies any connections initiated externally. To use the previous house analogy, it's like someone finding the invisible door of a house and knocking on it, but the door wouldn't open. The door will only open when a trusted person from inside the house brings someone in.
The NetCloud SASE platform minimizes any attack surface by using these two techniques.
Private NAT technique enhances security with Moving Target Defense
Moving Target Defense (MTD) is an innovative concept aimed at enhancing the defense capabilities of networks. MTD involves regularly and randomly changing the actual IP addresses of devices and users connected to a network, which helps minimize the risk of the real IP addresses being exposed to attackers in case of a security breach.
The NetCloud SASE platform uses a similar technique to map the real IP addresses of connected users and devices to different private IP addresses during session establishment. This mapping remains the same throughout the session and disappears after the session ends. When the next session is established, the private NAT technique assigns new private IP addresses to the users and devices. This approach effectively safeguards the real IP addresses of users and devices from exposure to potential attackers.
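The per-session mapping described above can be modeled as a small private NAT table. The following is an added example written for this article, not code from Ericsson or the NetCloud SASE platform: the pool range, the session-id format and the rule that an address freed by the last closed session is skipped on the next allocation are all assumptions made so the behavior is easy to check.

```python
import ipaddress
import secrets


class PrivateNat:
    """Per-session private NAT: each real endpoint address is mapped to a randomly
    chosen private address when a session opens, the mapping is fixed for the
    session's lifetime, and it is discarded when the session closes."""

    def __init__(self, pool_cidr, rng=None):
        # Pool of private addresses to hand out (constructed for the example).
        self.pool = [str(h) for h in ipaddress.ip_network(pool_cidr).hosts()]
        self.rng = rng or secrets.SystemRandom()
        self.sessions = {}          # session id -> {real_ip: private_ip}
        self.in_use = set()         # private addresses currently mapped
        self.just_released = set()  # freed by the last close; skipped once (assumption)

    def _allocate(self):
        candidates = [p for p in self.pool
                      if p not in self.in_use and p not in self.just_released]
        if not candidates:
            candidates = [p for p in self.pool if p not in self.in_use]
        if not candidates:
            raise RuntimeError("private address pool exhausted")
        chosen = self.rng.choice(candidates)
        self.in_use.add(chosen)
        return chosen

    def open_session(self, real_ips):
        """Assign a fresh random private address to every real address in the session."""
        session_id = secrets.token_hex(4)
        self.sessions[session_id] = {real: self._allocate() for real in real_ips}
        self.just_released.clear()
        return session_id

    def translate(self, session_id, real_ip):
        """Outbound direction: real address -> private address seen by the far side."""
        return self.sessions[session_id][real_ip]

    def untranslate(self, session_id, private_ip):
        """Return direction: private address -> real address, valid only inside the session."""
        for real, priv in self.sessions[session_id].items():
            if priv == private_ip:
                return real
        raise KeyError(private_ip)

    def close_session(self, session_id):
        """Drop the mapping; the real address is no longer reachable through it."""
        mapping = self.sessions.pop(session_id)
        for priv in mapping.values():
            self.in_use.discard(priv)
            self.just_released.add(priv)


def in_pool(nat, private_ip):
    return private_ip in nat.pool


def demo():
    # Constructed endpoint: one device behind the site, two consecutive sessions.
    nat = PrivateNat("100.64.0.0/24")
    real = "10.1.1.5"
    first = nat.open_session([real])
    p1 = nat.translate(first, real)
    nat.close_session(first)
    second = nat.open_session([real])
    p2 = nat.translate(second, real)
    return nat, first, second, p1, p2


if __name__ == "__main__":
    nat, first, second, p1, p2 = demo()
    print(f"session 1 mapped 10.1.1.5 -> {p1}; session 2 mapped it -> {p2}")
```

The point to notice is that `untranslate` only works while the session exists: once `close_session` runs, a captured private address no longer resolves to anything, which is what limits the value of an address leaked during a breach.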
Authentication before providing access to a network
Authentication confirms that only the right users and devices with the right permissions can access network resources. The NetCloud SASE platform uses various authentication methods for users, sites, and devices. User authentication is carried out through Identity Provider (IdP) integration with SAML (Security Assertion Markup Language). The IdP stores the user's identity and determines their associated privileges. When a site attempts to connect to a network, the NetCloud SASE platform authenticates the site using a shared key before permitting its connection to the network. For IoT devices with a SIM (Subscriber Identity Module), NetCloud SASE uses SIM-based authentication to allow connection to the network.
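The inside-out connection model from the first section and the shared-key site authentication just described fit together naturally: the site dials out, proves possession of its key, and only then does a session exist through which traffic can flow. The simulation below is an added example written for this article, not Ericsson code. The relay and site classes, the HMAC challenge-response used to prove the shared key (the article only says "shared key"; the nonce and HMAC construction are assumptions), and the key material are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; a real deployment provisions per-site keys out of band.
SITE_KEYS = {"branch-042": b"constructed-demo-shared-key"}


class Relay:
    """Cloud-side relay. It listens; sites dial out to it. It deliberately has no
    method that dials a site, which is the inside-out property: the site never listens."""

    def __init__(self, site_keys):
        self.site_keys = site_keys
        self.sessions = {}   # session token -> site id
        self.denied = []     # audit trail of refused attempts

    def challenge(self):
        # Fresh nonce per registration so a captured proof cannot be replayed (assumption).
        return secrets.token_bytes(16)

    def register(self, site_id, nonce, proof):
        key = self.site_keys.get(site_id)
        if key is None:
            self.denied.append(("unknown-site", site_id))
            return None
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            self.denied.append(("bad-proof", site_id))
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = site_id
        return token

    def forward(self, token, payload):
        """Only traffic on a site-initiated, authenticated session is forwarded."""
        site = self.sessions.get(token)
        if site is None:
            self.denied.append(("no-session", payload))
            return None
        return (site, payload)


class Site:
    """A branch, vehicle or IoT site. It holds a shared key and only ever dials out."""

    def __init__(self, site_id, key):
        self.site_id = site_id
        self.key = key
        self.token = None

    def connect(self, relay):
        nonce = relay.challenge()
        proof = hmac.new(self.key, nonce, hashlib.sha256).digest()
        self.token = relay.register(self.site_id, nonce, proof)
        return self.token is not None

    def send(self, relay, payload):
        return relay.forward(self.token, payload)


def external_attempt(relay, payload=b"unsolicited"):
    """An outsider who found the relay but holds no site-initiated session."""
    return relay.forward("forged-token", payload)


def demo():
    relay = Relay(SITE_KEYS)
    good = Site("branch-042", SITE_KEYS["branch-042"])
    impostor = Site("branch-042", b"guessed-key")   # right site id, wrong key
    return {
        "good_connects": good.connect(relay),
        "impostor_connects": impostor.connect(relay),
        "good_forwarded": good.send(relay, b"telemetry"),
        "external_forwarded": external_attempt(relay),
        "denied": relay.denied,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Because `Site` exposes nothing for the relay (or anyone else) to call, an externally initiated connection can only ever reach the relay, and the relay forwards nothing that is not tied to a session a site opened with a valid key.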
Granular layer 4 based access prevents lateral movement
One key difference between the NetCloud SASE platform and other legacy networking platforms is that when a connection is established on NetCloud SASE, it is done at layer 4 (TCP/UDP) of the OSI stack rather than at layer 3 (the IP layer). Granting access at layer 3, the network layer, grants access to the entire network and all its resources, which can be very dangerous when a network is compromised. In fact, that is how lateral movement occurs in a traditional network when one part of the network is compromised.
NetCloud SASE is designed to operate at layer 4, regardless of the services it provides, such as SD-WAN, FWaaS (Firewall as a Service), ZTNA, or SWG (Secure Web Gateway). It enables users and devices to connect to specific resources and applications at layer 4 without granting access to the entire network, thus preventing lateral movement.
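The difference between a layer-3 grant and a layer-4 grant is easiest to see with the same flows evaluated against both. This is an added example for this article, not NetCloud SASE policy code; the user, the subnet, the hosts and the ports are constructed, and the rule formats are assumptions chosen to make the contrast explicit.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    user: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    dst_port: int


# Constructed policies for one user. The legacy grant is a whole subnet; the
# layer-4 grant names a host, a transport protocol and a port, i.e. one application.
L3_GRANTS = {"alice": ["10.20.0.0/16"]}
L4_GRANTS = {"alice": [("10.20.5.10", "tcp", 443)]}


def allowed_at_layer3(grants, flow):
    """Network-layer check: is the destination inside any granted subnet?"""
    dst = ipaddress.ip_address(flow.dst_ip)
    return any(dst in ipaddress.ip_network(cidr) for cidr in grants.get(flow.user, []))


def allowed_at_layer4(grants, flow):
    """Transport-layer check: does (host, protocol, port) match a granted application?"""
    return (flow.dst_ip, flow.proto, flow.dst_port) in set(grants.get(flow.user, []))


def compare(flow):
    return {"layer3": allowed_at_layer3(L3_GRANTS, flow),
            "layer4": allowed_at_layer4(L4_GRANTS, flow)}


# Constructed flows: the intended web application, a hop to a file server on the
# same subnet that the user was never granted, and an unexpected port on the
# granted host.
INTENDED = Flow("alice", "10.20.5.10", "tcp", 443)
LATERAL = Flow("alice", "10.20.7.22", "tcp", 445)
WRONG_PORT = Flow("alice", "10.20.5.10", "tcp", 22)


if __name__ == "__main__":
    for name, flow in (("intended", INTENDED), ("lateral", LATERAL), ("wrong-port", WRONG_PORT)):
        print(name, compare(flow))
```

The subnet grant says yes to all three flows; only the first is the application the user needed. The layer-4 grant allows exactly that one and denies the other two, which is the property that stops a compromised endpoint from reaching neighbours on the same network.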
Continuous security inspection
Finally, NetCloud SASE continuously evaluates risk even after sessions are established. It conducts ongoing inspections of all traffic, including permitted connections, to mitigate threats. Furthermore, once access to an application is granted, trust is continually assessed based on changes in device posture. If any suspicious behavior is detected, access can be revoked in real time.
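A minimal model of the posture-driven part of this, as an added example for this article rather than Ericsson code: the posture signals, the risk weights, the revocation threshold and the rule that a revoked session stays revoked until a new grant are all assumptions. Traffic-content inspection is not modeled here.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Posture:
    disk_encrypted: bool
    edr_running: bool
    patch_age_days: int


@dataclass
class Session:
    user: str
    app: str
    state: str = "active"
    reasons: list = field(default_factory=list)


REVOKE_AT = 50   # constructed threshold


def posture_risk(p):
    """Constructed scoring: returns (score, reasons). Weights are assumptions."""
    score, reasons = 0, []
    if not p.disk_encrypted:
        score += 40
        reasons.append("disk not encrypted")
    if not p.edr_running:
        score += 50
        reasons.append("endpoint protection stopped")
    if p.patch_age_days > 30:
        score += 20
        reasons.append("patches older than 30 days")
    return score, reasons


class ContinuousEvaluator:
    """Grants access on current posture and keeps re-checking it for the
    lifetime of the session, revoking in place when risk crosses the threshold."""

    def __init__(self):
        self.sessions = {}

    def grant(self, user, app, posture):
        score, _ = posture_risk(posture)
        if score >= REVOKE_AT:
            return None
        sid = secrets.token_hex(4)
        self.sessions[sid] = Session(user, app)
        return sid

    def reevaluate(self, sid, posture):
        """Called on every posture report; returns the session's new state."""
        s = self.sessions[sid]
        if s.state != "active":
            return s.state           # revoked sessions are not resurrected
        score, reasons = posture_risk(posture)
        if score >= REVOKE_AT:
            s.state = "revoked"
            s.reasons = reasons
        return s.state


if __name__ == "__main__":
    ev = ContinuousEvaluator()
    sid = ev.grant("alice", "crm", Posture(True, True, 3))
    print(ev.reevaluate(sid, Posture(True, False, 3)), ev.sessions[sid].reasons)
```

The session was legitimately granted, and nothing about the user's identity changed; what changed was the device. Re-running the same check on each posture report is what turns a one-time admission decision into continuously assessed trust.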
The NetCloud SASE platform is built on these five fundamental architectural building blocks, making it a highly secure foundation. NetCloud SASE services include Secure Connect, SD-WAN, ZTNA, Hybrid Mesh Firewall, and Advanced Web Security, all of which are delivered with these five core zero trust building blocks.
Learn more on our NetCloud SASE webpage.