Zero trust network access means different things to different folks. Every security vendor in the world today seems to have a zero trust network access solution, and the definition of such can vary from product to product. I like to use the Gartner definition of zero trust network access, and that is that it's a product or a service that creates an identity and context-based logical access boundary around an application or set of applications. Fundamentally, it's the implementation of the principle of least privilege. At the end of the day, it's granting access only for what an application or service might require.

Zero trust is implemented with Always On VPN using a variety of features or capabilities of Always On VPN. The first is traffic filters, and traffic filters are traditional kind of Layer 3/Layer 4 access controls. You can control access by, you know, source and destination IP address, the protocol, source and destination ports as well. You can also leverage application filters, meaning that you can restrict access by the executable, by the package family name, or even restricted to system access. With Always On VPN and zero trust, you can use a combination of traffic and application filters to enforce policy.
An important caveat is that unfortunately, today, traffic filters do not work with IPv6. That just seems to be broken. If you're assigning an IPv6 address to an endpoint over the VPN and expecting VPN access over IPv6, traffic filters simply don't work. It actually breaks the VPN connection. So unfortunately, if you're using IPv6 today for Always On VPN, you will not be able to take advantage of traffic filters.

Before we get on to implementing our zero trust policies with traffic and application filters, I want to talk about some of the things to really think about before you go down this path. There are many advantages to implementing zero trust, of course, and the first is that limited network access reduces your attack surface. So if an endpoint is compromised, you know, with malware or ransomware specifically, the access to the internal network is dramatically reduced. It may only have access to a couple of resources and just a subset of services on your internal network, so that's obviously quite positive.
Traffic enforcement is done on the endpoint, meaning if there's traffic that is being blocked, it's being blocked on the client device, so it doesn't ever come over the VPN tunnel, and that can reduce, you know, noise on your internal network and internal logs. It reduces the traffic on your VPN tunnels, of course, and that has some positive benefits as well. And as you'll see in the next demonstration, it's fairly easy to configure policies, at least basic policies, using Intune.

Now, with regards to disadvantages, of course, all of this comes at a cost, and any time you have increased complexity, it's going to make the solution more difficult to manage and support and troubleshoot and all of that, so keep that in mind. Also, these policies are fixed policies, meaning there's no just-in-time access. Once you apply a policy to an endpoint, that's the policy. And if you need to make changes to it, you will need to remove the VPN profile and reapply it. If you're using Intune, not a problem. We've extolled the virtues of Intune quite a bit to this point in that it simplifies the management a great deal, meaning you can change your zero trust policies in Intune, and the clients just take care of themselves, right?
So they'll just sync with Intune, get the new policy, and you're good to go. But if you're managing Always On VPN using SCCM and PowerShell or something else, then that burden is on you, the administrator, to have to go out, remove the VPN profile, and then recreate it using the new policy. And this can be challenging at scale if you're constantly adding and removing applications or you're moving internal infrastructure, and so applications are now located in a different subnet, and so all of that increases the administrative overhead a great deal.

And finally, and again, you'll see this here in the next demonstration, true granular access control using application and traffic filters is just not supported in Intune. It's just prohibitively difficult. So it really requires that you use XML to manage and control your zero trust policies.