零信任網絡架構建設及部分細節討論（企業高管必看！）

{"type":"doc","content":[{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"01 零信任初識","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"困境","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"傳統的IT組網中，網絡安全需求的落地往往把重心放在以下工作：","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"1. 精心設計的網絡結構，如：帶外管理網段/帶內生產網段的嚴格劃分、不同網段之間的嚴格隔離等；","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2. 在網絡邊界部署專用安全“盒子”設備上，如：F5、IPS、WAF、DDOS等。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"這些經典的網絡安全部署方案，長期以來起到了較好的安全防護作用。但隨着企業網絡規模的日益擴大、網絡攻擊技術的不斷髮展、雲技術/容器化的不斷髮展，傳統安全方案的缺點越來越明顯。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"1. 整體防禦能力重邊界、輕縱深，面對攻擊者的橫向擴展束手無策","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"複雜的網絡部署環境造成過長的網絡邊界，單點突破往往難以100%杜絕，“容忍單點突破、杜絕全面失守”已成爲系統化安全建設的共識。而在過於強調邊界防護的傳統安全方案下，網絡邊界越來越容易成爲實際上的“馬奇諾防線”。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"攻擊者往往第一步會通過應用薄弱點（0day或nday）、水坑攻擊、釣魚郵件等手段繞過企業重兵部署的防禦邊界，找到突破點後，通過端口掃描探測更大的攻擊目標。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2. 檢測能力的侷限性","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"WAF、IPS、DDOS等安全防護設備，都是基於規則進行防護。攻擊者常用以下兩種方式來實現對防護的逃逸：","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"1）通過編碼、異形報文進行逃逸；","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2）通過大流量的攻擊報文，超出設備檢測能力逃逸。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"3、審計、權限控制的缺失","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"當攻擊者或內部人員以正常業務操作途徑，嘗試惡意登錄、越權下載數據、破壞數據完整性時，現有的“盒子”設備欠缺防護能力。對於上述惡意操作，一般以以下方式進行管控：","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"1）確保業務系統對人員的最小授權；","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2）能夠通過審計能力，在事中或事後發現侵害行爲；","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"3）通過動態風控手段，結合一定規則、用戶行爲特徵，實現侵害行爲的事前阻斷。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"4、無法滿足企業服務上雲後的安全需求","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"服務上雲已經成爲越來越多企業的必然選擇，公有云、混合雲部署場景下，雲上服務存在網絡界面扁平、攻擊面大、服務動態伸縮等特點，傳統的防護手段已無法適用。而現有云上的安全組、防火牆策略，則存在配置不靈活等問題。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"零信任","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"應對傳統企業防護方式的困境，零信任的思想及網絡架構的出現，給我們提供了另外一種防禦的思路。在過去的10年裏，零信任的演進也讓我們看到了問題解決的更多可能性。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2010年時任Forrester研究機構的首席分析師John Kindervag提出了零信任（Zero Trust）的概念。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2017年Google對外宣佈基於零信任概念的新一代網絡安全架構BeyondCrop落地完成，外界普遍認爲此次Google網絡安全架構的改革，與Google在“極光行動”中總結的經驗教訓有關。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2019年9月，NIST發佈了Draft NIST Special Publication 800-207《Zero Trust Architecture》爲給出了零信任官方意義上的解讀。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"2020年2月NIST對其進行了更新，發佈了Draft (2nd) NIST Special Publication 800-207，細化了零信任架構的細節，更有力地推動了零信任思想的發展和落地。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"零信任思想，引用NIST Special Publication 800-207中的一段話：","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"“Zero Trust Architecture (ZTA) provides a collection of concepts, ideas, and component relationships (architectures) designed to eliminate the uncertainty in enforcing accurate access decisions in information systems and services. ”","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"本質上講，“零信任”是一種思想，並不是一種“技術”，同時，也很難有一款產品，可以稱之爲“零信任產品”。但從另外一個角度思考，凡是符合零信任思想的安全產品甚至是網絡產品，也都可以稱之爲“零信任”產品。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"零信任架構，就是利用“零信任”這個思想，所建立起來的企業網絡安全架構。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"根據NIST白皮書中的聲明，零信任架構應該遵循6項基本原則","attrs":{}}]},{"type":"numberedlist","attrs":{"start":"1","normalizeStart":1},"content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","text":"All data sources and computing services are considered resources.","attrs":{}}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"所有的數據源及計算服務，均被認爲是“資源”。","attrs":{}}]},{"type":"numberedlist","attrs":{"start":"2","normalizeStart":"2"},"content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","text":"All communication is secure regardless of network location.","attrs":{}}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"不論處於什麼網絡位置，所有的通信都應以安全的方式進行。","attrs":{}}]},{"type":"numberedlist","attrs":{"start":"3","normalizeStart":"3"},"content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":3,"align":null,"origin":null},"content":[{"type":"text","text":"Access to individual enterprise resources is granted on a per-connection basis.","attrs":{}}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對於企業資源的訪問權限授予，應基於每個鏈接。","attrs":{}}]},{"type":"numberedlist","attrs":{"start":"4","normalizeStart":"4"},"content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":4,"align":null,"origin":null},"content":[{"type":"text","text":"Access to resources is determined by policy, including the observable state of user identity and the requesting system, and may include other behavioral attributes.","attrs":{}}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對“資源”的訪問授權，應取決於策略，包括了用戶的身份認證和發起請求系統的持續可觀測狀態，可能還包括了其他的行爲屬性。","attrs":{}}]},{"type":"numberedlist","attrs":{"start":"5","normalizeStart":"5"},"content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":5,"align":null,"origin":null},"content":[{"type":"text","text":"The enterprise ensures all owned and associated systems are in the most secure state possible and monitors systems to ensure that they remain in the most secure state possible.","attrs":{}}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"企業應確保其所擁有或與之相關聯的系統處於儘可能的安全狀態，並通過對其的持續監控確保它們總是儘可能的處於安全的狀態。","attrs":{}}]},{"type":"numberedlist","attrs":{"start":"6","normalizeStart":"6"},"content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":6,"align":null,"origin":null},"content":[{"type":"text","text":"User authentication is dynamic and strictly enforced before access is allowed.","attrs":{}}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"用戶在訪問授權之前，必須進行強制的、動態的身份認證。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"爲什麼是零信任","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"企業採用了零信任的思想來搭建企業安全架構，因此應遵循下列假設","attrs":{}}]},{"type":"numberedlist","attrs":{"start":"1","normalizeStart":1},"content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","text":"The enterprise private network is not trustworthy.","attrs":{}}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"企業內部網絡是不可信的","attrs":{}}]},{"type":"numberedlist","attrs":{"start":"2","normalizeStart":"2"},"content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","text":"Devices on the network may not be owned or configurable by the enterprise.","attrs":{}}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"網絡上的設備，可能不是企業所有的設備，或者無法由企業無法進行配置","attrs":{}}]},{"type":"numberedlist","attrs":{"start":"3","normalizeStart":"3"},"content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":3,"align":null,"origin":null},"content":[{"type":"text","text":"No device is inherently trusted.","attrs":{}}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"沒有設備是天然被信任的","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"上述的3條假設，本質上完全推翻了傳統企業防護的思路：在邊界架設防護措施，並且無條件信任區域內部的流量","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"當企業內部網絡不可信後，每一條請求都需要正確的權限才能夠到達目標資源，使得橫向擴散變得更加困難","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"建立企業設備信息庫，防止攻擊者通過竊取密碼或者令牌獲取訪問權限","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"引入設備信任評估，防止員工電腦因釣魚、水坑等攻擊手段致使設備被攻擊者控制，進而威脅企業網絡安全","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"進而，我們將零信任對企業資產&數據資產的防護方式進行了歸納：已知的用戶，在安全可信的設備上，使用加密鏈路，通過預置的授權訪問到對應的資源。同時，採用零信任架構構建的企業安全架構，也可以不再關心服務部署方式與企業網絡結構。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"02 零信任全景","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"自我們的建設的過程中，總結出我們心目中相對完整的零信任網絡結構，大致如下圖，","attrs":{}}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ee/eebabe2af787ea33bec8b9b9eb165520.jpeg","alt":"零信任網絡架構建設及部分細節討論（企業高管必看！）","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在數據平面層，我們需要通過網關（包括4層協議網關與7層協議網關），來實現數據的收口，以便實現權限的控制。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"更爲安全或複雜的場景，可以輔以安全客戶端，來保證數據來源環境信息的可靠性。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在管理平面層，零信任的核心思想在於認證、授權以及持續的信任評估，因此，對應的需要“單點登錄”來實現訪問源的身份認證，需要IAM（Identity & Access Management","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"）來實現權限管理，需要“風控中心”來進行持續的風險評估，通過“決策中心”將上述三部分進行串聯，實現一次訪問請求的權限授予。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"當安全客戶端存在時，則對應的需要其管理的服務端。服務端實現了客戶端的管理與信息的收集，並以此整理“設備信息庫”。客戶端的管理與可控，則是以PKI爲基礎來實現的。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"基於上述各組件，列舉出其所包含的功能點，如下所列","attrs":{}}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/7f/7f826aca85bd7fed928a6f4276e5ea12.jpeg","alt":"零信任網絡架構建設及部分細節討論（企業高管必看！）","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"因此處只列舉了如“安全客戶端”、“安全網關”、“決策中心”、“管理平臺”等組件的功能點，而類似於SSO，PKI等，由於技術相對成熟，因此不再羅列。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"關於各個組件功能點的詳細描述，也會在後文中逐漸展開。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"03 零信任建設思路","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"參照零信任思想（對每一條流量進行認證、授權以及持續的信任評估）建設的企業網絡，基本上可以簡化成下圖","attrs":{}}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/17/17c821e5b8cfd73a5dcfcf0552a02a65.jpeg","alt":"零信任網絡架構建設及部分細節討論（企業高管必看！）","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"基於上圖，我們得到了零信任最簡化的實現方式--“訪問授信”，同時配以“安全審計”所達成的動態風控。此時只要在流量收口處（網關）執行決策中心所作出的放過/攔截的決策，則可以達成最初步的零信任框架。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"採用上述框架，可以實現對Layer7流量的基本控制。選擇7層流量作爲零信任網絡建設的入手處，原因在於：","attrs":{}}]},{"type":"numberedlist","attrs":{"start":"1","normalizeStart":1},"content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","text":"企業中，普遍存在7層網關，即企業的反向代理集羣，流量收口工作已經初步實現","attrs":{}}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","text":"7層協議開放度較高，如HTTP，通過cookie的支持，可以自由攜帶認證授權相關信息，實現起來相對簡單。","attrs":{}}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"因此，在建設最初的零信任框架時，我們需要完成下列組件的建設：","attrs":{}}]},{"type":"embedcomp","attrs":{"type":"table","data":{"content":"

組件名稱	簡要說明
7層網關/HTTP代理	實現流量收口，同時作爲策略執行點（PEP）的存在，執行對流量的放過/攔截動作，甚至於更擴展的特性，例如投毒
決策中心	決策中心，作爲策略決策點（PDP）的存在，需要完成當前流量的認證、授權以及風險識別的工作
風控中心	這一部分，作爲實現零信任思想中“持續信任評估”理念的組件，實際上，在零信任建設初期，也可以暫時缺失或者放緩建設步子
管理平臺	作爲權限配置、策略配置的管理平臺（PAP），提供給業務管理員配置的入口，同時也是提供給安全管理員管理操作的平臺

"}}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"由於零信任網絡處於建設初期，最可靠的實踐場所是公司的辦公網，即內網。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"而在具體的辦公場景中，也存在着大量無法通過7層網關實現管控的場景，因此，需要，因此數據平面的整體的網絡結構也大致擴充如下：","attrs":{}}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/b4/b4135cafe58310ded69f766fa0f1f14a.jpeg","alt":"零信任網絡架構建設及部分細節討論（企業高管必看！）","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在引入Layer4層的網關之後，需要迫切考慮到的一個問題就是，4層流量並不像7層流量一樣具有可擴展性，身份標識無法通過或者說很難通過4層流量攜帶並傳遞至網關。因此，方案就變成了，在用戶原始報文之外，封裝一層，將用戶身份憑證封裝在內。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"引入了原始流量封裝的需求，我們就不得不引入另外一個零信任中頗爲重要的角色：安全客戶端。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"安全客戶端與4層流量網關之間通過合理的身份認證與密鑰協商，建立起可信的傳輸隧道，之後將用戶身份認證憑證與原始數據包封裝後通過可信傳輸隧道發送至4層流量網關，而4層流量網關在獲取用戶身份憑證後，根據授權結果，判定是否將原始用戶流量向後端轉發。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在流量封裝與可信傳輸通道建立之外，安全客戶端的另外一個作用，則可以對訪問方所處的環境，進行客觀可信的評估。如安全補丁的安裝狀況、安全配置是否合規等，這些重要信息，將作爲決策中心評估是否可以進行權限授予的重要依據。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在此時，我們在零信任網絡的建設中，將增加如下組件：","attrs":{}}]},{"type":"embedcomp","attrs":{"type":"table","data":{"content":"

組件名稱	簡要說明
4層網關	實現4層流量收口，同時作爲策略執行點（PEP）的存在，執行對流量的放過/攔截動作
安全客戶端	自客戶端上實現身份認證，與4層網關之間建立可信傳輸隧道，封裝原始流量以攜帶身份認證憑證。同時，實現客戶端環境信息的收集，提供給決策中心用以實現授權評估
安全控制檯	即客戶端對應的server，實現對客戶端的管理，包括身份認證、版本管理、信息收集等
資產信息庫	根據客戶端信息收集，結合公司資產管理（CMDB），詳細記錄資產健康狀態與全生命週期跟蹤

"}}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"當企業具備了安全客戶端的能力時，零信任網絡則可以在它的安全屬性之外，展現它的附加價值—提效，網絡無邊界。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"何爲“零信任”，即對一切區域、一切請求，均保持不信任的狀態，需要對其進行身份認證、合理授權以及持續的信任評估。而此處提到的“一切區域”，自然也包括企業“內網”。因而，當零信任不在區別對待“內網”、“公網”時，通過零信任網絡建設使得企業業務訪問安全得到一定程度的保證後，其訪問即可以不受“內網”限制。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"由此，數據平面的網絡結構，也可以大致演化爲下圖：","attrs":{}}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/eb/ebbbe5742cf791d5c64e2496a74468a2.jpeg","alt":"零信任網絡架構建設及部分細節討論（企業高管必看！）","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"相對於4層流量的管控而言，7層流量的管控，可以更細粒度一些，甚至可以做成API網關，而4層流量的管控，只能做到五元組級別。因此，相對來講，L7的OA系統，更容易做到“網絡無邊界”。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"但從另外一個角度思考，“內網”客觀上，也作爲一個環境存在，確實將提高攻擊者攻擊成本，因而，對於敏感業務的訪問，將其保留在“內網”仍不失爲一個好的選擇。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在解決了辦公場景下的大部分問題後，下一步我們將面臨的問題是，分佈在辦公區、生產網等各處的“啞終端”入網安全性問題。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"近些年，各方報告均顯示，IoT安全問題日趨嚴重，RCE漏洞使其成爲殭屍網絡的重災區。因其扮演的網絡角色相對容易被忽視，而產品安全的能力又良莠不齊，很容易成爲攻擊者的突破口，進而造成更嚴重的網絡安全事故。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"最簡單的限制方式，是對啞終端的IP進行限制，使其能夠訪問資源最小化。當啞終端因IP變化或其他更復雜原因，則需要考慮引入證書對其設備與流量進行認證，相對而言，這部分的建設成本會比較高，但如果企業有私有的PKI系統的話，將會節省很大一部分建設成本。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"總結上述信息，我們得出了一個零信任建設需求的優先級列表，供參考：","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"實現企業網絡的基本隔離，至少應該達成區域間的隔離","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"構建零信任管理平臺，包括策略配置管理（或引入IAM），構建策略模型，建立基本的訪問准入準則","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"構建零信任決策中心，包括身份認證（SSO）、策略查詢（IAM）與授權、風險評估等","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"依託於企業7層流量代理網關，聯動決策中心，實現對企業7層業務流量的基本管控","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"實現安全客戶端，此步驟中，至少應實現認證與可信隧道能力，以此達成與4層網關聯動的能力。客戶端信息與環境檢查，如安全性檢查、病毒查殺等能力，則可以考慮通過採購的方式補足","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"4層流量網關的搭建，聯動決策中心，與零信任客戶端一同實現4層流量的認證與授權","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"建立企業的PKI/CA系統，以此來保障客戶端可信與加密隧道安全","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"建立完善的風險識別體系，使零信任網絡具備持續信任評估能力，在必要時刻，持續信任評估能力可以縮短MTTD與MTTR","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"啞終端管控能力覆蓋","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"下文會根據所列需求，展開講述各組件的建設細節。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"04 零信任管理平臺","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在構建零信任策略配置管理平臺之前，先需要確定策略模型與管理方式","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"我們在策略模型的建立上，採用了語言中“主語”+“謂語”+“賓語”+“修飾語”的方式，引入了4個單位：Subject、Action、Resource、Environment，因此簡稱之爲SARE模型","attrs":{}}]},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"S-Subject 授權主體","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"A-Action 授權可執行動作","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"R-Resource 授權可訪問資源","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"E-Environment 滿足授權條件/環境","attrs":{}}]}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"授權原則：","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"S","attrs":{}},{"type":"text","text":"CAN DO ","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"A","attrs":{}},{"type":"text","text":"ON ","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"R","attrs":{}},{"type":"text","text":"IF ","attrs":{}},{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"E","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"主體對象（認證）：可以包括用戶/組，IP，設備，服務等","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"資源對象：服務，API等。此處設計，爲保證兼容4/7層流量授權","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"執行動作：接入，Method，CMD等。同樣，爲兼容4/7層流量授權","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"條件環境：網段，時間，地理位置，設備信息/健康狀態等，條件信息可多樣化，可定製","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如下圖中實例：","attrs":{}}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/59/59f7493103dac0d9cf8fc542b47ae963.jpeg","alt":"零信任網絡架構建設及部分細節討論（企業高管必看！）","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"根據圖中信息，得到策略描述：LiLei、HanMeimei以及三年二班全體同學，都可以在每天的早7點到晚18點之間，在學校計算機室中（計算機室網段10.10.0.0/16）中，訪問http://r.zerotrust.com/student_info，但僅限於通過Get請求或Post請求。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在管理方式上，則引入Realm概念，用以標識唯一管理單元。自我們的建設經驗來看，該單元可以包括域名以及IP。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在Realm之下，我們使用Service來標識該管理單元下服務。一個域名或IP下，可以通過不同的端口，對外開放出不同的服務，如HTTP服務、SSH服務等。但在此處注意的是，端口（Port）的重要性，要高於服務協議（Protocol），因爲端口決定了流量的走向。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"策略Policy則歸屬於各個Service，且每個Service中可以存在多條Policy，Policy之間相對獨立，但存在先後順序關係。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"策略中會包含我們上述所說的SARE模型，同樣的，我們也允許每條策略中包含多個Subject、Resource以及Environment。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"最後，爲了方便管理，我們引入了Realms的概念，類似於文件夾的使用方式，用以對Realm進行歸類，方便查看管理。但此概念非必須。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"最終，我們形成的管理方式如下圖：","attrs":{}}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/e9/e9d958e181048a5d7bb64873eea894d5.jpeg","alt":"零信任網絡架構建設及部分細節討論（企業高管必看！）","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"05 零信任決策中心","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"零信任決策中心的建設，分爲“認證”、“授權”以及“風險評估”部分的建設。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"關於認證，我們在建立策略模型的時候提到過，認證的主體，包括但不限於“用戶”、“服務”、“設備”甚至“IP”等。","attrs":{}}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/7e/7ed8d7f31efed12be18eda9e1824e5be.jpeg","alt":"零信任網絡架構建設及部分細節討論（企業高管必看！）","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"對用戶認證的場景","attrs":{}}]}]}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在聊及用戶認證時，我們常會想到1993年，漫畫家 Peter Steiner的一幅畫：On the Internet, nobody knows you're a dog","attrs":{}}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/22/22983b8e7cb4a605459b91821bcd9e83.jpeg","alt":"零信任網絡架構建設及部分細節討論（企業高管必看！）","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"因此，單純的賬號認證，沒有任何意義，因爲賬號（憑證）≠身份。當該賬號背後有確切對應的身份，且可以確定當前賬號的使用者可以與之關聯時，認證纔有意義。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在建設零信任決策中心的認證部分是，我們強烈建議其與企業現有的SSO系統相結合，原因如下：","attrs":{}}]},{"type":"numberedlist","attrs":{"start":"1","normalizeStart":1},"content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","text":"可以複用當前完善的賬號體系","attrs":{}}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","text":"可以複用SSO已經實現了的多因子認證能力，甚至借其實現梯度認證能力","attrs":{}}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":3,"align":null,"origin":null},"content":[{"type":"text","text":"可以複用SSO提供的登錄態，當業務也接入SSO的時候，避免因此而產生的多次登錄","attrs":{}}]}]}]},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"對服務認證的場景","attrs":{}}]}]}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對服務認證的場景，普遍存在於生產網絡內部，服務與服務之間的調用與信息互換。此處有兩種實現方式：","attrs":{}}]},{"type":"numberedlist","attrs":{"start":"1","normalizeStart":1},"content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","text":"原始流量中攜帶服務簽名，由此可得服務唯一ID，在網關或服務側以此爲依據進行服務認證","attrs":{}}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","text":"使用“客戶端”方式，對服務進行可信代理，封裝認證憑證，通過4層流量網關實現認證","attrs":{}}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果企業當前的基礎架構已經實現容器化，則基於容器化的隔離與認證方案將更有利於服務間的認證與授權。","attrs":{}}]},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"對設備認證的場景","attrs":{}}]}]}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"例如打印機入網、可視化大屏入網以及其他啞終端類設備入網。此類認證方式，可結合Radius實現，也可以通過設備證書方式實現。前者實現起來更加快捷，適用性也較強，後者安全性更高，但相對實現成本也很高。","attrs":{}}]},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"對IP認證的場景","attrs":{}}]}]}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對IP而言，不應稱之爲“認證”，因爲不存在任何認證過程，也不存在可信身份。但此場景最終被實現的原因是，我們終歸有一些或暫時、或永久不能解決的場景，無法對明確的主體進行授權，而爲保證這部分流量或業務不會因爲零信任網絡建設而受到影響，我們對之進行了妥協。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"但無論如何，對IP授權不應廣泛地被使用，因爲IP授權無法得到有效的權限收斂，也很難進行風險持續評估與審計。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"關於授權，我們試圖用兩條“鏈”來闡述我們所實現的授權過程","attrs":{}}]},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"策略鏈","attrs":{}}]}]}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"假設場景如下：訪問主體LiLei，爲三年級一班的同學，自寢室IP 10.33.27.135訪問http://r.zerotrust.com/english獲取學習材料（此處假設Environment都滿足的情況下，關於Environment鏈，將單獨描述。同時爲了簡化場景，此處Action也暫不予以考慮）","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對HTTP Service r.zerotrust.com存在6條策略","attrs":{}}]},{"type":"embedcomp","attrs":{"type":"table","data":{"content":"

序號	Subject	Resource	Result	備註
1	10.200.27.0/24	http://r.zerotrust.com/api	Access	api爲服務對外提供接口，授權給其他服務調用
2	10.200.33.0/24	http://r.zerotrust.com/english	Denied	english資源被明確禁止從學校機房中訪問
3	英語教學組	http://r.zerotrust.com/teacher	Access	英語教學組可以訪問teacher資源進行教學準備
4	三年級	http://r.zerotrust.com/english	Access	全體三年級學生可以訪問english資源
5	LiLei	http://r.zerotrust.com/admin	Access	Lilei同學作爲網站管理員，可以訪問admin資源
6	教務處	http://r.zerotrust.com/english	Access	教務處老師可以訪問english資源，進行資源評估

"}}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"LiLei同學此次訪問的授權過程，可如下圖所示：","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"策略鏈中，存在可以滿足授權（不論Access或者Denied）的情況時，授權且退出鏈","attrs":{}}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/a4/a4c32b2684ede9b26983dddbb5966ade.jpeg","alt":"零信任網絡架構建設及部分細節討論（企業高管必看！）","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"環境鏈","attrs":{}}]}]}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"當引入環境條件時，授權將變得更復雜起來。但我們認爲環境條件的存在時有必要的，通過環境條件的配置，可以實現授權條件的更細粒度約束，也讓整個授權配置變得更加靈活。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"假設一條訪問策略中存在4個環境條件","attrs":{}}]},{"type":"embedcomp","attrs":{"type":"table","data":{"content":"

序號	條件	屬性	詳細描述
1	IP：10.200.28.0/24	Requisite	訪問必須源於教學樓內
2	Device in CMDB：True	Sufficient	設備屬於學校資產
3	SMS Verify：True	Requisite	訪問經過短信驗證
4	Access Time: Mon-Fri, 07:00-18:00	Requisite	只有在週中的教學時間可以訪問

"}}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"可以看到，環境條件中，引入“屬性”概念。屬性被我們賦予Requisite或Sufficient，分別表示“必要不充分條件”及“充分不必要條件”。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"4條環境策略所形成的環境鏈，可以表示成下圖：","attrs":{}}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/4e/4eb04444b95dfd27c2e69c3aefb82cc8.jpeg","alt":"零信任網絡架構建設及部分細節討論（企業高管必看！）","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"關於授權時的風險評估，雖然是零信任思想中較重要的一部分，但如果缺失這部分能力，網絡也可以正常工作，是提高網絡安全性錦上添花的功能組件。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"授權時的風險評估，區別於“持續的信任評估”，是一項實時的工作，因此，可以評估的信息，均爲靜態的、實時的信息，如訪問源設備操作系統版本、補丁安裝情況、最近一次病毒查殺結果、是否安裝DLP軟件等。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"此部分工作，很大程度上依賴於安全客戶端的信息採集。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"當風險評估結果顯示，訪問源安全性不足，此次授權結果將被更改，甚至直接被拒絕訪問。但同時，應當給予用戶充分的反饋以幫助用戶改善環境安全，提升風險評估等級。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"06 零信任L7網關","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"依託於企業成熟的代理網關（Nginx），可以實現L7網關的快速搭建。以當前企業中常用到的一種網絡結構爲例","attrs":{}}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/1c/1cfc02ab38e253e97a8d8ef22f2bed8f.jpeg","alt":"零信任網絡架構建設及部分細節討論（企業高管必看！）","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"LVS（Linux Virtual Server）作爲負載均衡器，將流量負載，而後實現SSL卸載、日誌記錄以及定製化需求配置（如HTTP至HTTPS跳轉等）。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"中間層代理服務器（Nginx）則作爲WEB服務網關，將流量代理至真正上游應用中。在更精細化場景中，這一層也可以用作API網關，因此選型也相對多樣化，如OpenResty、Tengine、Kong等。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"我們所要實現的零信任7層流量網關，在此結構下，則可以與第二層代理服務器相結合。複用第二層代理服務器的優點如下：","attrs":{}}]},{"type":"numberedlist","attrs":{"start":"1","normalizeStart":1},"content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":1,"align":null,"origin":null},"content":[{"type":"text","text":"成熟且穩定的網絡結構","attrs":{}}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":2,"align":null,"origin":null},"content":[{"type":"text","text":"無需在網絡中增加一層，降低鏈路中的損耗","attrs":{}}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":3,"align":null,"origin":null},"content":[{"type":"text","text":"專業的SRE、網絡、運維、故障處理團隊守護","attrs":{}}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"我們在這裏，使用Lua完成了網關策略執行點（PEP）的快速開發。同時，插件的方式集成到代理服務器中，保證了開發與部署的獨立性。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"爲了保證訪問性能，降低網絡損耗，在網關中我們使用了授權信息緩存的方式，即將個人認證信息以JWT形式存儲至用戶cookie中，將授權信息短時保存在網關的緩存中。這種方式一定程度上犧牲了安全性，但安全與性能之間，總需要保持一定的平衡，進行一定程度的取捨。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"另外，在零信任思想中，所有網絡傳輸均需要被加密，包括零信任網關至上游服務之間的通信。Google通過內部開發的高性能認證和加密框架LOAS（Low Overhead Authentication System，低開銷認證系統）實現零信任網關至上游服務之間的雙向認證和加密。但我們評估了開發成本與安全性，決定採用一種較爲取巧的方式來保證上游服務器的安全，即通過防火牆策略保證上游服務只信任來自零信任網關的流量。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"最後補充一個細節，不建議零信任網關攔截非授權原因造成的403返回碼，也不建議零信任網關攔截非網關配置所造成的502返回碼，因爲這兩部分返回碼的攔截，將會給零信任網關的運維造成非常多的不必要工作量。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"07 零信任安全客戶端","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"零信任安全客戶端的建設，一方面爲了滿足4層流量的身份憑證傳輸以及可信的隧道傳輸能力，另一方面，爲了實現訪問源環境信息的採集。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"認證及隧道傳輸部分，我們建議在能力允許的範圍內，儘量以研發的方式實現，因爲這部分將與4層流量網關產生聯動，而4層流量網關又需要與企業先前建設的管理平臺及決策中心進行聯動，因此定製化較強。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"最基礎的安全客戶端應該具備以下能力：","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"身份認證","attrs":{}},{"type":"text","text":"：將身份信息提供至服務端，由服務端聯動SSO或LDAP，完成身份認證。此處可引入多因子認證來保證認證身份的可靠性。身份認證後，客戶端將保存服務端下發的身份憑證，並在請求流量中，攜帶身份憑證，以便網關根據身份完成合理授權。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"流量代理","attrs":{}},{"type":"text","text":"：客戶端通過創建虛擬網卡，代理指定網段流量（這裏我們假定10.0.0.0/8網段），並將報文進行封裝，以攜帶身份認證信息。","attrs":{}}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/9c/9cd71e344b8d8b927072cabe1a812699.jpeg","alt":"零信任網絡架構建設及部分細節討論（企業高管必看！）","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"加密隧道","attrs":{}},{"type":"text","text":"：通過與網關的協商/交換密鑰，建立TLS1.2通信隧道，保證通道的安全性與可靠性。進而將虛擬網卡封裝好的報文傳輸至網關側。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"客戶端與網關及服務端聯動時序如下圖：","attrs":{}}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/3a/3a0c36f6de0cfd0adba08a3656df7587.jpeg","alt":"零信任網絡架構建設及部分細節討論（企業高管必看！）","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在基礎功能完備情況下，則需要考慮客戶端實現信息收集及其他附加功能，如配置下發、病毒查殺等。最爲簡單快捷的方案，是通過商業產品採購，如DLP、UEM、殺軟等進行能力補足。通過唯一設備標識，與商業產品形成聯動，訪問商業產品服務端接口，獲取對應的客戶端詳細信息。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"而不論以何種方式獲取設備信息，至少應該包括：","attrs":{}}]},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"設備的唯一標識","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"設備登記/初次入網時間","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"設備MAC與IP地址信息","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"設備硬件信息","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"設備操作系統類型及其精確的版本號","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"設備關鍵安全配置情況","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"設備最後一次可靠殺毒時間及結果","attrs":{}}]}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"對應的，服務端在收集到這些信息後，應當以唯一標識爲索引，建立起設備全生命週期狀況跟蹤，包括重要硬件替換等，直至設備被標識銷燬。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"08 零信任L4網關","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"零信任四層流量網關的建設，完全依賴於安全客戶端的建設進度。沒有4層流量網關的安全客戶端，尚能完成用戶環境信息收集，但沒有安全客戶端的網關，則無法完成任何工作。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"零信任4層流量網關應具備能力如下：","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"流量還原","attrs":{}},{"type":"text","text":"：自TLS隧道中獲取報文，將外層封裝部分（Private DataLen與Private Data）摘除後，還原用戶請求報文。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"授權請求","attrs":{}},{"type":"text","text":"：自Private Data中獲取用戶身份憑證、設備唯一標識等信息，並以此向零信任決策中心請求此次訪問授權結果","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"會話管理","attrs":{}},{"type":"text","text":"：依照授權中心判定結果，決定流量轉發/攔截","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"相對於7層流量網關，可以與現有網絡組件相結合，4層流量網關則需要完全從頭搭建，因此需要綜合考慮性能及吞吐量問題。合理計算並部署集羣資源，正確的負載均衡實現，充分可靠的監控及報警設施都是保障服務穩定的必要措施。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"另外，需要值得注意的是，4層流量網關目前不具有降級功能，降級意味着企業服務對外完全敞開。因此，當緊急事件發生時，需要考慮其替代方案，如VPN等。最壞情況，也需要保證“逃生門”可用。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"09 零信任風險識別","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"零信任風險識別，旨在通過持續的信息收集及分析，完成信任的持續評估","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"而在開篇時曾經講到，企業引入零信任思想及網絡架構，以解決傳統安全架構中無法解決的問題，但我們不否認傳統安全手段在某些領域的有效性。因而，零信任網絡的出現，並非替代傳統安全設施，而是期待與傳統安全措施相結合，以產生更爲快捷、有效的防禦機制。","attrs":{}}]},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/fa/fa5892fd1ce3a9674ee30cf9cf8ebf28.jpeg","alt":"零信任網絡架構建設及部分細節討論（企業高管必看！）","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"綜合來看，我們建議使用與SIEM（安全信息和事件管理工具）相結合的方式來實現信息的收集與分析，最終達成信任持續評估的目的。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"SIEM作爲企業網絡防禦的核心部分，可以與零信任網絡形成更爲有效的閉環：","attrs":{}}]},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"零信任網絡向SIEM輸入更爲有價值的分析數據","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"SIEM作爲事件分析與處置決策發起者","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"零信任網絡作爲最終事件處置執行點存在","attrs":{}}]}],"attrs":{}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"下表列舉了零信任與SIEM聯動後，對於各類安全攻擊的防禦措施及處置方式。","attrs":{}}]},{"type":"embedcomp","attrs":{"type":"table","data":{"content":"

安全攻擊類型	緩解措施	如何將零信任網絡和SIEM集成
端口掃描/ 網絡偵察	封鎖並通知	零信任網絡阻止所有未經授權的網絡活動，並可以記錄所有連接請求以供SIEM系統使用。
拒絕服務DDoS攻擊	封鎖並通知	由於零信任網絡需要對請求進行授權，未經授權的請求會被重定向至SSO，因此DDoS攻擊不會對業務產生衝擊。同時，這些需要認證的請求也會被SIEM記錄下來，用作DDoS攻擊的分析識別。
惡意使用授權資源	檢測和定位	零信任網絡允許授權用戶訪問授權資源，SIEM系統以及其他風控系統將持續對用戶活動進行分析，異常行爲被識別後可以藉助零信任網絡的風控能力禁止授權用戶訪問，直到用戶異常行爲消失或事件被處理。
惡意訪問未授權資源	檢測並封鎖	零信任網絡中只允許用戶訪問已授權的資源，當大量未授權請求被識別時，將觸發風控能力，對惡意請求主體進行降權或封鎖。
使用被盜憑證	封鎖並通知	零信任網絡將會綜合多種信息給予授權，而非簡單的基於身份的授權，使得憑證盜用後難以獲取想用的權限。同時，盜用憑證後的多種異常行爲會被零信任網絡記錄，並在SIEM中得以彙總分析。
內網的橫向擴散	封鎖並通知	基於零信任網絡的隔離特點，內網的橫向擴散將很大程度上被遏制。其他主機將對受控主機呈現不可見狀態。同時，當受控主機呈現橫向主機發現特徵時，將被記錄下來並分析識別。

"}}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"除此之外，零信任平臺中，需提供了人工風控入口，彌補自動識別缺陷，可實施登錄態踢出、黑名單添加等動作，作爲應急處置的手段存在。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"10 其他零信任組件","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"相對於上述組件的建設，零信任關於網絡隔離部分，各個企業的實施方式不同，因此本文不再深入介紹。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"PKI/CA設施建設，本文中默認爲企業基礎設施建設，也不在贅述。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"關於啞終端覆蓋部分，我們也正在積極探索，但尚未完成相關部分的建設，因此待方案成熟後再進行補充。","attrs":{}}]},{"type":"heading","attrs":{"align":null,"level":1},"content":[{"type":"text","text":"11 結語","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"零信任網絡建設，是一項艱難且長期的工作，建設過程中涉及許多同SRE團隊、網絡團隊甚至業務團隊協作完成的工作，但其可見的效果值得企業投入並持續迭代。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"本文僅作爲我們實踐過程中的一些經驗的記錄，拋磚引玉，後續也將有更多的建設細節呈現出來，希望同大家分享，並共同探討零信任網絡建設方法，共同解決建設過程中遇到的困難。","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong","attrs":{}}],"text":"如果本文章對你有幫助的話 可以三連一波支持下作者哦 感謝各位大佬！！","attrs":{}}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/4b/4bcbc513431cdd8755f4f3ca4d528cc8.gif","alt":"","title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https://static001.geekbang.org/infoq/ab/ab5da14454a25c1453ae843c88b07540.gif","alt":null,"title":"點擊並拖拽以移動","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"​","attrs":{}}]}]}