Zero-Trust Networking

A journey to Zero-Trust Networking

Who is this for?

Today, I’m pumped to spill the beans on my trials, tribulations, and the game-changer – my shift to a Zero-Trust Networking architecture. This one’s for the tech-savvy folks – engineers, teams, and maybe even some clients looking to spice up their tech game.

Let me kick things off with a little confession – I’m a sucker for hosting my own content and websites. But, let’s face it, the journey hasn’t always been smooth. We’ll be diving into the realm of key technologies that can jazz up your efficiency and security, and make managing your tech estate a breeze.

A Blast from the Past

Fasten your seatbelts for this wild ride back in time. Picture a small NAS server off a Dell that felt like it could fry an egg. Brimstone OS (aka XP), unsecured FTP, HTTP, port forwarding – you name it. To top it off, a TeamViewer session with a backstage pass to my entire network. Yeah, I was 15, cut me some slack.

Now, over 15 years later, I’d like to think I’ve levelled up. Everything’s dockerized off an L1 Hypervisor. Reverse SSL proxies and Cloudflare integration are my go-to for app access, and the latest addition? A Zero Trust orchestration layer (Twingate) for ninja-level management access without exposing my whole network.

Facing the Tech Dragons

Back in the day, it was trial and error. I went with what I knew, even if it wasn’t the best fit. I cobbled together a sub-optimal solution, ignoring security, power use, and data integrity – just to make things kinda work.

Data integrity threw me for a loop. All my info scattered across various hard drives, no backup, no redundancy. One fine morning, a drive decided to ghost me with loud clicks. Data recovery was a bust, and that’s when the lightbulb lit up – time for some serious practice upgrades.

Unraid and Zero-Trust Networking

Decluttering the Digital Chaos

By this time, you will be happy to know I’ve moved on from Windows XP to Windows Server. While stable, it’s not quite the right fit. Enter UNRAID, a rock-solid Level 1 hypervisor managing not only the storage arrays but also apps via slick dockerized containers that serve all functions as part of the network.

Managing the Tech Circus

Now, let’s give Docker its moment in the spotlight. It’s like magic, bundling an app with everything it needs to run smoothly inside a container. UNRAID and other L1 hypervisors eat this up, making everything more efficient and reducing resource hogging. Running costs? Down. Power draw? Down. We’re talking about a tech glow-up.

Fortifying the Digital Fortress

Ah, security – the unsung hero. Back then, I was playing fast and loose with unsecured protocols (Port Forwarding/HTTP). A separate computer played gatekeeper as a jump host to my walled garden network.

SSL to the Rescue

SSL and Zero-Trust Networking

My first move was beefing up security for public-facing internet services. Web server setup was a bit clunky – port forwarding, A record on the DNS – functional but leaving a trail of open ports to potentially vulnerable services. Enter the hero – a reverse proxy tunnelling requests through NGINX. With Cloudflare as the NS provider, traffic is encrypted end-to-end and secure from browser to reverse proxy, and depending on the subdomain, the proxy routes it to the right destination. Bonus: Cloudflare as the Name Server brings in analytics, proxied IPs, and DDoS attack protection.
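
The subdomain routing described above, sketched as an NGINX config. This is an added example, not the author's actual setup: the hostnames, backend addresses and certificate paths are placeholders.

```nginx
# Added example; lives in the http { } context (e.g. conf.d/proxy.conf).
# Hostnames, backend addresses and certificate paths are placeholders.

ssl_certificate     /etc/nginx/certs/example.com.fullchain.pem;
ssl_certificate_key /etc/nginx/certs/example.com.key.pem;
ssl_protocols       TLSv1.2 TLSv1.3;

# Port 80: unknown hostnames are dropped, known ones are sent to HTTPS.
server {
    listen 80 default_server;
    return 444;                     # close the connection, send nothing
}
server {
    listen 80;
    server_name blog.example.com files.example.com;
    return 301 https://$host$request_uri;
}

# Port 443: refuse the TLS handshake for any name not listed below
# (ssl_reject_handshake needs nginx 1.19.4 or newer).
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}

# blog.example.com -> blog container
server {
    listen 443 ssl;
    server_name blog.example.com;
    location / {
        proxy_pass http://172.18.0.10:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# files.example.com -> file-sharing container
server {
    listen 443 ssl;
    server_name files.example.com;
    location / {
        proxy_pass http://172.18.0.11:8081;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With this layout only ports 80 and 443 on the proxy need to be reachable from outside; the backend ports stay internal. Running `nginx -t` checks the syntax before a reload.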

Zero Trust – Because We’re Paranoid Smart

The previous solution was golden for public-facing services, but my L1 Hypervisor interface, IPMI, and other toys shouldn’t be dance partners with the web. Managing them remotely and securely without exposing them to the big, bad internet was the challenge. Enter TeamViewer – a jump host, a centralized platform within the network, problem solved! Except, no. Cue three main issues.

  • More Hardware/More Power – More power, but not the fun kind. This translated to extra £££ on the electricity bill. A VM or an old laptop acting as a reboot guardian – neither a green solution.
  • No Redundancy – A laptop crash equals a lost remote access ticket. Homebound to restart or fix the device – not my idea of a party.
  • Attack Surface – A centralized platform with access to everything is a playground for trouble. If compromised, it’s like inviting chaos into your network.

Enter the Hero – Twingate. It’s time to ditch your VPN. A central Zero-Trust Networking orchestration layer, running in a Docker container. Connectors can be scattered throughout the network on existing hardware; if not, just throw in something as simple as a Raspberry Pi, providing true redundancy. And here’s the magic – Twingate sets up rules for access to devices, allowing granular control. This even extends to ports: don’t want SSH? Just block it. No more all-access passes to my digital kingdom.

What’s Next on the Tech Odyssey

So, here I am, having learned a ton in this rollercoaster journey. I’ve evolved from tech chaos to what I proudly believe is a sleek and robust solution.


But hold on, we’re not done yet. While I’ve trimmed power use to around 50 watts, there’s more efficiency to uncover. Everything on my system is CPU-centric, but a smarter move could be leveraging hardware acceleration – Intel Quick Sync and GPU assistance for video rendering. I haven’t taken that plunge yet, but who knows? Maybe I’ll circle back in another post, exploring the wonders of hardware acceleration and specialized computing hardware.

Closing Thoughts

After all’s said and done, from humble beginnings to lessons in how things shouldn’t be done, this journey might just shift perspectives on managing services and solutions, in particular in the world of zero-trust networking. The quest for tech utopia is still in progress, and I’m ready for whatever the next adventure throws my way. Until then!

Alex
