Zero Trust Networking Basics
The Castle-and-Moat Model
For decades, network security followed a simple model: build a strong perimeter and trust everything inside it. The corporate network was the castle. The firewall was the moat. If you were inside the perimeter - connected to the corporate LAN or WiFi - you were trusted. If you were outside, you were not.
This model made intuitive sense when corporate networks were physically contained. Employees worked in offices. Servers sat in on-premises data centers. The network had clear boundaries. Being "inside" meant you had physical access to the building and an ethernet cable or a WPA2 password.
VPN extended this model to remote workers. The VPN tunnel punched through the moat and placed the remote user "inside" the castle. Once connected, the remote user had the same network access as someone sitting in the office. Same internal IP range, same access to file servers and databases, same trust level.
Why the Perimeter Failed
The castle-and-moat model collapsed under three pressures.
Cloud migration. When applications moved from on-premises servers to cloud providers, the castle lost its contents. The data was no longer inside the perimeter. The firewall still protected the office network, but the things worth protecting were somewhere in AWS, Azure, or Google Cloud. The moat protected an increasingly empty castle.
Remote work. When a significant portion of the workforce operates from home networks, coffee shops, and airports, the concept of a trusted perimeter dissolves. Every remote connection is a hole in the wall. VPN concentrators became bottlenecks, and "just VPN into the office" became impractical at scale.
Lateral movement after breach. The critical flaw in perimeter security is what happens after an attacker gets inside. In a castle-and-moat model, an attacker who compromises one internal machine has broad network access. They can move laterally - from the compromised workstation to file servers, databases, domain controllers. The perimeter that kept them out does nothing to contain them once they are in.
```mermaid
graph TD
    subgraph "Castle-and-Moat Model"
        A[Firewall - the moat] --> B[Corporate LAN - trusted zone]
        B --> C[All internal devices trusted]
        C --> D[Compromised device]
        D --> E[Lateral movement to file server]
        E --> F[Lateral movement to database]
        F --> G[Domain controller compromised]
    end
    subgraph "The Problem"
        H[One breach = full access]
        I[Cloud apps outside perimeter]
        J[Remote workers bypass perimeter]
    end
    D --> H
    I --> K[Perimeter protects nothing]
    J --> K
```
The castle-and-moat failure - once an attacker breaches the perimeter, lateral movement is unrestricted
Zero Trust Principles
Zero trust replaces the binary inside/outside trust model with continuous verification. The core principles are straightforward.
Never trust, always verify. No user, device, or application is trusted by default, regardless of network location. Every access request is authenticated and authorized before it is granted. Being on the corporate WiFi does not grant implicit trust.
Least-privilege access. Users and devices receive only the minimum access needed for their current task. A marketing employee does not get access to the engineering database. An engineering laptop does not get access to the HR file share. Access is scoped as narrowly as possible.
Assume breach. Design the network and access controls as if an attacker is already inside. This means segmenting resources, encrypting internal traffic, logging all access, and monitoring for anomalies. If a device is compromised, the blast radius should be contained to the resources that device specifically needs.
Implementation Approaches
Zero trust is a set of principles, not a specific product. There are several implementation approaches, each addressing different aspects of the architecture.
Identity-aware proxy (BeyondCorp model). Google pioneered this approach with their internal BeyondCorp project. Instead of a VPN that places users on the internal network, an identity-aware proxy sits in front of every application. To access an internal tool, the user authenticates to the proxy, which verifies their identity, checks their device's security posture (patched OS, active antivirus, encrypted disk), and grants access to that specific application only. No network-level access is granted.
Software-defined perimeter (SDP). SDP creates dynamic, one-to-one network connections between a user and a resource. The resource is invisible to unauthorized users - they cannot even detect its existence on the network. When an authorized user authenticates, the SDP controller provisions a direct, encrypted connection to that specific resource.
Micro-segmentation. The network is divided into small, isolated segments. Each segment contains a small number of related resources. Traffic between segments is filtered by policy. A compromised device in one segment cannot reach resources in another segment without passing through a policy enforcement point.
```mermaid
graph TD
    subgraph "Identity-Aware Proxy"
        A[User request] --> B[Identity verification]
        B --> C[Device posture check]
        C --> D{Authorized?}
        D -->|Yes| E[Access to specific app only]
        D -->|No| F[Access denied]
    end
    subgraph "Micro-Segmentation"
        G[Segment A - Web servers] ---|Policy check| H[Segment B - App servers]
        H ---|Policy check| I[Segment C - Database]
        G -.-x|Blocked| I
    end
    subgraph "Continuous Verification"
        J[Session established] --> K[Ongoing behavior monitoring]
        K --> L{Anomaly detected?}
        L -->|Yes| M[Re-authenticate or revoke]
        L -->|No| N[Continue session]
    end
```
Zero trust implementation approaches - identity proxy controls application access, micro-segmentation limits lateral movement, continuous monitoring catches anomalies
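The decision logic of an identity-aware proxy from the diagram above, as an added Python example that is not code from the original page or from Google's BeyondCorp; the app names, groups and posture attributes are constructed, and the source network is carried only for logging so the example can show that being on corporate WiFi changes nothing.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Constructed per-app policy: which identity groups may reach each app.
# App and group names are hypothetical, not from the original page.
APP_POLICY = {
    "wiki": {"engineering", "marketing"},
    "hr-fileshare": {"hr"},
    "eng-db": {"engineering"},
}

@dataclass
class Device:
    os_patched: bool
    av_active: bool
    disk_encrypted: bool

@dataclass
class Request:
    user: Optional[str]                 # None = no verified identity
    app: str
    groups: Set[str] = field(default_factory=set)
    mfa_passed: bool = False
    device: Optional[Device] = None
    source_network: str = "internet"    # recorded for logging; never grants trust

def posture_ok(dev: Device) -> bool:
    # The three posture signals named in the text must all pass.
    return dev.os_patched and dev.av_active and dev.disk_encrypted

def decide(req: Request) -> Tuple[bool, str]:
    """Proxy decision: (allowed, reason). Network location is not consulted."""
    if req.user is None or not req.mfa_passed:
        return False, "identity not verified: authentication with MFA required"
    if req.device is None or not posture_ok(req.device):
        return False, "device posture check failed"
    allowed_groups = APP_POLICY.get(req.app)
    if allowed_groups is None:
        return False, f"unknown app {req.app!r}: default deny"
    if not (req.groups & allowed_groups):
        return False, f"{req.user} is not authorized for {req.app}"
    # A grant covers this one application only, never network-level access.
    return True, f"{req.user} granted access to {req.app} only"
```

Every deny path returns the reason so the proxy can log it; a real deployment would feed those denials into the continuous-verification monitoring shown in the third subgraph.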
How Zero Trust Relates to WiFi
In a zero trust architecture, the WiFi network is just a transport layer. Being connected to the corporate SSID provides IP connectivity but not access to any resources. Every application, file share, and service requires separate authentication and authorization.
This fundamentally changes the threat model for WiFi attacks. In a castle-and-moat network, compromising the WiFi password gives an attacker access to everything on the internal network. In a zero trust network, compromising the WiFi password gives the attacker... an IP address. They still cannot access anything without valid credentials for each specific resource.
This does not mean WiFi security becomes irrelevant. An attacker on the network can still perform reconnaissance, attempt credential theft via DNS spoofing, and exploit any services that have not been fully migrated to the zero trust model. But the blast radius of a WiFi compromise is dramatically smaller in a zero trust environment.
The practical implication for network administrators: zero trust reduces your dependence on WiFi as a security boundary. You still want strong WiFi security (WPA3, PMF, WIDS), but you no longer need WiFi to be the primary defense against unauthorized access to corporate resources.
Micro-Segmentation
Micro-segmentation is the zero trust principle most directly applicable to WiFi network design. Instead of one flat network where all devices can communicate with all other devices, you create isolated segments with controlled access between them.
In a WiFi context, this translates to multiple SSIDs or VLANs, each with different access policies. A common segmentation scheme includes a corporate SSID for employee devices (access to internal resources after authentication), a guest SSID for visitors (internet only, no internal access), an IoT SSID for sensors, cameras, and smart devices (access to their management platform only), and a BYOD SSID for personal devices (limited access, internet plus specific collaboration tools).
Each segment is isolated at the network layer. A device on the IoT VLAN cannot communicate with devices on the corporate VLAN. A guest device cannot reach internal file shares. If a compromised IoT sensor is used as a pivot point, it can only reach other IoT devices - not the corporate network.
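The four-segment scheme above expressed as an explicit allow list with a default deny, as an added Python example that is not from the original page; it computes what a pivot from a compromised segment can reach and renders the policy as an nftables forward chain. VLAN interface names, the server zones and the nft table name are all constructed.

```python
from typing import Dict, List, Set

# Constructed mapping of the four SSIDs/VLANs to hypothetical interfaces.
SEGMENT_IF: Dict[str, str] = {"corporate": "vlan10", "guest": "vlan20",
                              "iot": "vlan30", "byod": "vlan40"}
# Destination zones (also hypothetical interfaces) that segments may reach.
ZONE_IF: Dict[str, str] = {"internet": "wan0", "internal": "vlan100",
                           "iot-mgmt": "vlan50"}
# Explicit allow list. Any (segment, destination) pair not listed is denied,
# including segment-to-segment traffic such as iot -> corporate.
ALLOWED: Dict[str, Set[str]] = {
    "corporate": {"internet", "internal"},
    "guest": {"internet"},
    "iot": {"iot-mgmt"},
    "byod": {"internet"},   # collaboration tools are SaaS, reached via internet
}

def is_allowed(src_segment: str, dst: str) -> bool:
    """Default-deny check; dst may be a zone or another segment."""
    return dst in ALLOWED.get(src_segment, set())

def blast_radius(compromised_segment: str) -> Set[str]:
    """What a pivot from a compromised device in this segment can reach.
    Same-segment devices are always reachable (L2, never forwarded)."""
    candidates = set(ZONE_IF) | set(SEGMENT_IF)
    reachable = {d for d in candidates if is_allowed(compromised_segment, d)}
    return reachable | {compromised_segment}

def nft_ruleset() -> str:
    """Render the policy as an nftables forward chain with policy drop."""
    lines: List[str] = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for seg, dsts in ALLOWED.items():
        for dst in sorted(dsts):
            oif = ZONE_IF.get(dst) or SEGMENT_IF[dst]
            lines.append(f'    iifname "{SEGMENT_IF[seg]}" oifname "{oif}" accept')
    lines += ["  }", "}"]
    return "\n".join(lines)
```

Because the chain's policy is drop and only listed pairs are accepted, adding a new segment without an ALLOWED entry isolates it completely until someone deliberately opens a path.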
Practical Zero Trust for Small Organizations
Full zero trust architecture requires significant investment in identity infrastructure, policy engines, and endpoint management. For small organizations, a pragmatic approach focuses on the highest-impact changes.
MFA everywhere. Multi-factor authentication is the single most effective zero trust control. If every application requires MFA, compromised passwords alone do not grant access. Start with email, cloud storage, and VPN. Expand to every application that supports it.
VLAN segmentation. Most prosumer routers and all enterprise routers support VLANs. Separate your network into at minimum three segments: trusted devices, IoT, and guest. This limits lateral movement without requiring expensive infrastructure.
Cloud-native access controls. If your organization uses Google Workspace, Microsoft 365, or similar cloud platforms, use their built-in conditional access policies. These policies can require MFA, check device compliance, and restrict access by location - basic zero trust controls without additional infrastructure.
Encrypt everything. Use HTTPS for all internal web applications. Use encrypted protocols for file sharing. Enable WiFi encryption (WPA3 where possible). Treat the network as hostile even when it is your own.
Getting Started
Zero trust is a journey, not a destination. No organization achieves full zero trust overnight. The practical approach is incremental.
Start by mapping your current trust boundaries. Where does your network currently grant implicit trust? What resources are accessible to anyone on the corporate WiFi without additional authentication? Those implicitly trusted resources are your highest-priority targets for zero trust controls.
Next, identify your most sensitive resources and implement strong authentication for them first. Financial systems, customer databases, intellectual property repositories - these should require MFA and device verification before any other systems.
Then expand outward. Add more resources to the zero trust perimeter. Implement network segmentation. Deploy endpoint posture checks. Each step reduces the attack surface and limits the damage from any single compromise.
Zero trust does not eliminate the need for WiFi security, network monitoring, or threat detection. It adds a layer of defense that does not depend on the network perimeter holding. When the perimeter fails - and it eventually will - zero trust ensures that the failure does not mean total compromise.