Nettica VPN Knowledge Base

What is “Zero Trust”?

It’s Coming From Inside the House!

Unfortunately, not all attacks originate outside the company network. Bad actors have many ways to gain access to networks and make themselves look like they belong there. Zero Trust is a security strategy that recognizes this fact, and implements internal practices to minimize the damage that can be done if a bad actor does get past the firewall.

Principles of Zero Trust

The main principles of Zero Trust are:

  • Continuous monitoring and validation: Zero Trust authenticates both users and devices, whether they are located remotely or inside the firewall, and users must reauthenticate at regular intervals.
  • Device access control: Zero Trust does not only authenticate users, it also authenticates devices, and restricts device access permissions right along with those of the users.
  • Least privilege: Zero Trust only grants users and devices the access permissions they absolutely need.
  • Microsegmentation: Instead of a single, shared internal network, Zero Trust breaks the network up into smaller segments, each with its own access controls. This prevents “lateral movement”, or using access to one segment as a way to gain access to another.
  • Multifactor/2-factor Authentication (MFA/2FA): MFA means adding additional authentication steps before granting access to a user. A common MFA scheme is requiring a user to provide their password and then enter a code sent to the user’s phone or email, but there are others. MFA significantly decreases the chance that a bad actor can access the network even if they learn the user’s password.

How Does Nettica VPN Implement Zero Trust Principles?

  • Continuous monitoring and validation: We authenticate users using OAuth2 regardless of whether they are located remotely or inside the firewall. They must reauthenticate at regular intervals. The device’s VPN connections are validated with each packet sent or received, and if a packet cannot be authenticated, it is rejected. However, for your privacy, we do not monitor those connections.
  • Device access control: Nettica VPN uses an “allow-list” access scheme. Users must be specifically invited to each network based on the email address with which they log in to Nettica VPN. Devices may be added to the network automatically when an authorized user logs in with that device, but the Devices page allows the administrator to disable and enable individual devices.
  • Least privilege: Nettica Users who are properly authenticated can create their device and join a network, if there are any available to their account. Nettica Admins and Owners can create networks, invite users, and perform all functions expected of an Admin. Admins can invite users to specific individual networks, or to all the networks on the Admin’s account.
  • Microsegmentation: Each Nettica VPN network is logically isolated from all other Nettica VPN networks, even if those networks are on the same physical segment, or even hosted on the same device. Nettica VPN actively prevents traffic from moving from one VPN network to another.
  • Multifactor/2-factor Authentication (MFA/2FA): Apple, Google, and Microsoft all support multifactor authentication. See their login pages for details. Nettica VPN’s private authentication provider does not (?) support MFA, which is another reason we recommend you use Apple, Google, or Microsoft instead.
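The following is an added example, written for this article and not Nettica VPN’s own code, that models the principles listed above (periodic reauthentication, an email allow-list per network, per-device enable/disable, role-based least privilege, per-packet authentication with rejection of unauthenticated packets, and microsegmentation between networks) as a small default-deny policy engine. The role names, the eight-hour reauthentication interval, the packet layout, the HMAC-based tag and all sample users, devices and keys are constructed assumptions for illustration; a real tunnel such as WireGuard authenticates packets with its own cryptography, not with this toy format.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumed reauthentication interval in seconds; the article says "regular
# intervals" without giving a number, so this is a placeholder.
REAUTH_INTERVAL = 8 * 3600

@dataclass
class Network:
    name: str
    invited: set            # allow-list of email addresses invited to this network

@dataclass
class Device:
    device_id: str          # at most 8 ASCII characters (fixed-width packet header)
    owner: str              # email of the user who enrolled the device
    network: str            # the single network the device belongs to
    key: bytes              # per-device packet-authentication key (constructed)
    enabled: bool = True    # an administrator can disable the device

@dataclass
class Session:
    email: str
    role: str               # "user", "admin" or "owner" (assumed role names)
    authenticated_at: float # epoch seconds of the last successful login

# Least privilege: each role gets only the actions it needs.
ROLE_ACTIONS = {
    "user":  {"join_network"},
    "admin": {"join_network", "create_network", "invite_user", "disable_device"},
    "owner": {"join_network", "create_network", "invite_user", "disable_device"},
}

def session_valid(session, now):
    """Continuous validation: a login older than the interval must be redone."""
    return 0 <= now - session.authenticated_at < REAUTH_INTERVAL

def authorize(session, action, now, network=None, device=None):
    """Default-deny authorization. Returns (allowed, reason)."""
    if not session_valid(session, now):
        return False, "reauthentication required"
    if action not in ROLE_ACTIONS.get(session.role, set()):
        return False, "role %r may not %r" % (session.role, action)
    if action == "join_network":
        # Device access control: the user must be on the allow-list, and the
        # device must be enabled and enrolled by that same user.
        if network is None or session.email not in network.invited:
            return False, "user not on the network allow-list"
        if device is None or not device.enabled:
            return False, "device disabled or unknown"
        if device.owner != session.email:
            return False, "device not enrolled by this user"
    return True, "ok"

HEADER_LEN = 8
TAG_LEN = 32

def seal_packet(device, payload):
    """Toy tunnel packet: 8-byte device id, 32-byte HMAC-SHA256 tag, payload."""
    header = device.device_id.encode("ascii").ljust(HEADER_LEN, b"\0")
    assert len(header) == HEADER_LEN, "device_id too long"
    tag = hmac.new(device.key, header + payload, hashlib.sha256).digest()
    return header + tag + payload

def validate_packet(packet, devices, dest_network):
    """Per-packet check: unknown, disabled, unauthenticated or cross-network
    packets are all rejected. Returns (ok, payload_or_reason)."""
    if len(packet) < HEADER_LEN + TAG_LEN:
        return False, "truncated packet"
    header = packet[:HEADER_LEN]
    tag = packet[HEADER_LEN:HEADER_LEN + TAG_LEN]
    payload = packet[HEADER_LEN + TAG_LEN:]
    device = devices.get(header.rstrip(b"\0").decode("ascii", "replace"))
    if device is None or not device.enabled:
        return False, "unknown or disabled device"
    expected = hmac.new(device.key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "packet failed authentication"
    if device.network != dest_network:
        # Microsegmentation: no lateral movement between VPN networks.
        return False, "cross-network traffic blocked"
    return True, payload

# Constructed sample data (not real accounts or keys).
NETWORKS = {"alpha": Network("alpha", {"alice@example.com"}),
            "beta":  Network("beta",  {"bob@example.com"})}
DEVICES = {"lap01": Device("lap01", "alice@example.com", "alpha", b"key-for-lap01"),
           "lap02": Device("lap02", "bob@example.com",   "beta",  b"key-for-lap02"),
           "lap03": Device("lap03", "alice@example.com", "alpha", b"key-for-lap03",
                           enabled=False)}
ALICE = Session("alice@example.com", "user", authenticated_at=1_000.0)
ADMIN = Session("admin@example.com", "admin", authenticated_at=1_000.0)

if __name__ == "__main__":
    now = 2_000.0
    print(authorize(ALICE, "join_network", now, NETWORKS["alpha"], DEVICES["lap01"]))
    print(authorize(ALICE, "join_network", now, NETWORKS["beta"], DEVICES["lap01"]))
    pkt = seal_packet(DEVICES["lap01"], b"hello")
    print(validate_packet(pkt, DEVICES, "alpha"))
    print(validate_packet(pkt, DEVICES, "beta"))
```

Every decision path ends in an explicit reason string, which is what a defender wants in the audit log: a denied join or a dropped packet is only useful if you can see whether it was an expired session, an uninvited user, a disabled device, a bad tag, or an attempted hop between networks.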