PCNSA – 1.3

Given a network design scenario, apply the Zero Trust security model and describe how it relates to traffic moving through your network.

Palo Alto PCNSA Study Guide v10

Traditional Security Model

In the traditional security model, internal devices, users, and applications were inherently trusted. Once traffic was on the network, it was not verified, because it was assumed to be trusted. Since most cyberattacks now come from compromised internal machines, this model is no longer effective.

Zero Trust Model

Trust but verify.

Just like President Reagan and President Gorbachev said during negotiations to reduce both nations’ nuclear stockpiles, we must trust but verify. Palo Alto’s mantra for Zero Trust is “never trust, always verify.” All traffic, both north-south and east-west, must be analyzed by the security hardware. Just because traffic is on UDP port 53 doesn’t mean that it’s really DNS, and even if it is, it isn’t always benign.

Access control in Zero Trust is “need-to-know” and must be strictly enforced. Logging and inspection of all traffic is a requirement.
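
The UDP port 53 point can be shown in code: this added example (not from the study guide or from Palo Alto) allows a port 53 payload only when it parses as a standard DNS query, denies everything else by default, and returns the query name for logging. The function names and sample payloads are constructed for illustration, and the check is a simplified structural test, not how any firewall identifies applications.

```python
import struct

# Constructed sample payloads (not captured traffic).
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # header
             b"\x07example\x03com\x00"                            # QNAME
             b"\x00\x01\x00\x01")                                 # QTYPE=A, QCLASS=IN
NOT_DNS = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"           # HTTP sent to port 53

def parse_dns_query(payload: bytes):
    """Return the query name if payload is a well-formed standard DNS query, else None."""
    if len(payload) < 12:                       # DNS header is 12 bytes
        return None
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", payload[:12])
    qr, opcode = flags >> 15, (flags >> 11) & 0xF
    if qr != 0 or opcode != 0 or qdcount != 1 or ancount != 0:
        return None                             # not a single-question standard query
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None                         # name runs off the end of the packet
        length = payload[pos]
        pos += 1
        if length == 0:                         # root label ends the name
            break
        if length > 63 or pos + length > len(payload):
            return None                         # oversize label (simplified: also rejects pointers)
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):                  # QTYPE and QCLASS must follow the name
        return None
    name = ".".join(labels) or "."
    return name if len(name) <= 253 else None

def verdict(dst_port: int, payload: bytes) -> str:
    """Default deny: allow only traffic that is verified to be what the port implies."""
    if dst_port != 53:
        return "deny+log: no rule for this port"
    name = parse_dns_query(payload)
    if name is None:
        return "deny+log: port 53 but not DNS"
    return f"allow+log: dns query for {name}"   # logged so the name can be inspected further

if __name__ == "__main__":
    for sample in (DNS_QUERY, NOT_DNS, DNS_QUERY[:20]):
        print(verdict(53, sample))
```

A payload that passes this check is only confirmed to be DNS; whether the queried name is benign is a separate inspection step.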