{ claus.conrad }

Zero Trust

Definition

Zero Trust is the concept/philosophy of not assigning any trust based on the network a device happens to be connected to, but instead to authenticated users (and, in most implementations, to the security posture of their devices).

In traditional networking, once a device is connected to a network, e.g. an Ethernet/wireless LAN within an organization, (at least some) implicit trust is assigned to it (i.e., fewer firewall rules restrict connections between the device and internal services). This perimeter-based trust model does not work well in a world of disconnected sites, WFH, and BYOD, and it has an obvious weakness even on-site: a compromised laptop or a rogue device plugged into an office port inherits the same implicit trust as everyone else on the LAN.

In the Zero Trust model, devices are untrusted regardless of their physical location. Instead, users authenticate in a cryptographically secure way, and firewall policies are defined using identities instead of network addresses (e.g., “these roles may connect to the fileshare” instead of “this CIDR network may…”).

Many “Zero Trust” solutions designed to replace traditional VPNs (site-to-site and remote-access) are based on WireGuard and/or HTTPS (TLS) as their secure transport protocol and on OIDC identity providers, such as Microsoft Entra ID (formerly Azure AD) or Google, for authentication.

Providers

In general, these solutions use NAT hole punching (e.g. using STUN to discover the public address/port a NAT has assigned) so that peers behind NAT can connect directly, and fall back to relay nodes for very restrictive networks (e.g. those that prohibit the outbound UDP connections required by WireGuard). When the relay merely forwards WireGuard packets, the session stays end-to-end encrypted and the relay only sees ciphertext; whether that holds, and whether the relay is reachable over TCP/443 from egress-filtered networks, is worth checking per provider.
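The STUN step of the hole-punching flow described above, as an added example (not code from the page or from any of the providers mentioned): a client builds an RFC 5389 Binding Request, and parses the Binding Success Response to recover its reflexive (public) address from the XOR-MAPPED-ADDRESS attribute. The server-side `build_binding_response` only exists so the exchange can be run offline; the IP, port and transaction ID values are constructed for the demo. The security-relevant detail is that a response whose transaction ID does not match the request is rejected rather than trusted.

```python
"""STUN Binding request/response (RFC 5389), IPv4 only. Added example."""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442       # fixed value in every RFC 5389 STUN header
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txid=None):
    """20-byte STUN header: type, body length (0), magic cookie, 12-byte transaction ID."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txid)


def xor_mapped_address(ip, port):
    """Encode an IPv4 XOR-MAPPED-ADDRESS attribute (type, length, value)."""
    xport = port ^ (MAGIC_COOKIE >> 16)                       # port XOR top 16 bits of cookie
    xaddr = int.from_bytes(socket.inet_aton(ip), "big") ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)       # reserved, family=IPv4, port, addr
    return struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value


def build_binding_response(txid, ip, port):
    """What a STUN server sends back; constructed here so the demo runs offline."""
    attrs = xor_mapped_address(ip, port)
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attrs), MAGIC_COOKIE, txid) + attrs


def parse_binding_response(data, expected_txid):
    """Return (ip, port) from a Binding Success Response, or raise ValueError."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    mtype, length, cookie, txid = struct.unpack("!HHI12s", data[:20])
    if cookie != MAGIC_COOKIE:
        raise ValueError("not an RFC 5389 STUN message")
    if txid != expected_txid:
        # A stale or spoofed reply must not change what we believe our public address is.
        raise ValueError("transaction ID mismatch")
    if mtype != BINDING_SUCCESS:
        raise ValueError("unexpected message type 0x%04x" % mtype)
    body = data[20:20 + length]
    if len(body) != length:
        raise ValueError("truncated STUN body")
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        if atype == XOR_MAPPED_ADDRESS:
            _, family, xport, xaddr = struct.unpack("!BBHI", value[:8])
            if family != 0x01:
                raise ValueError("only IPv4 handled in this example")
            port = xport ^ (MAGIC_COOKIE >> 16)
            ip = socket.inet_ntoa((xaddr ^ MAGIC_COOKIE).to_bytes(4, "big"))
            return ip, port
        off += 4 + ((alen + 3) & ~3)   # attribute values are padded to 4-byte boundaries
    raise ValueError("no XOR-MAPPED-ADDRESS in response")


def is_valid_response(data, expected_txid):
    """Convenience wrapper: True only if the response parses and matches our request."""
    try:
        parse_binding_response(data, expected_txid)
        return True
    except ValueError:
        return False


def discover_reflexive_address(server, timeout=2.0):
    """Live query against a real STUN server (host, port); not used by the offline demo."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_binding_request(txid), server)
        data, _ = s.recvfrom(1500)
    return parse_binding_response(data, txid)


if __name__ == "__main__":
    txid = b"\x01" * 12                                   # constructed, normally os.urandom(12)
    reply = build_binding_response(txid, "203.0.113.7", 51820)
    print(parse_binding_response(reply, txid))            # the address the NAT assigned us
    print(is_valid_response(reply, b"\x02" * 12))         # wrong transaction ID -> False
```

Once both peers know their reflexive address/port (exchanged via the provider's coordination service), each sends WireGuard packets to the other's reflexive endpoint; the NAT on each side has just created a mapping for the outbound STUN traffic, so the inbound packets are accepted. Symmetric NATs assign a new mapping per destination, which is why the relay fallback exists.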

Hub-and-spoke

These networks resemble traditional VPNs, such as OpenVPN. Each virtual or physical site has a “connector” (gateway/proxy), which terminates encryption and routes traffic to the local subnet. The connector is therefore a trusted component, and traffic between it and the service is in the clear unless the service itself uses TLS:

Mesh

These networks run one connector (agent) per device/appliance, so encryption is end-to-end between peers and policy can be enforced per device rather than per site:

Features to compare

Reverse proxy

Some solutions support identity-aware reverse proxying, i.e. they can be configured to allow clientless resource access via a browser: the proxy authenticates the user (against the same or a different set of users) before forwarding the request to the internal application, so the application itself never has to be exposed to the Internet:

  • [Cloudflare Zero Trust](…/Cloudflare Zero Trust/) (Docs)
  • Pangolin

[Open source](…/Open source/)

These providers are fully [open source](…/open source/) (client and server):

Device security (posture checks)

Most providers can validate device security (“posture”) before allowing access (e.g. OS version, client version); some go further and can require specific endpoint security software (e.g. anti-virus/EDR) to be installed, up to date and enabled. A point worth comparing is whether posture is re-evaluated continuously or only at login, since only the former revokes access from a device that drifts out of compliance during a session.
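The two policy ideas on this page, identity-based rules from the Definition section (“these roles may connect to the fileshare” rather than “this CIDR may”) and the posture checks just described, as one added example in Python (not code from the page or from any provider): a minimal, default-deny policy engine that decides on (verified identity, device posture, resource) and a perimeter-style `legacy_decide` for contrast. The OIDC ID token is assumed to have been verified already (signature, issuer, audience, expiry) by the client or connector, so only its claims dict enters the decision; the rule set, group names, resource names, version numbers and scenarios are all made up for the demo.

```python
"""Identity- and posture-based access decision, default deny. Added example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Device:
    os_version: tuple          # e.g. (14, 2)
    client_version: tuple      # version of the Zero Trust agent
    av_enabled: bool
    av_defs_age_days: int


@dataclass(frozen=True)
class Rule:
    resource: str
    groups: frozenset          # membership in any of these groups matches the rule...
    min_os: tuple = (0,)
    min_client: tuple = (0,)
    require_av: bool = False
    max_defs_age_days: Optional[int] = None   # ...and the device must also pass these


# Hypothetical policy: roles may reach resources; no rule mentions an IP address.
POLICY = (
    Rule("fileshare", frozenset({"staff"}), min_os=(13, 0), min_client=(1, 4)),
    Rule("admin-console", frozenset({"sre"}), min_os=(14, 0), min_client=(1, 6),
         require_av=True, max_defs_age_days=3),
)


def posture_failures(rule, dev):
    """List every posture requirement of `rule` that `dev` does not meet."""
    fails = []
    if dev.os_version < rule.min_os:
        fails.append("os-version")
    if dev.client_version < rule.min_client:
        fails.append("client-version")
    if rule.require_av and not dev.av_enabled:
        fails.append("av-disabled")
    if rule.max_defs_age_days is not None and dev.av_defs_age_days > rule.max_defs_age_days:
        fails.append("av-definitions-stale")
    return fails


def decide(claims, dev, resource, policy=POLICY):
    """Zero Trust decision -> (allowed, reason). No identity or no matching rule means deny."""
    if not claims.get("sub"):
        return False, "no authenticated identity"
    groups = set(claims.get("groups", []))     # missing claim is treated as no groups
    for rule in policy:
        matched = groups & rule.groups
        if rule.resource != resource or not matched:
            continue
        fails = posture_failures(rule, dev)
        if fails:
            return False, "posture: " + ",".join(fails)
        return True, "%s via %s" % (claims["sub"], sorted(matched)[0])
    return False, "no matching rule for identity/resource"


def legacy_decide(src_ip, trusted_cidr="10.0.0.0/24"):
    """Perimeter model for contrast: whoever is on the LAN gets in, identity unknown."""
    return ip_address(src_ip) in ip_network(trusted_cidr)


# Constructed scenarios (not real users or devices)
COMPLIANT = Device((14, 2), (1, 6), True, 1)
STALE_CLIENT = Device((14, 2), (1, 2), True, 1)
NO_AV = Device((14, 2), (1, 6), False, 1)
ALICE = {"sub": "alice@example.com", "groups": ["staff", "sre"]}
BOB = {"sub": "bob@example.com", "groups": ["staff"]}
NO_IDENTITY = {}

if __name__ == "__main__":
    # Rogue device on the office LAN: perimeter model lets it in, Zero Trust does not.
    print(legacy_decide("10.0.0.77"), decide(NO_IDENTITY, COMPLIANT, "fileshare"))
    # Alice working from home: perimeter model denies, Zero Trust allows.
    print(legacy_decide("198.51.100.9"), decide(ALICE, COMPLIANT, "fileshare"))
    # Same Alice with an outdated agent, or with AV off on the admin console: denied with reason.
    print(decide(ALICE, STALE_CLIENT, "fileshare"))
    print(decide(ALICE, NO_AV, "admin-console"))
    # Bob is staff but not SRE: no rule grants him the admin console.
    print(decide(BOB, COMPLIANT, "admin-console"))
```

The reason strings matter in practice: a denial caused by posture (“update your client”) should be shown to the user, while a denial caused by a missing rule should be logged as a possible probing attempt. In a real deployment `decide` would be called again on every posture change, not only at login.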