The Firewall is a Lie: Why You Need Zero-Trust Now
Let’s be honest. If your security strategy in 2017 relies entirely on a perimeter firewall and a prayer, you are already compromised. The old "Castle and Moat" strategy—where everything inside the LAN is trusted and everything outside is hostile—is obsolete. Why? Because the attackers are already inside. Phishing emails, compromised developer laptops, or a single vulnerability in a web app turn your "secure" internal network into a playground for escalation.
Google has been preaching the "BeyondCorp" model since 2014. The concept is simple: Trust nothing. Verify everything. Even if a request comes from 192.168.1.5, treat it as if it's coming from a hacker in a basement in halfway across the world.
With the EU's General Data Protection Regulation (GDPR) enforcement date set for May 2018, Norwegian companies have just over a year to get their data handling strictly under control. Datatilsynet (The Norwegian Data Protection Authority) will not accept "but we had a firewall" as an excuse for a data breach.
Here is how we implement a Zero-Trust architecture on a Linux VPS environment today, using tools available in CentOS 7 and Ubuntu 16.04.
1. Identity is the New Perimeter (Hardening SSH)
The first rule of Zero Trust is strong identity verification. Passwords are garbage. They get leaked, guessed, or brute-forced. If you are managing servers via SSH with a password, stop.
We need to enforce key-based authentication and, for critical systems, Multi-Factor Authentication (MFA) at the SSH level.
Configuration: SSH Keys + Google Authenticator
First, install the PAM Google Authenticator module:
apt-get install libpam-google-authenticator # Ubuntu/Debian
yum install google-authenticator # CentOS 7
Run google-authenticator on the server to generate your QR code. Then, lock down your /etc/ssh/sshd_config. We don't want root logging in, and we definitely don't want passwords.
# /etc/ssh/sshd_config
Port 2222 # Security by obscurity isn't security, but it reduces log noise
Protocol 2
PermitRootLogin no
MaxAuthTries 3
# The Critical Part
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
Finally, edit /etc/pam.d/sshd to require the code:
auth required pam_google_authenticator.so
Now, to access the server, you need the private key AND the code from your phone. If a developer loses their laptop, the key alone is useless.
2. Micro-Segmentation: Trust No Neighbor
In a standard setup, if one server in your cluster gets infected, it scans the local subnet and infects the database. In a Zero-Trust model, the web server should only talk to the database on port 3306, and nothing else. Not ping, not SSH, not HTTP.
CoolVDS Pro Tip: This is why virtualization technology matters. We use KVM (Kernel-based Virtual Machine) for our instances. Unlike OpenVZ or LXC containers used by budget hosts, KVM provides true hardware isolation. A compromised kernel on a neighbor's container won't leak into your memory space. Security starts at the hypervisor.
We use iptables (or the newer nftables, though widespread adoption is still slow) to explicitly whitelist connections. Default policy must be DROP.
# Flush existing rules
iptables -F
# Set Default Policy to Drop
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow Loopback
iptables -A INPUT -i lo -j ACCEPT
# Allow Established Connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow SSH (on our custom port)
iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
# Allow Web Traffic (Public facing)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# ZERO TRUST: Only allow DB connection from specific App Server IP
iptables -A INPUT -p tcp -s 10.0.0.5 --dport 3306 -j ACCEPT
# Save rules
service iptables saveIf the web server at 10.0.0.5 gets compromised, the attacker cannot probe the database server on any port other than 3306.
3. Encryption Everywhere (Mutual TLS)
"But it's a private network!" is a dangerous mindset. In Zero Trust, we assume the network is tapped. Traffic between your Load Balancer and your Backend, or your App and your Database, must be encrypted.
With Let's Encrypt leaving beta last year, there is no excuse for unencrypted HTTP, even internally. However, for true Zero Trust, we use Mutual TLS (mTLS). This means the server verifies the client's certificate, and the client verifies the server's.
Here is a snippet for Nginx acting as a backend that requires a client certificate (e.g., from the Load Balancer):
server {
listen 443 ssl;
server_name internal-api.coolvds.local;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
# Verify the Client (Load Balancer)
ssl_client_certificate /etc/nginx/ssl/ca.crt;
ssl_verify_client on;
location / {
try_files $uri $uri/ =404;
}
}4. The VPN Wrapper
Management interfaces (PhpMyAdmin, Jenkins, Admin Panels) should never be exposed to the public internet. Ever.
In 2017, the most robust way to handle this is an OpenVPN server acting as a gateway. You don't connect to Jenkins; you connect to the VPN, which pushes a route to the Jenkins internal IP.
| Feature | Public Exposure | VPN / Zero Trust |
|---|---|---|
| Attack Surface | Entire Internet | Authenticated Users Only |
| Auth Layers | Application Login | Certificate + VPN Auth + App Login |
| Latency | Low | +5-10ms (Negligible on CoolVDS) |
The Infrastructure Requirement
Implementing Zero Trust requires compute overhead. Encryption (SSL/TLS) costs CPU cycles. Packet filtering costs CPU cycles. If you are running this on a budget VPS with "shared" CPU cores where the host oversells resources by 400%, your latency will spike every time you shake hands via TLS.
This is where hardware choice becomes a security feature. CoolVDS instances run on enterprise hardware with AES-NI instruction sets enabled, allowing the CPU to offload encryption math natively. This keeps your crypto-heavy Zero Trust architecture fast, even when pushing gigabits of data.
Furthermore, for Norwegian clients, keeping data within our Oslo borders ensures you aren't fighting cross-border data transfer headaches under the incoming GDPR framework.
Final Thoughts
Zero Trust isn't a product you buy; it's a discipline. It's assuming that despite your best efforts, a breach will happen, and designing your system so that the breach is contained immediately.
Start small. harden your SSH today. Set up a VPN for your admin tools tomorrow. And stop trusting your local network.
Ready to build a fortress? Deploy a high-performance, KVM-isolated instance on CoolVDS today and get full root access to build your security architecture properly.