Stop Trusting Your Internal Network: A DevOps Guide to Zero-Trust in 2018
Let's be brutally honest: your perimeter firewall is a lie. For the last decade, we built infrastructure like medieval castles—thick walls on the outside, soft and unguarded on the inside. We assumed that if a packet came from 192.168.x.x or the private VLAN, it was friendly. In 2018, with the GDPR enforcement deadline less than three months away (May 25th is coming fast), that assumption isn't just outdated; it's a liability.
I recently audited a setup for a SaaS provider in Oslo. They had a formidable Cisco ASA at the edge, but their internal MongoDB instance had no authentication because "it's on the private network." When a developer's laptop was compromised via a phishing email, the attacker rode the VPN right into the database. No exploits needed. Just an open door labeled "Internal Trust."
This is why we need Zero-Trust. Google's BeyondCorp papers started this conversation, but you don't need Google-scale infrastructure to implement it. You just need to stop trusting IP addresses and start verifying identity, every single time.
The Three Pillars of Zero-Trust for VPS Hosting
Zero-Trust isn't a product you buy; it's a mindset that assumes the network is hostile. Even the cable connecting your servers. Even the switch. Here is how we apply this to a Linux environment.
1. Identity is the New Perimeter (SSH Hardening)
If you are still using passwords for SSH, you are wrong. If you are using SSH keys without 2FA, you are risky. In a Zero-Trust model, possessing a private key isn't enough; we need to verify the human behind the key.
We implement Two-Factor Authentication (2FA) on the SSH level using libpam-google-authenticator. This ensures that even if a developer's laptop (and their SSH keys) are stolen, the attacker cannot pivot to your CoolVDS production node.
Implementation:
# Install the PAM module (Debian/Ubuntu)
sudo apt-get update
sudo apt-get install libpam-google-authenticator
# Configure it for your user
google-authenticator
Once you have your QR code scanned, you must tell the SSH daemon to require both the public key and the verification code. Edit /etc/ssh/sshd_config:
AuthenticationMethods publickey,keyboard-interactive
ChallengeResponseAuthentication yes
UsePAM yes
And in /etc/pam.d/sshd, add the following line at the bottom:
auth required pam_google_authenticator.so
Now, every login attempt requires a YubiKey or Google Authenticator code. This adds milliseconds to your login flow but adds years to your life expectancy as a sysadmin.
2. Micro-Segmentation via Iptables
Standard VPS providers give you a "private network" and tell you it's secure. At CoolVDS, we tell you to treat our private network like the public internet. Why? Because neighbor noise isn't just about CPU steal; it's about attack surface.
Do not allow your web server to talk to your database server on all ports. Allow it to talk only on port 3306, and only from the specific IP of the web worker. We use `iptables` to enforce this strictly. `ufw` is nice for beginners, but for granular Zero-Trust, we write raw rules.
# Flush existing rules
iptables -F
# Default policy: DROP everything.
# If we don't explicitly allow it, it dies.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow loopback (critical)
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections (so you don't lock yourself out)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow SSH only from your VPN or management IP
iptables -A INPUT -p tcp -s 203.0.113.50 --dport 22 -j ACCEPT
# Database: Allow access ONLY from the Web Server Private IP
iptables -A INPUT -p tcp -s 10.10.0.5 --dport 3306 -j ACCEPT
# Log dropped packets (for auditing/Datatilsynet compliance)
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
Pro Tip: Always run `iptables-save` after applying rules. There is nothing more embarrassing than rebooting a hardened server only to find it wide open because the config wasn't persistent.
3. Encryption in Transit (Internal SSL)
In 2018, Let's Encrypt has made SSL trivial for public facing sites. But Zero-Trust demands we encrypt the traffic between our servers too. If an attacker manages to sniff the traffic on the virtual switch, they should see garbage, not SQL queries.
For MySQL/MariaDB, enable SSL. It adds overhead, yes. But modern CPUs (like the Xeons we run in our Oslo datacenter) handle AES-NI instructions so efficiently that the latency impact is negligible—often less than 2ms.
Configuring MariaDB for SSL:
[mysqld]
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem
require_secure_transport=ON
The "CoolVDS" Factor: KVM vs. Containers
You cannot build a secure house on a swamp. Security architecture relies heavily on the isolation provided by the hypervisor. This is where the choice of virtualization matters immensely.
Many budget providers in Europe still rely on OpenVZ or LXC containers for their VPS offerings. In these environments, you share the kernel with every other customer on the host. If a kernel-level exploit hits (remember Dirty COW?), isolation breaks down.
At CoolVDS, we strictly use KVM (Kernel-based Virtual Machine). Each VPS runs its own isolated kernel. This is a fundamental requirement for a Zero-Trust model. You cannot trust the host kernel; you must bring your own. Combined with our NVMe storage backend, the I/O penalty of full virtualization is gone. You get the security of a dedicated server with the flexibility of the cloud.
| Feature | Container VPS (OpenVZ) | CoolVDS (KVM) |
|---|---|---|
| Kernel Isolation | Shared (Risky) | Isolated (Secure) |
| IPTables Modules | Limited/Restricted | Full Control |
| Encryption Performance | Variable | Native AES-NI Pass-through |
| SELinux Support | Often Disabled | Fully Supported |
GDPR and Data Sovereignty
With the GDPR deadline in May, "Privacy by Design" (Article 25) is the law. Hosting your data on a US-controlled cloud adds a layer of legal complexity regarding data transfers. By keeping your infrastructure in Norway—specifically in our Oslo facility connected directly to NIX—you simplify compliance. Your data stays within the EEA (via Norway's alignment), governed by Norwegian privacy laws which are historically stricter than the EU average.
Zero-Trust isn't just about hackers; it's about demonstrating to the Datatilsynet that you took every technical measure possible to protect user data. If you are breached, having a `LOG` record of dropped packets and strict access controls changes the conversation from "gross negligence" to "sophisticated attack."
Conclusion
The days of the soft internal network are over. Treat every server as if it is directly connected to a hostile public Wi-Fi hotspot. Implement 2FA on SSH, drop all unnecessary traffic by default, and encrypt your database connections.
Security is a trade-off between convenience and safety. We handle the hardware safety—giving you isolated KVM instances and DDOS protection. The rest is configuration.
Ready to harden your infrastructure? Deploy a KVM-based CoolVDS instance in Oslo today and start building your Zero-Trust architecture on solid ground.