3.11 Zero Trust WAN
| Field |
Value |
| Document ID |
SDWAN-SEC-3.11 |
| Version |
1.0 |
| Last Updated |
December 2025 |
| Author |
Network Architecture Team |
| Classification |
Internal Use |
1. Executive Summary
This section documents the Zero Trust Network Access (ZTNA) principles applied to Abhavtech's SD-WAN deployment. The Zero Trust WAN architecture eliminates implicit trust based on network location and instead enforces continuous verification of identity, device health, and context before granting access to resources.
1.1 Zero Trust Principles
+------------------------------------------------------------------+
| ZERO TRUST CORE PRINCIPLES |
+------------------------------------------------------------------+
| |
| +------------------+ +------------------+ +------------------+
| | NEVER TRUST | | ALWAYS VERIFY | | LEAST PRIVILEGE |
| +------------------+ +------------------+ +------------------+
| | No implicit trust| | Every access | | Minimum access |
| | from location | | request verified | | required |
| +------------------+ +------------------+ +------------------+
| |
| +------------------+ +------------------+ +------------------+
| | ASSUME BREACH | | VERIFY EXPLICITLY| | SECURE DEFAULTS |
| +------------------+ +------------------+ +------------------+
| | Design for | | MFA, cert-based | | Default deny |
| | compromise | | authentication | | policy |
| +------------------+ +------------------+ +------------------+
| |
+------------------------------------------------------------------+
1.2 Zero Trust WAN Architecture
+------------------------------------------------------------------+
| ZERO TRUST WAN ARCHITECTURE |
+------------------------------------------------------------------+
| |
| Traditional Network Zero Trust WAN |
| +------------------+ +------------------+ |
| | Perimeter-Based | | Identity-Based | |
| | - Castle & Moat | | - Verify Always | |
| | - Trust internal | | - Trust Nothing | |
| | - Implicit access| | - Explicit policy| |
| +------------------+ +------------------+ |
| |
| Zero Trust WAN Components: |
| +----------------------------------------------------------+ |
| | | |
| | +----------+ +----------+ +----------+ +----------+ | |
| | | Identity | | Device | | Context | | Policy | | |
| | | Verify | | Health | | Aware | | Engine | | |
| | +----+-----+ +----+-----+ +----+-----+ +----+-----+ | |
| | | | | | | |
| | +-------------+-------------+-------------+ | |
| | | | |
| | +------v------+ | |
| | | Access | | |
| | | Decision | | |
| | +------+------+ | |
| | | | |
| | +------v------+ | |
| | | Grant/Deny | | |
| | | + Log | | |
| | +-------------+ | |
| | | |
| +----------------------------------------------------------+ |
| |
+------------------------------------------------------------------+
2. Identity Verification
2.1 Device Identity
+------------------------------------------------------------------+
| DEVICE IDENTITY VERIFICATION |
+------------------------------------------------------------------+
| |
| Device Authentication Methods: |
| +----------------------------------------------------------+ |
| | Method | Use Case | Trust Level | |
| +----------------------------------------------------------+ |
| | Certificate (X.509) | WAN Edge routers | Highest | |
| | OTP Token | ZTP onboarding | High | |
| | Serial + Chassis ID | PnP bootstrap | Medium | |
| +----------------------------------------------------------+ |
| |
| Device Identity Flow: |
| +------------------+ |
| | WAN Edge Router | |
| | Serial: XXX | |
| | Cert: Signed | |
| +--------+---------+ |
| | |
| v |
| +------------------+ +------------------+ |
| | Certificate |---->| SD-WAN Manager | |
| | Validation | | Identity DB | |
| +------------------+ +------------------+ |
| | | |
| v v |
| +------------------+ +------------------+ |
| | Device Trusted | | Policy Applied | |
| +------------------+ +------------------+ |
| |
+------------------------------------------------------------------+
2.2 User Identity Integration
! ISE Integration for User Identity
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius
radius server ISE-PRIMARY
address ipv4 10.254.1.10 auth-port 1812 acct-port 1813
key ABHAV-RADIUS-KEY
radius server ISE-SECONDARY
address ipv4 10.254.1.11 auth-port 1812 acct-port 1813
key ABHAV-RADIUS-KEY
aaa group server radius ISE-SERVERS
server name ISE-PRIMARY
server name ISE-SECONDARY
!
! SAML Integration for vManage
security
saml
idp <IDP_METADATA>
sp entity-id https://vmanage.abhavtech.com
mfa required
!
!
3. Device Health Verification
3.1 Posture Assessment
+------------------------------------------------------------------+
| DEVICE POSTURE ASSESSMENT |
+------------------------------------------------------------------+
| |
| Assessment Components: |
| +----------------------------------------------------------+ |
| | Component | Check | Action | |
| +----------------------------------------------------------+ |
| | Software Version | Approved version | Block/Upgrade | |
| | Security Config | Hardening baseline | Remediate | |
| | Certificate Status | Valid, not expired | Block | |
| | Compliance State | Policy adherent | Quarantine | |
| +----------------------------------------------------------+ |
| |
| Posture Flow: |
| +------------------+ +------------------+ |
| | Device Connects |---->| Posture Check | |
| +------------------+ +--------+---------+ |
| | |
| +---------------+---------------+ |
| | | | |
| +------v------+ +------v------+ +------v------+ |
| | Compliant | | Non-Comply | | Unknown | |
| | Full Access | | Remediate | | Quarantine | |
| +-------------+ +-------------+ +-------------+ |
| |
+------------------------------------------------------------------+
3.2 Continuous Posture Monitoring
! Continuous Device Health Monitoring
event manager applet DEVICE-HEALTH-CHECK
event timer watchdog time 300
action 1.0 cli command "show version | include Version"
action 2.0 cli command "show crypto pki certificates"
action 3.0 cli command "show sdwan control connections"
action 4.0 syslog msg "Device health check completed"
!
! Alert on Compliance Deviation
event manager applet CONFIG-CHANGE-ALERT
event syslog pattern "CONFIG_I"
action 1.0 syslog msg "Configuration change detected - verify compliance"
action 2.0 snmp-trap strdata "Config change - posture revalidation needed"
!
4. Context-Aware Access
4.1 Contextual Factors
| Factor |
Description |
Use in Policy |
| Location |
Geographic/network location |
Geo-restrictions |
| Time |
Time of access request |
Business hours policy |
| Device Type |
Corporate vs BYOD |
Access level |
| Risk Score |
Calculated risk |
Dynamic policy |
| Application |
Target application |
App-specific rules |
| Behavior |
User activity patterns |
Anomaly detection |
4.2 Context-Based Policy
+------------------------------------------------------------------+
| CONTEXT-AWARE ACCESS POLICY |
+------------------------------------------------------------------+
| |
| Access Request Evaluation: |
| |
| +----------+ +----------+ +----------+ +----------+ |
| | WHO | | WHAT | | WHERE | | WHEN | |
| | Identity | | Resource | | Location | | Time | |
| +----+-----+ +----+-----+ +----+-----+ +----+-----+ |
| | | | | |
| +-------------+-------------+-------------+ |
| | |
| +------v------+ |
| | Risk Score | |
| | Calculation | |
| +------+------+ |
| | |
| +--------------+--------------+ |
| | | | |
| +------v------+ +-----v------+ +-----v------+ |
| | Low Risk | | Med Risk | | High Risk | |
| | Full Access | | Limited | | MFA + Log | |
| +-------------+ +------------+ +------------+ |
| |
+------------------------------------------------------------------+
4.3 Dynamic Policy Configuration
! Context-Aware Data Policy
policy
data-policy CONTEXT-AWARE-ACCESS
vpn-list VPN-10-EMPLOYEE
! After-hours access requires additional verification
sequence 10
match
source-ip 0.0.0.0/0
time-range AFTER-HOURS
action accept
set
service firewall
log
count AFTER-HOURS-ACCESS
!
!
! Geographic restriction - block non-approved countries
sequence 20
match
source-ip PREFIX-BLOCKED-COUNTRIES
action drop
log
count GEO-BLOCKED
!
!
! High-risk applications require additional inspection
sequence 30
match
app-list HIGH-RISK-APPS
action accept
set
service firewall
service utd
count HIGH-RISK-INSPECTED
!
!
!
!
!
5. Microsegmentation
5.1 Zero Trust Segmentation Model
+------------------------------------------------------------------+
| ZERO TRUST MICROSEGMENTATION |
+------------------------------------------------------------------+
| |
| Traditional Flat Network: |
| +----------------------------------------------------------+ |
| | All devices can communicate freely | |
| | Lateral movement possible after breach | |
| +----------------------------------------------------------+ |
| |
| Zero Trust Microsegmentation: |
| +----------------------------------------------------------+ |
| | +------+ +------+ +------+ +------+ | |
| | | User | | User | | Server| | Server| | |
| | | SGT 3| | SGT 6| | SGT 10| | SGT 11| | |
| | +--+---+ +--+---+ +--+---+ +--+---+ | |
| | | | | | | |
| | +-----+-----+-----+-----+-----+-----+ | |
| | | | | | |
| | +-----v-----+-----v-----+-----v-----+ | |
| | | Policy Enforcement Point (PEP) | | |
| | | Evaluate every flow against | | |
| | | SGT matrix policy | | |
| | +-----------------------------------+ | |
| | | |
| | Access: SGT 3 -> SGT 10: ALLOW (specific ports) | |
| | SGT 3 -> SGT 11: DENY (no business need) | |
| | SGT 6 -> SGT 11: ALLOW (executive access) | |
| +----------------------------------------------------------+ |
| |
+------------------------------------------------------------------+
5.2 SGT-Based Zero Trust Policy
! Zero Trust SGT Matrix
! Default: DENY ALL
! Employee to Standard Servers - Specific Services Only
cts role-based permissions from 3 to 10
ip access-list role-based EMPLOYEE-TO-SERVER
permit tcp any any eq 80
permit tcp any any eq 443
permit tcp any any eq 3389
deny ip any any log
!
! Employee to Critical Servers - DENY
cts role-based permissions from 3 to 11
ip access-list role-based DENY-ALL
deny ip any any log
!
! Executive to Critical Servers - ALLOW with logging
cts role-based permissions from 6 to 11
ip access-list role-based EXEC-TO-CRITICAL
permit ip any any log
!
! IoT to Servers - Minimal Access
cts role-based permissions from 7 to 10
ip access-list role-based IOT-TO-SERVER
permit tcp any any eq 443
deny ip any any log
!
! Default Policy - Deny All Unknown
cts role-based permissions default
ip access-list role-based DEFAULT-DENY
deny ip any any log
!
6. Continuous Verification
6.1 Session Monitoring
+------------------------------------------------------------------+
| CONTINUOUS SESSION MONITORING |
+------------------------------------------------------------------+
| |
| Session Lifecycle: |
| |
| +----------+ +----------+ +----------+ +----------+ |
| | Session |---->| Initial |---->| Periodic |---->| Terminate| |
| | Request | | Verify | | Revalidate | | Session | |
| +----------+ +----------+ +----------+ +----------+ |
| |
| Continuous Checks: |
| +----------------------------------------------------------+ |
| | Check | Frequency | Action on Failure | |
| +----------------------------------------------------------+ |
| | Session Active | Real-time | Terminate | |
| | User Authenticated | 5 minutes | Re-authenticate | |
| | Device Posture | 15 minutes | Quarantine | |
| | Behavior Anomaly | Continuous | Alert + Review | |
| | Certificate Valid | Hourly | Block | |
| +----------------------------------------------------------+ |
| |
+------------------------------------------------------------------+
6.2 Anomaly Detection
! Behavioral Anomaly Detection
! Monitor for unusual patterns
event manager applet ANOMALY-DETECTION
event syslog pattern ".*TCAM.*full.*"
action 1.0 syslog priority critical msg "Potential DoS - TCAM exhaustion"
action 2.0 snmp-trap strdata "Security anomaly detected"
!
! Traffic Baseline Deviation
ip sla monitor 100
type udp-jitter dest-addr 10.100.1.1 dest-port 5000
threshold 100
timeout 5000
frequency 60
!
! Alert on Significant Deviation
track 100 ip sla 100
event manager applet BASELINE-DEVIATION
event track 100 state down
action 1.0 syslog msg "Network behavior deviation detected"
!
7. Zero Trust Remote Access
7.1 ZTNA for Remote Workers
+------------------------------------------------------------------+
| ZTNA REMOTE ACCESS |
+------------------------------------------------------------------+
| |
| Traditional VPN: |
| +------------------+ +------------------+ |
| | Remote User |---->| VPN Gateway | |
| | Full Network | | Full Access | |
| | Access | | Once Connected | |
| +------------------+ +------------------+ |
| |
| Zero Trust Network Access: |
| +------------------+ +------------------+ |
| | Remote User |---->| ZTNA Broker | |
| +------------------+ +--------+---------+ |
| | |
| +------------------------+------------------------+ |
| | | | |
| +------v------+ +------v------+ +------v---+ |
| | App 1 | | App 2 | | App 3 | |
| | Authorized | | Authorized | | Denied | |
| +-------------+ +-------------+ +----------+ |
| |
| Per-application access based on identity and context |
| |
+------------------------------------------------------------------+
7.2 ZTNA Configuration (Umbrella SIG)
! ZTNA via Umbrella SIG
! Per-application access control
! Step 1: Establish SIG Tunnel
interface Tunnel100
description "Umbrella SIG - ZTNA"
ip address negotiated
tunnel source GigabitEthernet0/0/1
tunnel mode ipsec ipv4
tunnel protection ipsec profile UMBRELLA-IPSEC
!
! Step 2: Route specific applications through ZTNA
! Corporate apps via ZTNA inspection
ip route 10.0.0.0 255.0.0.0 Tunnel100
! Step 3: Policy enforcement at SIG
! (Configured in Umbrella dashboard)
! - User identity verification
! - Device posture check
! - Application-specific access rules
! - Continuous monitoring
8. Zero Trust Implementation Roadmap
8.1 Maturity Model
| Level |
Description |
Abhavtech Status |
| Level 1 |
Basic segmentation |
✅ Complete |
| Level 2 |
Identity-based access |
✅ Complete |
| Level 3 |
Device health verification |
✅ Complete |
| Level 4 |
Context-aware policies |
🔄 In Progress |
| Level 5 |
Full zero trust |
📋 Planned Q2 2026 |
8.2 Implementation Phases
+------------------------------------------------------------------+
| ZERO TRUST IMPLEMENTATION |
+------------------------------------------------------------------+
| |
| Phase 1: Foundation (Complete) |
| +----------------------------------------------------------+ |
| | - Network segmentation (VPNs) | |
| | - Device authentication (certificates) | |
| | - User authentication (ISE integration) | |
| +----------------------------------------------------------+ |
| |
| Phase 2: Enhanced Controls (Current) |
| +----------------------------------------------------------+ |
| | - SGT-based microsegmentation | |
| | - Device posture assessment | |
| | - Continuous monitoring | |
| +----------------------------------------------------------+ |
| |
| Phase 3: Advanced Zero Trust (Q2 2026) |
| +----------------------------------------------------------+ |
| | - Full ZTNA deployment | |
| | - Behavioral analytics | |
| | - Automated policy adjustment | |
| +----------------------------------------------------------+ |
| |
+------------------------------------------------------------------+
9. Best Practices Summary
9.1 Identity Best Practices
- Require MFA for all administrative access
- Use certificate-based device authentication
- Integrate with centralized identity provider (ISE)
- Implement just-in-time access for privileged operations
9.2 Segmentation Best Practices
- Default deny between all segments
- Use SGT for granular microsegmentation
- Document all allowed flows with business justification
- Regularly audit and prune access rules
9.3 Verification Best Practices
- Continuously monitor device health
- Implement behavioral analytics
- Log all access decisions for audit
- Automate response to anomalies
References
| Document |
Description |
Location |
| NIST SP 800-207 |
Zero Trust Architecture |
nist.gov |
| Cisco Zero Trust Guide |
Implementation guide |
cisco.com |
| Forrester ZTX |
Zero Trust framework |
forrester.com |
| Abhavtech Security Policy |
Internal zero trust policy |
SharePoint |
Document Version: 1.0
Last Updated: December 2025
Classification: Internal Use
Document ID: SDWAN-SEC-3.11