The Position of Safe ZTP in Zero Belief Networks

Spread the love

In at this time’s fast-paced and hyper-connected world, gone are the times when deploying community units required sending an knowledgeable to every location — a cumbersome, time-consuming, and error-prone course of that triggered important downtime and elevated operational prices. To surmount these limitations, Cisco gives a wide range of community orchestrators. These included Cisco Catalyst Middle (previously Cisco DNA Middle), SD WAN Supervisor (previously Cisco vManage), and Meraki Dashboard, which help companies in automating their campus community administration together with Day 0 provisioning. These orchestrators enable community directors to remotely deploy a lot of community units shortly and securely, with out requiring any human intervention. This not solely saves money and time but in addition liberates IT division sources, permitting them to redirect their efforts in the direction of different crucial areas.

Utilizing Catalyst Middle PnP, Cisco IT was capable of cut back annual deployment prices for some websites by roughly 25%, or greater than $1.6 million. Moreover, upgrading our 285 small and medium-sized workplaces with Cisco Catalyst Middle saved 570 man-hours per improve[1].

Along with Cisco community orchestrators for purchasers using a Do-It-Your self (DIY) strategy with homegrown instruments, Catalyst 9000 sequence switches provide assist for an assortment of open standard-based implementations for Day 0 community automation, equivalent to Preboot eXecution Setting (PXE) and Zero Contact Provisioning (ZTP). So, if you end up nonetheless manually configuring community units, it might be time to contemplate stepping out of the stone age and exploring the advantages of automation.

Day 0 community automation

When delving into the realm of open standard-based Day 0 community automation, it turns into clear that PXE, whereas a helpful approach, comes with a set of limitations, equivalent to solely permitting community units in addition from a network-based supply and never having the ability to ship configurations to units in the course of the PXE workflow. ZTP, alternatively, can be utilized to improve software program pictures and push configuration recordsdata, decreasing the prospect of human error and guaranteeing configuration consistency in an effort to get community units up and working.

Whereas ZTP and PXE are handy for automating the provisioning course of, they could inadvertently expose community units to potential threats. Lack of safe authentication and verification mechanisms in the course of the provisioning course of is among the main issues with these methods. Moreover, ZTP and PXE make the most of HTTP/TFTP to obtain the software program picture or configuration recordsdata, that are inherently insecure protocols as a result of they lack encryption. On account of these limitations, these methods may lead to unauthorized entry to the machine or a man-in-the-middle assault if the best safety measures aren’t put in place in the course of the machine provisioning.

Cyberattacks have elevated

In at this time’s quickly evolving digital panorama, the place enterprises are present process substantial transformation, cyberattacks have elevated amid the rise of cloud computing, hybrid and multi-cloud networks, and the rise of distant work. In keeping with the newest IBM Ponemon Institute 2023 Price of Knowledge Breach Research, the typical value of a knowledge breach reached an all-time excessive in 2023 of USD 4.45 million [2]. Moreover, in response to ITIC’s 2022 International Server {Hardware} Safety report, 76% of corporations cite Knowledge Breaches and Human Error because the main purpose of server, OS, software, and community downtime, and the hourly value of downtime has risen to over $300,000[3].

On condition that cybercriminals are continually devising new methods to infiltrate networks, the normal safety strategy, which assumes that all the things throughout the community perimeter is reliable, is not ample. That is additionally true for Day 0 community automation, the place it’s essential to validate the trustworthiness of the newly deployed machine, bootstrap server, and configurations pushed to the machine. With out implementing these safety measures, our networks are susceptible to a wide range of cyberattacks, together with the infamous zero-day exploits. To make sure maximal safety and decrease potential dangers, the Zero Belief precept of “by no means belief, at all times confirm” have to be carried out all through the whole provisioning course of.

Keep safety all through the provisioning course of

That is the place Safe Zero Contact Provisioning comes into play. Safe ZTP, as described in RFC 8572, is an enhanced model of ZTP that emphasizes sustaining safety all through the provisioning course of by decreasing the chance of safety breaches. Safe ZTP is a proactive strategy that employs sturdy authentication, a safe boot mechanism, and encrypted communication channels to reinforce the safety posture of a community whereas Day 0 community automation is in place.

How does Safe ZTP work?

Safe ZTP employs three-step validation, together with machine validation, server validation, and artifact validation, to securely onboard the machine. The diagram offered beneath illustrates the assorted steps concerned within the machine onboarding and provisioning course of inside a safe ZTP framework. Let’s take a more in-depth have a look at every of those steps:

Secire ZTP diagram

1. System Validation

Earlier than onboarding a brand new machine on the community, it’s essential to make sure that neither the machine nor its firmware has been tampered with or compromised to forestall provide chain or every other assaults, by which malicious actors try to introduce modified or malicious units into the community. Based mostly on the current IBM report, 15% of organizations recognized a provide chain compromise because the supply of a knowledge breach [2].Safe ZTP performs machine authentication previous to provisioning it in an effort to confirm the integrity and authenticity of a tool and to permit solely approved units to affix the community.For machine validation, Safe ZTP makes use of certificate-based authentication the place the machine sends the Belief Anchor Certificates (also referred to as a SUDI certificates put in within the machine in the course of the manufacturing course of) to the Safe ZTP server, and the server validates it with the general public certificates (offered by the producer) to make sure the machine’s authenticity.

2. Server Validation

Server validation is one other very important a part of the Safe ZTP. By confirming the server’s identification, the machine can guarantee that it’s speaking with an uncompromised, reliable server. This prevents unauthorized or malicious servers from intercepting or manipulating the provisioning course of. After verifying the machine, bootstrap server sends server certificates. The machine requests bootstrapping information with the flag “signed-data-preferred” after receiving the server certificates, indicating that the machine doesn’t belief the server. On this case, take into account that server validation is optionally available in Safe ZTP. If the community administrator decides to carry out server validation (which entitles server to obtain bootstrapping progress report), the server will ship the “redirect-data” with different bootstrapping information to the machine, offering its personal handle and the belief anchor. The machine verifies the server’s certificates and marks it as trusted server after receiving the belief anchor. Right here, if the system administrator opts to not validate the server, the server will as a substitute go on bootstrapping information instead of the “redirect-data”. As well as, the machine will proceed the bootstrapping course of assuming the server is untrusted.

3. Artifact Validation

Artifact validation is essential to make sure that the configuration recordsdata or software program pictures used to provision community units are genuine and haven’t been tampered with. As soon as the server validation is full (or skipped), the bootstrap server will ship the proprietor certificates, possession voucher, and onboarding info to the machine as bootstrapping information. Let’s talk about them intently to realize a greater understanding.

  • Possession Voucher (OV): The possession voucher artifact validates the proprietor certificates to confirm the identification of the machine’s proprietor. The machine manufacture indicators the OV and offers it to the shopper primarily based on the request. To generate the OV, the shopper should present the pinned-domain-cert and serial variety of the machine to the Cisco MASA server.
  • Proprietor Certificates (OC): Proprietor Certificates is an X.509 certificates that binds an proprietor identification to a public key, which a tool can use to validate signature over the conveyed info artifact. The proprietor certificates additionally holds all intermediate certificates that led to the “pinned-domain-cert” certificates specified within the possession voucher, permitting the OV to validate the OC.
  • Conveyed Data/Onboarding Data: Onboarding info offers information crucial for a tool to bootstrap itself and set up safe connections with different methods. Onboarding info specify particulars in regards to the boot picture a tool have to be working, an preliminary configuration the machine should commit, and scripts that the machine should efficiently execute. The onboarding info have to be signed by the machine’s proprietor utilizing OC.

Zero Belief is essential when performing Day 0 provisioning

Along with its many options, Safe ZTP goes past by providing audit trails and monitoring capabilities. This contains logging all provisioning occasions, configuration modifications, and consumer actions. By monitoring ZTP actions, community directors can shortly detect any suspicious exercise and take applicable motion.

As we wrap up our dialogue, it turns into clear that Zero Belief can be essential when performing Day 0 provisioning, and Safe ZTP is one of the best ways to make sure that zero belief rules are utilized whereas performing Day 0 provisioning utilizing a Do-It-Your self (DIY) strategy.

With the IOS-XE 17.11.1 launch, customers can now benefit from the safe Zero Contact Provisioning (ZTP) capabilities with Catalyst 9000 sequence switches. This thrilling function aligns with the specs outlined in RFC 8572, guaranteeing a safe and seamless provisioning expertise. For extra particulars about the best way to implement Safe ZTP, please refer the IOS-XE 17.11.1 Configuration Information.

Maintain Studying with these sources


  1. Cisco DNA Middle: Early Outcomes from Intent-based Networking
  2. Safety, Knowledge Breaches High Reason for Downtime in 2022
  3. IBM – Price of a Knowledge Breach Report 2023


Leave a Reply

Your email address will not be published. Required fields are marked *