DoD Zero Trust Strategy for the network pillar
The DoD Zero Trust Strategy and Roadmap outlines a path for Department of Defense components and Defense Industrial Base (DIB) partners to adopt a new cybersecurity framework based on Zero Trust principles. Zero Trust eliminates traditional perimeters and trust assumptions, enabling a more efficient architecture that enhances security, user experiences, and mission performance.
This guide has recommendations for the 152 Zero Trust activities in the DoD Zero Trust Capability Execution Roadmap. The sections correspond with the seven pillars of the DoD Zero Trust model.
Use the following links to go to sections of the guide.
- Introduction
- User
- Device
- Applications and workloads
- Data
- Network
- Automation and orchestration
- Visibility and analytics
5 Network
This section has Microsoft guidance and recommendations for DoD Zero Trust activities in the network pillar. To learn more, see Secure networks with Zero Trust.
5.1 Data flow mapping
The Azure Virtual Network service is the building block of your private network in Azure. In a virtual network, Azure resources communicate with each other, with the internet, and with on-premises resources.
When you deploy a multiple hub-and-spoke network topology in Azure, Azure Firewall routes traffic between virtual networks. Azure Firewall Premium also includes security features such as Transport Layer Security (TLS) inspection, a network intrusion detection and prevention system (IDPS), URL filtering, and content filtering.
Azure network tools like Azure Network Watcher and Azure Monitor Network Insights help you map and visualize network traffic flow. Microsoft Sentinel integration enables visibility and control over organizational network traffic, with workbooks, automation, and detection capabilities.
DoD Activity Description and Outcome | Microsoft guidance and recommendations |
---|---|
Target 5.1.1 Define Granular Control Access Rules & Policies Pt1<br>The DoD Enterprise working with the Organizations creates granular network access rules and policies. Associated Concept of Operations (ConOps) are developed in alignment with access policies and ensure future supportability. Once agreed upon, DoD Organizations will implement these access policies into existing network technologies (e.g., Next Generation Firewalls, Intrusion Prevention Systems, etc.) to improve initial risk levels.<br>Outcomes:<br>- Provide Technical Standards<br>- Develop Concept of Operations<br>- Identify Communities of Interest | Azure Firewall Premium<br>Use Azure Virtual Network and Azure Firewall Premium to control communication and routing between cloud resources, between cloud and on-premises resources, and to the internet. Azure Firewall Premium has threat intelligence, threat detection, and intrusion-prevention capabilities to secure traffic.<br>- Segmentation strategy<br>- Route a multi-hub-and-spoke topology<br>- Azure Firewall Premium features<br>Use Azure Firewall Policy Analytics to manage firewall rules, gain visibility into traffic flow, and perform detailed analytics on firewall rules.<br>- Azure Firewall Policy Analytics<br>Azure Private Link<br>Use Azure Private Link to access Azure platform as a service (PaaS) over a private endpoint in a virtual network. Use private endpoints to restrict critical Azure resources solely to virtual networks. Traffic from the virtual network to Azure remains on the Azure backbone network, so it isn't necessary to expose the virtual network to the public internet to consume Azure PaaS services.<br>- Secure networks: PaaS service boundary<br>- Network security best practices<br>Network security groups<br>Enable flow logging on network security groups (NSGs) to capture traffic activity. Visualize the activity data in Network Watcher.<br>- NSG flow logs<br>Azure Virtual Network Manager<br>Use Azure Virtual Network Manager for centralized connectivity and security configurations for virtual networks across subscriptions.<br>- Azure Virtual Network Manager<br>Azure Firewall Manager<br>Azure Firewall Manager is a security management service for centralized security policy and route management for cloud-based security perimeters.<br>- Azure Firewall Manager<br>Azure Policy<br>Use Azure Policy to enforce networking standards, such as forced tunneling of traffic to Azure Firewall or other network appliances. Prohibit public IPs or enforce secure use of encryption protocols.<br>- Definitions for Azure networking services<br>Azure Monitor<br>Use Azure Network Watcher and Azure Monitor Network Insights for a comprehensive, visual representation of your network.<br>- Network Watcher<br>- Network insights |
Target 5.1.2 Define Granular Control Access Rules & Policies Pt2<br>DoD Organizations utilize data tagging and classification standards to develop data filters for API access to the SDN Infrastructure. API Decision Points are formalized within the SDN architecture and implemented with non-mission/task critical applications and services.<br>Outcome:<br>- Define Data Tagging Filters for API Infrastructure | Application security groups<br>Use application security groups to configure network security as an extension of application structure. Group virtual machines (VMs) and define network security policies based on the groups.<br>- Application security groups<br>Azure service tags<br>Use service tags for Azure VMs and Azure Virtual Networks to restrict network access to the Azure services in use. Azure maintains the IP addresses associated with each tag.<br>- Azure service tags<br>Azure Firewall<br>Azure Firewall Manager is a security management service for centralized security policy and route management for cloud-based security perimeters (firewall, DDoS, WAF). Use IP groups to manage IP addresses for Azure Firewall rules.<br>- Azure Firewall Manager<br>- IP groups<br>Azure Virtual Network Manager<br>Virtual Network Manager is a management service to group, configure, deploy, view, and manage virtual networks globally across subscriptions.<br>- Common use cases<br>Azure Network Watcher<br>Enable Network Watcher to monitor, diagnose, and view metrics, and to enable or disable logs for Azure infrastructure-as-a-service (IaaS) resources. Use Network Watcher to monitor and repair the network health of IaaS products like VMs, VNets, application gateways, load balancers, and more.<br>- Azure Network Watcher |
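The data flow mapping activity above relies on NSG flow logs. The following added example (not part of the Microsoft guidance or any Azure SDK) parses the version 2 flow log layout, with a constructed sample record, placeholder subscription and NSG names, and a `summarize` function that builds a per-rule flow map and lists the denied inbound source/port pairs an analyst would review.

```python
"""Summarize Azure NSG flow logs (version 2) into a per-rule data-flow map."""
import json
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample record in the NSG flow log v2 layout (placeholder IDs, not real telemetry).
SAMPLE_LOG = json.dumps({"records": [{
    "time": "2024-01-01T12:00:00.0000000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/SUB-PLACEHOLDER/RESOURCEGROUPS/RG1/PROVIDERS/"
                  "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG",
    "properties": {"Version": 2, "flows": [
        {"rule": "UserRule_allow-https-in", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1704110402,203.0.113.7,10.5.16.4,51822,443,T,I,A,B,,,,",
            "1704110403,203.0.113.7,10.5.16.4,51822,443,T,I,A,E,12,2688,10,9400"]}]},
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1704110410,198.51.100.9,10.5.16.4,40001,22,T,I,D,B,,,,",
            "1704110411,198.51.100.9,10.5.16.4,40002,3389,T,I,D,B,,,,"]}]},
        {"rule": "DefaultRule_AllowVnetOutBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1704110420,10.5.16.4,10.5.32.5,55000,1433,T,O,A,B,,,,"]}]},
    ]}}]})


@dataclass(frozen=True)
class Flow:
    ts: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str        # "T" (TCP) or "U" (UDP)
    direction: str    # "I" inbound or "O" outbound, relative to the NIC
    decision: str     # "A" allowed or "D" denied by the named rule
    state: str        # "B" begin, "C" continuing, "E" end
    total_bytes: int  # src->dst plus dst->src bytes; zero on records without counters


def parse_flow_tuple(raw: str) -> Flow:
    """Parse one comma-separated v2 flowTuple; the four counter fields may be empty."""
    f = raw.split(",")
    if len(f) != 13:
        raise ValueError(f"expected 13 fields in flowTuple, got {len(f)}: {raw!r}")
    as_int = lambda s: int(s) if s else 0
    return Flow(int(f[0]), f[1], f[2], int(f[3]), int(f[4]), f[5], f[6], f[7], f[8],
                as_int(f[10]) + as_int(f[12]))


def summarize(log_text: str) -> dict:
    """Flow map: per (NSG, rule) counts and bytes, allowed edges, and denied inbound (src, port) pairs."""
    per_rule = defaultdict(Counter)
    allowed_edges = Counter()
    denied_inbound = set()
    for rec in json.loads(log_text)["records"]:
        nsg = rec["resourceId"].rsplit("/", 1)[-1]
        for rule_entry in rec["properties"]["flows"]:
            key = (nsg, rule_entry["rule"])
            for nic in rule_entry["flows"]:
                for raw in nic["flowTuples"]:
                    fl = parse_flow_tuple(raw)
                    per_rule[key]["bytes"] += fl.total_bytes
                    if fl.state != "B":  # count each flow once, at its begin record
                        continue
                    per_rule[key]["allowed" if fl.decision == "A" else "denied"] += 1
                    if fl.decision == "A":
                        allowed_edges[(fl.src_ip, fl.dst_ip, fl.dst_port, fl.proto)] += 1
                    elif fl.direction == "I":
                        denied_inbound.add((fl.src_ip, fl.dst_port))
    return {"per_rule": {k: dict(v) for k, v in per_rule.items()},
            "allowed_edges": dict(allowed_edges), "denied_inbound": denied_inbound}
```

The allowed edges are the material for a flow map between tiers; the denied inbound pairs show which exposed ports the default deny rule is absorbing.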
5.2 Software defined networking
Virtual networks are the foundation of private networks in Azure. With a virtual network (VNet), an organization controls communication between Azure resources and on-premises networks. Filter and route traffic, and integrate with other Azure services like Azure Firewall, Azure Front Door, Azure Application Gateway, Azure VPN Gateway, and Azure ExpressRoute.
DoD Activity Description and Outcome | Microsoft guidance and recommendations |
---|---|
Target 5.2.1 Define SDN APIs<br>The DoD enterprise works with the Organizations to define the necessary APIs and other programmatic interfaces to enable Software Defined Networking (SDN) functionalities. These APIs will enable Authentication Decision Point, Application Delivery Control Proxy, and Segmentation Gateways automation.<br>Outcomes:<br>- SDN APIs are standardized and implemented<br>- APIs are functional for AuthN Decision Point, App Delivery Control Proxy, and Segmentation Gateways | Azure Resource Manager<br>Deploy and configure Azure networks using Azure Resource Manager (ARM) APIs. The Azure management tools (Azure portal, Azure PowerShell, Azure Command-Line Interface (CLI), and templates) use the same ARM APIs to authenticate and authorize requests.<br>- Azure Resource Manager<br>- Azure REST API references<br>Azure roles<br>Assign built-in Azure roles for networking resource management. Follow least-privilege principles and assign roles just-in-time (JIT) via PIM.<br>- Azure built-in roles |
Target 5.2.2 Implement SDN Programmable Infrastructure<br>Following the API standards, requirements, and SDN API functionalities, DoD Organizations will implement Software Defined Networking (SDN) infrastructure to enable automation tasks. Segmentation Gateways and Authentication Decision Points are integrated into the SDN infrastructure along with output logging into a standardized repository (e.g., SIEM, Log Analytics) for monitoring and alerting.<br>Outcomes:<br>- Implemented Application Delivery Control Proxy<br>- Established SIEM Logging Activities<br>- Implemented User Activity Monitoring (UAM)<br>- Integrated with Authentication Decision Point | Azure networking resources<br>Secure external access to applications hosted in a virtual network (VNet) with Azure Front Door (AFD), Azure Application Gateway, or Azure Firewall. AFD and Application Gateway have load-balancing and security features for the Open Web Application Security Project (OWASP) Top 10 and bots, and you can create custom rules. Azure Firewall has threat intelligence filtering at Layer 4.<br>- Cloud native filtering and protection for known threats<br>- Networking architecture design<br>Microsoft Sentinel<br>Azure Firewall, Application Gateway, AFD, and Azure Bastion export logs to Sentinel or other security information and event management (SIEM) systems for analysis. Use connectors in Sentinel or Azure Policy to enforce this requirement across an environment.<br>- Azure Firewall with Sentinel<br>- Azure Web App Firewall connector to Sentinel<br>- Find Sentinel data connectors<br>Microsoft Entra application proxy<br>Deploy application proxy to publish and deliver private applications on your on-premises network. Integrate secure hybrid access (SHA) partner solutions.<br>- Application proxy<br>- Deploy application proxy<br>- SHA partner integrations<br>Microsoft Entra ID Protection<br>Deploy Microsoft Entra ID Protection and bring sign-in risk signals to Conditional Access. See Microsoft guidance 1.3.3 in User.<br>Microsoft Defender for Cloud Apps<br>Use Defender for Cloud Apps to monitor risky web application sessions.<br>- Defender for Cloud Apps |
Target 5.2.3 Segment Flows into Control, Management, and Data Planes<br>Network infrastructure and flows are segmented either physically or logically into control, management, and data planes. Basic segmentation using IPv6/VLAN approaches is implemented to better organize traffic across data planes. Analytics and NetFlow from the updated infrastructure is automatically fed into Operations Centers and analytics tools.<br>Outcomes:<br>- IPv6 Segmentation<br>- Enable Automated NetOps Information Reporting<br>- Ensure Configuration Control Across Enterprise<br>- Integrated with SOAR | Azure Resource Manager<br>Azure Resource Manager is the deployment and management service for Azure; its management layer creates, updates, and deletes resources in an Azure account.<br>- Azure control and data planes<br>- Multitenant control planes<br>- Azure operational security<br>Microsoft Sentinel<br>Connect Azure network infrastructure to Sentinel. Configure Sentinel data connectors for non-Azure networking solutions. Use custom analytics queries to trigger Sentinel SOAR automation.<br>- Threat response with playbooks<br>- Detection and response for Azure Firewall with Logic Apps<br>See Microsoft guidance in 5.2.2. |
Advanced 5.2.4 Network Asset Discovery & Optimization<br>DoD Organizations automate network asset discovery through the SDN infrastructure limiting access to devices based on risk based methodical approaches. Optimization is conducted based on the SDN analytics to improve overall performance along with provide necessary approved access to resources.<br>Outcomes:<br>- Technical Refreshment/Technology Evolution<br>- Provide Optimization/Performance Controls | Azure Monitor<br>Use Azure Monitor network insights for a comprehensive visual representation of network resources, including topology, health, and metrics. See Microsoft guidance in 5.1.1.<br>Microsoft Defender for Cloud<br>Defender for Cloud discovers and lists an inventory of provisioned resources in Azure, other clouds, and on-premises.<br>- Multicloud environment<br>- Manage resource security posture<br>Microsoft Defender for Endpoint<br>Onboard endpoints and configure device discovery to collect, probe, or scan your network to discover unmanaged devices.<br>- Device discovery overview |
Advanced 5.2.5 Real-Time Access Decisions<br>SDN Infrastructure utilizes cross Pillar data sources such as User Activity Monitoring, Entity Activity Monitoring, Enterprise Security Profiles and more for real-time access decisions. Machine learning is used to assist decision making based on advanced network analytics (full packet capture, etc.). Policies are consistently implemented across Enterprise using unified access standards.<br>Outcomes:<br>- Analyze SIEM Logs with Analytics Engine to Provide Real-Time Policy Access Decisions<br>- Support Sending Captured Packets, Data/Network Flows, and other Specific Logs for Analytics<br>- Segment End-to-End Transport Network Flows<br>- Audit Security Policies for Consistency across Enterprise | Complete activities 5.2.1 - 5.2.4.<br>Microsoft Sentinel<br>Detect threats by sending networking logs to Sentinel for analysis. Use capabilities such as threat intelligence, advanced multistage attack detection, threat hunting, and built-in queries. Sentinel automation enables operators to block malicious IP addresses.<br>- Detect threats with analytics rules<br>- Azure Firewall connector for Sentinel<br>Azure Network Watcher<br>Use Azure Network Watcher to capture network traffic to and from virtual machines (VMs) and Virtual Machine Scale Sets.<br>- Packet capture<br>Microsoft Defender for Cloud<br>Defender for Cloud assesses compliance with the network security controls prescribed in frameworks such as the Microsoft Cloud Security Benchmark, DoD Impact Level 4 (IL4) and IL5, and National Institute of Standards and Technology (NIST) 800-53 R4/R5.<br>- Security Control: Network security<br>Conditional Access<br>Use the Conditional Access insights and reporting workbook to understand the effects of organizational Conditional Access policies.<br>- Insights and reporting |
5.3 Macro segmentation
Azure subscriptions are high-level constructs that separate Azure resources. Communication between resources in different subscriptions is explicitly provisioned. Virtual network (VNet) resources in a subscription provide network-level resource containment. By default, VNets can’t communicate with other VNets. To enable network communication between VNets, peer them and use Azure Firewall to control and monitor the traffic.
To learn more, see secure and govern workloads with network-level segmentation.
DoD Activity Description and Outcome | Microsoft guidance and recommendations |
---|---|
Target 5.3.1 Datacenter Macro Segmentation<br>DoD Organizations implement data center focused macro-segmentation using traditional tiered (web, app, db) and/or service based architectures. Proxy and/or enforcement checks are integrated with the SDN solution(s) based on device attributes and behavior.<br>Outcomes:<br>- Log Actions to SIEM<br>- Establish Proxy/Enforcement Checks of Device Attributes, Behavior, and other Data<br>- Analyze Activities with Analytics Engine | Azure networking<br>Design and implement Azure networking services based on established architectures, like enterprise-scale landing zones. Segment Azure virtual networks (VNets) and follow Azure network security best practices. Apply network security controls as packets cross VNet boundaries.<br>- Best practices for network security<br>- Sovereignty and Azure landing zones<br>- Network topology and connectivity<br>- Networking and connectivity recommendations<br>Microsoft Entra ID Protection<br>Deploy Microsoft Entra ID Protection and use device and risk signals in your Conditional Access policy set. See Microsoft guidance 1.3.3 in User and 2.1.4 in Device.<br>Microsoft Sentinel<br>Use connectors to send logs from Microsoft Entra ID and networking resources to Microsoft Sentinel for audit, threat hunting, detection, and response. Enable User and Entity Behavior Analytics (UEBA) in Sentinel. See Microsoft guidance in 5.2.2 and 1.6.2 in User.<br>Microsoft Defender XDR<br>Integrate Microsoft Defender for Endpoint with Microsoft Defender for Cloud Apps and block access to unsanctioned apps.<br>- Integrate Defender for Cloud Apps with Defender for Endpoint<br>- Discover and block shadow IT |
Target 5.3.2 B/C/P/S Macro segmentation<br>DoD Organizations implement base, camp, post, and station macro-segmentation using logical network zones limiting lateral movement. Proxy and/or enforcement checks are integrated with the SDN solution(s) based on device attributes and behavior.<br>Outcomes:<br>- Establish Proxy/Enforcement Checks of Device Attributes, Behavior, and other Data<br>- Log Actions to SIEM<br>- Analyze Activities with Analytics Engine<br>- Leverage SOAR to Provide RT Policy Access Decisions | Complete activity 5.3.1.<br>Microsoft Sentinel<br>Use Sentinel with Azure Firewall to visualize firewall activities, detect threats with AI investigation capabilities, correlate activities, and automate response actions.<br>- Azure Firewall |
5.4 Micro segmentation
Network security groups (NSGs) and application security groups (ASGs) provide network micro segmentation for Azure networks. ASGs simplify traffic filtering based on application patterns: deploy multiple applications in the same subnet and isolate their traffic based on the ASGs.
To learn more, see secure and govern workloads with network-level segmentation.
DoD Activity Description and Outcome | Microsoft guidance and recommendations |
---|---|
Target 5.4.1 Implement Micro segmentation<br>DoD Organizations implement Micro-Segmentation infrastructure into SDN environment enabling basic segmentation of service components (e.g., web, app, db), ports, and protocols. Basic automation is accepted for policy changes including API decision making. Virtual hosting environments implement micro-segmentation at the host/container level.<br>Outcomes:<br>- Accept Automated Policy Changes<br>- Implement API Decision Points<br>- Implement NGF/Micro FW/Endpoint Agent in Virtual Hosting Environment | Complete activity 5.3.1.<br>Azure Firewall Premium<br>Use Azure Firewall Premium as the NextGen Firewall (NGF) in your Azure network segmentation strategy. See Microsoft guidance in 5.1.1.<br>Application security groups<br>In network security groups (NSGs), use application security groups to configure network security as an extension of application structure. Simplify network security policies by associating the Azure resources that belong to the same application with an application security group.<br>- Secure and govern workloads with network-level segmentation<br>- Application security groups<br>Azure Kubernetes Service<br>Require Azure Container Networking Interface (Azure CNI) for applications in Azure Kubernetes Service (AKS) using built-in definitions in Azure Policy. Implement container-level microsegmentation for containers in AKS using network policies.<br>- Networking concepts for AKS<br>- Configure Azure CNI Overlay networking<br>- Secure traffic between pods using network policies<br>- AKS policy reference<br>Microsoft Defender for Servers<br>Onboard Azure virtual machines (VMs), VMs in other cloud hosting environments, and on-premises servers to Defender for Servers. Network protection in Microsoft Defender for Endpoint blocks host-level processes from communicating with specific domains, host names, or IP addresses that match indicators of compromise (IoCs).<br>- Plan your Defender for Servers deployment<br>- Protect your network<br>- Create indicators |
Target 5.4.2 Application & Device Micro segmentation<br>DoD Organizations utilize Software Defined Networking (SDN) solution(s) to establish infrastructure meeting the ZT Target functionalities: logical network zones, role, attribute, and conditional based access control for user and devices, privileged access management services for network resources, and policy-based control on API access.<br>Outcomes:<br>- Assign Role, Attribute, & Condition Based Access Control to User & Devices<br>- Provide Privileged Access Management Services<br>- Limit Access on Per Identity Basis for User and Device<br>- Create Logical Network Zones | Microsoft Entra ID<br>Integrate applications with Microsoft Entra ID. Govern access with app roles, security groups, and access packages. See Microsoft guidance 1.2 in User.<br>Conditional Access<br>Design Conditional Access policy sets for dynamic authorization based on user, role, group, device, client app, identity risk, and application resource. Use authentication contexts to create logical network zones based on user and environmental conditions. See Microsoft guidance 1.8.3 in User.<br>Privileged Identity Management<br>Configure PIM for just-in-time (JIT) access to privileged roles and Microsoft Entra security groups. See Microsoft guidance 1.4.2 in User.<br>Azure Virtual Machines and SQL databases<br>Configure Azure Virtual Machines and SQL instances to use Microsoft Entra identities for user sign-in.<br>- Sign in to Windows in Azure<br>- Sign in to Linux VM in Azure<br>- Authentication with Azure SQL<br>Azure Bastion<br>Use Bastion to connect securely to Azure VMs with private IP addresses from the Azure portal, or by using a native secure shell (SSH) or remote desktop protocol (RDP) client.<br>- Bastion<br>Microsoft Defender for Servers<br>Use just-in-time (JIT) VM access to protect VMs from unauthorized network access.<br>- Enable JIT access on VMs |
Advanced 5.4.3 Process Micro segmentation<br>DoD Organizations utilize existing micro-segmentation and SDN automation infrastructure enabling process micro-segmentation. Host-level processes are segmented based on security policies and access is granted using real-time access decision making.<br>Outcomes:<br>- Segment Host-Level Processes for Security Policies<br>- Support Real-Time Access Decisions and Policy Changes<br>- Support Offload of Logs for Analytics and Automation<br>- Support Dynamic Deployment of Segmentation Policy | Complete activity 5.4.2.<br>Microsoft Defender for Endpoint<br>Enable network protection in Defender for Endpoint to block host-level processes and applications from connecting to malicious domains, IP addresses, or compromised host names. See Microsoft guidance 4.5.1.<br>Continuous access evaluation<br>Continuous access evaluation (CAE) enables services like Exchange Online, SharePoint Online, and Microsoft Teams to subscribe to Microsoft Entra events like account disablement and high-risk detections in Microsoft Entra ID Protection. See Microsoft guidance 1.8.3 in User.<br>Microsoft Sentinel<br>Use connectors to send logs from Microsoft Entra ID and networking resources to Microsoft Sentinel for audit, threat hunting, detection, and response. See Microsoft guidance in 5.2.2 and 1.6.2 in User. |
Target 5.4.4 Protect Data In Transit<br>Based on the data flow mappings and monitoring, policies are enabled by DoD Organizations to mandate protection of data in transit. Common use cases such as Coalition Information Sharing, Sharing Across System Boundaries and Protection across Architectural Components are included in protection policies.<br>Outcomes:<br>- Protect Data In Transit During Coalition Information Sharing<br>- Protect Data in Transit Across System High Boundaries<br>- Integrate Data In Transit Protection Across Architecture Components | Microsoft 365<br>Use Microsoft 365 for DoD collaboration. Microsoft 365 services encrypt data at rest and in transit.<br>- Encryption in Microsoft 365<br>Microsoft Entra External ID<br>Microsoft 365 and Microsoft Entra ID enhance coalition sharing with easy onboarding and access management for users in other DoD tenants.<br>- B2B collaboration<br>- Secure guest sharing<br>Configure cross-tenant access and Microsoft cloud settings to control how users collaborate with external organizations.<br>- Cross-tenant access<br>- Microsoft cloud settings<br>Microsoft Entra ID Governance<br>Govern external user access lifecycles with entitlement management.<br>- External access with entitlement management<br>Microsoft Defender for Cloud<br>Use Defender for Cloud to continuously assess and enforce secure transport protocols for cloud resources.<br>- Cloud security posture management |
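The micro segmentation rows above (5.4.1 and 5.4.2) rest on how NSG rules with application security groups are evaluated: by priority, first match wins, with Azure's default rules behind every user rule. The following added example (not Microsoft's code) models that evaluation for a web/app/db tier policy; the VNet range, VM addresses and ASG names are constructed placeholders, and the test shows the caveat a practitioner should know: without an explicit intra-VNet deny rule, the default AllowVnetInBound rule (priority 65000) still lets web reach db directly.

```python
"""Evaluate NSG inbound rules that reference application security groups (ASGs) the way
Azure does: sort by priority (lower number first), first match wins, default rules last."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = ip_network("10.5.0.0/16")  # assumption: the workload VNet address space


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # user rules 100-4096; Azure default rules 65000 and above
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp" or "*"
    source: str       # ASG name, service tag (VirtualNetwork/Internet/AzureLoadBalancer), CIDR, or "*"
    destination: str  # same forms as source
    dest_ports: str   # "*", a single port "443", or a range "8000-8010"


# Azure's built-in inbound default rules with their real priorities; they sit behind every user rule.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*"),
]

# Constructed inventory (placeholder addresses): VM name -> (private IP, ASG memberships).
VMS = {
    "web1": ("10.5.16.4", {"asg-web"}),
    "app1": ("10.5.32.5", {"asg-app"}),
    "db1": ("10.5.48.6", {"asg-db"}),
}

# Tiered policy for the web/app/db pattern in 5.4.1: only web->app:8080 and app->db:1433, plus an
# explicit deny so the default AllowVnetInBound rule cannot admit other intra-VNet traffic.
TIERED_RULES = [
    Rule("allow-web-to-app", 100, "Allow", "Tcp", "asg-web", "asg-app", "8080"),
    Rule("allow-app-to-db", 110, "Allow", "Tcp", "asg-app", "asg-db", "1433"),
    Rule("deny-vnet-inbound", 4000, "Deny", "*", "VirtualNetwork", "VirtualNetwork", "*"),
]


def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _endpoint_match(spec: str, ip, asgs: set) -> bool:
    """Match an address spec against an endpoint's IP and ASG memberships."""
    if spec == "*" or spec in asgs:
        return True
    if spec == "VirtualNetwork":
        return ip in VNET
    if spec == "AzureLoadBalancer":
        return ip == ip_address("168.63.129.16")  # Azure's health-probe source address
    if spec == "Internet":
        return ip.is_global  # simplification of the Internet service tag
    try:
        return ip in ip_network(spec, strict=False)
    except ValueError:
        return False  # an ASG this endpoint is not a member of


def evaluate_inbound(rules, src_vm: str, dst_vm: str, protocol: str, port: int):
    """Return (rule name, decision) of the first rule matching src_vm -> dst_vm:port."""
    src_ip, src_asgs = ip_address(VMS[src_vm][0]), VMS[src_vm][1]
    dst_ip, dst_asgs = ip_address(VMS[dst_vm][0]), VMS[dst_vm][1]
    for r in sorted(list(rules) + DEFAULT_INBOUND, key=lambda x: x.priority):
        if (r.protocol in ("*", protocol)
                and _endpoint_match(r.source, src_ip, src_asgs)
                and _endpoint_match(r.destination, dst_ip, dst_asgs)
                and _port_match(r.dest_ports, port)):
            return r.name, r.access
    raise AssertionError("unreachable: DenyAllInBound matches every flow")
```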
Next steps
Configure Microsoft cloud services for the DoD Zero Trust Strategy: