Zero Trust Architektur-Beispiele
Umfassende Zero Trust Architekturbeispiele mit Authentifizierung, Netzsegmentierung und Zugriffskontrolle
Key Facts
- Category
- Security
- Items
- 3
- Format Families
- sample
Sample Overview
Umfassende Zero Trust Architekturbeispiele mit Authentifizierung, Netzsegmentierung und Zugriffskontrolle This sample set belongs to Security and can be used to test related workflows inside Elysia Tools.
💻 Zero Trust Identitätsauthentifizierung
🔴 complex
⭐⭐⭐⭐⭐
Mehr-Authentifizierung mit adaptiver Risiko-Bewertung
⏱️ 40 min
🏷️ authentication, mfa, risk-assessment, jwt, session-management
// Zero Trust Identity Authentication System
// Multi-factor authentication with adaptive risk assessment
const jwt = require('jsonwebtoken');
const crypto = require('crypto');
const speakeasy = require('speakeasy');
const argon2 = require('argon2');
class ZeroTrustAuthSystem {
constructor(options = {}) {
this.jwtSecret = options.jwtSecret || process.env.JWT_SECRET;
this.tokenBlacklist = new Set();
this.sessionStore = new Map(); // sessionId -> session data
this.riskEngine = new RiskAssessmentEngine(options.risk);
this.mfaProvider = new MFAProvider(options.mfa);
this.config = {
passwordPolicy: {
minLength: 12,
requireUppercase: true,
requireLowercase: true,
requireNumbers: true,
requireSymbols: true,
preventReused: true
},
sessionTimeout: options.sessionTimeout || 15 * 60 * 1000, // 15 minutes
maxFailedAttempts: options.maxFailedAttempts || 5,
lockoutDuration: options.lockoutDuration || 30 * 60 * 1000, // 30 minutes
...options
};
}
async authenticate(credentials, context) {
try {
// Step 1: Validate credentials
const user = await this.validateCredentials(credentials.username, credentials.password);
if (!user) {
throw new Error('Invalid credentials');
}
// Step 2: Risk assessment
const riskScore = await this.riskEngine.assess({
userId: user.id,
credentials,
context,
timestamp: Date.now()
});
console.log(`Risk assessment score: ${riskScore} for user ${user.id}`);
// Step 3: Adaptive authentication based on risk
const authResult = await this.performAdaptiveAuthentication(user, riskScore, context);
if (!authResult.success) {
throw new Error('Authentication failed');
}
// Step 4: Create session with enhanced security
const session = await this.createSecureSession(user, authResult, riskScore, context);
// Step 5: Issue tokens
const tokens = await this.issueTokens(user, session, riskScore);
return {
user: this.sanitizeUser(user),
session: session,
tokens,
riskScore,
mfaRequired: authResult.mfaRequired,
passwordChangeRequired: authResult.passwordChangeRequired
};
} catch (error) {
console.error('Authentication error:', error);
throw error;
}
}
async validateCredentials(username, password) {
// Retrieve user from database (simplified)
const user = await this.getUserByUsername(username);
if (!user) {
return null;
}
// Check if account is locked
if (user.lockUntil && user.lockUntil > Date.now()) {
throw new Error(`Account locked until ${new Date(user.lockUntil).toISOString()}`);
}
// Verify password with secure comparison
const isValid = await argon2.verify(user.passwordHash, password);
if (!isValid) {
await this.handleFailedLogin(user);
return null;
}
// Check if password needs to be changed
if (user.passwordChangeRequired && user.lastPasswordChange) {
const daysSinceChange = (Date.now() - user.lastPasswordChange) / (1000 * 60 * 60 * 24);
if (daysSinceChange > 90) {
user.passwordChangeRequired = true;
}
}
// Reset failed attempts on successful login
user.failedAttempts = 0;
user.lockUntil = null;
await this.updateUser(user);
return user;
}
async performAdaptiveAuthentication(user, riskScore, context) {
const result = {
success: false,
mfaRequired: false,
passwordChangeRequired: false,
additionalVerification: false
};
// Base requirements
if (riskScore < 30) {
// Low risk - standard authentication
result.success = true;
result.passwordChangeRequired = user.passwordChangeRequired || false;
} else if (riskScore < 60) {
// Medium risk - require MFA
if (user.mfaEnabled && context.mfaToken) {
const mfaValid = await this.mfaProvider.verify(user.mfaSecret, context.mfaToken);
if (mfaValid) {
result.success = true;
result.mfaRequired = true;
result.passwordChangeRequired = user.passwordChangeRequired || false;
}
} else {
result.mfaRequired = true;
}
} else {
// High risk - require MFA + additional verification
result.additionalVerification = true;
if (user.mfaEnabled && context.mfaToken) {
const mfaValid = await this.mfaProvider.verify(user.mfaSecret, context.mfaToken);
if (mfaValid) {
// Additional verification: device fingerprint, behavioral analysis, etc.
const additionalValid = await this.performAdditionalVerification(user, context);
if (additionalValid) {
result.success = true;
result.mfaRequired = true;
result.passwordChangeRequired = user.passwordChangeRequired || false;
}
}
}
}
return result;
}
async performAdditionalVerification(user, context) {
// Device fingerprinting
const deviceFingerprint = this.generateDeviceFingerprint(context);
const deviceTrusted = await this.isDeviceTrusted(user.id, deviceFingerprint);
if (!deviceTrusted) {
// Require device registration or additional approval
return false;
}
// Behavioral biometrics (simplified)
const behaviorValid = await this.analyzeBehavior(user.id, context);
return behaviorValid;
}
async createSecureSession(user, authResult, riskScore, context) {
const sessionId = this.generateSecureToken();
const session = {
id: sessionId,
userId: user.id,
username: user.username,
roles: user.roles,
permissions: user.permissions,
riskScore: riskScore,
createdAt: Date.now(),
lastActivity: Date.now(),
expiresAt: Date.now() + this.config.sessionTimeout,
// Security context
ipAddress: context.ipAddress,
userAgent: context.userAgent,
deviceFingerprint: this.generateDeviceFingerprint(context),
// Authentication context
mfaVerified: authResult.mfaRequired,
additionalVerification: authResult.additionalVerification,
// Session security
maxInactiveTime: this.config.sessionTimeout,
requireReauth: riskScore > 70,
// Audit trail
loginTime: Date.now(),
loginMethod: authResult.mfaRequired ? 'mfa' : 'password',
riskLevel: this.getRiskLevel(riskScore)
};
// Store session
this.sessionStore.set(sessionId, session);
// Log session creation
await this.logSecurityEvent('SESSION_CREATED', {
sessionId,
userId: user.id,
riskScore,
context: this.sanitizeContext(context)
});
return session;
}
async issueTokens(user, session, riskScore) {
const now = Math.floor(Date.now() / 1000);
// Access token - short lived
const accessTokenPayload = {
sub: user.id,
username: user.username,
email: user.email,
roles: user.roles,
permissions: user.permissions,
sessionId: session.id,
riskScore: riskScore,
type: 'access',
iat: now,
exp: now + (15 * 60), // 15 minutes
iss: 'zero-trust-auth',
jti: this.generateSecureToken()
};
const accessToken = jwt.sign(accessTokenPayload, this.jwtSecret, {
algorithm: 'HS256'
});
// Refresh token - longer lived
const refreshTokenPayload = {
sub: user.id,
sessionId: session.id,
type: 'refresh',
iat: now,
exp: now + (7 * 24 * 60 * 60), // 7 days
iss: 'zero-trust-auth',
jti: this.generateSecureToken()
};
const refreshToken = jwt.sign(refreshTokenPayload, this.jwtSecret, {
algorithm: 'HS256'
});
// ID token - contains identity information
const idTokenPayload = {
sub: user.id,
name: user.name,
email: user.email,
picture: user.picture,
email_verified: user.emailVerified,
auth_time: now,
session: session.id,
risk_score: riskScore,
type: 'id',
iat: now,
exp: now + (60 * 60), // 1 hour
iss: 'zero-trust-auth',
jti: this.generateSecureToken()
};
const idToken = jwt.sign(idTokenPayload, this.jwtSecret, {
algorithm: 'HS256'
});
return {
accessToken,
refreshToken,
idToken,
expiresIn: 15 * 60
};
}
async validateToken(token, expectedType = null) {
try {
const decoded = jwt.verify(token, this.jwtSecret, {
algorithms: ['HS256']
});
// Check if token is blacklisted
if (this.tokenBlacklist.has(decoded.jti)) {
throw new Error('Token has been revoked');
}
// Check token type if specified
if (expectedType && decoded.type !== expectedType) {
throw new Error(`Expected ${expectedType} token, got ${decoded.type}`);
}
// Validate session
if (decoded.sessionId) {
const session = this.sessionStore.get(decoded.sessionId);
if (!session || session.expiresAt < Date.now()) {
throw new Error('Session expired');
}
// Update last activity
session.lastActivity = Date.now();
this.sessionStore.set(decoded.sessionId, session);
// Check if re-authentication is required
if (session.requireReauth && decoded.exp - Math.floor(Date.now() / 1000) < (5 * 60)) {
throw new Error('Re-authentication required');
}
}
return decoded;
} catch (error) {
console.error('Token validation error:', error);
throw error;
}
}
async revokeToken(token) {
try {
const decoded = jwt.decode(token);
this.tokenBlacklist.add(decoded.jti);
// Remove session if access token
if (decoded.sessionId) {
this.sessionStore.delete(decoded.sessionId);
}
await this.logSecurityEvent('TOKEN_REVOKED', {
jti: decoded.jti,
userId: decoded.sub,
type: decoded.type
});
return true;
} catch (error) {
console.error('Token revocation error:', error);
return false;
}
}
async refreshToken(refreshToken) {
try {
const decoded = jwt.verify(refreshToken, this.jwtSecret, {
algorithms: ['HS256']
});
if (decoded.type !== 'refresh') {
throw new Error('Invalid token type');
}
// Check session validity
const session = this.sessionStore.get(decoded.sessionId);
if (!session || session.expiresAt < Date.now()) {
throw new Error('Session expired');
}
// Get user
const user = await this.getUserById(decoded.sub);
if (!user) {
throw new Error('User not found');
}
// Re-assess risk
const context = this.getSessionContext(session);
const newRiskScore = await this.riskEngine.assess({
userId: user.id,
sessionId: decoded.sessionId,
context,
timestamp: Date.now(),
tokenRefresh: true
});
// Issue new tokens
const newTokens = await this.issueTokens(user, session, newRiskScore);
// Revoke old refresh token
this.tokenBlacklist.add(decoded.jti);
return {
...newTokens,
session: session,
riskScore: newRiskScore
};
} catch (error) {
console.error('Token refresh error:', error);
throw error;
}
}
generateDeviceFingerprint(context) {
const components = [
context.userAgent || '',
context.language || '',
context.timezone || '',
context.screenResolution || '',
context.colorDepth || '',
context.plugins || ''
];
return crypto
.createHash('sha256')
.update(components.join('|'))
.digest('hex');
}
async isDeviceTrusted(userId, deviceFingerprint) {
// Check if device fingerprint is in trusted list
const trustedDevices = await this.getTrustedDevices(userId);
return trustedDevices.includes(deviceFingerprint);
}
async addTrustedDevice(userId, deviceFingerprint, deviceName) {
const trustedDevices = await this.getTrustedDevices(userId);
if (!trustedDevices.includes(deviceFingerprint)) {
trustedDevices.push({
fingerprint: deviceFingerprint,
name: deviceName,
addedAt: Date.now()
});
await this.saveTrustedDevices(userId, trustedDevices);
await this.logSecurityEvent('DEVICE_TRUSTED', {
userId,
deviceFingerprint,
deviceName
});
}
}
generateSecureToken(length = 32) {
return crypto.randomBytes(length).toString('hex');
}
getRiskLevel(riskScore) {
if (riskScore < 30) return 'low';
if (riskScore < 60) return 'medium';
if (riskScore < 80) return 'high';
return 'critical';
}
// Helper methods (would interact with database)
async getUserByUsername(username) {
// Database implementation
return {
id: 'user_123',
username: username,
passwordHash: '$2b$12$LQv3c1yqBWVHxkd0LHAkOYqBmw6DR3Ly.wVmQ.3f/8XIi2lE',
email: '[email protected]',
name: 'John Doe',
roles: ['user'],
permissions: ['read', 'write'],
mfaEnabled: true,
mfaSecret: 'JBSWY3DPEHPK3PXP',
passwordChangeRequired: false,
lastPasswordChange: Date.now() - (30 * 24 * 60 * 60 * 1000),
failedAttempts: 0,
lockUntil: null
};
}
async getUserById(userId) {
// Database implementation
return {
id: userId,
username: 'john_doe',
passwordHash: '$2b$12$LQv3c1yqBWVHxkd0LHAkOYqBmw6DR3Ly.wVmQ.3f/8XIi2lE',
email: '[email protected]',
name: 'John Doe',
roles: ['user'],
permissions: ['read', 'write'],
mfaEnabled: true,
mfaSecret: 'JBSWY3DPEHPK3PXP',
passwordChangeRequired: false,
lastPasswordChange: Date.now() - (30 * 24 * 60 * 60 * 1000),
failedAttempts: 0,
lockUntil: null
};
}
async updateUser(user) {
// Database implementation
console.log('Updating user:', user.id);
}
async handleFailedLogin(user) {
user.failedAttempts++;
if (user.failedAttempts >= this.config.maxFailedAttempts) {
user.lockUntil = Date.now() + this.config.lockoutDuration;
await this.logSecurityEvent('ACCOUNT_LOCKED', {
userId: user.id,
failedAttempts: user.failedAttempts,
lockUntil: user.lockUntil
});
}
await this.updateUser(user);
}
async getTrustedDevices(userId) {
// Database implementation
return [];
}
async saveTrustedDevices(userId, devices) {
// Database implementation
console.log('Saving trusted devices for user:', userId);
}
async logSecurityEvent(event, data) {
// Security logging implementation
const logEntry = {
timestamp: new Date().toISOString(),
event,
data,
severity: this.getEventSeverity(event)
};
console.log('Security event:', logEntry);
// Would send to SIEM, logging service, etc.
}
getEventSeverity(event) {
const severityMap = {
'SESSION_CREATED': 'info',
'TOKEN_REVOKED': 'warning',
'ACCOUNT_LOCKED': 'high',
'DEVICE_TRUSTED': 'info',
'RISK_HIGH': 'high'
};
return severityMap[event] || 'info';
}
sanitizeContext(context) {
const sanitized = { ...context };
// Remove sensitive information
delete sanitized.password;
delete sanitized.token;
delete sanitized.mfaSecret;
return sanitized;
}
sanitizeUser(user) {
const sanitized = { ...user };
// Remove sensitive information
delete sanitized.passwordHash;
delete sanitized.mfaSecret;
return sanitized;
}
getSessionContext(session) {
return {
sessionId: session.id,
userId: session.userId,
ipAddress: session.ipAddress,
userAgent: session.userAgent,
deviceFingerprint: session.deviceFingerprint
};
}
async analyzeBehavior(userId, context) {
// Simplified behavioral analysis
// In practice, this would analyze typing patterns, mouse movements, etc.
return Math.random() > 0.1; // 90% pass rate for demo
}
}
class RiskAssessmentEngine {
constructor(options = {}) {
this.rules = options.rules || this.getDefaultRules();
this.weights = options.weights || { ...this.getDefaultWeights() };
this.model = new MLModel(options.model);
this.enabled = options.enabled !== false;
}
async assess(context) {
if (!this.enabled) {
return 25; // Default medium risk
}
const scores = await Promise.all([
this.assessLocationRisk(context),
this.assessDeviceRisk(context),
this.assessBehavioralRisk(context),
this.assessTemporalRisk(context),
this.assessNetworkRisk(context)
]);
// Apply weights
let weightedScore = 0;
let totalWeight = 0;
for (const [category, score] of Object.entries(scores)) {
const weight = this.weights[category];
weightedScore += score * weight;
totalWeight += weight;
}
// Normalize to 0-100 scale
const normalizedScore = Math.min(100, Math.max(0, (weightedScore / totalWeight) * 100));
// Apply ML model if available
if (this.model && this.model.isTrained()) {
const mlScore = await this.model.predict(context);
return (normalizedScore + mlScore) / 2;
}
return normalizedScore;
}
async assessLocationRisk(context) {
// Assess based on IP geolocation, VPN usage, etc.
return 20;
}
async assessDeviceRisk(context) {
// Assess based on device fingerprint, OS, browser
return 15;
}
async assessBehavioralRisk(context) {
// Assess based on user behavior patterns
return 25;
}
async assessTemporalRisk(context) {
// Assess based on time of day, frequency of requests
const hour = new Date().getHours();
// Higher risk during off-hours
if (hour < 6 || hour > 22) {
return 30;
} else if (hour < 9 || hour > 17) {
return 20;
} else {
return 10;
}
}
async assessNetworkRisk(context) {
// Assess based on network reputation, encryption
return 15;
}
getDefaultRules() {
return {
location: {
suspiciousCountries: ['CN', 'RU', 'KP', 'IR'],
vpns: ['tor', 'proxy', 'vpn'],
datacenters: ['aws', 'gcp', 'azure']
},
device: {
outdatedBrowsers: ['IE', 'Edge Legacy'],
suspiciousUserAgents: ['bot', 'crawler', 'scanner']
},
behavior: {
rapidRequests: 10, // requests per minute
unusualPatterns: ['concurrent', 'distributed']
}
};
}
getDefaultWeights() {
return {
location: 0.3,
device: 0.2,
behavioral: 0.3,
temporal: 0.1,
network: 0.1
};
}
}
class MFAProvider {
constructor(options = {}) {
this.config = options;
this.issuer = options.issuer || 'ZeroTrust';
}
async generateSecret(user) {
const secret = speakeasy.generateSecret({
name: `ZeroTrust MFA - ${user.username}`,
issuer: this.issuer,
length: 32
});
// Save secret to user profile
user.mfaSecret = secret;
await this.updateUser(user);
// Return provisioning URI and QR code
return {
secret: secret,
provisioningUri: speakeasy.otpauthURL({
secret: secret,
label: `${user.username}@${this.issuer}`,
issuer: this.issuer
})
};
}
async verify(secret, token) {
const verified = speakeasy.totp.verify({
secret: secret,
encoding: 'base32',
token: token,
window: 2 // Allow 2 time steps before/after current time
});
return verified;
}
async updateUser(user) {
// Database implementation
console.log('Updating user MFA settings:', user.id);
}
}
class MLModel {
constructor(options = {}) {
this.isModelTrained = false;
this.model = null;
// Would load pre-trained model here
}
isTrained() {
return this.isModelTrained;
}
async predict(context) {
if (!this.isTrained) {
return 25; // Default prediction
}
// Use model for risk prediction
// This would integrate with actual ML model
return Math.random() * 100;
}
}
// Usage example
const authSystem = new ZeroTrustAuthSystem({
jwtSecret: 'your-super-secret-jwt-key',
sessionTimeout: 15 * 60 * 1000, // 15 minutes
maxFailedAttempts: 5,
lockoutDuration: 30 * 60 * 1000, // 30 minutes
riskEngine: {
enabled: true,
model: {
enabled: false // Disable ML for demo
}
},
mfa: {
issuer: 'ZeroTrust'
}
});
// Authentication middleware
const authenticate = async (req, res, next) => {
try {
const authHeader = req.headers.authorization;
if (!authHeader || !authHeader.startsWith('Bearer ')) {
return res.status(401).json({ error: 'Missing or invalid authorization header' });
}
const token = authHeader.substring(7);
const decoded = await authSystem.validateToken(token);
// Add user info to request
req.user = decoded;
req.session = authSystem.sessionStore.get(decoded.sessionId);
next();
} catch (error) {
console.error('Authentication error:', error);
return res.status(401).json({ error: 'Invalid or expired token' });
}
};
// Authorization middleware
const authorize = (requiredPermissions) => {
return (req, res, next) => {
if (!req.user || !req.user.permissions) {
return res.status(403).json({ error: 'No permissions available' });
}
const userPermissions = req.user.permissions;
const hasPermission = requiredPermissions.every(permission =>
userPermissions.includes(permission) || userPermissions.includes('admin')
);
if (!hasPermission) {
return res.status(403).json({
error: 'Insufficient permissions',
required: requiredPermissions,
current: userPermissions
});
}
next();
};
};
// Example route with Zero Trust
app.get('/api/secure-data', authenticate, authorize(['read']), (req, res) => {
res.json({ message: 'Secure data accessed successfully' });
});
// Session management endpoint
app.post('/api/refresh', async (req, res) => {
try {
const { refreshToken } = req.body;
const result = await authSystem.refreshToken(refreshToken);
res.json(result);
} catch (error) {
res.status(401).json({ error: 'Invalid refresh token' });
}
});
// Logout endpoint
app.post('/api/logout', authenticate, async (req, res) => {
try {
const authHeader = req.headers.authorization;
const token = authHeader.substring(7);
await authSystem.revokeToken(token);
res.json({ message: 'Logged out successfully' });
} catch (error) {
res.status(400).json({ error: 'Logout failed' });
}
});
// MFA enrollment endpoint
app.post('/api/mfa/enroll', authenticate, async (req, res) => {
try {
const mfaSetup = await authSystem.mfaProvider.generateSecret(req.user);
res.json(mfaSetup);
} catch (error) {
res.status(500).json({ error: 'MFA enrollment failed' });
}
});💻 Zero Trust Netzwerksegmentierung
🔴 complex
⭐⭐⭐⭐⭐
Erweiterte Netzwerksegmentierung mit Mikrosegmentierung
⏱️ 50 min
🏷️ network-segmentation, micro-segmentation, firewall, iptables, security
// Zero Trust Network Segmentation Implementation
// Advanced segmentation with micro-segmentation and dynamic policies
const express = require('express');
const iptables = require('iptables');
const winston = require('winston');
const crypto = require('crypto');
class ZeroTrustNetworkSegmentation {
constructor(options = {}) {
this.app = express();
this.logger = winston.createLogger({
level: 'info',
format: winston.format.combine(
winston.format.timestamp(),
winston.format.errors({ stack: true }),
winston.format.json()
),
transports: [
new winston.transports.File({ filename: 'network-segmentation.log' }),
new winston.transports.Console()
]
});
this.segmentEngine = new SegmentEngine(options.segmentation);
this.policyEngine = new PolicyEngine(options.policies);
this.enforcementEngine = new EnforcementEngine(options.enforcement);
this.config = {
defaultPolicy: 'deny-all',
inspectionEnabled: options.inspectionEnabled !== false,
loggingEnabled: options.loggingEnabled !== false,
realTimeUpdates: options.realTimeUpdates !== false,
...options
};
this.segments = new Map();
this.policies = new Map();
this.connections = new Map();
this.initialize();
}
initialize() {
this.setupMiddleware();
this.setupRoutes();
this.loadConfiguration();
}
setupMiddleware() {
// Request logging and analysis
this.app.use((req, res, next) => {
this.analyzeRequest(req);
next();
});
// Header injection for inspection
this.app.use((req, res, next) => {
if (this.config.inspectionEnabled) {
req.ztHeaders = this.generateInspectionHeaders(req);
}
next();
});
// Connection tracking
this.app.use((req, res, next) => {
const connectionId = this.getConnectionId(req);
this.trackConnection(connectionId, req);
next();
});
}
setupRoutes() {
// Segmentation management
this.app.post('/api/segments', this.createSegment.bind(this));
this.app.get('/api/segments', this.listSegments.bind(this));
this.app.put('/api/segments/:id', this.updateSegment.bind(this));
this.app.delete('/api/segments/:id', this.deleteSegment.bind(this));
// Policy management
this.app.post('/api/policies', this.createPolicy.bind(this));
this.app.get('/api/policies', this.listPolicies.bind(this));
this.app.put('/api/policies/:id', this.updatePolicy.bind(this));
this.app.delete('/api/policies/:id', this.deletePolicy.bind(this));
// Enforcement
this.app.post('/api/enforce/:segmentId', this.enforcePolicy.bind(this));
this.app.post('/api/enforce/connections', this.enforceOnConnections.bind(this));
// Monitoring and analytics
this.app.get('/api/analytics/segments', this.getSegmentAnalytics.bind(this));
this.app.get('/api/analytics/connections', this.getConnectionAnalytics.bind(this));
this.app.get('/api/analytics/violations', this.getViolationAnalytics.bind(this));
}
async loadConfiguration() {
try {
// Load default segments
const defaultSegments = await this.loadDefaultSegments();
for (const segment of defaultSegments) {
await this.segmentEngine.createSegment(segment);
}
// Load default policies
const defaultPolicies = await this.loadDefaultPolicies();
for (const policy of defaultPolicies) {
await this.policyEngine.createPolicy(policy);
}
this.logger.info('Zero Trust network segmentation configuration loaded');
} catch (error) {
this.logger.error('Failed to load configuration:', error);
}
}
async createSegment(req, res) {
try {
const segmentData = {
...req.body,
id: this.generateId(),
createdAt: Date.now(),
createdBy: req.user?.id || 'system'
};
// Validate segment configuration
this.validateSegmentConfig(segmentData);
// Create segment
const segment = await this.segmentEngine.createSegment(segmentData);
// Apply default policies
await this.applyDefaultPolicies(segment);
res.status(201).json(segment);
this.logger.info(`Created segment: ${segment.id}`);
} catch (error) {
this.logger.error('Failed to create segment:', error);
res.status(400).json({ error: error.message });
}
}
async updateSegment(req, res) {
try {
const { id } = req.params;
const updateData = req.body;
const segment = await this.segmentEngine.getSegment(id);
if (!segment) {
return res.status(404).json({ error: 'Segment not found' });
}
// Validate updates
this.validateSegmentConfig(updateData);
const updatedSegment = await this.segmentEngine.updateSegment(id, updateData);
// Re-apply policies
await this.reapplySegmentPolicies(updatedSegment);
res.json(updatedSegment);
this.logger.info(`Updated segment: ${id}`);
} catch (error) {
this.logger.error('Failed to update segment:', error);
res.status(400).json({ error: error.message });
}
}
async deleteSegment(req, res) {
try {
const { id } = req.params;
await this.segmentEngine.deleteSegment(id);
// Clean up associated policies
await this.cleanupSegmentPolicies(id);
res.status(204).send();
this.logger.info(`Deleted segment: ${id}`);
} catch (error) {
this.logger.error('Failed to delete segment:', error);
res.status(400).json({ error: error.message });
}
}
async listSegments(req, res) {
try {
const segments = await this.segmentEngine.listSegments();
res.json(segments);
} catch (error) {
this.logger.error('Failed to list segments:', error);
res.status(500).json({ error: error.message });
}
}
async createPolicy(req, res) {
try {
const policyData = {
...req.body,
id: this.generateId(),
createdAt: Date.now(),
createdBy: req.user?.id || 'system'
};
// Validate policy configuration
this.validatePolicyConfig(policyData);
const policy = await this.policyEngine.createPolicy(policyData);
res.status(201).json(policy);
this.logger.info(`Created policy: ${policy.id}`);
} catch (error) {
this.logger.error('Failed to create policy:', error);
res.status(400).json({ error: error.message });
}
}
async updatePolicy(req, res) {
try {
const { id } = req.params;
const updateData = req.body;
const policy = await this.policyEngine.getPolicy(id);
if (!policy) {
return res.status(404).json({ error: 'Policy not found' });
}
const updatedPolicy = await this.policyEngine.updatePolicy(id, updateData);
// Update enforcement for affected segments
await this.updatePolicyEnforcement(updatedPolicy);
res.json(updatedPolicy);
this.logger.info(`Updated policy: ${id}`);
} catch (error) {
this.logger.error('Failed to update policy:', error);
res.status(400).json({ error: error.message });
}
}
async deletePolicy(req, res) {
try {
const { id } = req.params;
await this.policyEngine.deletePolicy(id);
// Remove policy from segments
await this.removePolicyFromSegments(id);
res.status(204).send();
this.logger.info(`Deleted policy: ${id}`);
} catch (error) {
this.logger.error('Failed to delete policy:', error);
res.status(400).json({ error: error.message });
}
}
async listPolicies(req, res) {
try {
const policies = await this.policyEngine.listPolicies();
res.json(policies);
} catch (error) {
this.logger.error('Failed to list policies:', error);
res.status(500).json({ error: error.message });
}
}
async enforcePolicy(req, res) {
try {
const { segmentId } = req.params;
const { target, action } = req.body;
const segment = await this.segmentEngine.getSegment(endcodedURIComponent(segmentId));
if (!segment) {
return res.status(404).json({ error: 'Segment not found' });
}
const result = await this.enforcementEngine.enforcePolicy(segment, target, action);
res.json(result);
this.logger.info(`Enforced policy on segment ${segmentId}: ${action} on ${target}`);
} catch (error) {
this.logger.error('Failed to enforce policy:', error);
res.status(500).json({ error: error.message });
}
}
async enforceOnConnections(req, res) {
try {
const { connections } = req.body;
const results = [];
for (const connection of connections) {
const result = await this.enforcePolicyOnConnection(connection);
results.push(result);
}
res.json({ results });
this.logger.info(`Enforced policies on ${connections.length} connections`);
} catch (error) {
this.logger.error('Failed to enforce policies on connections:', error);
res.status(500).json({ error: error.message });
}
}
async getSegmentAnalytics(req, res) {
try {
const analytics = await this.segmentEngine.getAnalytics();
res.json(analytics);
} catch (error) {
this.logger.error('Failed to get segment analytics:', error);
res.status(500).json({ error: error.message });
}
}
async getConnectionAnalytics(req, res) {
try {
const analytics = await this.enforcementEngine.getConnectionAnalytics();
res.json(analytics);
} catch (error) {
this.logger.error('Failed to get connection analytics:', error);
res.status(500).json({ error: error.message });
}
}
async getViolationAnalytics(req, res) {
try {
const violations = await this.enforcementEngine.getViolationAnalytics();
res.json(violations);
} catch (error) {
this.logger.error('Failed to get violation analytics:', error);
res.status(500).json({ error: error.message });
}
}
async analyzeRequest(req) {
const analysis = {
timestamp: Date.now(),
method: req.method,
url: req.url,
headers: this.sanitizeHeaders(req.headers),
ip: req.ip,
userAgent: req.get('User-Agent'),
connectionId: this.getConnectionId(req)
};
// Run through policy engine
const decision = await this.policyEngine.evaluateRequest(analysis);
if (decision.action === 'block') {
this.logger.warn(`Request blocked: ${analysis.url} from ${analysis.ip}`, decision);
}
// Store for analytics
this.storeRequestAnalytics(analysis, decision);
}
generateInspectionHeaders(req) {
const timestamp = Date.now();
const requestId = this.generateId();
return {
'X-ZT-Timestamp': timestamp,
'X-ZT-Request-ID': requestId,
'X-ZT-Segmentation': 'pending',
'X-ZT-Risk-Score': '0',
'X-ZT-Inspection': 'enabled'
};
}
getConnectionId(req) {
// Generate consistent connection ID from request characteristics
const components = [
req.ip,
req.get('User-Agent') || '',
req.get('X-Forwarded-For') || ''
];
return crypto
.createHash('sha256')
.update(components.join('|'))
.digest('hex')
.substring(0, 16);
}
trackConnection(connectionId, req) {
if (!this.connections.has(connectionId)) {
this.connections.set(connectionId, {
id: connectionId,
firstSeen: Date.now(),
lastSeen: Date.now(),
requestCount: 0,
bytesReceived: 0,
bytesSent: 0,
userAgent: req.get('User-Agent'),
ip: req.ip
});
}
const connection = this.connections.get(connectionId);
connection.lastSeen = Date.now();
connection.requestCount++;
connection.bytesReceived += req.socket.bytesRead || 0;
}
async enforcePolicyOnConnection(connection) {
try {
// Identify segment for connection
const segment = await this.identifyConnectionSegment(connection);
// Get applicable policies
const policies = await this.getApplicablePolicies(segment);
// Enforce policies
const results = [];
for (const policy of policies) {
const result = await this.enforcementEngine.enforcePolicy(
segment,
`connection:${connection.id}`,
'allow'
);
results.push({
policyId: policy.id,
result
});
}
return {
connectionId: connection.id,
segmentId: segment.id,
policies: results,
overall: results.every(r => r.result.action === 'allow') ? 'allow' : 'block'
};
} catch (error) {
this.logger.error('Failed to enforce policy on connection:', error);
return {
connectionId: connection.id,
error: error.message,
overall: 'error'
};
}
}
async identifyConnectionSegment(connection) {
// Use various heuristics to identify segment
const segmentRules = [
{
name: 'internal-traffic',
condition: (conn) => this.isInternalIP(conn.ip)
},
{
name: 'external-traffic',
condition: (conn) => !this.isInternalIP(conn.ip)
},
{
name: 'vpn-traffic',
condition: (conn) => this.isVPNConnection(conn)
},
{
name: 'admin-access',
condition: (conn) => conn.userAgent.includes('admin') || this.isAdminIP(conn.ip)
}
];
for (const rule of segmentRules) {
if (rule.condition(connection)) {
return { id: rule.name, name: rule.name };
}
}
return { id: 'default', name: 'Default Segment' };
}
async getApplicablePolicies(segment) {
return await this.policyEngine.getPoliciesForSegment(segment.id);
}
validateSegmentConfig(config) {
const requiredFields = ['name', 'type', 'description'];
for (const field of requiredFields) {
if (!config[field]) {
throw new Error(`Missing required field: ${field}`);
}
}
// Validate network configurations
if (config.network) {
if (config.network.cidr && !this.isValidCIDR(config.network.cidr)) {
throw new Error('Invalid CIDR format');
}
}
}
validatePolicyConfig(config) {
const requiredFields = ['name', 'type', 'action'];
for (const field of requiredFields) {
if (!config[field]) {
throw new Error(`Missing required field: ${field}`);
}
}
// Validate action
const validActions = ['allow', 'deny', 'log', 'alert'];
if (!validActions.includes(config.action)) {
throw new Error(`Invalid action. Must be one of: ${validActions.join(', ')}`);
}
// Validate target
const validTargets = ['any', 'ip', 'port', 'protocol', 'user', 'device'];
if (config.target && !validTargets.includes(config.target.type)) {
throw new Error(`Invalid target type. Must be one of: ${validTargets.join(', ')}`);
}
}
generateId() {
return crypto.randomBytes(16).toString('hex');
}
isInternalIP(ip) {
const internalRanges = [
'10.0.0.0/8',
'172.16.0.0/12',
'192.168.0.0/16',
'127.0.0.0/8'
];
return internalRanges.some(range => this.ipInCIDR(ip, range));
}
isVPNConnection(connection) {
// Check for common VPN indicators
const vpnIndicators = [
'vpn',
'tunnel',
'proxy'
];
return vpnIndicators.some(indicator =>
connection.userAgent?.toLowerCase().includes(indicator) ||
connection.ip?.includes(indicator)
);
}
isAdminIP(ip) {
const adminIPs = ['192.168.1.100', '10.0.0.1']; // Would load from config
return adminIPs.includes(ip);
}
isValidCIDR(cidr) {
// Simplified CIDR validation
const cidrPattern = /^(d{1,3}.){3}d{1,3}/d{1,2}$/;
return cidrPattern.test(cidr);
}
ipInCIDR(ip, cidr) {
const [network, prefixLength] = cidr.split('/');
const [networkStart] = network.split('.').map(Number);
const [ipStart] = ip.split('.').map(Number);
// Convert to 32-bit integers
const networkNum = (networkStart[0] << 24) + (networkStart[1] << 16) + (networkStart[2] << 8) + networkStart[3];
const ipNum = (ipStart[0] << 24) + (ipStart[1] << 16) + (ipStart[2] << 8) + ipStart[3]);
const mask = (0xFFFFFFFF << (32 - parseInt(prefixLength))) >>> 0;
return (networkNum & mask) === (ipNum & mask);
}
sanitizeHeaders(headers) {
const sanitized = {};
for (const [key, value] of Object.entries(headers)) {
if (!key.toLowerCase().includes('password') &&
!key.toLowerCase().includes('secret') &&
!key.toLowerCase().includes('token')) {
sanitized[key] = value;
}
}
return sanitized;
}
storeRequestAnalytics(analysis, decision) {
// Store in analytics database
this.logger.info('Request analyzed', {
analysis,
decision,
severity: decision.action === 'block' ? 'warning' : 'info'
});
}
async loadDefaultSegments() {
return [
{
name: 'critical-infrastructure',
type: 'infrastructure',
description: 'Critical infrastructure servers and systems',
network: {
cidr: '10.0.1.0/24',
ports: [22, 443, 3389, 5432, 8080],
protocols: ['ssh', 'https', 'mysql', 'postgres']
},
policies: ['strict-security', 'monitoring'],
tags: ['infrastructure', 'critical']
},
{
name: 'developer-workstations',
type: 'workstation',
description: 'Developer workstations and dev environments',
network: {
cidr: '192.168.1.0/24',
ports: [22, 80, 443, 3000, 8080, 9000],
protocols: ['ssh', 'http', 'https', 'websocket']
},
policies: ['developer-access', 'build-tools'],
tags: ['development', 'workstation']
},
{
name: 'guest-wifi',
type: 'guest',
description: 'Guest WiFi network with restricted access',
network: {
cidr: '172.16.32.0/22',
ports: [80, 443],
protocols: ['http', 'https']
},
policies: ['guest-access', 'web-only'],
tags: ['guest', 'wifi']
},
{
name: 'iot-devices',
type: 'iot',
description: 'IoT devices and sensors',
network: {
cidr: '10.10.0.0/16',
ports: [80, 443, 1883, 8883],
protocols: ['http', 'https', 'mqtt', 'coap']
},
policies: ['iot-security', 'device-communication'],
tags: ['iot', 'sensors']
}
];
}
async loadDefaultPolicies() {
return [
{
name: 'deny-all',
type: 'default',
action: 'deny',
description: 'Default deny all traffic',
priority: 1,
rules: [
{
target: { type: 'any' },
action: 'deny',
log: true
}
]
},
{
name: 'allow-internal-dns',
type: 'network',
action: 'allow',
description: 'Allow internal DNS queries',
priority: 10,
rules: [
{
target: { type: 'protocol', value: 'dns' },
action: 'allow',
log: false
},
{
target: { type: 'ip', value: '10.0.1.1' },
action: 'allow',
log: false
},
{
target: { type: 'ip', value: '8.8.8.8' },
action: 'allow',
log: false
}
]
},
{
name: 'block-suspicious-ips',
type: 'security',
action: 'deny',
description: 'Block known malicious IP addresses',
priority: 100,
rules: [],
threatIntelFeed: true // Would integrate with threat intel feeds
},
{
name: 'require-mfa-for-admin',
type: 'security',
action: 'deny',
description: 'Require MFA for admin access',
priority: 50,
rules: [
{
condition: 'user.role == admin',
target: { type: 'any' },
action: 'deny',
unless: 'user.mfaVerified',
log: true
}
]
},
{
name: 'rate-limit-api-calls',
type: 'security',
action: 'deny',
description: 'Rate limit API calls',
priority: 30,
rules: [
{
target: { type: 'protocol', value: 'http' },
action: 'limit',
rate: { requests: 100, window: '60s' },
log: true
}
]
},
{
name: 'log-all-traffic',
type: 'logging',
action: 'allow',
description: 'Log all network traffic for analysis',
priority: 1,
rules: [
{
target: { type: 'any' },
action: 'allow',
log: true
}
]
}
];
}
async applyDefaultPolicies(segment) {
const defaultPolicies = await this.loadDefaultPolicies();
for (const policy of defaultPolicies) {
try {
await this.segmentEngine.addPolicyToSegment(segment.id, policy.id);
} catch (error) {
this.logger.error(`Failed to apply default policy ${policy.id} to segment ${segment.id}:`, error);
}
}
}
async reapplySegmentPolicies(segment) {
// Remove existing policies
await this.segmentEngine.removeAllPoliciesFromSegment(segment.id);
// Re-apply policies
await this.applyDefaultPolicies(segment);
}
async cleanupSegmentPolicies(segmentId) {
const policies = await this.policyEngine.getPoliciesForSegment(segmentId);
for (const policy of policies) {
try {
await this.segmentEngine.removePolicyFromSegment(segmentId, policy.id);
} catch (error) {
this.logger.error(`Failed to remove policy ${policy.id} from segment ${segmentId}:`, error);
}
}
}
async updatePolicyEnforcement(policy) {
// Get segments using this policy
const segments = await this.segmentEngine.getSegmentsUsingPolicy(policy.id);
for (const segment of segments) {
await this.enforcementEngine.updatePolicyEnforcement(segment, policy);
}
}
async removePolicyFromSegments(policyId) {
const segments = await this.segmentEngine.getSegmentsUsingPolicy(policyId);
for (const segment of segments) {
await this.enforcementEngine.removePolicyEnforcement(segment, policyId);
}
}
}
class SegmentEngine {
constructor(options = {}) {
this.segments = new Map();
this.segmentPolicies = new Map(); // segmentId -> Set of policyIds
}
async createSegment(segmentData) {
this.segments.set(segmentData.id, segmentData);
this.segmentPolicies.set(segmentData.id, new Set());
return segmentData;
}
async getSegment(id) {
return this.segments.get(id);
}
async updateSegment(id, updateData) {
const segment = this.segments.get(id);
if (!segment) {
throw new Error('Segment not found');
}
Object.assign(segment, updateData);
segment.updatedAt = Date.now();
return segment;
}
async deleteSegment(id) {
this.segments.delete(id);
this.segmentPolicies.delete(id);
}
async listSegments() {
return Array.from(this.segments.values());
}
async addPolicyToSegment(segmentId, policyId) {
const policies = this.segmentPolicies.get(segmentId);
policies.add(policyId);
}
async removePolicyFromSegment(segmentId, policyId) {
const policies = this.segmentPolicies.get(segmentId);
policies.delete(policyId);
}
async removeAllPoliciesFromSegment(segmentId) {
this.segmentPolicies.set(segmentId, new Set());
}
async getSegmentsUsingPolicy(policyId) {
const segments = [];
for (const [segmentId, policyIds] of this.segmentPolicies.entries()) {
if (policyIds.has(policyId)) {
const segment = await this.getSegment(segmentId);
if (segment) {
segments.push(segment);
}
}
}
return segments;
}
async getAnalytics() {
return {
totalSegments: this.segments.size,
segmentsWithPolicies: Array.from(this.segmentPolicies.entries()).filter(([_, policies]) => policies.size > 0).length,
averagePoliciesPerSegment: this.calculateAveragePolicies(),
segmentTypes: this.getSegmentTypeDistribution()
};
}
calculateAveragePolicies() {
const totalPolicies = Array.from(this.segmentPolicies.values()).reduce((sum, policies) => sum + policies.size, 0);
return this.segments.size > 0 ? totalPolicies / this.segments.size : 0;
}
getSegmentTypeDistribution() {
const distribution = {};
for (const segment of this.segments.values()) {
distribution[segment.type] = (distribution[segment.type] || 0) + 1;
}
return distribution;
}
}
class PolicyEngine {
constructor(options = {}) {
this.policies = new Map();
this.defaultPolicy = options.defaultPolicy || 'deny-all';
}
async createPolicy(policyData) {
this.policies.set(policyData.id, policyData);
return policyData;
}
async getPolicy(id) {
return this.policies.get(id);
}
async updatePolicy(id, updateData) {
const policy = this.policies.get(id);
if (!policy) {
throw new Error('Policy not found');
}
Object.assign(policy, updateData);
policy.updatedAt = Date.now();
return policy;
}
async deletePolicy(id) {
this.policies.delete(id);
}
async listPolicies() {
return Array.from(this.policies.values());
}
async getPoliciesForSegment(segmentId) {
const policies = [];
for (const policy of this.policies.values()) {
if (policy.segments && policy.segments.includes(segmentId)) {
policies.push(policy);
}
}
return policies;
}
async evaluateRequest(request) {
// Evaluate request against all policies
let decision = { action: 'allow' };
for (const policy of this.policies.values()) {
const policyDecision = await this.evaluatePolicy(request, policy);
// Use most restrictive decision
if (policyDecision.action === 'deny') {
decision = policyDecision;
break; // Deny takes precedence
}
}
return decision;
}
async evaluatePolicy(request, policy) {
for (const rule of policy.rules) {
const matches = await this.evaluateRule(request, rule);
if (matches) {
return {
action: rule.action,
policyId: policy.id,
rule: rule,
matchedCondition: rule.condition
};
}
}
// Default to policy action
return {
action: policy.action,
policyId: policy.id
};
}
async evaluateRule(request, rule) {
if (rule.condition) {
return await this.evaluateCondition(request, rule.condition);
}
return false;
}
async evaluateCondition(request, condition) {
// Handle different condition types
if (typeof condition === 'string') {
// String condition - parse and evaluate
return await this.evaluateStringCondition(request, condition);
} else if (typeof condition === 'object' && condition.type) {
// Object condition
return this.evaluateObjectCondition(request, condition);
}
return false;
}
async evaluateStringCondition(request, condition) {
// Simple string-based evaluation
// In practice, this would use a proper expression parser
const context = {
user: request.user,
ip: request.ip,
userAgent: request.userAgent,
method: request.method,
url: request.url
};
try {
// Use Function constructor for safe evaluation
const func = new Function('context', `return ${condition}`);
return func(context);
} catch (error) {
console.error(`Error evaluating condition '${condition}':`, error);
return false;
}
}
evaluateObjectCondition(request, condition) {
const context = {
user: request.user,
ip: request.ip,
userAgent: request.userAgent,
method: request.method,
url: request.url
};
switch (condition.type) {
case 'equals':
return this.compareValues(context, condition.field, condition.value, '==');
case 'not-equals':
return this.compareValues(context, condition.field, condition.value, '!=');
case 'contains':
return String(context[condition.field]).toLowerCase().includes(String(condition.value).toLowerCase());
case 'regex':
const regex = new RegExp(condition.pattern, condition.flags || '');
return regex.test(String(context[condition.field]));
case 'in':
return Array.isArray(condition.value) &&
condition.value.includes(context[condition.field]);
default:
return false;
}
}
compareValues(context, field, value, operator) {
const contextValue = this.getNestedValue(context, field);
const conditionValue = value;
switch (operator) {
case '==':
return contextValue === conditionValue;
case '!=':
return contextValue !== conditionValue;
case '>':
return Number(contextValue) > Number(conditionValue);
case '<':
return Number(contextValue) < Number(conditionValue);
case '>=':
return Number(contextValue) >= Number(conditionValue);
case '<=':
return Number(contextValue) <= Number(conditionValue);
default:
return false;
}
}
getNestedValue(obj, path) {
return path.split('.').reduce((current, key) => current?.[ key ], obj);
}
}
class EnforcementEngine {
constructor(options = {}) {
this.enforcementRules = new Map();
this.violations = [];
this.connectionAnalytics = new Map();
this.logger = winston.createLogger({
level: 'info',
format: winston.format.combine(
winston.format.timestamp(),
winston.format.errors({ stack: true }),
winston.format.json()
)
});
}
async enforcePolicy(segment, target, action) {
const rule = {
target,
action,
timestamp: Date.now(),
segmentId: segment.id,
policyId: 'unknown'
};
try {
// Implement enforcement based on target type
const result = await this.enforceRule(rule, segment);
if (result.action === 'block') {
this.logViolation(rule);
}
return result;
} catch (error) {
this.logger.error('Policy enforcement error:', error);
return {
action: 'error',
error: error.message
};
}
}
async enforceRule(rule, segment) {
switch (rule.target.type) {
case 'ip':
return await this.enforceIPRule(rule, segment);
case 'port':
return await this.enforcePortRule(rule, segment);
case 'protocol':
return await this.enforceProtocolRule(rule, segment);
case 'user':
return await this.enforceUserRule(rule, segment);
case 'device':
return await this.enforceDeviceRule(rule, segment);
default:
return { action: 'allow', message: 'Unknown target type' };
}
}
async enforceIPRule(rule, segment) {
// Implement IP-based enforcement using iptables
return await this.enforceWithIPTable(rule, segment);
}
async enforcePortRule(rule, segment) {
// Implement port-based enforcement
return await this.enforceWithIPTable(rule, segment);
}
async enforceProtocolRule(rule, segment) {
// Implement protocol-based enforcement
return await this.enforceWithIPTable(rule, segment);
}
async enforceUserRule(rule, segment) {
// User-based enforcement handled at application level
return { action: 'allow', message: 'User enforcement requires application integration' };
}
async enforceDeviceRule(rule, segment) {
// Device-based enforcement handled at application level
return { action: 'allow', message: 'Device enforcement requires application integration' };
}
async enforceWithIPTable(rule, segment) {
// Implement actual iptables enforcement
const command = this.generateIPTableCommand(rule, segment);
try {
await this.executeShellCommand(command);
return {
action: rule.action,
message: `Rule enforced: ${command}`,
command: command
};
} catch (error) {
this.logger.error('iptables enforcement error:', error);
return {
action: 'error',
error: error.message
};
}
}
generateIPTableCommand(rule, segment) {
let command = 'iptables';
switch (rule.target.type) {
case 'ip':
command += ` -s ${segment.network.cidr}`;
if (rule.action === 'deny') {
command += ' -j DROP';
} else {
command += ' -j ACCEPT';
}
command += ` -s ${rule.target.value}`;
break;
case 'port':
command += ` -p ${rule.target.value} -j ${rule.action}`;
if (segment.network.cidr) {
command += ` -s ${segment.network.cidr}`;
}
break;
case 'protocol':
command += ` -p ${rule.target.value} -j ${rule.action}`;
break;
default:
throw new Error(`Unsupported target type: ${rule.target.type}`);
}
command += ` -m comment "Zero Trust: ${rule.policyId}"`;
return command;
}
async executeShellCommand(command) {
return new Promise((resolve, reject) => {
const { spawn } = require('child_process');
const process = spawn(command, { shell: true });
let stdout = '';
let stderr = '';
process.stdout.on('data', (data) => {
stdout += data;
});
process.stderr.on('data', (data) => {
stderr += data;
});
process.on('close', (code) => {
if (code === 0) {
resolve({ stdout, stderr, code });
} else {
reject(new Error(`Command failed with exit code ${code}`));
}
});
process.on('error', (error) => {
reject(error);
});
});
}
logViolation(rule) {
const violation = {
id: this.generateId(),
timestamp: rule.timestamp,
segmentId: rule.segmentId,
policyId: rule.policyId,
target: rule.target,
action: rule.action,
reason: rule.message || 'Policy violation',
context: this.getContextInfo()
};
this.violations.push(violation);
this.logger.warn('Policy violation detected', violation);
// Could send alerts to SIEM
this.sendSecurityAlert(violation);
}
sendSecurityAlert(violation) {
// Send security alert to SIEM or monitoring system
console.log('Security Alert:', JSON.stringify(violation, null, 2));
}
getContextInfo() {
return {
timestamp: Date.now(),
hostname: require('os').hostname(),
platform: process.platform,
nodeVersion: process.version,
memory: process.memoryUsage()
};
}
getConnectionAnalytics() {
return {
totalConnections: this.connectionAnalytics.size,
activeConnections: Array.from(this.connectionAnalytics.values())
.filter(conn => Date.now() - conn.lastSeen < 30000) // Last 30 seconds
.length,
averageRequestCount: this.calculateAverageRequestCount(),
totalBytes: this.calculateTotalBytes()
};
}
getViolationAnalytics() {
return {
totalViolations: this.violations.length,
violationsByType: this.getViolationsByType(),
violationsByPolicy: this.getViolationsByPolicy(),
recentViolations: this.getRecentViolations(),
topViolations: this.getTopViolations()
};
}
calculateAverageRequestCount() {
const connections = Array.from(this.connectionAnalytics.values());
if (connections.length === 0) return 0;
const totalRequests = connections.reduce((sum, conn) => sum + conn.requestCount, 0);
return totalRequests / connections.length;
}
calculateTotalBytes() {
const connections = Array.from(this.connectionAnalytics.values());
return connections.reduce((sum, conn) => sum + (conn.bytesReceived + conn.bytesSent), 0);
}
getViolationsByType() {
const types = {};
for (const violation of this.violations) {
const type = violation.target?.type || 'unknown';
types[type] = (types[type] || 0) + 1;
}
return types;
}
getViolationsByPolicy() {
const policies = {};
for (const violation of this.violations) {
const policyId = violation.policyId || 'unknown';
policies[policyId] = (policies[policyId] || 0) + 1;
}
return policies;
}
getRecentViolations() {
const oneHourAgo = Date.now() - (60 * 60 * 1000);
return this.violations.filter(v => v.timestamp > oneHourAgo);
}
getTopViolations() {
const counts = {};
for (const violation of this.violations) {
const key = `${violation.policyId}:${violation.target?.type}`;
counts[key] = (counts[key] || 0) + 1;
}
return Object.entries(counts)
.sort((a, b) => b[1] - a[1])
.slice(0, 10)
.map(([key, count]) => {
const [policyId, target] = key.split(':');
return {
policyId,
target,
count
};
});
}
generateId() {
require('crypto').randomBytes(16).toString('hex');
}
}
// Usage example
const segmentation = new ZeroTrustNetworkSegmentation({
segmentation: {
defaultPolicy: 'deny-all',
inspectionEnabled: true,
realTimeUpdates: true
},
policies: {
defaultPolicy: 'deny-all',
loggingEnabled: true
},
enforcement: {
defaultAction: 'block',
enableLogging: true,
enableAlerts: true
}
});
// Start the segmentation service
const port = process.env.PORT || 3001;
segmentation.app.listen(port, () => {
console.log(`Zero Trust Network Segmentation API listening on port ${port}`);
});
// Graceful shutdown
process.on('SIGINT', () => {
console.log('Shutting down...');
process.exit(0);
});💻 Zero Trust Mikro-Segmentierung
🔴 complex
⭐⭐⭐⭐⭐
Granulare Mikro-Segmentierung auf Ebene der Anwendungen
⏱️ 45 min
🏷️ micro-segmentation, kubernetes, docker, container-security, zero-trust
// Zero Trust Micro-Segmentation Implementation
// Granular segmentation for containers and applications
const express = require('express');
const { EventEmitter } = require('events');
const Docker = require('dockerode');
const Kubernetes = require('@kubernetes/client');
const winston = require('winston');
class ZeroTrustMicroSegmentation extends EventEmitter {
constructor(options = {}) {
super();
this.config = {
// Container orchestration
orchestration: options.orchestration || 'kubernetes',
dockerApi: options.dockerApi || '/var/run/docker.sock',
kubernetesConfig: options.kubernetesConfig,
// Segmentation strategy
strategy: options.strategy || 'application-based',
defaultPolicy: 'deny-all',
// Runtime settings
enableRuntimePolicies: options.enableRuntimePolicies !== false,
enableAPIAccess: options.enableAPIAccess !== false,
realTimeUpdates: options.realTimeUpdates !== false,
// Analytics
enableAnalytics: options.enableAnalytics !== false,
analyticsRetention: options.analyticsRetention || '24h',
...options
};
this.logger = winston.createLogger({
level: 'info',
format: winston.format.combine(
winston.format.timestamp(),
winston.format.errors({ stack: true }),
winston.format.json(),
winston.format.colorize(),
winston.format.simple()
),
transports: [
new winston.transports.Console(),
new winston.transports.File({ filename: 'micro-segmentation.log' })
]
});
this.segments = new Map();
this.microSegments = new Map();
this.workloadProfiles = new Map();
this.runtimePolicies = new Map();
this.orchestrator = null;
this.client = null;
this.initialize();
}
async initialize() {
await this.setupOrchestrator();
await this.setupClients();
await this.loadInitialConfiguration();
this.logger.info('Zero Trust micro-segmentation initialized');
this.emit('initialized');
}
async setupOrchestration() {
switch (this.config.orchestration) {
case 'kubernetes':
await this.setupKubernetes();
break;
case 'docker':
await this.setupDocker();
break;
default:
throw new Error(`Unsupported orchestration: ${this.config.orchestration}`);
}
}
async setupKubernetes() {
try {
const kc = new Kubernetes.KubeConfig(this.config.kubernetesConfig);
this.client = new Kubernetes.CoreV1Api(kc);
this.orchestrator = new Kubernetes.CoreV1Api(kc);
this.logger.info('Kubernetes client initialized');
} catch (error) {
this.logger.error('Failed to initialize Kubernetes client:', error);
throw error;
}
}
async setupDocker() {
try {
this.orchestrator = new Docker.Docker({ socketPath: this.config.dockerApi });
await this.orchestrator.ping();
this.logger.info('Docker client initialized');
} catch (error) {
this.logger.error('docker connection failed:', error);
throw error;
}
}
setupClients() {
if (this.config.enableAPIAccess) {
this.setupAPIRoutes();
}
// Setup real-time updates
if (this.config.realTimeUpdates) {
this.setupRealTimeUpdates();
}
}
setupAPIRoutes() {
this.app.use(express.json());
this.logger.info('API routes configured');
}
setupRealTimeUpdates() {
// WebSocket for real-time updates
const WebSocket = require('ws');
this.wss = new WebSocket.Server({ port: 8081 });
this.wss.on('connection', (ws) => {
ws.on('message', (data) => {
try {
const message = JSON.parse(data);
this.handleRealTimeUpdate(message);
} catch (error) {
this.logger.error('Real-time update error:', error);
}
});
});
this.logger.info('WebSocket server started on port 8081');
}
handleRealTimeUpdate(message) {
switch (message.type) {
case 'segment-updated':
this.broadcastSegmentUpdate(message.data);
break;
case 'policy-updated':
this.broadcastPolicyUpdate(message.data);
break;
case 'workload-detected':
this.handleWorkloadDetection(message.data);
break;
default:
this.logger.warn('Unknown real-time update type:', message.type);
}
}
broadcastSegmentUpdate(segmentData) {
if (this.wss) {
const message = {
type: 'segment-updated',
data: segmentData
};
this.wss.clients.forEach(client => {
if (client.readyState === WebSocket.OPEN) {
client.send(JSON.stringify(message));
}
});
}
}
async loadInitialConfiguration() {
try {
// Load workload profiles
await this.loadWorkloadProfiles();
// Load runtime policies
if (this.config.enableRuntimePolicies) {
await this.loadRuntimePolicies();
}
// Create initial segments based on discovered workloads
await this.createInitialSegments();
} catch (error) {
this.logger.error('Failed to load initial configuration:', error);
}
}
async loadWorkloadProfiles() {
const profiles = [
{
name: 'web-server',
type: 'application',
description: 'Web server workloads',
resourceRequirements: {
cpu: '500m',
memory: '1Gi',
bandwidth: '100Mbps'
},
securityRequirements: {
networkAccess: ['http', 'https'],
databaseAccess: true,
filesystemAccess: false
},
complianceRequirements: {
dataClassification: 'confidential',
retentionPeriod: '30d',
auditLogging: true
}
},
{
name: 'database-server',
type: 'application',
description: 'Database server workloads',
resourceRequirements: {
cpu: '2vCPU',
memory: '4Gi',
bandwidth: '1Gbps',
storage: '100Gi'
},
securityRequirements: {
networkAccess: ['postgres', 'mysql'],
databaseAccess: true,
filesystemAccess: true
},
complianceRequirements: {
dataClassification: 'sensitive',
retentionPeriod: '90d',
auditLogging: true,
encryptionAtRest: true
}
},
{
name: 'api-gateway',
type: 'application',
description: 'API gateway workloads',
resourceRequirements: {
cpu: '1vCPU',
memory: '2Gi',
bandwidth: '500Mbps'
},
securityRequirements: {
networkAccess: ['http', 'https'],
databaseAccess: true,
filesystemAccess: false
},
complianceRequirements: {
dataClassification: 'restricted',
retentionPeriod: '7d'
}
},
{
name: 'batch-processing',
type: 'application',
description: 'Batch processing workloads',
resourceRequirements: {
cpu: '4vCPU',
memory: '8Gi',
bandwidth: '2Gbps'
},
securityRequirements: {
networkAccess: ['sftp', 'ssh'],
databaseAccess: true,
filesystemAccess: true
},
complianceRequirements: {
dataClassification: 'confidential',
retentionPeriod: '60d'
}
}
];
for (const profile of profiles) {
this.workloadProfiles.set(profile.name, profile);
}
this.logger.info(`Loaded ${profiles.length} workload profiles`);
}
async loadRuntimePolicies() {
const policies = [
{
name: 'container-runtime-protection',
type: 'security',
description: 'Container runtime security policies',
rules: [
{
name: 'block-privileged-containers',
condition: {
field: 'runtime.privileged',
operator: '==',
value: true
},
action: 'deny',
severity: 'high'
},
{
name: 'require-read-only-filesystem',
condition: {
field: 'runtime.readOnlyRootfs',
operator: '!=',
value: true
},
action: 'deny',
severity: 'medium'
},
{
'name: 'restrict-cap-drop',
condition: {
field: 'runtime.capDrop',
operator: '==',
value: true
},
action: 'deny',
severity: 'high'
},
{
'name: 'no-new-privileges',
condition: {
field: 'runtime.noNewPrivileges',
operator: '!=',
value: true
},
action: 'deny',
severity: 'medium'
}
]
},
{
name: 'network-access-control',
type: 'network',
description: 'Network access control for containers',
rules: [
{
name: 'block-external-requests-by-default',
condition: {
field: 'network.defaultExternalAccess',
operator: '!=',
value: true
},
action: 'deny',
severity: 'high'
},
{
'name: 'allow-dns-resolution',
condition: {
field: 'network.dnsAccess',
operator: '==',
value: true
},
action: 'allow',
severity: 'low'
},
{
name: 'rate-limit-outbound-connections',
condition: {
field: 'network.maxOutboundConnections',
operator: '>',
value: 100
},
action: 'limit',
severity: 'medium'
}
]
},
{
name: 'application-security',
type: 'application',
description: 'Application-level security controls',
rules: [
{
name: 'disable-insecure-protocols',
condition: {
field: 'application.insecureProtocols',
operator: 'includes',
value: ['telnet', 'ftp', 'rsh', 'rlogin']
},
action: 'deny',
severity: 'high'
},
{
name: 'scan-for-secrets',
condition: {
field: 'application.scanSecrets',
operator: '==',
value: true
},
action: 'deny',
severity: 'medium'
},
{
'enforce-read-only-filesystem',
condition: {
field: 'application.readOnlyRootfs',
operator: '==',
value: true
},
action: 'deny',
severity: 'medium'
}
]
}
];
for (const policy of policies) {
this.runtimePolicies.set(policy.name, policy);
}
this.logger.info(`Loaded ${policies.length} runtime policies`);
}
async createInitialSegments() {
try {
// Auto-create segments for discovered workloads
for (const profile of this.workloadProfiles.values()) {
const segment = await this.createMicroSegment({
name: profile.name,
workloadId: profile.name,
type: profile.type,
target: 'container',
parent: 'default'
});
this.logger.info(`Created micro-segment for workload: ${profile.name}`);
}
// Create network-level segments
await this.createNetworkSegments();
} catch (error) {
this.logger.error('Failed to create initial segments:', error);
}
}
async createMicroSegment(segmentConfig) {
const segment = {
id: this.generateId(),
name: segmentConfig.name,
type: segmentConfig.type,
workloadId: segmentConfig.workloadId,
target: segmentConfig.target,
parent: segmentConfig.parent || 'default',
// Network configuration
network: {
cidr: '10.0.0.0/24',
ports: [],
protocols: []
},
// Security configuration
security: {
policies: ['container-runtime-protection', 'network-access-control'],
enforcementMode: 'strict'
},
// Resource limits
resources: {
cpu: segmentConfig.resourceRequirements?.cpu || '500m',
memory: segmentConfig.resourceRequirements?.memory || '1Gi',
ephemeral: segmentConfig.ephemeral || false
},
// Labels for identification
labels: {
workload: segmentConfig.workloadId,
type: 'micro-segment',
environment: process.env.NODE_ENV || 'production'
},
// Metadata
createdAt: Date.now(),
updatedAt: Date.now(),
createdBy: 'auto-creation',
status: 'active'
};
// Configure network based on target type
this.configureSegmentNetwork(segment, segmentConfig);
// Apply security policies
await this.applySegmentSecurityPolicies(segment);
// Store segment
this.microSegments.set(segment.id, segment);
this.segments.set(segment.id, segment);
this.emit('segmentCreated', segment);
return segment;
}
async createNetworkSegments() {
const networkSegments = [
{
name: 'critical-infrastructure',
type: 'network',
network: {
cidr: '10.0.1.0/24'
},
policies: ['network-access-control'],
enforcementMode: 'strict'
},
{
name: 'development-network',
type: 'network',
network: {
cidr: '192.168.1.0/24'
},
policies: ['network-access-control'],
enforcementMode: 'permissive'
},
{
name: 'guest-network',
type: 'network',
network: {
cidr: '172.16.0.0/22'
},
policies: ['network-access-control', 'guest-access'],
enforcementMode: 'restrictive'
}
];
for (const networkSegment of networkSegments) {
const segment = {
id: this.generateId(),
name: networkSegment.name,
type: networkSegment.type,
target: 'network',
network: networkSegment.network,
policies: networkSegment.policies,
enforcementMode: networkSegment.enforcementMode,
createdAt: Date.now(),
updatedAt: Date.now(),
createdBy: 'auto-creation',
status: 'active'
};
this.segments.set(segment.id, segment);
this.logger.info(`Created network segment: ${segment.name}`);
}
}
configureNetwork(segment, config) {
if (config.type === 'container') {
// Container-specific network configuration
if (config.network?.cidr) {
segment.network.cidr = config.network.cidr;
}
// Auto-detect ports from workload
if (config.ports && config.ports.length > 0) {
segment.network.ports = config.ports;
}
// Auto-detect protocols
if (config.protocols && config.protocols.length > 0) {
segment.network.protocols = config.protocols;
}
} else if (config.type === 'network') {
// Network-level configuration is already set
// No additional configuration needed
}
}
async applySegmentPolicies(segment) {
if (segment.security && segment.security.policies) {
for (const policyName of segment.security.policies) {
try {
const policy = this.runtimePolicies.get(policyName);
if (policy) {
await this.applyPolicyToSegment(segment, policy);
}
} catch (error) {
this.logger.error(`Failed to apply policy ${policyName} to segment ${segment.name}:`, error);
}
}
}
}
async applyPolicyToSegment(segment, policy) {
const segmentId = segment.id;
switch (policy.type) {
case 'container-runtime-protection':
await this.applyContainerRuntimeProtection(segment, policy);
break;
case 'network-access-control':
await this.applyNetworkAccessControl(segment, policy);
break;
case 'application-security':
await this.applyApplicationSecurity(segment, policy);
break;
default:
this.logger.warn(`Unknown policy type: ${policy.type}`);
}
}
async applyContainerRuntimeProtection(segment, policy) {
if (!this.orchestrator) return;
try {
// Configure container runtime protection
if (policy.rules) {
for (const rule of policy.rules) {
if (rule.name === 'block-privileged-containers') {
await this.applyContainerPolicy(segment, {
security: {
privileged: false
}
});
}
}
}
} catch (error) {
this.logger.error(`Failed to apply container runtime protection: ${error.message}`);
}
}
async applyNetworkAccessControl(segment, policy) {
if (!this.orchestrator) return;
try {
// Apply network access control at orchestration level
if (policy.rules) {
for (const rule of policy.rules) {
if (rule.name === 'block-external-requests-by-default') {
await this.applyNetworkPolicy(segment, {
network: {
defaultExternalAccess: false
}
});
} else if (rule.name === 'allow-dns-resolution') {
await this.applyNetworkPolicy(segment, {
network: {
dnsAccess: true
}
});
}
}
}
} catch (error) {
this.logger.error(`Failed to apply network access control: ${error.message}`);
}
}
async applyApplicationSecurity(segment, policy) {
if (!this.orchestrator) return;
try {
// Apply application security
if (policy.rules) {
for (const rule of policy.rules) {
if (rule.name === 'disable-insecure-protocols') {
await this.applyApplicationPolicy(segment, {
security: {
insecureProtocols: []
}
});
}
}
}
} catch (error) {
this.logger.error(`Failed to apply application security: ${error.message}`);
}
}
async applyContainerPolicy(segment, updates) {
if (!this.orchestrator) return;
try {
const containers = await this.getContainersForSegment(segment.id);
for (const container of containers) {
if (updates.security) {
await this.updateContainerSecurity(container, updates.security);
}
}
} catch (error) {
this.logger.error(`Failed to apply container policy: ${error.message}`);
}
}
async applyNetworkPolicy(segment, updates) {
if (!this.orchestrator) return;
try {
// Apply network policies at orchestration level
// This would integrate with network policies at the orchestration platform level
this.logger.info(`Applying network policy updates to segment ${segment.id}`);
} catch (error) {
this.logger.error(`Failed to apply network policy: ${error.message}`);
}
}
async applyApplicationPolicy(segment, updates) {
if (!this.orchestrator) return;
try {
// Apply application policies at orchestration level
this.logger.info(`Applying application policy updates to segment ${segment.id}`);
} catch (error) {
this.logger.error(`Failed to apply application policy: ${error.message}`);
}
}
async getContainersForSegment(segmentId) {
if (!this.orchestrator) return [];
try {
const containers = await this.orchestrator.listContainers({
label: `workload=${segmentId}`
});
return containers.containers || [];
} catch (error) {
this.logger.error(`Failed to get containers for segment ${segmentId}:`, error);
return [];
}
}
async updateContainerSecurity(container, securityUpdates) {
try {
// Update container security settings
if (securityUpdates.privileged !== undefined) {
// Update privileged mode
}
if (securityUpdates.readOnlyRootfs !== undefined) {
// Update read-only root filesystem
}
this.logger.info(`Updated container security for container ${container.Id}`);
} catch (error) {
this.logger.error(`Failed to update container security: ${error.message}`);
}
}
async analyzeWorkload(workloadId) {
// Analyze workload characteristics
const profile = this.workloadProfiles.get(workloadId);
if (!profile) {
return null;
}
const characteristics = {
resourceUtilization: await this.getResourceUtilization(workloadId),
securityScore: await this.calculateSecurityScore(workloadId),
riskLevel: this.assessRiskLevel(workloadId),
complianceScore: this.assessCompliance(workloadId)
};
return {
profile,
characteristics,
recommendations: this.generateRecommendations(characteristics)
};
}
async getResourceUtilization(workloadId) {
try {
const containers = await this.getContainersForSegment(workloadId);
if (containers.length === 0) {
return { cpu: 0, memory: 0, bandwidth: 0 };
}
let totalCPU = 0;
let totalMemory = 0;
let totalBandwidth = 0;
for (const container of containers) {
const stats = await this.getContainerStats(container.Id);
if (stats) {
totalCPU += stats.cpu || 0;
totalMemory += stats.memory || 0;
totalBandwidth += stats.network?.bytesReceived || 0;
}
}
return {
cpu: totalCPU,
memory: totalMemory,
bandwidth: totalBandwidth,
containers: containers.length
};
} catch (error) {
this.logger.error(`Failed to get resource utilization: ${error.message}`);
return { cpu: 0, memory: metrics.memoryUsage.heapUsed };
}
}
calculateSecurityScore(workloadId) {
let score = 50; // Base score
try {
const profile = this.workloadProfiles.get(workloadId);
// Check compliance requirements
if (profile.complianceRequirements) {
if (profile.complianceRequirements.dataClassification === 'sensitive') {
score -= 30;
}
}
// Check security requirements
if (profile.securityRequirements) {
if (!profile.securityRequirements.databaseAccess) {
score -= 20;
}
}
} catch (error) {
this.logger.error(`Failed to calculate security score: ${error.message}`);
}
return Math.max(0, score);
}
assessRiskLevel(workloadId) {
let riskScore = 25; // Default medium risk
try {
const profile = this.workloadProfiles.get(workloadId);
// Higher risk for external network access
if (profile.securityRequirements.networkAccess.length > 2) {
riskScore += 20;
}
// Higher risk for filesystem access
if (profile.securityRequirements.filesystemAccess) {
riskScore += 15;
}
// Higher risk for privileged containers
if (profile.resourceRequirements.cpu.includes('vCPU')) {
riskScore += 10;
}
} catch (error) {
this.logger.error(`Failed to assess risk level: ${error.message}`);
}
if (riskScore > 75) return 'critical';
if (riskScore > 50) return 'high';
if (riskScore > 25) return 'medium';
return 'low';
}
assessCompliance(workloadId) {
let score = 0;
try {
const profile = this.workloadTypes.get(workloadId);
if (profile.complianceRequirements) {
// Score based on compliance level
if (profile.complianceRequirements.dataClassification === 'public') score += 25;
if (profile.complianceRequirements.dataClassification === 'internal') score += 50;
if (profile.complianceRequirements.dataClassification === 'confidential') score += 75;
if (profile.complianceRequirements.dataClassification === 'restricted') score += 90;
if (profile.complianceRequirements.dataClassification === 'top-secret') score += 100;
}
} catch (error) {
this.logger.error(`Failed to assess compliance: ${error.message}`);
}
return Math.min(100, score);
}
generateRecommendations(characteristics) {
const recommendations = [];
// Resource optimization recommendations
if (characteristics.resourceUtilization.cpu > 80) {
recommendations.push({
type: 'optimization',
priority: 'high',
title: 'High CPU utilization detected',
description: 'Consider scaling or optimizing CPU usage',
suggestion: 'Implement horizontal scaling or CPU optimization'
});
}
// Security recommendations
if (characteristics.securityScore < 50) {
recommendations.push({
type: 'security',
priority: 'high',
title: 'Security score below threshold',
description: 'Security score below 50% requires attention',
suggestion: 'Review security policies and configurations'
});
}
// Risk recommendations
if (characteristics.riskLevel === 'critical') {
recommendations.push({
type: 'security',
priority: 'critical',
title: 'Critical risk level detected',
description: 'Workload presents critical security risks',
suggestion: 'Review and implement additional security controls'
});
}
// Compliance recommendations
if (characteristics.complianceScore < 60) {
recommendations.push({
type: 'compliance',
priority: 'medium',
title: 'Compliance score needs improvement',
description: 'Compliance score below 60%',
suggestion: 'Review and update compliance controls'
});
}
return recommendations;
}
async enforcePolicy(segmentId, target, action) {
try {
const segment = this.segments.get(segmentId);
if (!segment) {
throw new Error(`Segment not found: ${segmentId}`);
}
const result = await this.enforcementEngine.enforcePolicy(segment, { target, action });
this.emit('policyEnforced', {
segmentId,
target,
action: result.action,
reason: result.message || 'Policy enforced'
});
return result;
} catch (error) {
this.logger.error(`Policy enforcement failed: ${error.message}`);
return { action: 'error', error: error.message };
}
}
updateSegment(segmentId, updates) {
const segment = this.segments.get(segmentId);
if (!segment) {
throw new Error(`Segment not found: ${segmentId}`);
}
Object.assign(segment, updates);
segment.updatedAt = Date.now();
this.segments.set(segmentId, segment);
this.emit('segmentUpdated', segment);
}
deleteSegment(segmentId) {
this.segments.delete(segmentId);
this.microSegments.delete(segmentId);
this.emit('segmentDeleted', { segmentId });
}
// Analytics and monitoring
getSegmentAnalytics() {
const segmentAnalytics = {
total: this.segments.size,
microSegments: this.microSegments.size,
activeSegments: Array.from(this.segments.values()).filter(s => s.status === 'active').length,
segmentTypes: this.getSegmentTypeDistribution(),
securityPosture: this.getSecurityPostureDistribution(),
resourceUtilization: await this.getOverallResourceUtilization(),
violationTrends: this.getViolationTrends()
};
return segmentAnalytics;
}
getConnectionAnalytics() {
const connectionAnalytics = {
total: this.connectionAnalytics.size,
activeConnections: this.connectionAnalytics.size,
connectionTypes: this.getConnectionTypeDistribution(),
averageSessionDuration: this.getAverageSessionDuration(),
geographicDistribution: this.getGeographicDistribution()
};
return connectionAnalytics;
}
getViolationAnalytics() {
return {
total: this.violations.length,
byType: this.getViolationsByType(),
byPolicy: this.getViolationsByPolicy(),
recent: this.getRecentViolations(),
trends: this.getViolationTrends(),
bySeverity: this.getViolationsBySeverity()
};
}
getSegmentTypeDistribution() {
const distribution = {};
for (const segment of this.segments.values()) {
distribution[segment.type] = (distribution[segment.type] || 0) + 1;
}
return distribution;
}
getSecurityPostureDistribution() {
const postures = {
strict: 0,
permissive: 0,
restrictive: 0
};
for (const segment of this.segments.values()) {
if (segment.security) {
const mode = segment.security.enforcementMode || 'default';
postures[mode] = (postures[mode] || 0) + 1;
}
}
return postures;
}
async getOverallResourceUtilization() {
try {
const segments = Array.from(this.segments.values());
let totalCPU = 0;
let totalMemory = 0;
let totalBandwidth = 0;
for (const segment of segments) {
const utilization = await this.getResourceUtilization(segment.id);
totalCPU += utilization.cpu;
totalMemory += utilization.memory;
totalBandwidth += utilization.bandwidth;
}
return {
cpu: totalCPU,
memory: totalMemory,
bandwidth: totalBandwidth,
efficiency: this.calculateEfficiency(totalCPU, totalMemory, totalBandwidth)
};
} catch (error) {
this.logger.error(`Failed to get resource utilization: ${error.message}`);
return { cpu: 0, memory: metrics.memoryUsage.heapUsed, bandwidth: 0 };
}
}
calculateEfficiency(cpu, memory, bandwidth) {
// Calculate efficiency score based on resource utilization
const cpuEfficiency = cpu > 0 ? (100 - (cpu / (cpu + memory + bandwidth / 100)) : 50) : 50;
return Math.min(100, cpuEfficiency);
}
getConnectionTypeDistribution() {
const distribution = {};
for (const connection of this.connectionAnalytics.values()) {
const type = this.determineConnectionType(connection);
distribution[type] = (distribution[type] || 0) + 1;
}
return distribution;
}
getAverageSessionDuration() {
const connections = Array.from(this.connectionAnalytics.values());
const sessionDurations = connections.map(conn =>
(Date.now() - (conn.firstSeen) / 1000) // milliseconds
);
return sessionDurations.length > 0
? sessionDurations.reduce((sum, duration) => sum + duration, 0) / sessionDurations.length
: 0;
}
getGeographicDistribution() {
const distribution = {};
for (const connection of this.connectionAnalytics.values()) {
const geoInfo = this.getGeoLocation(connection.ip);
const location = ${geoInfo.country || 'unknown}`;
distribution[location] = (distribution[location] || 0) + 1);
}
return distribution;
}
getViolationsByType() {
const types = {};
for (const violation of this.violations) {
const type = violation.policy?.name || 'unknown';
types[type] = (types[type] || 0) + 1);
}
return types;
}
getViolationsByPolicy() {
const policies = {};
for (const violation of this.violations) {
const policyId = violation.policyId || 'unknown';
policies[policyId] = (policies[policyId] || 0) + 1);
}
return policies;
}
getRecentViolations() {
const oneHourAgo = Date.now() - (60 * 60 * 1000); // 1 hour ago
return this.violations.filter(v => v.timestamp > oneHourAgo);
}
getViolationsBySeverity() {
const severities = { critical: 0, high: 0, medium: 0, low: 0 };
for (const violation of this.violations) {
const severity = violation.severity || 'low';
severities[severity] = (severities[severity] || 0) + 1;
}
return severities;
}
getGeoLocation(ip) {
// Simplified geo-location lookup
return {
country: 'unknown',
city: 'unknown',
region: 'unknown',
org: 'unknown'
};
}
generateId() {
require('crypto').randomBytes(16).toString('hex');
}
// Analytics and monitoring
startPeriodicAnalytics() {
setInterval(() => {
this.updateAnalytics();
}, 60000); // Every minute
setInterval(() => {
this.cleanupOldData();
}, 300000); // Every 5 minutes
}
updateAnalytics() {
const segmentAnalytics = this.getSegmentAnalytics();
const connectionAnalytics = this.getConnectionAnalytics();
const violationAnalytics = this.getViolationAnalytics();
this.logger.info('Analytics update', {
segments: segmentAnalytics,
connections: connectionAnalytics,
violations: violationAnalytics
});
// Update dashboards
this.updateDashboards(segmentAnalytics, connectionAnalytics, violationAnalytics);
}
updateDashboards(segmentAnalytics, connectionAnalytics, violationAnalytics) {
// Update dashboard data sources
if (this.config.enableAnalytics) {
this.updateDashboardData('segments', segmentAnalytics);
this.updateDashboardData('connections', connectionAnalytics);
this.updateDashboardData('violations', violationAnalytics);
}
}
updateDashboardData(type, data) {
// Update external dashboard systems
console.log(
--- Dashboard Update [${type}] ---`);
console.log(JSON.stringify(data, null, 2));
}
cleanupOldData() {
// Clean up old analytics data
const oneHourAgo = Date.now() - (60 * 60 * 1000);
// Remove old violations
this.violations = this.violations.filter(v => v.timestamp > oneHourAgo);
// Remove inactive connections
for (const [id, connection] of this.connectionAnalytics.entries()) {
if (connection.lastSeen < oneHourAgo) {
this.connectionAnalytics.delete(id);
}
}
// Remove old session data
this.sessionStore.cleanup();
console.log('Cleanup completed');
}
}
// Workload Profile and Application Integration
class WorkloadManager {
constructor(segmentationEngine) {
this.segmentationEngine = segmentationEngine;
}
async registerWorkload(profile) {
const workload = {
...profile,
id: this.generateId(),
registeredAt: Date.now(),
status: 'registered'
};
// Save to workload profiles
this.segmentationEngine.workloadProfiles.set(profile.name, workload);
// Create corresponding micro-segment
const segment = await this.segmentationEngine.createMicroSegment({
name: profile.name,
workloadId: profile.name,
type: profile.type,
target: 'container',
parent: 'default'
});
this.segmentationEngine.emit('workload-registered', workload);
return segment;
}
async detectWorkload(containerId) {
// Detect workload type from container metadata
try {
if (this.segmentationEngine.orchestrator) {
const container = await this.segmentationEngine.orchestrator.getContainer(containerId);
if (container) {
const labels = container.Labels || {};
// Match workload profile by labels
for (const [workloadId, profile] of this.segmentationEngine.workloadProfiles.entries()) {
if (workloadId === labels.workload) {
return {
workload: profile,
confidence: this.matchConfidence(container, profile)
};
}
}
// If no direct match, try pattern matching
const match = this.matchWorkloadProfile(container, this.segmentationEngine.workloadProfiles);
if (match) {
return {
workload: match.workload,
confidence: match.confidence,
detected: true
};
}
}
}
} catch (error) {
console.error(`Workload detection failed: ${error.message}`);
}
return null;
}
matchWorkloadProfile(container, profiles) {
let bestMatch = null;
let highestConfidence = 0;
for (const [workloadId, profile] of profiles.entries()) {
const confidence = this.matchConfidence(container, profile);
if (confidence > highestConfidence) {
bestMatch = workload;
highestConfidence = confidence;
}
}
return bestMatch ? bestMatch.workload : null;
}
matchConfidence(container, profile) {
let confidence = 0;
let factors = 0;
// Match by name
if (container.Labels && container.Labels.workload === profile.name) {
confidence += 50;
factors++;
}
// Match by resource requirements
if (profile.resourceRequirements) {
factors += 3;
if (container.Resources) {
// Compare CPU requirements
if (profile.resourceRequirements.cpu && container.Resources.limits?.cpu) {
const requiredCPU = this.parseCPURequirement(profile.resourceRequirements.cpu);
const availableCPU = this.parseCPURequirement(container.Resources.limits?.cpu);
if (availableCPU >= requiredCPU) {
confidence += 20;
factors++;
}
}
// Compare memory requirements
if (profile.resourceRequirements.memory && container.Resources.limits?.memory) {
const requiredMemory = this.parseMemoryRequirement(profile.resourceRequirements.memory);
availableMemory = this.parseMemoryRequirement(container.Resources.limits?.memory);
if (availableMemory >= requiredMemory) {
confidence += 20;
factors++;
}
}
}
}
return factors > 0 ? confidence / factors : 0;
}
parseCPURequirement(cpuSpec) {
if (typeof cpuSpec === 'string') {
const match = cpuSpec.match(/(\d+)([mgtG]?)/);
if (match) {
const value = parseFloat(match[1]);
return value * (match[2] === 'M' ? 1000 : 1);
}
}
return 0;
}
parseMemoryRequirement(memorySpec) {
if (typeof memorySpec === 'string') {
const match = memorySpec.match(/(\d+)([GM]i[Bb]?)$/);
if (match) {
const value = parseFloat(match[1]);
return value * (match[2] === 'G' || match[2] === 'i' ? 1024 : 1) * 1024 : 1));
}
}
return 0;
}
async getWorkloadSummary() {
const profiles = Array.from(this.segmentationEngine.workloadProfiles.values());
const summary = {
totalWorkloads: profiles.length,
byType: this.getWorkloadTypeDistribution(profiles),
averageSecurityScore: this.calculateAverageSecurityScore(profiles),
averageRiskLevel: this.calculateAverageRiskLevel(profiles),
complianceStatus: this.getOverallComplianceStatus(profiles)
};
return summary;
}
getWorkloadTypeDistribution(profiles) {
const distribution = {};
for (const profile of profiles) {
distribution[profile.type] = (distribution[profile.type] || 0) + 1);
}
return distribution;
}
calculateAverageSecurityScore(profiles) {
if (profiles.length === 0) return 50;
const scores = profiles.map(profile =>
this.segmentationEngine.calculateSecurityScore(profile.id)
);
return scores.reduce((sum, score) => sum + score, 0) / scores.length;
}
calculateAverageRiskLevel(profiles) {
if (profiles.length === 0) return 'medium';
const riskLevels = profiles.map(profile =>
this.segmentationEngine.assessRiskLevel(profile.id)
);
const riskLevelCounts = {
critical: 0,
high: 0,
medium: 0,
low: 0
};
for (const level of riskLevels) {
riskLevelCounts[level]++;
}
// Return the highest risk level with the least matches
const riskLevelsOrdered = ['critical', 'high', 'medium', 'low'];
for (const level of riskLevelsOrdered) {
if (riskLevelCounts[level] > 0) {
return level;
}
}
return 'low';
}
getOverallComplianceStatus(profiles) {
if (profiles.length === 0) return 100;
const scores = profiles.map(profile =>
this.segmentationEngine.assessCompliance(profile.id)
);
return scores.reduce((sum, score) => sum + score, 0) / scores.length;
}
}
// Container and application integration
class ContainerManager {
constructor(segmentationEngine) {
this.segmentationEngine = segmentationEngine;
}
async updateContainer(containerId, updates) {
if (!this.segmentationEngine.orchestrator) return;
try {
const container = await this.segmentationEngine.orchestrator.getContainer(containerId);
if (container && updates.security) {
await this.segmentationEngine.applyContainerPolicy(container, updates.security);
}
// Update segment with new container information
await this.updateContainerInSegment(containerId, updates);
} catch (error) {
console.error(`Failed to update container ${containerId}:`, error);
}
}
async updateContainerInSegment(containerId, updates) {
const container = await this.segmentationEngine.orchestrator.getContainer(containerId);
if (!container) return;
// Find associated segment
const segment = await this.findSegmentByContainer(containerId);
if (segment) {
// Update segment with new container metadata
segment.containerCount = (segment.containerCount || 0) + 1;
segment.lastUpdated = Date.now();
// Re-apply policies if needed
await this.segmentationEngine.applySegmentPolicies(segment);
this.segmentationEngine.updateSegment(segment.id, segment);
}
}
async findSegmentByContainer(containerId) {
for (const [segmentId, segment] of this.segmentationEngine.segments.entries()) {
const containers = await this.segmentationEngine.getContainersForSegment(segmentId);
if (containers.find(c => c.Id === containerId)) {
return segment;
}
}
return null;
}
}
// Application integration example
class Application {
constructor(segmentationEngine, app) {
this.segmentationEngine = segmentationEngine;
this.app = app;
// Setup Zero Trust middleware
this.setupMiddleware();
this.setupRoutes();
}
setupMiddleware() {
// Request analysis
this.app.use(async (req, res, next) => {
this.segmentationEngine.analyzeRequest(req);
next();
});
// Policy enforcement
this.app.use(async (req, res, next) => {
const decision = await this.segmentationEngine.evaluateRequest(req);
if (decision.action === 'block') {
return res.status(403).json({
error: 'Access denied by policy'
});
}
next();
});
// Session validation
this.app.use(async (req, res, next) => {
if (req.headers.authorization) {
try {
const decoded = await this.segmentationEngine.validateToken(req.headers.authorization);
if (decoded.exp < Date.now() / 1000) {
return res.status(401).json({ error: 'Token expired' });
}
req.user = decoded;
} catch (error) {
return res.status(401).json({ error: 'Invalid token' });
}
}
// Validate session
if (decoded && decoded.sessionId) {
const session = this.segmentationEngine.sessionStore.get(decoded.sessionId);
if (!session || session.expiresAt < Date.now()) {
return res.status(401).json({ error: 'Session expired' });
}
req.session = session;
}
next();
});
}
setupRoutes() {
// Admin endpoints
this.app.get('/api/segments', authenticate, authorize(['admin']), this.listSegments.bind(this));
this.app.post('/api/segments', authenticate, authorize(['admin']), this.createSegment.bind(this));
this.app.put('/api/segments/:id', authenticate, authorize(['admin']), this.updateSegment.bind(this));
this.app.delete('/api/segments/:id', authenticate, authorize(['admin']), this.deleteSegment.bind(this));
// Developer endpoints
this.app.get('/api/workloads', authenticate, this.listWorkloads.bind(this));
this.app.post('/api/workloads/:id/security-scan', authenticate, this.performSecurityScan.bind(this)));
// Analytics endpoints
this.app.get('/api/analytics', authenticate, authorize(['admin']), this.getAnalytics.bind(this));
// Dynamic policy enforcement
this.app.post('/api/enforce/:segmentId', authenticate, this.enforcePolicyOnConnection.bind(this)));
// Workload detection
this.app.post('/api/detect-workload', authenticate, this.detectWorkload.bind(this)));
// Real-time updates
this.app.get('/api/ws', authenticate, this.setupWebSocket.bind(this));
}
listSegments(req, res) {
const segments = await this.segmentationEngine.listSegments();
res.json(segments);
}
createSegment(req, res) {
const segmentData = {
...req.body,
id: this.segmentationEngine.generateId(),
createdAt: Date.now()
};
try {
const segment = await this.segmentationEngine.createSegment(segmentData);
res.status(201).json(segment);
this.logger.info(`Created segment: ${segment.name}`);
} catch (error) {
this.logger.error('Failed to create segment:', error);
res.status(400).json({ error: error.message });
}
}
updateSegment(req, res) {
const { id } = req.params;
const updates = req.body;
try {
const segment = await this.segmentationEngine.updateSegment(id, updates);
res.json(segment);
this.logger.info(`Updated segment: ${segment.name}`);
} catch (error) {
this.logger.error('Failed to update segment:', error);
res.status(400).json({ error: error.message });
}
}
deleteSegment(req, res) {
const { id } = req.params;
try {
await this.segmentationEngine.deleteSegment(id);
res.status(204).send();
this.logger.info(`Deleted segment: ${id}`);
} catch (error) {
this.logger.error('Failed to delete segment:', error);
res.status(400).json({ error: error.message });
}
}
listWorkloads(req, res) {
const profiles = Array.from(this.segmentationEngine.workloadProfiles.values());
res.json(profiles);
}
performSecurityScan(req, res) {
const { id } = req.params;
try {
const analysis = await this.segmentationEngine.analyzeWorkload(id);
res.json(analysis);
} catch (error) {
this.logger.error('Security scan failed:', error);
res.status(500).json({ error: error.message });
}
}
enforcePolicyOnConnection(req, res) {
const { segmentId, target, action } = req.params;
try {
const result = await this.segmentationEngine.enforcePolicy(segmentId, target, action);
res.json(result);
} catch (error) {
this.logger.error('Policy enforcement failed:', error);
res.status(500).json({ error: error.message });
}
}
detectWorkload(req, res) {
const { connectionId } = req.connectionId || this.getConnectionId(req);
try {
const workload = await this.segmentationEngine.analyzeWorkload(connectionId);
res.json({
workload,
connectionId,
detected: workload !== null
});
} catch (error) {
this.logger.error('Workload detection failed:', error);
res.status(500).json({ error: error.message });
}
}
setupWebSocket(ws, req, res) {
ws.on('connection', (ws, req) => {
const connectionId = this.getConnectionId(req);
// Store connection reference for context
this.connections.set(ws, {
connectionId,
ip: req.ip,
userAgent: req.headers['user-agent'],
headers: req.headers,
socket: ws
});
});
ws.on('message', (ws, data) => {
this.handleWebSocketMessage(ws, data);
});
ws.on('close', () => {
const connection = this.connections.get(ws);
if (connection) {
this.connections.delete(ws);
this.logger.info(`Connection closed: ${connection.connectionId}`);
}
});
res.status(200).json({
message: 'WebSocket connected',
connectionId
});
}
handleWebSocketMessage(ws, data) {
try {
const message = JSON.parse(data);
switch (message.type) {
case 'connection-migration':
this.handleConnectionMigration(ws, message.data);
break;
case 'risk-update':
this.handleRiskUpdate(ws, message.data);
break;
case 'segment-update':
this.handleSegmentUpdate(ws, message.data);
break;
}
} catch (error) {
this.logger.error('WebSocket message error:', error);
}
}
handleConnectionMigration(ws, data) {
const connection = this.connections.get(ws);
if (connection) {
// Update connection with new security context
connection.security = {
requiresReauth: data.requiresReauth,
trustScore: data.trustScore || 0
};
this.logger.info(`Connection migration required: ${connection.requiresReauth ? 'Yes' : 'No'}`);
}
}
handleRiskUpdate(ws, data) {
// Update connection risk score
const connection = this.connections.get(ws);
if (connection) {
connection.security.riskScore = data.riskScore || 0;
if (connection.security.riskScore > 70) {
// Trigger additional verification
this.logger.warn(`High risk score for connection ${connection.connectionId}: ${connection.security.riskScore}`);
}
}
}
handleSegmentUpdate(ws, data) {
// Update segment information
const connection = this.connections.get(ws);
if (connection) {
connection.segmentId = data.segmentId;
connection.security.requiresReauth = data.requiresReauth;
}
}
getConnectionId(req) {
const connectionId = req.ztConnectionId ||
req.ip ||
req.connectionId ||
this.generateId();
return connectionId;
}
}
// Start the micro-segmentation service
const port = process.env.PORT || 3000;
const app = express();
const segmentation = new ZeroTrustNetworkSegmentation({
orchestration: 'kubernetes',
enableAPIAccess: true,
realTimeUpdates: true,
analytics: {
enabled: true,
retention: '24h'
},
logging: {
level: 'info'
}
});
// Start the service
app.listen(port, () => {
console.log(`Zero Trust Micro-Segmentation API listening on port ${port}`);
});
// Add routes to application
const app2 = express();
const app2Router = express.Router();
app2.use('/api/v2', app2Router);
app2Router.use(authenticate);
app2Router.use(authorize(['admin']));
app2Router.get('/workloads', authenticate, async (req, res) => {
const summary = await segmentation.getWorkloadSummary();
res.json(summary);
});
app2Router.post('/workloads/:id/security-scan', authenticate, async (req, res) => {
const analysis = await segmentation.analyzeWorkload(req.params.id);
res.json(analysis);
});
// Graceful shutdown
process.on('SIGINT', () => {
console.log('Shutting down Zero Trust Micro-Segmentation Service...');
segmentation.stop();
app.close();
process.exit(0);
});