// PILLAR 03 OF 07 — DoD ZERO TRUST ARCHITECTURE

🌐 NETWORK / ENVIRONMENT

Flat networks are a gift to adversaries. Segmentation, encryption, and dynamic access controls transform your network from a trusted highway into a series of verified, monitored, access-controlled zones.

// Core Requirements — What Must Be Implemented

// Operational Principle

Eliminate the flat network. Every path must be justified. East-west traffic between workloads is as dangerous as inbound external traffic, because once an adversary holds one workload, lateral movement is what turns that foothold into a breach. If two systems do not need to communicate, the architecture must make that communication impossible, enforced at the network or host firewall, and not merely prohibited on paper.
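As an added illustration of this principle (example code written for this page, not a configuration from any vendor listed here), the following Python script treats the segmentation policy as an explicit allowlist of justified paths, checks a batch of observed east-west flow records against it, and renders the same allowlist as an nftables forward chain whose default is drop, so that anything not justified is unreachable rather than merely non-compliant. The subnets, workload labels, allowlist and flow records are constructed for the example.

```python
"""
Deny-by-default east-west policy check (added example; constructed data).

The segmentation policy is an explicit allowlist of justified paths between
labelled workload groups. Observed flows are checked against it, and the same
allowlist is rendered as an nftables forward chain whose default is drop.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Workload labels by subnet (constructed). Any address not listed is "unknown".
LABELS = {
    ip_network("10.10.1.0/24"): "web",
    ip_network("10.10.2.0/24"): "app",
    ip_network("10.10.3.0/24"): "db",
}

# Justified paths: (source label, destination label, protocol, destination port).
# There is no implicit "same tier may talk" rule; app-to-app traffic must be listed too.
ALLOW = {
    ("web", "app", "tcp", 8443),
    ("app", "db", "tcp", 5432),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def label_for(addr: str) -> str:
    """Map an address to its workload label, or 'unknown' if it is outside every labelled subnet."""
    ip = ip_address(addr)
    for net, name in LABELS.items():
        if ip in net:
            return name
    return "unknown"


def parse_flows(lines):
    """Parse constructed flow records of the form 'src dst proto dport'; blanks and # comments are skipped."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows


def is_justified(flow: Flow) -> bool:
    """True only if the labelled path, protocol and port are all on the allowlist."""
    return (label_for(flow.src), label_for(flow.dst), flow.proto, flow.dport) in ALLOW


def unjustified(flows):
    """Every flow the allowlist does not justify: either a missing rule or an intrusion, never acceptable as-is."""
    return [f for f in flows if not is_justified(f)]


def render_nft(allow=ALLOW):
    """Render the allowlist as an nftables forward chain with an explicit drop policy."""
    cidr = {name: str(net) for net, name in LABELS.items()}
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for src, dst, proto, port in sorted(allow):
        lines.append(f"    ip saddr {cidr[src]} ip daddr {cidr[dst]} {proto} dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed flow records: two justified paths, one tier-skip, one lateral
# hop inside the app tier, and one source outside every labelled subnet.
SAMPLE_FLOWS = """\
# src         dst         proto dport
10.10.1.15    10.10.2.20  tcp   8443
10.10.2.20    10.10.3.5   tcp   5432
10.10.1.15    10.10.3.5   tcp   5432
10.10.2.20    10.10.2.21  tcp   22
192.168.9.9   10.10.3.5   tcp   5432
""".splitlines()

if __name__ == "__main__":
    for f in unjustified(parse_flows(SAMPLE_FLOWS)):
        print(f"UNJUSTIFIED {label_for(f.src)}->{label_for(f.dst)} {f.proto}/{f.dport}: {f.src} -> {f.dst}")
    print(render_nft())
```

Three of the five constructed flows are reported: the web tier reaching the database directly, an SSH hop between two app-tier hosts, and a source that belongs to no labelled subnet. Each is either a rule the architecture owes you or an intrusion; the script does not let you tell them apart, which is the point. The rendered chain is the host-level enforcement that makes the unlisted paths fail rather than merely log.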

// Hardware — Network Security Appliances

Hardware (Palo Alto Networks)
Palo Alto PA-Series NGFWs
Next-generation firewalls with App-ID, User-ID, and zone-based micro-segmentation. Configurations can be hardened to the DISA Palo Alto Networks STIGs. Hardware-enforced east-west traffic policy at 100Gbps+.

Hardware (Cisco)
Cisco Catalyst 9000 Series switches (NAC enforcement point)
Enterprise switching platform with 802.1X NAC, TrustSec SGT micro-segmentation, and integration with Cisco ISE for device-posture-based VLAN assignment.

Hardware (HPE Aruba)
Aruba ClearPass (NAC appliance)
Network access control platform, delivered as a hardware or virtual appliance, providing device posture assessment, 802.1X enforcement, and dynamic VLAN assignment for ZT network admission.

Hardware (Gigamon)
Gigamon ThreatINSIGHT Sensor
Traffic sensor fed from Gigamon's packet-broker fabric, providing deep packet inspection and traffic decryption for east-west visibility. Because it works on tapped or mirrored traffic rather than in the forwarding path, inspection does not degrade network performance.

// Software, Platforms & Cloud Services

Software / Platform (Illumio)
Illumio Core (micro-segmentation)
Workload micro-segmentation software that maps all east-west communications and enforces deny-by-default policies at the host. Used by DoD and federal agencies for zero-trust network segmentation.

Software / Platform (Zscaler)
Zscaler Zero Trust Exchange
Cloud-native software-defined perimeter (SDP) platform replacing VPN. Provides identity-aware, application-specific access without exposing network segments. Used by DoD components under DISA authorization.

Software / Platform (Palo Alto Networks)
Palo Alto Prisma Access (SASE)
Cloud-delivered SASE platform combining ZTNA, SWG, CASB, and FWaaS. Enforces consistent policy for remote users, branch offices, and cloud workloads.

Software / Platform (Cisco)
Cisco ISE (Identity Services Engine)
Enterprise NAC and policy enforcement platform. Combines device posture, user identity, and network context to enforce dynamic access policies per ZT principles.

Software / Platform (ExtraHop)
ExtraHop Reveal(x) (NDR)
Network detection and response platform providing AI-driven east-west traffic analysis. Detects lateral movement, threats in encrypted channels, and anomalous network behavior.

Software / Platform (Darktrace)
Darktrace DETECT/RESPOND
AI-powered NDR using unsupervised machine learning to detect novel network threats without signature dependence. Autonomous response capabilities.

Software / Platform (Infoblox)
Infoblox (DNS security)
Enterprise DNS/DHCP/IPAM (DDI) with threat intelligence integration for DNS-based C2 detection and blocking. Used extensively in DoD network environments.
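DNS-based C2 detection, whether done by a DDI platform or an NDR sensor, rests on a few observable properties of tunnelled traffic: many never-repeated subdomains under one registrable domain, high-entropy labels carrying encoded payload, and record types (TXT, NULL) that are rare in ordinary resolution. The following Python script is an added example that scores resolver log lines on those properties; it is not Infoblox's or any other vendor's detection logic. The log format, the thresholds, and the two-label approximation of the registrable domain are assumptions stated in the code, and the log lines are constructed.

```python
"""
DNS tunnelling / C2 heuristics over resolver logs (added example; constructed data).

Per registrable domain: how many distinct subdomains were queried, how random
the leftmost label looks, and what share of queries use TXT/NULL records.
"""
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character; a label using 16 distinct symbols uniformly scores 4.0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def registered_domain(qname: str) -> str:
    """Assumption: the registrable domain is the last two labels.

    Production code should consult the Public Suffix List so that
    'host.example.co.uk' is not reduced to 'co.uk'.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(lines):
    """Parse constructed resolver log lines: '<epoch> <client> <qtype> <qname>'."""
    queries = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, client, qtype, qname = line.split()
        queries.append((client, qtype.upper(), qname.lower().rstrip(".")))
    return queries


def score_domains(queries, min_queries=5, entropy_floor=3.5, unique_floor=0.8, txt_floor=0.5):
    """Return {registrable domain: [reasons]}; an empty list means nothing suspicious.

    Thresholds are assumptions chosen for the constructed sample; tune them
    against a baseline of your own resolver traffic before alerting on them.
    """
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "ent": [], "txt": 0})
    for _client, qtype, qname in queries:
        rd = registered_domain(qname)
        st = stats[rd]
        st["n"] += 1
        st["txt"] += qtype in ("TXT", "NULL")
        prefix = qname[: -len(rd)].rstrip(".")
        if prefix:
            st["subs"].add(prefix)
            st["ent"].append(shannon_entropy(prefix.split(".")[0]))
    verdicts = {}
    for rd, st in stats.items():
        reasons = []
        if st["n"] >= min_queries:
            unique_ratio = len(st["subs"]) / st["n"]
            mean_ent = sum(st["ent"]) / len(st["ent"]) if st["ent"] else 0.0
            if unique_ratio >= unique_floor and mean_ent >= entropy_floor:
                reasons.append(f"{len(st['subs'])} distinct subdomains in {st['n']} queries, "
                               f"mean label entropy {mean_ent:.2f} bits")
            if st["txt"] / st["n"] >= txt_floor:
                reasons.append(f"{st['txt']}/{st['n']} queries are TXT/NULL")
        verdicts[rd] = reasons
    return verdicts


def flagged(queries, **thresholds):
    """Sorted list of domains with at least one reason."""
    return sorted(d for d, why in score_domains(queries, **thresholds).items() if why)


# Constructed log: ordinary lookups under example.com, then a host emitting
# never-repeated, high-entropy labels as TXT queries under one domain.
SAMPLE_LOG = """\
# epoch      client      qtype qname
1700000001   10.10.1.15  A     www.example.com
1700000002   10.10.1.15  A     mail.example.com
1700000003   10.10.1.16  A     www.example.com
1700000004   10.10.1.16  AAAA  www.example.com
1700000005   10.10.1.17  A     cdn.example.com
1700000010   10.10.2.20  TXT   a1b2c3d4e5f6g7h8.c2-example.test
1700000011   10.10.2.20  TXT   k9m2p4q7r1s3t6u8.c2-example.test
1700000012   10.10.2.20  TXT   z0y1x2w3v4u5t6s7.c2-example.test
1700000013   10.10.2.20  TXT   n8b7v6c5x4z3l2k1.c2-example.test
1700000014   10.10.2.20  TXT   p3o4i5u6y7t8r9e0.c2-example.test
1700000015   10.10.2.20  TXT   q1w2e3r4t5y6u7i8.c2-example.test
""".splitlines()

if __name__ == "__main__":
    for domain, why in score_domains(parse_log(SAMPLE_LOG)).items():
        print(domain, "FLAGGED: " + "; ".join(why) if why else "ok")
```

On the constructed log, example.com is evaluated (five queries) and passes: three distinct subdomains in five queries and labels like "www" with near-zero entropy. The second domain trips both rules. The minimum-query floor matters in practice: a single high-entropy lookup is what CDN and telemetry hostnames look like all day, and the volume and uniqueness pattern is what separates a beacon from noise.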

// Standards, Frameworks & Compliance Alignment

Segmentation: Illumio / Cisco ISE
SDP / SASE: Zscaler / Prisma Access
Encryption in transit: TLS 1.3 / MACsec
NDR: ExtraHop / Darktrace
Standard: NIST SP 800-207

DoD Compliance Note: Every hardware and software solution referenced on this page must be evaluated against the DISA Approved Products List (APL) where applicable, and the system that incorporates it must hold an Authority to Operate (ATO) issued through the RMF process before deployment in a DoD environment. Solutions handling CUI must use FIPS 140-2 or 140-3 validated cryptographic modules. Classified data requires NSA-approved cryptography (Type 1 equipment or a Commercial Solutions for Classified capability package); FIPS validation alone is not sufficient there. Solutions referencing DoD environments have been noted where DISA APL listings exist as of this publication.

// ZTNSS Assessment for This Pillar

John’s Zero Trust Readiness Assessment evaluates your Network / Environment Pillar maturity against all applicable DoD ZT Target Level activities using structured, evidence-based scoring methodology. The assessment identifies specific capability gaps, maps them to DoD activity numbers, and produces a sequenced remediation roadmap prioritized by risk exposure and operational impact.

John’s 24-year operational background at USSOCOM and SOCCENT means this assessment is grounded in environments where the adversaries are nation-state level, the stakes are operational, and compliance checkboxes are not a substitute for actual security.


GET YOUR ZT READINESS SCORE.

30 minutes. Mission-first guidance from someone who built and defended these architectures at USSOCOM.