Dilmune
Security Tutorial

Zero-Trust Networking: A Practical Guide

Zero-trust isn't just a buzzword. Here's how to actually implement it, with real code examples.

Ahmed Al Jamal

"Zero-trust" has become one of those terms that means everything and nothing. Every security vendor claims to offer it. Most of them are selling you a VPN with extra steps. Let's cut through the noise and look at what zero-trust actually means in practice.

The Core Principle

Zero-trust means exactly what it sounds like: trust nothing, verify everything. Every request, whether it originates inside or outside your network, must carry a verifiable identity and be authorized for the specific action it is attempting. Network location is not a credential.

The old model: "You're inside the firewall, so you're trusted." The new model: "Prove who you are. Every. Single. Time."

Implementation: Token-Based Identity

At Dilmune, every service-to-service call carries a short-lived token that is scoped to a set of actions and bound to the one service it is meant for. Here's a simplified version of our authentication middleware:

auth-middleware.ts
```typescript
import { verify, sign } from "@dilmune/auth";

interface ServiceToken {
  sub: string;     // Service identity (the caller)
  aud: string;     // Target service (must be us)
  scope: string[]; // Permitted actions
  exp: number;     // Expiry (5 min max)
}

export async function authenticate(req: Request): Promise<ServiceToken | Response> {
  // Accept only the Bearer scheme; a bare token or any other scheme is rejected.
  const [scheme, token] = req.headers.get("Authorization")?.split(" ") ?? [];

  if (scheme !== "Bearer" || !token) {
    return new Response("Unauthorized", { status: 401 });
  }

  try {
    // Signature, issuer and age are checked by the library. maxAge caps the
    // lifetime on the verifying side even if the issuer set a later exp.
    const payload = await verify<ServiceToken>(token, {
      issuer: "dilmune-mesh",
      maxAge: "5m",
    });

    // Verify the token is intended for THIS service. A token that is validly
    // signed but addressed to another service must not be accepted here,
    // otherwise one stolen token works against the whole mesh.
    if (payload.aud !== process.env.SERVICE_ID) {
      return new Response("Forbidden", { status: 403 });
    }

    return payload;
  } catch (err) {
    // Do not echo the verification error to the caller; log it server-side.
    return new Response("Invalid token", { status: 401 });
  }
}
```

Network Segmentation

Beyond authentication, zero-trust requires network-level isolation as a second, independent layer: a bug in the token check should still leave an attacker unable to reach anything the segment does not explicitly allow. Every service runs in its own micro-segment with explicit ingress and egress rules:

network-policy.yaml
```yaml
# Service network policy
apiVersion: dilmune.com/v1
kind: NetworkPolicy
metadata:
  name: api-service
spec:
  ingress:
    - from:
        - service: gateway
        - service: admin-panel
      ports:
        - 8080
  egress:
    - to:
        - service: database
          ports: [5432]
        - service: cache
          ports: [6379]
  # Everything else is denied by default
```
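What "denied by default" means in practice is that a flow needs two explicit allows: the source's egress rule and the destination's ingress rule. The following is an added example, not Dilmune's enforcement engine, that evaluates policies in the shape of the YAML above with exactly that rule and enumerates every permitted flow so the resulting graph can be reviewed. The sample policies for the neighbouring services (gateway, admin-panel, database, cache, and a batch-worker that tries to reach the API) are constructed for illustration.

```typescript
// Added example: default-deny evaluation of micro-segment policies.
// Policy shape mirrors the post's YAML; sample policies are constructed.
interface IngressRule { from: string[]; ports: number[] }
interface EgressRule { service: string; ports: number[] }
interface Policy { name: string; ingress: IngressRule[]; egress: EgressRule[] }

// One policy per service. A service without a policy gets no traffic at all.
export const policies: Policy[] = [
  { name: "gateway",     ingress: [], egress: [{ service: "api-service", ports: [8080] }] },
  { name: "admin-panel", ingress: [], egress: [{ service: "api-service", ports: [8080] }] },
  { name: "api-service",
    ingress: [{ from: ["gateway", "admin-panel"], ports: [8080] }],
    egress:  [{ service: "database", ports: [5432] }, { service: "cache", ports: [6379] }] },
  { name: "database",    ingress: [{ from: ["api-service"], ports: [5432] }], egress: [] },
  { name: "cache",       ingress: [{ from: ["api-service"], ports: [6379] }], egress: [] },
  // batch-worker is allowed OUT to the API, but the API never allowed it IN.
  { name: "batch-worker", ingress: [], egress: [{ service: "api-service", ports: [8080] }] },
];

export type Decision =
  | { allow: true }
  | { allow: false; deniedBy: "no-policy" | "egress" | "ingress" };

function egressPermits(rules: EgressRule[], dst: string, port: number): boolean {
  return rules.some(r => r.service === dst && r.ports.includes(port));
}

function ingressPermits(rules: IngressRule[], src: string, port: number): boolean {
  return rules.some(r => r.from.includes(src) && r.ports.includes(port));
}

// A flow src -> dst:port is allowed only if the source's egress AND the
// destination's ingress both name it. Missing policy or missing rule = deny.
export function evaluate(ps: Policy[], src: string, dst: string, port: number): Decision {
  const srcPolicy = ps.find(p => p.name === src);
  const dstPolicy = ps.find(p => p.name === dst);
  if (!srcPolicy || !dstPolicy) return { allow: false, deniedBy: "no-policy" };
  if (!egressPermits(srcPolicy.egress, dst, port)) return { allow: false, deniedBy: "egress" };
  if (!ingressPermits(dstPolicy.ingress, src, port)) return { allow: false, deniedBy: "ingress" };
  return { allow: true };
}

// Enumerate every flow the policy set actually permits ("src->dst:port"),
// which is the artefact to review when auditing the segmentation.
export function allowedFlows(ps: Policy[]): string[] {
  const out: string[] = [];
  for (const p of ps) {
    for (const e of p.egress) {
      for (const port of e.ports) {
        if (evaluate(ps, p.name, e.service, port).allow) out.push(`${p.name}->${e.service}:${port}`);
      }
    }
  }
  return out.sort();
}
```

Requiring both sides to agree is what makes the policy tamper-resistant in one direction: a compromised service that edits its own egress rules still cannot reach a peer whose ingress never named it.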

Key Takeaways

  1. Never trust the network. Authenticate every request.
  2. Use short-lived tokens (5 minutes or less), and enforce the lifetime cap on the verifying side, not only at the issuer.
  3. Scope tokens to specific services and actions, and reject any token whose audience is not the service checking it.
  4. Segment your network. Default deny, explicit allow.
  5. Log everything. You can't detect what you can't see.

Zero-trust isn't a product you buy. It's an architecture you build. And it's worth building right.
