#!/bin/bash
# =============================================================================
# Zero-Trust Network Validation - Home Lab
# =============================================================================
# Purpose: Validate that ISE dACL properly enforces zero-trust isolation
# Usage: sudo ./test-zero-trust.sh
# Expected: essential services + internet allowed; all other internal RFC1918 hosts blocked (outbound SSH is also expected to be blocked, see Test 7)

# Strict mode. Note that errexit is suspended inside `if` conditions and
# `||` lists, which is why every probe below checks its own status.
set -o errexit -o nounset -o pipefail

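# tag::vars[]
# Home Lab Infrastructure. Constants: nothing below reassigns them, so they
# are marked readonly to catch accidental clobbering.
readonly ISE_PAN="10.50.1.21"
readonly DNS_PRIMARY="10.50.1.1"
readonly AD_DC="10.50.2.11"
readonly NAS="10.50.100.10"

# Test targets
readonly INTERNAL_TARGET="10.50.2.50"     # Random internal IP (should be BLOCKED)
readonly INTERNET_TARGET="www.google.com" # Internet (should be ALLOWED)

# Colors (ANSI escapes; rendered via `echo -e` or `printf '%b'`).
# Only emitted when stdout is a terminal, so that output redirected to a
# file or captured by a scheduler does not contain raw escape sequences.
if [[ -t 1 ]]; then
    GREEN='\033[0;32m'
    RED='\033[0;31m'
    YELLOW='\033[1;33m'
    NC='\033[0m'
else
    GREEN=''
    RED=''
    YELLOW=''
    NC=''
fi
readonly GREEN RED YELLOW NC
# end::vars[]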

# tag::banner[]
# Header printed once before the tests; the trailing "" yields the blank line.
printf '%s\n' \
    "========================================" \
    "Zero-Trust Validation - Home Lab" \
    "========================================" \
    "Testing dACL enforcement..." \
    ""
# end::banner[]

# Result counters for the summary; each test increments exactly one of them.
declare -i PASS=0 FAIL=0

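# tag::dns-test[]
# Test 1: DNS (Should PASS - essential service)
# Queries the lab resolver directly. dig exits 0 whenever the server answers
# (NXDOMAIN included), so this verifies that the dACL lets DNS through, not
# that the name resolves. +tries/+time cap the wait; dig's default retry
# policy can otherwise stall this step for ~15 s.
printf '%s' "[1] DNS Query (essential): "
if ! command -v dig >/dev/null 2>&1; then
    # A missing tool must not be reported as a network block.
    printf '%b✗ FAIL%b - dig not installed (cannot test)\n' "$RED" "$NC"
    FAIL=$((FAIL+1))
elif dig @"${DNS_PRIMARY}" inside.domusdigitalis.dev +short +tries=1 +time=3 >/dev/null 2>&1; then
    printf '%b✓ PASS%b - DNS working\n' "$GREEN" "$NC"
    PASS=$((PASS+1))
else
    printf '%b✗ FAIL%b - DNS blocked (critical!)\n' "$RED" "$NC"
    FAIL=$((FAIL+1))
fi
# end::dns-test[]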

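# tag::ise-test[]
# Test 2: ISE Posture (Should PASS - essential service)
# TCP connect through bash's /dev/tcp redirection under a 2 s `timeout`.
# Host and port are handed to bash -c as positional arguments instead of
# being spliced into the command string. Status 124 (timeout) means no reply
# at all, which is what a silent dACL drop looks like; any other non-zero
# status means something on the path answered (refused/unreachable), so the
# packet was not silently dropped and the service itself deserves a look.
printf '%s' "[2] ISE Posture (port 8443): "
rc=0
timeout 2 bash -c ': >"/dev/tcp/$1/$2"' _ "${ISE_PAN}" 8443 2>/dev/null || rc=$?
if (( rc == 0 )); then
    printf '%b✓ PASS%b - ISE reachable\n' "$GREEN" "$NC"
    PASS=$((PASS+1))
elif (( rc == 124 )); then
    printf '%b✗ FAIL%b - ISE blocked (critical!) - no response within 2s\n' "$RED" "$NC"
    FAIL=$((FAIL+1))
elif (( rc == 127 )); then
    # `timeout` (coreutils) not found: cannot test, do not report as a block.
    printf '%b✗ FAIL%b - timeout not installed (cannot test)\n' "$RED" "$NC"
    FAIL=$((FAIL+1))
else
    printf '%b✗ FAIL%b - ISE port 8443 rejected (critical!) - refused/unreachable rather than dropped, check the service\n' "$RED" "$NC"
    FAIL=$((FAIL+1))
fi
# end::ise-test[]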

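# tag::ad-test[]
# Test 3: AD LDAP (Should PASS - essential service)
# Same probe shape as the ISE test: bash /dev/tcp under `timeout`, host and
# port passed as arguments. 124 = no reply (silent drop); other non-zero =
# rejected (refused/unreachable), i.e. the packet got through but the port
# did not accept it.
printf '%s' "[3] AD LDAP (port 389): "
rc=0
timeout 2 bash -c ': >"/dev/tcp/$1/$2"' _ "${AD_DC}" 389 2>/dev/null || rc=$?
if (( rc == 0 )); then
    printf '%b✓ PASS%b - AD reachable\n' "$GREEN" "$NC"
    PASS=$((PASS+1))
elif (( rc == 124 )); then
    printf '%b✗ FAIL%b - AD blocked (critical!) - no response within 2s\n' "$RED" "$NC"
    FAIL=$((FAIL+1))
elif (( rc == 127 )); then
    # `timeout` (coreutils) not found: cannot test, do not report as a block.
    printf '%b✗ FAIL%b - timeout not installed (cannot test)\n' "$RED" "$NC"
    FAIL=$((FAIL+1))
else
    printf '%b✗ FAIL%b - AD port 389 rejected (critical!) - refused/unreachable rather than dropped, check the service\n' "$RED" "$NC"
    FAIL=$((FAIL+1))
fi
# end::ad-test[]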

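# tag::nas-test[]
# Test 4: NAS Access (Should PASS - allowed by dACL)
# ICMP echo only, a single probe with a 2 s wait. A FAIL can also mean the
# NAS drops ICMP or one packet was lost, so confirm with the real protocol
# before treating it as a dACL problem. ping may need raw-socket privileges
# on some systems, which is presumably why Usage says sudo.
printf '%s' "[4] NAS Access: "
if ping -c 1 -W 2 "${NAS}" >/dev/null 2>&1; then
    printf '%b✓ PASS%b - NAS reachable\n' "$GREEN" "$NC"
    PASS=$((PASS+1))
else
    printf '%b✗ FAIL%b - NAS blocked\n' "$RED" "$NC"
    FAIL=$((FAIL+1))
fi
# end::nas-test[]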

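# tag::internal-block-test[]
# Test 5: Random Internal IP (Should FAIL - zero-trust blocks lateral movement)
# Negative test: PASS means no ICMP reply. Two caveats for anyone reading the
# result: (1) a target that is simply powered off or unassigned also gives no
# reply, so the address should be a host known to be up; (2) this only
# exercises ICMP, so a dACL that drops ICMP but still permits TCP/UDP to the
# segment would pass here. Pair it with a port-level check when in doubt.
printf '%s' "[5] Random Internal IP (zero-trust): "
if ping -c 1 -W 2 "${INTERNAL_TARGET}" >/dev/null 2>&1; then
    printf '%b✗ FAIL%b - Internal access allowed (SECURITY ISSUE!)\n' "$RED" "$NC"
    FAIL=$((FAIL+1))
else
    printf '%b✓ PASS%b - Internal blocked (zero-trust working)\n' "$GREEN" "$NC"
    PASS=$((PASS+1))
fi
# end::internal-block-test[]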

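# tag::https-test[]
# Test 6: HTTPS to Internet (Should PASS - allowed)
# curl must resolve the name, connect (5 s) and complete TLS; --max-time
# bounds the whole request so a stalled handshake cannot hang the script.
# Because certificate verification is on, a TLS-inspecting proxy with a CA
# this host does not trust would also read as FAIL.
printf '%s' "[6] Internet HTTPS: "
if ! command -v curl >/dev/null 2>&1; then
    # A missing tool must not be reported as a network block.
    printf '%b✗ FAIL%b - curl not installed (cannot test)\n' "$RED" "$NC"
    FAIL=$((FAIL+1))
elif curl -s -o /dev/null --connect-timeout 5 --max-time 10 "https://${INTERNET_TARGET}" 2>/dev/null; then
    printf '%b✓ PASS%b - Internet allowed\n' "$GREEN" "$NC"
    PASS=$((PASS+1))
else
    printf '%b✗ FAIL%b - Internet blocked\n' "$RED" "$NC"
    FAIL=$((FAIL+1))
fi
# end::https-test[]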

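# tag::ssh-block-test[]
# Test 7: SSH to Internet (Should FAIL - blocked for security)
# Negative test against github.com:22. Status 124 (no reply) is the clean
# signal for a dACL drop. Any other non-zero status also counts as blocked,
# but it can be caused by name resolution failing rather than by the dACL,
# so that outcome is flagged and is only trustworthy if Test 1 passed.
printf '%s' "[7] SSH to Internet (security block): "
rc=0
timeout 2 bash -c ': >"/dev/tcp/$1/$2"' _ github.com 22 2>/dev/null || rc=$?
if (( rc == 0 )); then
    printf '%b✗ FAIL%b - SSH allowed (SECURITY ISSUE!)\n' "$RED" "$NC"
    FAIL=$((FAIL+1))
elif (( rc == 124 )); then
    printf '%b✓ PASS%b - SSH blocked (secure) - no response, consistent with a dACL drop\n' "$GREEN" "$NC"
    PASS=$((PASS+1))
elif (( rc == 127 )); then
    # `timeout` (coreutils) not found: cannot test, do not count as blocked.
    printf '%b✗ FAIL%b - timeout not installed (cannot test)\n' "$RED" "$NC"
    FAIL=$((FAIL+1))
else
    printf '%b✓ PASS%b - SSH blocked (secure) %b- rejected or name resolution failed; only conclusive if Test 1 passed%b\n' "$GREEN" "$NC" "$YELLOW" "$NC"
    PASS=$((PASS+1))
fi
# end::ssh-block-test[]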

# tag::summary[]
# Final tally; exit status 0 only when every test produced the expected result.
printf '\n%s\n' "========================================"
printf 'Summary: %s passed, %s failed\n' "$PASS" "$FAIL"
printf '%s\n' "========================================"

if (( FAIL == 0 )); then
    printf '%b✓ Zero-trust properly configured!%b\n' "$GREEN" "$NC"
    exit 0
fi
printf '%b✗ Zero-trust issues detected%b\n' "$RED" "$NC"
exit 1
# end::summary[]
