creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-16 16:03:17 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/deploying-tailscale-for-zero-trust-vpn/references/standards.md
T

56 lines
1.9 KiB
Markdown
Raw Blame History

# Standards Reference: Tailscale Zero Trust VPN
## Protocol Standards
### WireGuard Protocol
- **Encryption**: ChaCha20 for symmetric encryption
- **Key Exchange**: Curve25519 for Diffie-Hellman
- **MAC**: Poly1305 for message authentication
- **Hashing**: BLAKE2s for hashing
- **Framework**: Noise Protocol Framework for key negotiation
### NIST SP 800-207: Zero Trust Architecture
- Tailscale implements identity-aware proxying (Section 3.2.2)
- End-to-end encryption satisfies data-in-transit requirements
- ACL-based access control implements least privilege access
- Device identity via WireGuard keys maps to device trust
### NIST SP 800-77: Guide to IPsec VPNs
- WireGuard provides alternative to IPsec with reduced complexity
- Tailscale automates key distribution and NAT traversal
- Mesh topology eliminates single point of failure
## Tailscale Security Model
### Identity Layer
- Authentication via OIDC-compatible identity providers
- SSO integration with Okta, Azure AD, Google Workspace, GitHub
- MFA enforcement through identity provider policies
- Key expiry forces periodic re-authentication
### Network Layer
- Default deny ACL policy (zero trust)
- Per-connection authorization based on identity and tags
- No implicit trust based on network location
- All traffic encrypted with WireGuard (256-bit keys)
### Device Layer
- Unique WireGuard key pair per device
- Device authorization required before network access
- Network Lock prevents unauthorized node addition
- Ephemeral nodes for temporary workloads
## Compliance Considerations
### SOC 2
- End-to-end encryption for data in transit
- ACL-based access control for authorization
- Audit logging for all connection events
- Key management through coordination server
### GDPR
- Data minimization: Tailscale only routes traffic, does not inspect
- Encryption: All traffic encrypted end-to-end
- Self-hosted option (Headscale) for data sovereignty
- Log retention configurable per organization policy
Reference in New Issue View Git Blame Copy Permalink