Zero Trust Identity Lab

A hands-on engineering guide to Identity-Based Networking, Microsegmentation, and Least Privilege.

Learning Objectives

  • Understand Zero Trust Architecture principles
  • Deploy an identity-based mesh network using Tailscale
  • Implement microsegmentation with ACL policies
  • Apply the principle of least privilege using Linux sudo policies
  • Use generative AI as a SOC assistant to analyze security logs

Laboratory Architecture

We are building a local Zero Trust ecosystem. Even though these machines are in the same room, they will communicate through an encrypted identity-aware mesh.

Architecture Diagram

graph TD
  A["Analyst Laptop"]
  B["Tailscale Mesh Network"]
  C["Ubuntu Lab Server"]
  D["Web Service :8080"]
  A --> B
  B --> C
  C --> D

The Zero Trust idea: traditional "perimeter" security assumes that if you are on the Wi-Fi, you are safe. Zero Trust assumes the network is already compromised and verifies every single packet, regardless of where it comes from.

Requirements

Virtualization

VirtualBox or VMware Workstation installed on your host.

Ubuntu ISO

Ubuntu 22.04 or 24.04 LTS Desktop or Server image.

Accounts

Tailscale account linked to Google or GitHub SSO.

Implementation Steps

Milestone 1 — Identity-Centric Connectivity

Step 1. Create the Lab Server

Create a new virtual machine using VirtualBox or VMware.

OS: Ubuntu

Once Ubuntu is installed, update the system:

sudo apt update
sudo apt upgrade -y

Step 2. Install Tailscale on the Server

Install Tailscale inside the Ubuntu VM.

curl -fsSL https://tailscale.com/install.sh | sh

Step 3. Authenticate the Server

Start Tailscale and authenticate using your SSO account.

sudo tailscale up

A browser link will appear. Log in using your Google or GitHub account.

Step 4. Get the Tailscale IP

Find the server's identity-based network address (the -4 flag prints only the IPv4 address; without it both the IPv4 and IPv6 addresses are shown):

tailscale ip -4

Example output:

100.92.10.5

Milestone 2 — Microsegmentation

Step 5. Install Tailscale on Your Laptop

Download and install Tailscale on your host machine.

https://tailscale.com/download

Log in using the same SSO account.

Step 6. Verify Devices in the Tailscale Network

Open the Tailscale dashboard and confirm both machines appear.

Devices
✔ lab-server
✔ your-laptop

This confirms identity-based connectivity.

Step 7. Create the Demo Web Service

Install Python and start a simple web server. python3 -m http.server serves the directory it is started in and lists every file under it to anyone who can reach port 8080, so start it from your home directory or an empty directory, never from /.

sudo apt install python3 -y
python3 -m http.server 8080

Test access from your laptop:

http://TAILSCALE_IP:8080

Step 8. Apply Microsegmentation Policy

Open the Tailscale ACL editor in the admin console and replace the default allow-everything policy with one that permits only port 8080 on the lab server. Tailscale ACLs do not accept a machine name on its own as a destination, so the name is defined under "hosts" using the address from Step 4 (substitute your own):

{
  "hosts": {
    "lab-server": "100.92.10.5"
  },
  "acls": [
    {
      "action": "accept",
      "src": ["*"],
      "dst": ["lab-server:8080"]
    }
  ]
}

Tailscale policies are default-deny: any connection not matched by an accept rule is dropped, so SSH (port 22) and every other service on the server are now unreachable over the tailnet. The VM console still works, so you cannot lock yourself out of the machine. Note that "src": ["*"] still lets every device in the tailnet reach port 8080; restricting src to your own login or a group is the next tightening step.

Milestone 3 — Least Privilege

Step 9. Create the Application Script

nano webapp.sh

Paste:

#!/bin/bash
# exec replaces the shell with python3 so systemd supervises the server process directly
exec python3 -m http.server 8080

Step 10. Make Script Executable

chmod +x webapp.sh

Step 11. Create Systemd Service

sudo nano /etc/systemd/system/webapp.service

Add (adjust the path and User if your account is not called ubuntu):

[Unit]
Description=Demo Web App
After=network.target

[Service]
ExecStart=/home/ubuntu/webapp.sh
# Serve the home directory as in Step 7; without this line systemd starts the script in /
WorkingDirectory=/home/ubuntu
Restart=always
User=ubuntu

[Install]
WantedBy=multi-user.target

Step 12. Create Junior Admin Role

sudo adduser junioradmin
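
The lab creates junioradmin but does not show the sudo policy that the final checklist ("junioradmin can restart the service") depends on, nor the commands that load and start the unit from Step 11. The script below, added here as an example and not part of the original lab, does both: it enables the webapp unit and installs a sudoers drop-in that grants junioradmin only the webapp commands, checking the file with visudo first. It assumes the unit name and paths from Steps 11 and 12 and that systemctl and journalctl live in /usr/bin (true on Ubuntu); the file name least_privilege.sh and the WEBAPP_CTL alias are this example's own choices.

```shell
#!/bin/sh
# Added example for Steps 11 and 12 (not part of the original lab):
# enable the webapp unit, then give junioradmin exactly the sudo rights needed to operate it.
# Assumptions: the unit is /etc/systemd/system/webapp.service as written in Step 11,
# the user was created with "sudo adduser junioradmin", and systemctl/journalctl are in /usr/bin.
set -eu

# The weak setting this replaces is full root via the sudo group:
#   usermod -aG sudo junioradmin      (equivalent to "junioradmin ALL=(ALL:ALL) ALL")
# which lets the junior admin do anything on the box, not just restart one service.

# Print the least-privilege policy. Kept in a function so it can be reviewed and
# syntax-checked before anything is written under /etc.
junioradmin_policy() {
    cat <<'EOF'
# Lab example: junioradmin may only restart, inspect and read the logs of the webapp service.
Cmnd_Alias WEBAPP_CTL = /usr/bin/systemctl restart webapp, \
                        /usr/bin/systemctl status webapp, \
                        /usr/bin/journalctl -u webapp
# No NOPASSWD tag: the operator still authenticates at the sudo prompt.
junioradmin ALL=(root) WEBAPP_CTL
EOF
}

# Syntax-check the policy with visudo before installing it. A malformed file in
# /etc/sudoers.d can lock every administrator out of sudo, so this check is not optional.
check_junioradmin_policy() {
    tmp="$(mktemp)"
    junioradmin_policy > "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -q -f "$tmp"      # non-zero exit on a syntax error
    fi
    rm -f "$tmp"
}

# Install the checked policy with the ownership and mode sudo requires (root:root, 0440).
# Must run as root.
install_junioradmin_policy() {
    check_junioradmin_policy
    tmp="$(mktemp)"
    junioradmin_policy > "$tmp"
    install -o root -g root -m 0440 "$tmp" /etc/sudoers.d/junioradmin
    rm -f "$tmp"
}

# Reload systemd so it sees the new unit, then start it now and on every boot. Must run as root.
enable_webapp() {
    systemctl daemon-reload
    systemctl enable --now webapp
}

# Stand-alone run: print the policy for review. Installation is a deliberate, separate call:
#   sudo sh -c '. ./least_privilege.sh; enable_webapp; install_junioradmin_policy'
junioradmin_policy
```

junioradmin must type the commands exactly as listed in the alias (sudo systemctl restart webapp); any other arguments, such as a different unit name, are refused and logged by sudo, which is the behaviour the final verification checks. Confirm the resulting rights with sudo -l -U junioradmin before handing over the account.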

Milestone 4 — Generative AI Security Analysis

Step 13. Generate Security Events

Create failed login attempts to generate entries in /var/log/auth.log (the ssh attempt requires openssh-server on the VM). If /var/log/auth.log does not exist, rsyslog is not installed on that image; the same events are in the systemd journal and can be read with journalctl -t sshd -t su.

ssh fakeuser@localhost
su wronguser

Using AI as a Security Co-Pilot

Modern security teams often use AI assistants to quickly interpret logs and detect anomalies. In this lab the learner will use an LLM to analyze authentication failures.

The AI acts as a SOC assistant, explaining what happened and identifying suspicious patterns.

Step 14. Analyze Logs Using AI

Copy entries from:

/var/log/auth.log

Then ask an AI assistant:

You are a SOC analyst. Explain the following auth.log entries and identify suspicious activity.
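
Pasting a raw auth.log into an external LLM ships usernames, addresses and login timing for every account on the server to a third party. The script below, an added example rather than part of the original lab, summarises the failures first (one count per user and source for sshd, per actor and target for su, with bursts flagged) and builds the prompt from the lab's wording plus that summary, so the raw lines never leave the server. The sample log lines are constructed for the example and follow the syslog format Ubuntu writes for OpenSSH and su; the threshold of 3 attempts and the [burst] marker are this example's own choices.

```shell
#!/bin/sh
# Added example for Step 14 (not part of the original lab): condense auth.log failures
# into a per-user, per-source summary before handing them to an LLM. The summary is what
# goes into the prompt; raw log lines (every username, address and PID) stay on the server.
# Assumptions: syslog-style auth.log lines from OpenSSH and su, as Ubuntu writes them.
set -eu

# Constructed sample of what Step 13 produces (not captured from a real system).
write_sample_auth_log() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
Jan 10 12:00:01 lab-server sshd[2211]: Invalid user fakeuser from 127.0.0.1 port 51822
Jan 10 12:00:03 lab-server sshd[2211]: Failed password for invalid user fakeuser from 127.0.0.1 port 51822 ssh2
Jan 10 12:00:05 lab-server sshd[2211]: Failed password for invalid user fakeuser from 127.0.0.1 port 51822 ssh2
Jan 10 12:00:07 lab-server sshd[2211]: Failed password for invalid user fakeuser from 127.0.0.1 port 51822 ssh2
Jan 10 12:00:30 lab-server su: pam_unix(su:auth): authentication failure; logname=ubuntu uid=1000 euid=0 tty=/dev/pts/0 ruser=ubuntu rhost=  user=wronguser
Jan 10 12:00:31 lab-server su: FAILED SU (to wronguser) ubuntu on pts/0
Jan 10 12:01:00 lab-server sshd[2300]: Accepted publickey for ubuntu from 100.92.10.9 port 40000 ssh2
Jan 10 12:02:00 lab-server sshd[2310]: Failed password for ubuntu from 100.92.10.9 port 40100 ssh2
EOF
    printf '%s\n' "$f"
}

# Summarise failures: one line per (user, source) for sshd and per (actor -> target) for su,
# each with a count. Pairs with $2 or more attempts (default 3) are marked [burst].
# Successful logins are deliberately left out of the summary.
summarize_auth_failures() {
    awk -v threshold="${2:-3}" '
        /sshd\[[0-9]+\]: Failed password for/ {
            user = $0; sub(/.*Failed password for (invalid user )?/, "", user); sub(/ from .*/, "", user)
            src = $0;  sub(/.* from /, "", src);  sub(/ port .*/, "", src)
            ssh[user " from " src]++
        }
        /FAILED SU \(to / {
            target = $0; sub(/.*FAILED SU \(to /, "", target); sub(/\).*/, "", target)
            actor = $0;  sub(/.*\) /, "", actor);  sub(/ on .*/, "", actor)
            su[actor " -> " target]++
        }
        END {
            for (k in ssh) printf "ssh failed password: %s: %d%s\n", k, ssh[k], (ssh[k] >= threshold ? " [burst]" : "")
            for (k in su)  printf "su failed: %s: %d%s\n", k, su[k], (su[k] >= threshold ? " [burst]" : "")
        }
    ' "$1" | sort
}

# Assemble the prompt from the lab wording plus the summary, not the raw log.
build_soc_prompt() {
    printf '%s\n\n' "You are a SOC analyst. Explain the following auth.log entries and identify suspicious activity."
    summarize_auth_failures "$1" "${2:-3}"
}

# Stand-alone run on the constructed sample; point build_soc_prompt at /var/log/auth.log on the lab server.
sample="$(write_sample_auth_log)"
build_soc_prompt "$sample"
rm -f "$sample"
```

On the sample the summary is three lines: fakeuser from 127.0.0.1 with 3 failures marked [burst], one failure for ubuntu from the laptop's tailnet address, and one failed su to wronguser; the successful publickey login is not included. The analyst asks the LLM about those three lines and keeps the raw log for the follow-up on the server.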

Common Mistakes

• Port 8080 already in use
• Tailscale not logged in
• VM network misconfiguration
• Firewall blocking port 8080

Debug services with:
journalctl -u webapp

AI SOC Analyst Roleplay

Generate some "noise" in the logs by attempting failed logins:

ssh fakeuser@localhost
su wrongpassword

Now analyze logs from /var/log/auth.log using an LLM.

Conceptual Review

What is Microsegmentation?
Restricting access to specific services rather than the entire network.
What is the Principle of Least Privilege?
Users receive only the permissions needed to perform tasks.
Why is identity better than IP-based security?
IP addresses can change or be spoofed, but identity verification ensures the actual user or device is authenticated.

Further Exploration

To expand your knowledge of Zero Trust systems explore:

  • Device posture checks in Tailscale
  • Mutual TLS authentication
  • Policy engines such as Open Policy Agent
  • Identity-aware proxies
  • Service mesh architectures (Istio / Linkerd)

Final Verification

  • Devices appear in the Tailscale dashboard
  • Web service reachable on port 8080
  • SSH access blocked by ACLs
  • junioradmin can restart the service
  • Security logs contain failed login attempts