Context: 400 Locations, One Team
Managing network infrastructure for a large retail chain means dealing with an adversarial reality: remote branches in poorly secured buildings, POS systems that can't be patched immediately, and a support team that can't physically visit every site when something breaks.
Traditional VPN-based approaches create a “castle and moat” architecture — hard on the outside, soft on the inside. Once an attacker (or malware) gets past the perimeter, they move laterally with ease.
Zero-trust flips this: assume breach, verify every request, minimize blast radius.
The Architecture
Cloudflare Tunnels Instead of VPNs
Instead of maintaining VPN concentrators, I deployed Cloudflare Tunnels (cloudflared) at each location. The tunnel daemon initiates an outbound connection to Cloudflare’s edge — no inbound firewall ports required, no public IPs needed at branches.
# One-time, on the operator workstation: authenticate cloudflared to the Cloudflare account
cloudflared tunnel login
# Create a named tunnel for the branch; this writes the tunnel's credentials JSON file
cloudflared tunnel create branch-location-01
# Publish a hostname for it (a CNAME to <tunnel-id>.cfargotunnel.com)
cloudflared tunnel route dns branch-location-01 pos.internal.example.com
# On the branch host, with config.yml in place: run cloudflared as a system service
cloudflared service install
Benefits:
- No inbound listening ports at the branch edge, so there is nothing for an internet scanner to find
- Automatic certificate management
- Built-in DDoS protection
- Access policies enforced at the edge, not the network perimeter
Two caveats follow from this design. A hostname routed through a tunnel is reachable from the internet until a Cloudflare Access policy is attached to it, so the policy is part of the rollout, not something to add later. And the host running cloudflared holds the tunnel credentials and can reach every origin listed in its ingress rules, so it is the one box at the branch that has to be hardened and monitored like a jump host.
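What the branch-side tunnel actually exposes is decided by the ingress rules in its config.yml. The following is an added example, not the author's configuration or Cloudflare's tooling: it renders a locally managed tunnel's config.yml from a list of (hostname, LAN origin) pairs, refuses any origin that is not an IP literal inside the branch LAN (a typo there would turn the tunnel into a reverse proxy for that address), and appends the catch-all `http_status:404` rule that cloudflared requires as the final ingress entry. The tunnel UUID, hostnames, LAN range and origins are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed placeholders: not a real tunnel, hostname or origin.
TUNNEL_ID = "00000000-0000-4000-8000-000000000001"
BRANCH_LAN = ipaddress.ip_network("10.1.0.0/16")
BRANCH_SERVICES = [
    # (hostname published with `cloudflared tunnel route dns`, origin on the branch LAN)
    ("pos.internal.example.com", "https://10.1.10.5:8443"),
    ("office.internal.example.com", "http://10.1.20.10:80"),
]
CATCH_ALL = "http_status:404"   # cloudflared requires a hostname-less final rule


def check_origins(services, lan=BRANCH_LAN):
    """Return a list of problems (empty when the service list is acceptable).

    Every origin must be an IP literal inside this branch's LAN: a public
    address here would make the tunnel a reverse proxy for that address.
    """
    problems, seen = [], set()
    for hostname, origin in services:
        if hostname in seen:
            problems.append(f"duplicate hostname {hostname}")
        seen.add(hostname)
        host = urlsplit(origin).hostname
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            problems.append(f"{hostname}: origin must be an IP literal, got {host!r}")
            continue
        if addr not in lan:
            problems.append(f"{hostname}: origin {addr} is outside {lan}")
    return problems


def render_config(tunnel_id, services):
    """Render config.yml for a locally managed tunnel, failing closed on bad origins."""
    problems = check_origins(services)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        f"tunnel: {tunnel_id}",
        f"credentials-file: /etc/cloudflared/{tunnel_id}.json",
        "ingress:",
    ]
    for hostname, origin in services:
        lines += [f"  - hostname: {hostname}", f"    service: {origin}"]
    lines.append(f"  - service: {CATCH_ALL}")   # anything unmatched gets a 404, not an origin
    return "\n".join(lines) + "\n"


def ingress_is_closed(config_text):
    """Mirror the catch-all check of `cloudflared tunnel ingress validate`:
    the final ingress rule must have no hostname and must not forward anywhere."""
    rules = [ln.strip() for ln in config_text.splitlines() if ln.strip().startswith("- ")]
    return bool(rules) and rules[-1] == f"- service: {CATCH_ALL}"


if __name__ == "__main__":
    cfg = render_config(TUNNEL_ID, BRANCH_SERVICES)
    print(cfg, end="")
    print("ingress closed:", ingress_is_closed(cfg))
```

Run `cloudflared tunnel ingress validate` against the rendered file on the branch host before `cloudflared service install`; the `ingress_is_closed` check here only mirrors its catch-all requirement, and neither check replaces the Cloudflare Access policy on each hostname.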
VLAN Segmentation
Even within a branch, devices are segmented:
| VLAN | Purpose | Trust Level |
|---|---|---|
| 10 | POS Terminals | Medium |
| 20 | Back Office | Medium |
| 30 | CCTV / IoT | Low (isolated) |
| 40 | Guest Wi-Fi | Untrusted |
| 50 | Management | High |
CCTV systems sit in a quarantine VLAN with no route to POS or office networks; inter-VLAN traffic is denied by default, and only explicit allow rules cross a boundary. A compromised camera cannot pivot to payment systems.
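The trust levels in the table only hold if every inter-VLAN allow rule respects them, which is worth checking mechanically before a rule set ships to 400 sites. Below is an added example, not the author's pfSense rule set: it encodes the table and checks a constructed list of allow rules against two invariants, that no flow may originate in a lower-trust VLAN and terminate in a higher-trust one, and that the CCTV and guest VLANs may not reach POS or back office at all. Rules are reduced to (source VLAN, destination VLAN, port, comment); a real export carries more fields, but the check is the same, and deny-by-default between VLANs is assumed.

```python
from collections import namedtuple

TRUST = {"Untrusted": 0, "Low": 1, "Medium": 2, "High": 3}

# The VLAN table from this article: id -> (purpose, trust level)
VLANS = {
    10: ("POS Terminals", "Medium"),
    20: ("Back Office", "Medium"),
    30: ("CCTV / IoT", "Low"),
    40: ("Guest Wi-Fi", "Untrusted"),
    50: ("Management", "High"),
}
QUARANTINED = {30, 40}   # may never initiate anything toward PROTECTED
PROTECTED = {10, 20}     # payment and office networks

Rule = namedtuple("Rule", "src dst port comment")

# Constructed sample of inter-VLAN allow rules (deny-by-default assumed).
# Two of them violate the model and should be flagged.
RULES = [
    Rule(50, 10, 22,   "mgmt SSH to POS terminals"),
    Rule(50, 30, 443,  "mgmt to camera web UI"),
    Rule(20, 10, 8443, "back office to POS API"),
    Rule(10, 20, 443,  "POS to back-office reporting"),
    Rule(30, 10, 443,  "camera 'cloud sync' via POS gateway"),   # quarantined -> protected
    Rule(40, 20, 445,  "guest SMB to office file share"),        # untrusted -> medium
]


def violations(rules, vlans=VLANS):
    """Return [(rule, reason)] for every allow rule that breaks the trust model."""
    found = []
    for r in rules:
        src_level, dst_level = vlans[r.src][1], vlans[r.dst][1]
        if r.src in QUARANTINED and r.dst in PROTECTED:
            found.append((r, f"quarantined VLAN {r.src} may not reach VLAN {r.dst}"))
        elif TRUST[src_level] < TRUST[dst_level]:
            found.append((r, f"{src_level} -> {dst_level} climbs the trust ladder"))
    return found


def report(rules, vlans=VLANS):
    """Human-readable lines, one per violation, suitable for a pre-deploy CI gate."""
    return [
        f"VLAN {r.src} -> VLAN {r.dst} tcp/{r.port} ({r.comment}): {why}"
        for r, why in violations(rules, vlans)
    ]


if __name__ == "__main__":
    for line in report(RULES):
        print(line)
```

The quarantine check runs before the trust-ladder check on purpose: a camera reaching the back office is a policy breach even though both are below Management, and the message should say so rather than describe it as a trust-level problem.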
Monitoring with LibreNMS
Every network device is polled over SNMP by a central LibreNMS instance and ships its SNMP traps and syslog there as well; Redis sits alongside LibreNMS and is used for alert throttling:
# LibreNMS alert rule: device unreachable for more than 5 minutes
# Condition: devices.status = 0   (the stock device-down rule)
# Delay: 5m                       (must stay down this long before the rule fires)
# Severity: critical
# Transport: webhook to the on-call service
With 500+ monitored devices, alert fatigue is a real problem, and the usual cause is not 500 independent failures but one branch losing its WAN link, which takes every device at that site off the map in the same polling cycle. Two layers keep that to a single page: LibreNMS device dependencies (marking the branch router as the parent of the devices behind it) suppress the children's alerts while the parent is down, and Redis-backed deduplication ensures each outage generates one alert, not hundreds.
Results
After rolling out this architecture:
- Mean time to detect branch outages dropped from ~45 minutes to under 5 minutes
- Attack surface reduced: no open inbound ports at branch locations
- Incident response improved: tunnels auto-reconnect without on-site intervention
- Compliance posture strengthened: segmenting POS from CCTV and guest traffic narrows the cardholder data environment and supports PCI DSS requirement 1.3 (restricting network access to and from the CDE); PCI DSS does not mandate segmentation, but a smaller CDE is a smaller assessment scope
Key Takeaways
Zero-trust isn't a product; it's a mindset. You don't need enterprise budgets to apply its principles. Open-source and free-tier tooling (LibreNMS, the open-source cloudflared client on Cloudflare's free tunnel tier, pfSense) combined with disciplined network design gets you most of the way there.
The most important principle: never assume that because a device is “inside” your network, it’s safe.