# Traffic Enforcement with the Nile Trust Engine
## Introduction

The Nile Trust Engine is the enforcement core of the Nile Trust Service. It applies zero trust policies to all network traffic, whether between endpoints inside a Nile Service Block (east-west) or traffic entering and leaving the network (north-south). Every flow is evaluated against defined policies before it is allowed, denied, or redirected, ensuring continuous adherence to the principle of least privilege.

## Security Posture and Policy Enforcement

The Trust Engine enforces a default-deny posture: no traffic flows without an explicit policy. This model protects enterprises from unauthorized communication and minimizes the risk of lateral movement inside the network. Every permitted flow is governed by a policy that defines the source, destination, applicable service profile, and enforcement action.

## Traffic Directions

The Trust Engine operates on traffic in all directions.

- East-west traffic: traffic between endpoints within a Nile Service Block, such as between users and devices on the same site. These flows can be locally enforced by the Trust Engine or forwarded upstream for centralized inspection.
- North-south traffic: traffic entering or leaving the Nile Service Block, such as communication to the internet or corporate data centers. The Trust Engine can locally enforce these flows or forward them to an upstream firewall or Secure Service Edge (SSE) platform for advanced analysis.

## Enforcement Models

The Trust Engine supports multiple deployment models, giving organizations flexibility in how traffic is handled.

- Local enforcement: both east-west and north-south traffic are enforced directly within the Nile Service Block.
- Hybrid enforcement: east-west traffic is enforced locally, while north-south traffic is forwarded upstream to a firewall or SSE.
- Centralized enforcement: both east-west and north-south traffic are directed to upstream enforcement systems.

Each option allows network architects to balance performance, visibility, and compliance requirements while maintaining zero trust integrity.

## Actions

Each policy defined in the Trust Engine includes an action that determines how traffic is treated.

| Action | Description |
|---|---|
| Allow | Permits traffic flow between source and destination as defined in the policy. |
| Deny | Blocks traffic matching the policy. This is the default when no policy exists. |
| Forward upstream | Sends the traffic to an upstream enforcement system (e.g., firewall or SD-WAN). Useful for centralized inspection or interworking. |
| Forward to SSE | Directs traffic to a Secure Service Edge for cloud-based policy enforcement and inspection. Available in future releases. |

Administrators can use these actions to fine-tune enforcement at any level, from simple segment-based control to identity-based microsegmentation.

## Policy Evaluation

When a flow is detected, the Trust Engine evaluates it against the active global policy set. Each flow must match one policy based on the combination of source, destination, and service profile. Once matched, the specified action is applied and the event is logged. If no matching policy is found, the traffic is denied by default. This ensures every flow in the network has explicit intent and traceability.

## Integration with Upstream Systems

The Trust Engine is designed to work seamlessly with third-party firewalls and SSE platforms. Administrators can forward specific traffic types upstream for deeper inspection or regulatory compliance, while keeping intra-site traffic locally enforced for performance efficiency. Nile automatically manages routing and encapsulation between enforcement points to maintain operational simplicity.

## Best Practices for Policy Design

- Define policies with least privilege in mind: only allow necessary communication paths.
- Use service profiles to limit access by protocol and port instead of broad rules.
- Centralize sensitive or regulated traffic for inspection in an upstream firewall or SSE.
- Monitor the policy logs in Nile Control Center to validate rule effectiveness and detect anomalies.

## Summary

The Nile Trust Engine delivers flexible, distributed zero trust enforcement that adapts to each organization's architecture. By combining local and upstream enforcement, enterprises gain both control and visibility over every connection without compromising performance or simplicity.

Next: Trust Engine Constructs and Policy Model, which explains how policies, groups, and service profiles define how traffic is classified and enforced.
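The policy evaluation model described above (match each flow on source, destination and service profile, apply the matching policy's action, log the decision, and deny by default when nothing matches), as an added illustrative example in Python. This is not Nile's code or API; the group names, profile names and the `evaluate`/`enforce` functions are constructed for the example, and `enforce(SAMPLE_FLOWS, POLICIES)` returns the resulting audit log.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ServiceProfile:               # protocol/port scope a policy covers
    name: str
    protocol: str                   # "tcp", "udp" or "any"
    ports: frozenset = frozenset()  # empty means any port

    def matches(self, protocol: str, port: int) -> bool:
        return self.protocol in ("any", protocol) and (not self.ports or port in self.ports)

@dataclass(frozen=True)
class Policy:
    name: str
    source: str                     # source group (hypothetical group names, not Nile's)
    destination: str                # destination group
    service: ServiceProfile
    action: str                     # "allow", "deny", "forward-upstream" or "forward-sse"

@dataclass(frozen=True)
class Flow:
    source: str
    destination: str
    protocol: str
    port: int

DEFAULT_ACTION = "deny"             # default-deny posture: no policy, no traffic

def evaluate(flow: Flow, policies: list) -> tuple:
    """Match on (source, destination, service profile); return (action, policy name),
    falling through to the default deny (policy name None) when nothing matches."""
    for policy in policies:
        if (policy.source == flow.source and policy.destination == flow.destination
                and policy.service.matches(flow.protocol, flow.port)):
            return policy.action, policy.name
    return DEFAULT_ACTION, None

def enforce(flows: list, policies: list) -> list:
    """Evaluate every flow; the returned list doubles as the audit log (flow, action, policy)."""
    return [(flow, *evaluate(flow, policies)) for flow in flows]

# Constructed sample policy set and flows (illustrative, not a real deployment).
IPP = ServiceProfile("ipp", "tcp", frozenset({631}))
WEB = ServiceProfile("web", "tcp", frozenset({80, 443}))
POLICIES = [Policy("users-to-printers", "users", "printers", IPP, "allow"),
            Policy("users-to-internet", "users", "internet", WEB, "forward-upstream")]
SAMPLE_FLOWS = [Flow("users", "printers", "tcp", 631),    # explicit allow
                Flow("users", "printers", "tcp", 22),     # same pair, unlisted service: deny
                Flow("users", "internet", "tcp", 443),    # handed to the upstream firewall
                Flow("iot-cameras", "users", "tcp", 80)]  # no policy for this pair: deny
```

Note that the second flow is denied even though a policy exists for the same source and destination pair: the service profile is part of the match, which is what lets narrow profiles replace broad rules.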
