Every once in a while I get a phone call at my home for someone that doesn’t live here. Given that I’ve had the phone number associated with my house since before I lived here, I find it odd that after more than fifteen years, there are still debt collectors and telemarketers that are looking for someone that used to have that number many years ago and they don’t have it anymore.
Phone numbers are just one of the things we use to identify people that we really shouldn’t be using. They’re transient and easy to change or lose. Even mobile numbers are not permanent. What happens when you move to a different country? Or if you are forced to give it up for some other reason? Just because number portability exists in today’s world doesn’t mean that your mobile number will be the same for the next twenty years.
Likewise, IP addresses fall into a similar category. We use them to identify computers and users all the time. However, IP addresses are subject to the same changes that we see of all other temporary identifiers. They’re even worse when you consider the amount of NAT and other obfuscation techniques out there today. There’s no reliable way to track a specific user given the volatility of the identifiers we have today.
Identifying Hosts
That’s why I was interested to sit down and hear from Tempered at Security Field Day 3 back in June. I talked to them briefly at the RSA Conference before everything shut down. They captured my attention immediately by telling me they can secure host-to-host communications and make sure they stay that way by making it all invisible on the wire. My mind started racing as to how this could happen based on what I knew about the capabilities of IP networking and things like access lists. I was shocked when Jeff Hussey, their CEO, smiled and said, “Nope, we’re using something different.”
Once I got a full briefing, I realized that Tempered had indeed started off on the right foot. Instead of building a complicated collection of access lists or reinventing the wheel with a complicated protocol, they instead turned to the IETF and RFC 5201 (later superseded by RFC 7401). Host Identity Protocol (HIP) is the magic that makes Tempered work under the hood. Here’s a great overview of the mechanical pieces behind it from Ludwin Fuchs during Security Field Day:
In a nutshell, HIP separates the identity of a device from its IP address or DNS information. It can do this reliably because it calculates a cryptographic hash for the device and uses that to find it instead. Because you are running an app on your device that allows it to calculate this hash, it can check in and communicate back to a central system for managing those connections.
Tempered’s app and control solution is called Airwall. When you get an invite to install the app, it checks you into the management solution and allows the admins to see your device. Now, when you want to talk securely to another device, all you have to do is drag-and-drop a connection between them. Sounds too easy, right? Well, it really is. Because of HIP, the crypto ID on your device is connected to the other device via a VPN tunnel. It’s easy and simple to use because the hard work is happening under the hood.
Once you get your devices up and running on the system, you can ensure communications are secured. If you’re not connected to the other device in the system, you are effectively invisible to everyone. That’s better than systems that create access lists and deny connections. You still have to establish a connection to have it denied even a second later. That proves that the system you’re looking for is still there. With Tempered’s Airwall, the system can’t even respond because the pathway hasn’t been built between them. Effectively nonexistent.
Building Better Networks
The real advantage that I can see for Tempered Airwall lies in the hardware gateways they have available. Securing newer devices like laptops and mobile phones is pretty easy to do, thanks to software solutions that can extend the capabilities of those devices. But what about IoT systems that are running on the least amount of power they can budget? Or what about hardened systems that can’t run additional software because of regulatory issues?
Honestly, the biggest draw is for a hospital. Insulin pumps, heart monitors, and medication dispensers are becoming increasingly connected to the network in order to relay telemetry and help keep staffing levels reasonable in large wards. But these devices are also tempting attack surfaces. With Airwall, you can configure the connections to identify a device, connect it with the analytics database server, and ensure that nothing is going to try and talk to it. Maybe there’s a critical patch that needs to be deployed to the devices from an update server on-site? Log in to the Airwall Conductor and build a pathway from the pumps and sensors to the patching server. Deploy the patch and remove the connection. You’ve increased your security and removed potential attack surfaces. All with your mouse and keyboard and not with cryptic ACLs.
Bringing It All Together
Tempered is taking proven technology and building on it to create something unique and needed in the market. Security is about more than just denying connections. As attacks become more and more complicated, and devices lose flexibility from becoming more purpose-built, we need to examine how the network can augment our security posture. With Airwall clients and gateways, Tempered is helping us create a zero-trust networking system that can be verified and extended with ease. I’m looking forward to seeing where they take this technology and what systems they are likely to secure next.
For more information about Tempered or for a quick demo to prove how Airwall works, make sure to visit their website at http://Tempered.io.
