Robert Armstrong

Senior Software Engineer

Tuesday, February 5, 2019

Typically, we are deploying our product into existing network environments. Whether this is due to a new rule that requires secure access or the failure of an audit, it is always an existing network with all of the issues inherent in modifying an existing thing. Deploying into these networks requires a more complicated design and potentially several phases of deployment to be successful.

While TCP/IP may be long in the tooth, it is still the foundation of the Internet and all current corporate networks. Even a newly-built network will use Ethernet and TCP/IP as the foundation protocols of operation. However, with the addition of Host Identity Protocol (HIP) on top of the new network, it can be possible to alleviate many of the issues that plague TCP/IP.

HIP uses a cryptographic identity instead of just the IP address to identify the parties in the communication. The advantage is that HIP uses the IP address as the locator, and a strong cryptographic identity as the identity. This allows the creation of secure policies without complex deep-packet inspection rules that will need to change over time.

A new network deployed with HIP over the top of TCP/IP would look more like the following:

By using HIP to provide a layer of identity management and encryption over the top of TCP/IP, it is possible for networks to continue to use traditional networking tools and methods and still gain the advantage of encryption and manageability as well as identity-based control.

With a HIPserver on the domain controller, all of the Active Directory services (authentication, name lookup, printing, etc.) are available inside the HIP tunnels. Access can be granted through Active Directory groups, just like it is now, but in the case of HIP, any resource you do not have permission to access is not reachable. There is no tunnel from your device(s) to a resource unless you are a member of a group with access to that resource.

Onboarding a new device on the network is a matter of connecting and adding it to the Overlay. Once there, the group permissions take over, and the routing table is set up to allow access to all the resources assigned.

From file servers to printers and more exotic network resources, what you see is strictly what you have permission to see. Any unregistered device on the network can see only the DHCP traffic, name resolution for the HIP Service peer, and encrypted traffic. A scan of any of these devices shows the only thing listening is HIP.

The benefits are not only in the realm of security but also in manageability. To update the routing and access of a group, add them to the correct overlay group, and routing is automatically propagated to all members.
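The locator/identity split and the group-driven, default-deny reachability described above can be modelled in a few lines. This is an added example, not code from the product or from the HIP specification: the `Overlay` class, the group names, the keys and the addresses are all constructed, and a truncated SHA-256 of the public key is assumed as a simplified stand-in for a HIP identity.

```python
import hashlib

def identity_tag(public_key: bytes) -> str:
    # Assumption: truncated SHA-256 of the key stands in for a HIP identity.
    return hashlib.sha256(public_key).hexdigest()[:32]

class Overlay:
    """Default-deny model: two identities get a tunnel only if they share a group."""

    def __init__(self):
        self.groups = {}    # group name -> set of identity tags
        self.locators = {}  # identity tag -> current IP (locator, never used for policy)

    def onboard(self, public_key, ip, groups=()):
        tag = identity_tag(public_key)
        self.locators[tag] = ip
        for name in groups:
            self.groups.setdefault(name, set()).add(tag)
        return tag

    def relocate(self, tag, new_ip):
        self.locators[tag] = new_ip  # policy untouched: only the locator changes

    def tunnel_allowed(self, a, b):
        return any(a in members and b in members for members in self.groups.values())

    def routes_for(self, tag):
        # Routing table derived from group membership, recomputed on every call.
        peers = set()
        for members in self.groups.values():
            if tag in members:
                peers |= members - {tag}
        return sorted(self.locators[p] for p in peers)

def demo():
    net = Overlay()
    # Constructed sample keys and addresses.
    laptop = net.onboard(b"constructed-laptop-key", "10.0.0.5", ["finance"])
    server = net.onboard(b"constructed-fileserver-key", "10.0.0.20", ["finance"])
    printer = net.onboard(b"constructed-printer-key", "10.0.0.30", ["facilities"])
    ip_acl = {("10.0.0.5", "10.0.0.20")}  # traditional rule keyed on addresses
    net.relocate(laptop, "10.0.7.44")     # e.g. a new DHCP lease
    return {
        "ip_rule_still_matches": (net.locators[laptop], net.locators[server]) in ip_acl,
        "identity_rule_still_matches": net.tunnel_allowed(laptop, server),
        "laptop_to_printer": net.tunnel_allowed(laptop, printer),
        "laptop_routes": net.routes_for(laptop),
    }
```

After the address change, the address-keyed rule no longer matches the laptop while the identity-keyed policy is unchanged, and the printer stays unreachable until the laptop's identity is added to a group that contains it.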

TCP/IP was not designed for the modern network and is showing its age. Putting a layer of HIP over the top of the IP network allows for the use of identity instead of just an IP address for accessing resources, as well as providing encryption for all data in motion. The new network has to be secure while remaining as easy as possible to configure, and with HIP as the security layer on top of TCP/IP, it can be made so.