Posted on Dec 2, 2014
Now that we have renamed the company to Tempered Networks, people have been asking me what we mean by "tempered". It's really a reference to "well-tempered", which means treated so as to develop the desired degree of hardness and elasticity. At Tempered Networks, our mission is to instill that hardness and elasticity into our customers' networks. We do that with a suite of products that implement virtual private overlay networks across existing public and private infrastructure.
So what makes a network well-tempered? Communication is only allowed between things that are supposed to communicate with each other.
Common network security schemes focus on a "zone defense": creating DMZs and inner zones with firewalls in between, and then punching holes between the zones for the networked applications that actually span them. Every such hole is an address-and-port exception, so the perimeters end up more porous than necessary and hard to maintain.
By comparison, in a well-tempered network we create groups of hosts that are allowed to communicate, regardless of where the hosts are, which LAN they sit on, or how they are interconnected. A host can be a member of several groups at once. Tempered Networks calls these groups "overlay networks": a simple way to express otherwise complex network policy.
For example, suppose we have a big machine in a factory. That machine needs to communicate with the process controller, in a different part of the factory. But maybe it also needs a communication path to the engineering offices where the programmers work. And the techs need a way to get firmware updates from their staging server to the machine. And the analysts in the QA department down the road want to collect statistics. And the InfoSec team needs access to the logs. Of course, each of those teams talking to the machine will be talking to other machines also, and to other parts of the company. QA department talks to the supply chain system but InfoSec does not. And it may all be changed next week!
With the Tempered Networks overlay approach, we might define one overlay network just for this one machine. Everything that talks to the machine is a member of that overlay (and of other overlays for other machines). The paragraph above then becomes a nearly exact specification of a very specific policy. The overlay network transcends VLANs and addressing schemes, and spans firewalls, NAT, public networks, WANs, VPNs, etc.
This approach hardens networks by enabling fine-grained control over policy, while keeping them elastic, with a safe and simple way to create new secure communication paths across the enterprise. That's what we mean by a "well-tempered" network.
Posted on Nov 20, 2014
It’s not just a great song by Tower of Power; the Host Identity Protocol (HIP) is a game changer in network communications. Let’s get some of the technical details out of the way and then discuss what it means:
HIP allows consenting hosts to securely establish and maintain shared IP-layer state, allowing separation of the identifier and locator roles of IP addresses. HIP uses public key identifiers from a new Host Identity namespace for mutual peer authentication. The protocol is designed to be resistant to denial-of-service (DoS) and man-in-the-middle (MitM) attacks. When used together with another suitable security protocol, such as the Encapsulated Security Payload (ESP), it provides integrity protection and encryption for upper-layer protocols, such as TCP and UDP. HIP has matured over 15 years of research, development, and deployment from companies like Boeing, Verizon, and Ericsson, as well as research institutions around the world.
The drawbacks of the dual use of the IP address cannot be overstated, and are largely responsible for many of the Internet's security and networking problems. HIP corrects this overloading: the upper layers of the stack can use a Host Identity in their socket APIs instead of an IP address. HIP then establishes secure communications between cryptographic identities, and binds local and remote application interfaces to these identities. At layer 3, IP addresses are still used for network delivery and routing. With IP addresses used to locate but not to identify hosts, HIP enables seamless mobility (changing addresses), multi-homing (using multiple addresses), and switching between address families (IPv4/IPv6) while maintaining secure sessions. Extending to the extreme edge of the network, HIP Diet Exchange (DEX) brings HIP to extremely low-power, resource-constrained IoT devices. Individuals can also use HIP with anonymous Host Identities, so the Internet can finally deliver anonymity when you need it and trust when you demand it. In summary, HIP gives applications peer authentication and integrity protection, plus a cryptographic identity on which to base authorization, without breaking the existing socket API!
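To make the identifier/locator split concrete, here is an added example (my own illustration, not code from the original post or from Tempered Networks). It derives a Host Identity Tag from a public key using the ORCHIDv2 layout that HIPv2 uses (28-bit prefix 2001:20::/28, 4-bit OGA ID, 96 bits of truncated hash), checks that a presented key really matches a claimed HIT, and keeps association state keyed by HIT so that the locator can change underneath it. Two assumptions that are not on the page: the Host Identity is hashed as raw public-key bytes rather than in the exact HOST_ID wire encoding, and the Context ID and OGA ID constants are as I recall them from RFC 7401 and RFC 7343, so check them against the RFCs before relying on them. The key bytes and addresses are constructed.

```python
from __future__ import annotations

import hashlib
import ipaddress

# ORCHIDv2 layout (RFC 7343), used for HITs in HIPv2 (RFC 7401):
#   bits 127..100  28-bit prefix 2001:20::/28
#   bits  99..96   4-bit OGA ID (which hash built the HIT)
#   bits  95..0    leftmost 96 bits of Hash(Context ID | Host Identity)
ORCHID_PREFIX = 0x2001002                       # 2001:20::/28 as its top 28 bits
ORCHID_NETWORK = ipaddress.ip_network("2001:20::/28")
# Context ID assigned to HIP in RFC 7401 (assumption: value as recalled; verify)
HIP_CONTEXT_ID = bytes.fromhex("F0EFF02FBFF43D0FE7930C3C6E6174EA")
OGA_SHA256 = 0x1                                # HIT Suite 1: RSA/DSA with SHA-256


def derive_hit(host_identity: bytes, oga_id: int = OGA_SHA256) -> ipaddress.IPv6Address:
    """Build the HIT for a Host Identity.

    Assumption: `host_identity` is the raw public-key bytes. A real stack hashes
    the HOST_ID parameter's Host Identity field exactly as encoded on the wire.
    Only Suite 1 (SHA-256) is implemented here.
    """
    if oga_id != OGA_SHA256:
        raise ValueError("only HIT Suite 1 (SHA-256) is implemented in this example")
    digest = hashlib.sha256(HIP_CONTEXT_ID + host_identity).digest()
    hash_bits = int.from_bytes(digest[:12], "big")          # leftmost 96 bits
    hit_int = (ORCHID_PREFIX << 100) | (oga_id << 96) | hash_bits
    return ipaddress.IPv6Address(hit_int)


def in_orchid_prefix(hit: ipaddress.IPv6Address) -> bool:
    return hit in ORCHID_NETWORK


def oga_of(hit: ipaddress.IPv6Address) -> int:
    return (int(hit) >> 96) & 0xF


def verify_hit(claimed_hit: ipaddress.IPv6Address, presented_hi: bytes) -> bool:
    """A HIT is self-certifying: the key a peer presents in the base exchange
    must hash to the HIT it claims, otherwise a man-in-the-middle could swap in
    its own key. Recompute with the OGA ID carried in the HIT itself."""
    if not in_orchid_prefix(claimed_hit) or oga_of(claimed_hit) != OGA_SHA256:
        return False
    return derive_hit(presented_hi, oga_of(claimed_hit)) == claimed_hit


class HostAssociations:
    """Security state keyed by HIT; locators are attached to it, not the reverse."""

    def __init__(self) -> None:
        self._peers: dict[ipaddress.IPv6Address, dict] = {}

    def establish(self, claimed_hit: ipaddress.IPv6Address, peer_hi: bytes, locator: str) -> bool:
        """Simplified base-exchange outcome: accept the peer only if its key
        matches the HIT it claims, then remember the key and current locator."""
        if not verify_hit(claimed_hit, peer_hi):
            return False
        self._peers[claimed_hit] = {"hi": peer_hi, "locators": [locator]}
        return True

    def update_locator(self, hit: ipaddress.IPv6Address, new_locator: str) -> bool:
        """Mobility / multihoming: a new address for an existing association.
        Identity and keys are untouched. (A real stack also verifies the peer is
        reachable at the new address before sending traffic there.)"""
        peer = self._peers.get(hit)
        if peer is None:
            return False
        if new_locator not in peer["locators"]:
            peer["locators"].insert(0, new_locator)        # newest preferred
        return True

    def locators(self, hit: ipaddress.IPv6Address) -> list[str]:
        return list(self._peers[hit]["locators"])


if __name__ == "__main__":
    key_a = b"constructed-public-key-A"                    # stands in for real key bytes
    hit_a = derive_hit(key_a)
    peers = HostAssociations()
    print("HIT:", hit_a, "accepted:", peers.establish(hit_a, key_a, "10.0.0.5"))
    peers.update_locator(hit_a, "192.0.2.9")               # host moved; session survives
    print("locators:", peers.locators(hit_a))
```

The point the table makes is the one in the paragraph above: every decision (accept this peer? which key? where is it now?) hangs off the HIT, and an address change is a bookkeeping update rather than a new session. `verify_hit` is the check a gateway must not skip, because the HIT on its own proves nothing until the peer shows the key behind it.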
November 19, 2014 is a remarkable day for HIP. After many years of development, testing, and consensus building, HIP RFC 5201-bis was just approved by the IETF as a Proposed Standard. This is an important step; however, the true measure of a standard is adoption, and there are a number of challenges to supporting a new protocol like HIP. HIP allows us to gracefully and gradually embrace the path of Software Defined Networking. Based on 7 years of R&D at Boeing and now working with Fortune 500 clients, Tempered Networks has found that we can enable HIP secure communications while performing a very vital function: protecting critical infrastructure and information. The Tempered Networks HIPswitch provides a migration path for non-HIP-enabled endpoints to "get" HIP. Over time endpoints will have HIP embedded in their protocol stacks, much like TCP/IP, ESP, and DNS support are built into every operating system.
By the time HIP is widely deployed, the challenge of the Internet moves from one of routing to one of orchestration. Orchestration enables highly dynamic definitions of network trust relationships at the identity level, along with routing and policy definitions at Internet scale. This is what we’re setting out to build at Tempered Networks. And that’s HIP!
Posted on Nov 13, 2014
BlackEnergy, the malware used by the group tracked as Sandworm, is another ICS game changer. It could be another watershed event like Stuxnet, highlighting the nightmare scenarios faced by modern industrial enterprises: loss of control/view, reconnaissance, data exfiltration, and latent attack. How did we get here? BlackEnergy attacks GE Cimplicity, Advantech/Broadwin WebAccess, and Siemens WinCC Human Machine Interfaces (HMIs) by leveraging vulnerabilities in Windows and in the vendors' software. The attack vectors are primarily network-based, but air-gapped or perimeter-protected networks can be penetrated via removable media.
What are some of the obvious discussion points? The HMIs are quite simply exposed to communications networks that are far too open. Patching is always problematic in ICS, which makes the software on these HMIs difficult to keep updated, especially when the ICS vendor must certify each patch: the testing cycles are lengthy and system downtime is disruptive. Once an attack is under way, what can we do to prevent the compromised host from calling back to the command and control (C&C) servers the attackers run? What can we do to mitigate this general class of problems? The obvious first step is to make the ICS devices disappear from view: not an air gap, but a trust map. We must retrofit high-assurance communications into ICS networks to "cloak" ICS devices from everything except trusted peers. Trust must rest on something much stronger than IP addresses, MAC addresses, protocols, and ports. Network "trust relationships" must be defined cryptographically, but packaged so that they function at scale without breaking existing networks.
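The following added example (my illustration, not Tempered Networks' code) serves both the overlay-network description in the Dec 2 post and the "trust map" argument above. Hosts are known by a cryptographic identity (an opaque string standing in for a HIT); overlays are named groups of identities; a packet is forwarded only when an authenticated identity stands behind each address and the two identities share an overlay. The factory overlay from the earlier post is built out, then the decisions that matter are exercised: peers in the same overlay talk, peers without one do not, a compromised HMI's call-out to an outside address with no authenticated identity is dropped, and the machine keeps its reachability after moving to a new address. All identities, overlay names and addresses are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class OverlayPolicy:
    """Overlays are named groups of host identities; membership is the policy."""
    overlays: dict[str, set[str]] = field(default_factory=dict)
    # address -> identity authenticated behind it (e.g. by a completed HIP base
    # exchange). An address with no entry carries no trusted identity at all;
    # a real gateway keys this on the session's SPI/HIT, not the IP header.
    sessions: dict[str, str] = field(default_factory=dict)

    def add_members(self, overlay: str, *identities: str) -> None:
        self.overlays.setdefault(overlay, set()).update(identities)

    def shared_overlays(self, a: str, b: str) -> set[str]:
        return {name for name, members in self.overlays.items()
                if a in members and b in members}

    def is_allowed(self, a: str, b: str) -> bool:
        """Two hosts may talk iff they are both members of some overlay."""
        return bool(self.shared_overlays(a, b))

    def bind(self, address: str, identity: str) -> None:
        """An identity was authenticated at this address. A mobile host binds
        again from its new address; a multihomed one holds several bindings."""
        self.sessions[address] = identity

    def decide(self, src_addr: str, dst_addr: str) -> tuple[str, str]:
        """Per-packet decision as ('ALLOW' | 'DROP', reason). Addresses are only
        used to look up identities; the decision is made on the identities."""
        src = self.sessions.get(src_addr)
        dst = self.sessions.get(dst_addr)
        if src is None:
            return "DROP", f"no authenticated identity behind {src_addr}"
        if dst is None:
            return "DROP", f"no authenticated identity behind {dst_addr}"
        if not self.is_allowed(src, dst):
            return "DROP", f"{src} and {dst} share no overlay"
        return "ALLOW", "via " + ", ".join(sorted(self.shared_overlays(src, dst)))


def build_factory_policy() -> OverlayPolicy:
    """The factory from the Dec 2 post as overlay memberships (constructed data)."""
    p = OverlayPolicy()
    # one overlay just for this machine: everything that talks to it is a member
    p.add_members("machine-7",
                  "hi:machine-7", "hi:process-controller", "hi:eng-workstation",
                  "hi:firmware-staging", "hi:qa-collector", "hi:infosec-logs")
    # QA talks to the supply-chain system; InfoSec does not
    p.add_members("supply-chain", "hi:qa-collector", "hi:scm-server")
    for addr, ident in {
        "10.1.5.20": "hi:machine-7",            # factory floor
        "10.1.5.1": "hi:process-controller",
        "10.20.0.77": "hi:eng-workstation",     # engineering office, another site
        "10.20.0.9": "hi:firmware-staging",
        "172.16.8.3": "hi:qa-collector",        # QA department down the road
        "172.16.8.40": "hi:scm-server",
        "10.99.1.12": "hi:infosec-logs",
    }.items():
        p.bind(addr, ident)
    return p


if __name__ == "__main__":
    policy = build_factory_policy()
    for src, dst in [("10.1.5.20", "10.1.5.1"),      # machine -> controller
                     ("10.99.1.12", "172.16.8.40"),  # InfoSec -> supply chain
                     ("10.1.5.20", "203.0.113.7")]:  # infected HMI -> outside C&C
        print(src, "->", dst, policy.decide(src, dst))
    policy.bind("192.0.2.44", "hi:machine-7")       # machine moved; nothing to re-rule
    print("after move:", policy.decide("192.0.2.44", "10.1.5.1"))
```

Note what is absent from `decide`: no subnet, VLAN, protocol or port ever appears, which is why the policy survives the machine changing address and why the C&C destination is dropped without anyone having to know its address in advance. It also shows a consequence of grouping that is worth stating when writing such policy: every member of "machine-7" can reach every other member, so QA and InfoSec can talk to each other here simply because both talk to the machine.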
The hack of today is energy companies compromised by BlackEnergy. Notice how common these stories are becoming? We used to talk about hack of the year; then hack of the month. If you don’t see a disturbing trend, then you need to pay closer attention. The industry must step up to the challenge and disrupt this trend. It’s imperative that we raise the bar as high as possible to stop new infections and neutralize existing infections, while maintaining operational integrity and availability.
--David Mattes, Co-Founder and CTO