Posted on May 15, 2018
For most of us, it’s hard to imagine what networking would be like without complexity. Even something simple, like moving a printer, can take weeks of planning, provisioning and system updates to get it from the fourth floor to the fifth. The number of person-hours required to make a move almost costs more than the printer. It’s not sustainable. Why?
In today’s Internet 2.0 world, where connecting everything is the priority, we run into a fundamental problem. IPv4, the backbone protocol of all networking, has a finite number of addresses. IPv6 is a response to some, but not all, of its shortcomings. As a result, many connected devices use dynamic IP addresses from a limited pool or use static IP addresses. These create conflicts which must be overcome with specific routing rules and network management practices. This adds complexity and costs that cannot be avoided, along with vulnerabilities that are almost impossible to secure.
If this mad scramble to connect everything is “Internet 2.0”, then “Internet 3.0” must get back to the original intent of endpoint-to-endpoint networking while eliminating the pitfalls and shortcomings of IP. How can we get to a point where moving a printer is as simple as unplugging it, moving it to the new location and plugging it back in? We must move away from the address-defined networking model, which relies on an IP address acting as both location and identity, to an identity-defined model that gives every endpoint or device a unique cryptographic identity.
Internet 3.0 – Making the Impossible, Possible
Identity Defined Networking (IDN) opens a world of possibilities and connections that are difficult, if not impossible, in an address-defined model. Suddenly the limitations that are caused by IP addressing dissolve, and we have actual, simplified networking that is flexible in ways not previously available and has unbreakable security built in. For instance:
- Device-level identity means that many traditional routing rules don’t apply, making it possible to connect any device on any network to any other device on any other network. As long as the identities are authenticated it no longer matters where they are.
- It also means that connections which are impossible in an IP network are now possible. Using address-defined networking, it is often not possible to connect devices on two different networks. With individual host identities, the restrictions no longer apply.
- Using endpoint-level identity it is possible to instantly create segments that can scale from an entire network down to a single device. And because the connection is encrypted and authenticated, the segment is virtually unbreakable.
- Identity-based networking also means that someone would need the credentials of a user, and their specific device, to hack into a network. And since identities cannot be spoofed, the attack surface of a network can effectively be reduced to zero.
- When unbreakable segmentation, isolation, and cloaking are included by default and the underlying network technology is inherently secure, it fundamentally changes the paradigm of how a network can be designed and implemented.
At Tempered Networks, we are pioneering Internet 3.0, to bring networking out of the dark ages of address defined networking and into the age of identity defined networking (IDN). We are the only company offering customers true networking without borders or boundaries. The ability to connect any device to any other, anytime and anywhere. Enabled by the Host Identity Protocol (HIP), our IDN solutions are helping all types of customers discover the benefits that Internet 3.0 brings to their business.
Internet 3.0: Business Benefits Everywhere You Look
Every day our customers are finding new ways to take advantage of IDN or uncovering hidden benefits of our solution. For example:
- One customer estimated that two engineers could provision 20 systems a week using traditional processes. With the Tempered Networks solution, they estimated that those same two engineers could provision 500 systems a week. By implementing a Tempered Networks IDN, they believe they will save about $6M/yr in IT headcount alone.
- An energy company in the southern US needed to securely connect 35 monitoring stations along a pipeline. Their options were between adding hard-wired, physical firewalls at each location or adding cellular enabled HIP-switches from Tempered Networks and quickly creating a secure IDN. With the Tempered Networks solution, they saved over $200k on hardware and subscription costs in the first three years of deployment.
Are you ready for Internet 3.0? A networked future that delivers on the original promise of networking, endpoint-to-endpoint, and eliminates many of the issues that make today’s IP networks complex and expensive. It may sound like a fantasy, but Identity Defined Networking and Internet 3.0 are here today. Welcome to the future of networking! Simple, Flexible and Secure.
Posted on May 10, 2018
In this post, Robert sets us straight about three of the most common VPN myths and why they're inaccurate.
We have all seen ads for various virtual private network (VPN) providers promoting their VPN as the solution to all that ails you. What they don't tell you is that a VPN does not prevent someone stealing your information, tracking where you go on the net, or other nefarious things that folks are doing out there.
Using a VPN will keep my activity private
The websites you visit are still using tracking cookies. They are still tracking where you go, and what you do. The only difference is that they don't get your home IP address as easily.
Using a VPN keeps me safe from people stealing my information.
While using a VPN means your traffic is encrypted when passing over the Internet, HTTPS and SSL effectively do the same. The likelihood that someone can steal your information is just as high, if not higher since you believe that you are protected and might click on a risky link.
Using a VPN cloaks my IP address.
Sure, the IP address in the log of the web server will be that of the VPN provider, and not your home IP address. But the VPN provider can also log what you do and where you go, and sell that information to the same people who buy it from the web hosts. Your IP address is only genuinely cloaked if no one can access it.
Tempered Networks’ IDN solution supersedes a VPN by providing cloaked, zero-trust access to specific devices and their admin interfaces, and can help resolve your most challenging networking and security needs.
Posted on May 8, 2018
It is hard to find a modern network that can’t be labeled, tagged, or classified. Segmenting your network traffic and isolating your audience from harm, while offering a useful service that can be easily deployed and managed, is a daunting task.
The US government has spent vast resources developing best practices in network security for protecting the national power grid by applying segmentation and segregation. Here is what they have to say:
“Segmentation establishes security domains, or enclaves, that are typically defined as being managed by the same authority, enforcing the same policy, and having a uniform level of trust […].
The aim of network segmentation and segregation is to minimize access to sensitive information for those systems and people who don’t need it while ensuring that the organization can continue to operate effectively.”
Segments not properly segregated will be compromised when network breaches occur. This is sometimes referred to as Tootsie Pop Security, meaning “…security of most organizations is like a Tootsie Pop. Hard and crunchy on the outside, soft and chewy on the inside. One bite and you easily get to the yummy center.”
Network segmentation and resource isolation are important concepts used for network security and the first thing most operators implement to limit breaches from propagating further. Recent innovations in networking have made the tools for segmentation even easier to implement, deploy, and manage.
Why is network segmentation creating so much buzz today?
The main thing that has changed is that we now have access to more of the software that makes things work, and low-cost platforms to deploy it on, which allows network segmentation innovations to happen faster. For the most part, data traffic and network security have also not kept up with innovations in Software Defined Networking (SDN), which makes this much easier.
SDN introduces the notion that the data plane and control plane should be separated. Virtual networks have made it possible to create network segments that are completely disassociated from the underlying network equipment. Together, these two ideas give rise to Software Defined Segmentation (SDS).
Software Defined Segments are easier to use and can be created dynamically and managed using a rich set of APIs that can be integrated directly into deployed services. SDS allows network elements to be classified into policy groups whose members can be identified, trusted, and authorized to establish peer connections with path assurances, which include network cloaking and military grade encryption. These software segments also allow you to administratively connect using APIs to monitor events and gain visibility by collecting important metrics previously difficult to obtain.
Critical infrastructure needs a security model that has built-in and strong identity associations for connection authorization. Any network segmentation, be it nano, micro, or mondo, starts with a rock-solid, verifiable identity.
Identity-based cryptography is a key component in trusting the associations of the connections between devices, regardless of your network topology, and it is a necessary layer in a multi-layer network approach.
Our unique network segmentation software can deliver a secure, private, full-mesh Ethernet VPLS service and our customers are protecting their critical assets with our platforms today.
Posted on May 3, 2018
“A sequel is an admission that you’ve been reduced to imitating yourself” -Don Marquis
A colleague forwarded yet another hacking article to me last week. I’ll paraphrase the headline and subtext, "HPE–iLO 4 Servers Targeted by Nasty New Variant of Ransomware! - IT blamed for not patching thousands of servers exposed on the Internet."
If you’re like me, you are sick and tired of the strain this never-ending carousel of exploits places on IT teams, our businesses, our critical infrastructure, and yes, our governments. These security events are repeated so often and the storyline has become so predictable that it’s like having to watch the same genre of movie over and over again. It’s like "Groundhog Day”, but that was a good movie and didn’t have a sequel.
The Internet is broken and the soft underbelly of all TCP/IP networking is exposed with yet another attack. Surprised? We have to fix the script of this movie and we can, but it means challenging the status quo in a much bigger and more meaningful way.
This Script Sucks
Unlike Groundhog Day, our IT movie sucks, and a new sequel with the same storyline premieres every month. It’s called "IT Insanity – Into the Deep #169” (for obvious reasons), and like a sequel to a teen horror movie you know how it ends every freakin’ time. Here goes, see if you recognize this.
System has vulnerability (Gasp!), hacker runs recon looking for systems (DUN-dun-DUN-dun), hacker finds systems (Bwahahahaha!), hacker exploits system and does bad stuff (Nooooo!), forensics team is brought in (Look there! Cha-ching $$$), heads roll (Ewwww!), hacker escapes (Ugh, again?), new guys hired to replace old to shake things up (Ah, maybe the next sequel will be better), new guys buy more stuff from the same network and security cartel who didn’t protect them in the first place (I really hate this movie).
Traditional IT prescriptions won’t fix this script
What blew me away about the headline of the article was not that ransomware found a new target or that yet another system was exploited; it was the tone of the article, the comments posted by readers, and the prescription. It felt like yet another exploit was a surprise: what, hacked again?! And reader comments were harsh, "What kind of idiots expose their servers on the Internet, grrrr.” Really? When I did a quick search on Shodan, those HP servers looked as if they’re being used as web servers, and being that they are web servers, it’s kind of normal that many would be public-facing on the web. What about the perimeter firewalls and the prescription offered, “remember to use a VPN.” Brilliant. But what if I have highly mobile users and workloads, vastly different IP namespaces, and what if I want to micro-segment that server from others on the same network? And what if I don’t want to expose my VPN on the Internet either and need to have a mesh of many-to-many connections to non-routable device IPs? VPNs are 90’s technology masquerading as modern in a 21st century world. It’s not IT’s fault.
Sure, those HP servers should have been patched because HPE-iLO servers have a long, storied history of vulnerabilities, but they’re not alone. All firmware, OSes, and software from all vendors have had some type of vulnerability since the beginning of the Internet. Spoiler alert: vulnerabilities will continue to happen because people write code, people make mistakes, and bugs happen.
Despite brilliant performances in harsh conditions, the actors can’t save this movie
Have the critics ever worked in IT? Do they know how many tens of thousands of different systems need to be patched at any given time? Do they know that most of the systems implemented in an organization were deployed by people who no longer work at the company, or that the current staff doesn’t know where, why, or for what purpose the systems were deployed? Do they have any idea how many firewall rules, routes, access control lists, and NAT devices there are, and what it takes to maintain them so users even have reliable connectivity? They don't know the sheer scope of IP:Port combinations in existence or how difficult it is to consistently maintain an IP namespace across different networks, IoT endpoints, containers, k8s pods, and oh by the way, different cloud providers too.
It’s not the actors, it’s the writers and directors
Do the critics know how all of these circular dependencies tie a Gordian knot of complexity that few, if any, humans can effectively manage? Idiots didn’t expose those HPE-iLO servers; overworked IT people did, using technology that they trusted. It’s not IT’s fault. IT didn’t create the complexity or allow the fatal flaw in TCP/IP to persist for so long; they inherited this script. Vendors, and even the standards bodies themselves, have let IT and all Internet users down.
Captain obvious disclosure: I’m a vendor and have worked for vendors for the last 25+ years so am admitting my own guilt here, not just pointing a finger. Must be my Catholic upbringing and the need to atone for so many years of ignorance.
Fixing the movie starts with admitting the script needs to be rewritten
The reason the Internet is broken and why we see so many groundhog sequels to our "IT Insanity” series is the nature of TCP/IP itself. The base attribute of networking is the IP address which serves a dual role for which it was never intended – as a device locator and as a device identifier. The role of the address evolved pretty quickly from its sole original intent as machine locator on a network to also being used as a machine's identity in order to enforce or restrict access to what that machine can or can’t talk to, e.g. allow ingress from 172.17.0.0/16 and allow egress to 10.0.0.0/24. We’re in essence trusting a non-verifiable attribute and treating it as a trusted identity. And if that base attribute isn’t trustworthy, nothing built on top of it will be either. It’s the weak link that the rest of the entire chain depends upon.
It’s no different than trusting someone to enter your house using their home address as their identity, "It’s okay honey, the person at the door said he’s 1324 Maple Lane so it must be Bill. Let him in." Would you feel secure knowing that your protection and personal identity was based on using your home address for identification? I didn’t think so, yet that’s the state of networks and the Internet today so why are we still so surprised when bad guys so easily find our houses, enter, and do harm? We’ve been building networks and access control based on a false trust model. This is the status quo we have to break if we’re to rewrite the script. If we don’t break it, we will continue to have to act in the same tired and horribly costly IT Insanity sequel. Because deploying yet another next-gen firewall, VPN, SDN controller, secure switch or whatever, is just layering more complexity on top of a soft and vulnerable underbelly.
The award-winning script that you not only get to act in but write and direct
This new script starts with zero trust, adds verifiable device/machine identity and peer-to-peer encryption, and climaxes with borderless overlay networks that can’t be violated by unauthorized systems and can be run anywhere with point-and-click simplicity. Let’s eliminate those HP-iLO Server 4 sequels altogether.
The Host Identity Protocol (HIP) is the only one I know that combines the powerful attributes of three different protocols into one – VXLAN, LISP, and IPsec – while eliminating their complexity and limitations. Imagine being able to traverse any network boundary or domain like VXLAN, but without having to modify any infrastructure, so it could run anywhere, across any network, even ones you didn’t control. HIP gives you seamless, non-disruptive, and universal peer-to-peer connectivity that’s been impossible until now. Now imagine your machines could automatically and transparently authenticate and authorize connectivity like LISP, but did it at the host level and before a TCP connection could even be established, so all your machines would be cloaked and undiscoverable by unauthorized devices. HIP not only does this but, unlike LISP, doesn’t require the underlay network to be HIP-aware in order to function, and can be implemented in a tenth of the time and cost. Now imagine that all of your authenticated and authorized network connections were encrypted like IPsec, but didn’t have the mobility limitations or complicated and costly IKE overhead. You could connect anything to anything over any network, including the Internet, and it would remain private end-to-end. None of your stuff would have to be exposed. Everything could remain private. You could create your own private Internet and rewrite the script.
Now just imagine that overworked IT team being able to orchestrate connectivity and the discovery of devices with point-and-click simplicity. A lot of the previous storyline would be struck from the script – ineffective internal firewalls, using unmanageable and traversable VLANs for segmentation, immobile and exposed VPN technology. You could start to untie the Gordian knot of IT complexity and not just be an actor using a crappy script you inherited, but direct and star in your movie too.
Now that would be a movie I’d love to see.
Posted on May 1, 2018
The distributed enterprise is a beautiful thing! It’s been a marvel of mobile empowerment, remote access, and self-service IT services. Cloud services have opened up a plethora of applications that give workers unparalleled access to resources that improve efficiency. While this all sounds great, it gives IT folks responsible for network security nightmares. This Shadow IT has unraveled the traditional IT and network security cocoon that once controlled network access.
Then came whitelisting. The idea that every single device needs authorization to connect to the network sounds great (at least to IT) but in today’s connected world, a manual approach to network security is not only a resource burden it’s simply unsustainable. Furthermore, after a decade of centralizing data in cloud-based infrastructure and services, businesses are rapidly pushing intelligence out to the edge of the network, where data can be processed more quickly than transmitting it to the cloud and waiting for a response. Soon, many companies may be dealing with millions of Internet of Things (IoT) devices, ranging from “dumb” sensors to sophisticated processing systems; certainly, too much to manage manually!
Ensuring trust over this ever-expanding cloud and IT environment represents a major challenge for already overburdened IT teams. In many cases, they’re dealing with products and vendors that may be unable to ensure a secure environment. In fact, Gartner predicted back in 2016 in their Top 10 Security Predictions, that “through 2018, over 50 percent of IoT device manufacturers will not be able to address threats from weak authentication practices.” Cue the IT nightmare music!
But what if whitelisting were transparent to the end user and automated? When you base networking and access control on provable machine identity, whitelisting becomes a simple way to enforce policy, as opposed to attempting to enforce it based on IP addresses or blacklists—both of which are vulnerable to spoofing and hacker reconnaissance. Now we’re talking!
The difficulties of whitelisting stem from the computing world’s reliance on IP addressing to establish access and authentication. The problem with this approach, as many businesses have learned, is that IP addresses can be “spoofed” to impersonate a trusted device or to conceal the true identity of a device accessing a network.
Let’s instead promote provable machine identity. The IP address is relegated to providing address location only, while identity is ensured through the Host Identity Protocol (HIP), which creates strong cryptographic identities that can be automatically verified and authorized within an Identity-Defined Network (IDN) overlay. With IDN, only provable host identities are recognized, essentially creating an automatic and manageable process for whitelisting. Now Shadow IT isn’t so shadowy, and IT and network security folks can breathe a little easier!
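The address-based ingress rule quoted in the "IT Insanity" post above (allow ingress from a trusted prefix) and the identity-based whitelisting described here are contrasted in the following Go program. It is an example added to this page, not Tempered Networks' code or a HIP implementation: the Ed25519 keys, the SHA-256 tag derivation (a simplified stand-in for HIP's Host Identity Tag), the printer addresses and the challenge nonces are all constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// HostIdentity is a key pair that names a machine independently of the
// address it is currently attached at (constructed for this example).
type HostIdentity struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewHostIdentity() HostIdentity {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return HostIdentity{Pub: pub, priv: priv}
}

// Prove signs a challenge issued by the enforcement point.
func (h HostIdentity) Prove(challenge []byte) []byte { return ed25519.Sign(h.priv, challenge) }

// TagOf derives a short identifier from a public key. HIP (RFC 7401) builds its
// Host Identity Tag from a hash of the public key; a SHA-256 prefix stands in
// here for the RFC's exact ORCHID encoding (simplification, not the real format).
func TagOf(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:16])
}

// Claim is what the enforcement point sees: a source address it cannot verify,
// plus a public key and signature it can.
type Claim struct {
	SrcIP string
	Pub   ed25519.PublicKey
	Sig   []byte
}

// AddressPolicy is the post's legacy rule ("allow ingress from ...") reduced to
// exact addresses: whoever arrives from a listed address is trusted.
type AddressPolicy map[string]bool

func (p AddressPolicy) Allow(c Claim, _ []byte) bool { return p[c.SrcIP] }

// IdentityPolicy ignores the address: the peer's tag must be on the list and
// the peer must prove key possession for this exact challenge.
type IdentityPolicy map[string]bool

func (p IdentityPolicy) Allow(c Claim, challenge []byte) bool {
	if c.Pub == nil || !p[TagOf(c.Pub)] {
		return false
	}
	return ed25519.Verify(c.Pub, challenge, c.Sig)
}

// Outcome holds both policies' decisions for one scenario.
type Outcome struct{ ByAddress, ByIdentity bool }

// RunScenarios plays out the situations the posts describe: a device that
// moves, a device whose address is forged, and a proof replayed from earlier.
func RunScenarios() map[string]Outcome {
	printer, stranger := NewHostIdentity(), NewHostIdentity()
	byAddr := AddressPolicy{"10.4.0.50": true}       // printer's fourth-floor address (constructed)
	byID := IdentityPolicy{TagOf(printer.Pub): true} // printer's key, valid at any address
	fresh, stale := []byte("nonce-1"), []byte("nonce-0") // constructed; use random nonces in practice
	out := map[string]Outcome{}

	// 1. Printer moved to the fifth floor: new address, same key.
	moved := Claim{SrcIP: "10.5.0.50", Pub: printer.Pub, Sig: printer.Prove(fresh)}
	out["moved"] = Outcome{byAddr.Allow(moved, fresh), byID.Allow(moved, fresh)}

	// 2. Unknown host arriving from the printer's old address with its own key.
	forged := Claim{SrcIP: "10.4.0.50", Pub: stranger.Pub, Sig: stranger.Prove(fresh)}
	out["forged"] = Outcome{byAddr.Allow(forged, fresh), byID.Allow(forged, fresh)}

	// 3. Printer's public key shown with a signature made for an earlier challenge.
	replay := Claim{SrcIP: "10.4.0.50", Pub: printer.Pub, Sig: printer.Prove(stale)}
	out["replay"] = Outcome{byAddr.Allow(replay, fresh), byID.Allow(replay, fresh)}
	return out
}
```

The address rule accepts the forged and replayed claims and rejects the moved printer; the identity rule does the opposite, which is the whole point of relegating the IP address to location only.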
Posted on Apr 26, 2018
For our first employee spotlight, Trisha, our HR Generalist, talks with Jared about his transition from one of our awesome interns to his role as a full-time employee.
Jared Williams is an intern success story in many ways, but especially for Tempered since he now works with us as a full-time Software Engineer. I knew the moment that I read Jared’s resume and cover letter that he was an A player. Jared was an intern at Tempered Networks from June to September 2017, and if it wasn’t for his last quarter in college, he would’ve started working full-time right away instead of starting officially in December 2017. Although I checked in with Jared and gathered some feedback about our internship program back in the summer, I wanted to check in with him about the transition from internship to full-time employee at our company.
Trisha: What is the biggest difference between working as an intern and a full-time employee at Tempered?
Jared: Probably the pay. But honestly, there’s not that many differences between the two. The only things that really stand out to me from both experiences are the same, which is the meaningfulness of my work where I’m a big part of decisions. Even as an intern, I was just working on one project, but I had free rein over what happened. Of course, the team collaborates to some extent, but I didn’t feel like I was just sitting in a cabinet and typing in the dark. As an intern at a start-up, I knew that all of my work towards the project I was assigned was making a great impact on deliverables and would go straight to market.
Trisha: What made you interested in Tempered Networks?
Jared: I’ve always had a slight obsession with security. Even when I was younger before I even thought about studying software engineering or coded anything, I was interested in what people could do to break down security to hack you. Tempered was most interesting to me because it addressed the security focus, but there’s still a variety and much more to what we do.
Trisha: Why do you like working here?
Jared: This is a good place to learn a lot really quickly. If you’re willing to do as much as you can and take initiative, you’ll definitely learn more. The work inspires me the most to be here. It also makes a difference that the people on my team are really encouraging and more than just co-workers. I might even call them friends.
Trisha: What do you think of the Tempered Solution?
Jared: Our product is cool because it solves the problem of network management, and the fact that it’s obvious the problem we’re solving now isn’t the only problem we can solve; we can solve so much more.
Posted on Apr 24, 2018
The ‘Internet of things’ (IoT) continues to be all the rage these days, but what does that really mean for us as a society in the broader context? All these ‘things’, including vending machines, Point-of-Sale systems, biomedical devices, HVAC systems, etc., are being connected onto networks. Seems like everything needs to connect and communicate, but we need to think carefully about the implications.
More Internet-connected devices and things have simply created more opportunities for bad actors to gain access to networks and sensitive information. Take, for example, medical IoT, where devices like infusion pumps, PACS systems, mobile x-ray units, EKG monitors, etc., are increasingly being connected across hospital networks. As hackers take advantage of historically lax security on medical systems and embedded devices, defending medical instruments has taken on a new sense of urgency.
Having your information stolen is one thing, but what happens when a bad actor decides to put people in life-threatening danger, like hacking an insulin pump to administer a fatal dose?
Now we’re talking about the Internet of important things.
It’s my job to wake up every day and inform and educate customers. Every ‘thing’ is connected, and the only responsible approach is to consider the cost and consequences of a breach, and take the steps to mitigate that risk. Who’s doing that in your organization?
What keeps me up at night are the ‘worst-case scenarios’. We’ve already witnessed the near shutdown of 16 hospitals across the UK, which caused chaos and even prevented staff from completing scheduled surgeries. Then there are airline carriers with outdated systems and countless entry points that make them highly vulnerable to cybersecurity threats. It’s already been reported that hackers could access aircraft flight controls and air traffic systems, but I won’t dwell on that thought.
Suffice it to say that IoT will never successfully take off using current networking and security practices. Tempered Networks’ mission is to make it incredibly easy to protect the important or vulnerable ‘things’ that impact our safety and well-being.
The good news is that there’s a better way forward to secure IoT and IP communications by using identity-based segmentation, where only provable identities can be networked. The best part is that it’s easy because of recent tech innovations that abstract the complexities of traditional networking. Mere mortals can deploy and maintain identity defined networks at enterprise scale. Contact us today so we can help you securely connect your world’s important things.