What is an Airwall™ and How Does It Work?

At the core of the Tempered Airwall™ is the Host Identity Protocol, which builds on a strong notion of identity to guarantee a very high degree of assurance and security. But what is an Airwall and what does identity actually mean in practice?


What is an Airwall?

The Airwall architecture incorporates a fully encrypted network fabric made up of Airwall edge services and their connected devices, managed through an orchestration engine, called the Airwall Conductor. Unlike traditional IP networking and SDN approaches, the Airwall is a true overlay requiring little to no modification of the underlying network or security infrastructure. It provides a simple policy-based configuration of devices or groups of devices that are explicitly trusted within the Airwall as an overlay network based on whitelisting. This trust, based on a unique cryptographic identity, or (CID) for each device, determines what systems or devices can initiate and establish communication before any data is exchanged.

Building an Airwall requires a minimum of three components, an Airwall Conductor, and two or more hardware or software appliances, which we collectively call Airwall edge services. These can be deployed symmetrically either in a hub and spoke topology, mesh, or both. Below is a short description of each.

Airwall Conductor - Policy-based orchestration

Tempered Airwall Conductor is the orchestration engine and intelligence behind an Airwall. Airwall Conductor drives simple configuration of policy and issues unique Cryptographic IDs (CIDs) to the Airwall edge services that enforce explicit trust relationships through device-based whitelisting. The Airwall Conductor is the engine that ensures all Airwall edge service policy is up to date and synchronized and collects metrics as well as active state information from the Airwall edge services within the Airwall.

Airwall edge services - Secure networking enforcement points

Airwall edge services is a colletive term used to describe our hardware and software products that provide cloaking, secure connectivity, identity-based routing, and IP mobility. They enforce the Airwall Conductor’s provisioning, de-provisioning, and revocation of trust of any managed IP resource connected to an Airwall appliance. Airwall edge services follow the Host Identity Protocol standard, which initiates trust before transport communication is established and before any data is exchanged between the edge service and other authorized edge services.

Airwall appliance

Airwall appliances are typically deployed in front of devices or hosts that cannot protect themselves, like legacy systems and machines, or when customers are unable to install either an Airwall client or Airwall server. Airwall appliances can be deployed as a physical, virtual, or cloud-based appliances. Depending on the model, physical Airwall appliances have built-in Ethernet, Wi-Fi, Cellular (2G, 3G, 4G LTE modems), as well as Serial-over IP for the most flexible link connectivity options found in the industry. Our virtual and cloud Airwall appliances function in the same manner as our physical Airwall appliances. Unlike SDN or traditional networking and security technologies, organizations no longer need to deploy and maintain different networking and security policies for their on-premises resources and another set for their cloud-based resources.

Airwall client

The Airwall client is a software application installed on Windows, Mac, iOS, and Android devices and enables customers to provide managed computers a trusted and verifiable identity, which opens up a broad array of end-user secure access, networking, mobility, and segmentation use cases. Trust-based client segmentation, granular access control, encryption everywhere, and auditing is now possible in both static and dynamic IP environments.

Airwall server

The Airwall server supports Windows Server and Linux and behaves much like the Airwall client but is also built to allow an organization to choose whether they want to completely cloak the server itself so only authenticated and authorized endpoints can discover and communicate with it. Using an explicit trust model, cloaking, software-defined segmentation, and encryption are driven down to the server level effectively enforcing a perimeter of one.

What does identity actually mean in practice?

To understand how an Airwall manages identity, we first have to understand how it creates identity.

Tempered Airwall identity is provided by a cryptographically strong Rivest–Shamir–Adleman (RSA) key pair that resides on each Airwall edge service and Airwall Conductor. The key pair consists of a private decryption key that never leaves the Airwall edge service and a corresponding public encryption key located on the Airwall Conductor.

Airwall in practice diagram

The first step in assigning identity is when an Airwall edge service is initially provisioned. The Airwall edge service on first boot generates a public and private key pair and sends a certificate signing request to the Airwall Conductor. The Conductor then sends the certificate signing request securely to the Tempered provisioning server and returns a signed certificate. Once complete, the Conductor distributes the public keys to each Airwall edge service. Along with the pubic keys, an identity is also assigned to each and is based on a condensed form of the public key, called a Host Identity Tag (HIT), represented by an IPv6 Internet address. Airwall edge services use these HITs to establish trust among each other by cryptographic means that guarantees the identity of its peers.

Airwall in practice diagram

Once the identity is established, there is usually no need to re-provision the generated keys. However, some Airwall edge services such as Airwall clients and Airwall servers support multiple Airwall Conductor connection profiles and generate an additional, new identity each time a new profile is created resulting in multiple identities.

Now that we know how Airwall creates identity, let’s look under the hood at how the network stack changes.

How is the network stack changed?

Airwall edge services configure the host network stack separating the Airwall network traffic from the untrusted shared network. They establish secure tunnels to deliver traffic safely between devices. The Airwall’s secure tunnels isolate the network into trusted micro-segments, completely cloaking vulnerable infrastructure, making them undetectable by the underlying network.

Isolating the Airwall from the shared network is done by creating a special virtual network interface, called a TAP interface, on the host. This TAP interface assigns an IPv4 IP address generated from the Host Identity Tag (HIT). The Airwall appliance, client, or server generates routing rules that forward any packets sent to destinations behind other Airwall edge services to the TAP interface. Packets sent to the TAP interface are received by the Tempered software daemon, which is part of the Airwall edge service’s software. This isolates any Airwall traffic from the rest of the network and makes it undiscoverable outside of the Airwall fabric.

The Tempered software performs policy validation using the policy configuration received from the Airwall Conductor. These policies are based on identity, do not change, and are impervious to NAT. Any packets that are allowed according to the policy configuration are encrypted using standard IPsec and UDP encapsulation and the source and destination IPs of the resulting packets are sent to both the IP of the destination Airwall edge service and source Airwall edge service. The encapsulated packets are sent using the normal network interface.

The same path is used for encapsulated packets received from a remote Airwall edge service. The Tempered Network software daemon reads the packets on the standard network interface, usually on port 10500 by default and de-encapsulates and decrypts the received packets. The receiving Airwall edge service performs an ingress policy check based on the original IP packet. If this check is successful, the packet is forwarded to the TAP interface and is handled by the kernel, or in the case of the Airwall Client or Server, the platform where it is installed.

What is Host Identity Protocol?

The concepts behind an Airwall were first proposed by Robert Moskovitz in 1999 as an individual IETF submission when the Host Identity Protocol (HIP) was conceived as a solution to overcome the fundamental flaw in TCP/IP networking - which has made networking and security the complex Rubik it is today . HIP was not only developed by leading academics and Global 2000 companies but was put into production before formal ratification by the IETF in April 2015.

The defining feature of HIP is the de-coupling of the identifier and locator functions in an IP address, restoring its original purpose as a resource locator and using unique CryptoID’s are what makes the unified secure Airwall approach both resilient and practical. Unlike other technologies, networking and security policy orchestration is made so simple that authorized business teams can easily make their own policy changes without involving other teams or risk exposing corporate networks and other connected resources.

HIP is an open standard. However, to realize the vision of host identity enabled on every IP-based device, a new management paradigm is needed. This requires scale, policy-based orchestration, and compatibility of HIP-based services for any operating system, hypervisor, container, or hardware platform in order to realize the vision of HIP everywhere to create “a secure and mobile Internet”.

Tempered offers a unique and simple orchestrated system that builds on HIP technology. This allows you to shrink, and in most cases eliminate your infrastructure’s attack surface by offering easy management of critical, physical infrastructure, providing the following capabilities and benefits:

Capabilities

  • Cloak IIoT infrastructure: “hackers can’t hack what they can’t see”
  • Eliminate lateral movement and malware propagation
  • Unify security policy across physical, virtual, and cloud infrastructure
  • Authenticate and encrypt every connection, based on a trusted identity

Benefits

  • Reduce downtime of physical infrastructure
  • Extend useful life of IT and Security systems, such as firewalls, security scanners, and proxies
  • Dramatically reduce the attack surface across an entire network
  • Deploy and manage less expensively than competing legacy solutions

Do you have an Airwall?