Guest blog by Russel Jensen, Network and Security Practice Lead, Sysorex Inc.
“The best block is to not be there” – Mr. Miyagi
Designing, installing, and maintaining your company’s infrastructure can be one heck of a job. I’ve been doing network architecture for about 20 years now and the best explanation I’ve ever found to tell people what I do is still, “I make sure packets go from point A to point B, and back again”. Horribly simplified, but if I start going down the rabbit-hole about L1-L4 design ideas and trade-offs, they immediately look like they just stepped on a rake and knocked themselves silly. Seriously, if I ever want my kids to go to sleep right away, I just pick a random page out of “TCP/IP Illustrated” and start reading it to them. “Forget counting sheep, I’ve got a subnet mask for you to work on…”

But one of the things that keeps me up at night is security. I’ve had plenty of clients who’ve back-burnered security and woke up the next day to an encrypted file system and demands for bitcoins. I’ve got others who are now starting to realize that everybody accessing their IP/sensitive docs internally maybe really isn’t a good thing, and those emails from Mr. Nairbobi? Ya know, the ones that say you’re rich and can you please open this PDF as well as send us an email? Yeah, maybe those really should be looked at, and no, I don’t know why the admin account accessed those servers from my machine earlier.
The challenge with security is that the picture you’re defending against keeps changing. No single on-prem or SaaS package can defend against everything perfectly, so you need more than one set of tools, which is where the concept of ‘defense in depth’ (or ‘defense in layers’) comes from. You can take it a step further: not only have the layers, but design them so that they work with and complement each other. That is the concept of a security ecosystem.
One part of the ecosystem that has given me fits when designing security is the class of IP-connected devices that cannot protect themselves: pumps (industrial and medical), HVAC controllers, cameras, critical legacy apps that require an OS that is no longer supported or patched, and so on. Add the whole “IoT” push to the lot and suddenly you have a rather impressive attack surface for people to take a look at. So, if you can’t enable the devices to protect themselves, your next best bet is to block the attacks before they even start, and if you’re a fan of 80’s movies, you know that the best “block” is “no be there”. That is precisely where Tempered Networks comes in.
How Tempered’s HIP switches work is well documented on their website (www.temperednetworks.com) and I’m not going to go into that here, but what I will say is that as of this moment, Tempered Networks is the *only* game in town when it comes to cloaking endpoint devices and controlling who has any type of visibility to those devices. They quickly and (very) easily build armored tunnels between devices protected with HIP switches (either physical or virtual) and that access control is absolute. You may not be able to harden those vulnerable endpoints, but you can build a bullet-proof access control scheme that rides on top of existing L1-L3 resources (be it serial, Ethernet, cellular, or wireless) quickly, easily, and with enough time over to make a new pot of coffee in the breakroom after you took the last cup.
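To make the “no be there” idea concrete, here is an added illustration (mine, not code from Tempered Networks and not the HIP protocol itself) of what an identity-based cloaking gateway in front of an unprotectable device does differently from an ordinary IP-based ACL. The gateway forwards a packet only when the sender proves a registered identity that the policy allows for that device; everything else is dropped silently, with no RST and no ICMP, so a scanner never learns the device exists. All names, addresses and keys are constructed. Real HIP (RFC 7401) uses public-key host identities; because the Python standard library has no asymmetric crypto, a per-identity HMAC secret stands in for the key pair here, which is an assumption of this model only.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """A constructed packet: IP header fields plus an optional identity proof."""
    src_ip: str
    dst_ip: str
    payload: bytes
    identity: Optional[str] = None   # claimed host identity (hypothetical tag)
    seq: int = 0                     # per-identity counter, defeats replay
    tag: Optional[bytes] = None      # MAC over identity|seq|dst_ip|payload


class CloakingGateway:
    """Sits in front of devices that cannot defend themselves.

    Policy is keyed on cryptographic identity, not on src_ip, so an attacker
    who spoofs an allowed address gains nothing. Every rejection is a silent
    drop, so a scanner cannot tell the device exists.
    """

    def __init__(self):
        self.keys = {}        # identity -> secret (stands in for a host key pair)
        self.policy = {}      # device ip -> set of identities allowed to reach it
        self.last_seq = {}    # identity -> highest seq accepted so far
        self.devices = {}     # device ip -> handler (the unprotectable device)
        self.audit = []       # (verdict, reason, src_ip, dst_ip) for forensics

    def enroll(self, identity, secret):
        self.keys[identity] = secret
        self.last_seq[identity] = 0

    def protect(self, device_ip, handler):
        self.devices[device_ip] = handler
        self.policy.setdefault(device_ip, set())

    def allow(self, identity, device_ip):
        self.policy[device_ip].add(identity)

    @staticmethod
    def _mac(secret, identity, seq, dst_ip, payload):
        msg = b"|".join([identity.encode(), str(seq).encode(), dst_ip.encode(), payload])
        return hmac.new(secret, msg, hashlib.sha256).digest()

    def seal(self, identity, secret, seq, src_ip, dst_ip, payload):
        """What an enrolled peer does before sending (the client side)."""
        return Packet(src_ip, dst_ip, payload, identity, seq,
                      self._mac(secret, identity, seq, dst_ip, payload))

    def _drop(self, pkt, reason):
        self.audit.append(("drop", reason, pkt.src_ip, pkt.dst_ip))
        return None   # silent: no RST, no ICMP unreachable, nothing to fingerprint

    def handle(self, pkt):
        """Returns the device's reply bytes, or None for a silent drop."""
        if pkt.dst_ip not in self.devices:
            return self._drop(pkt, "not a protected device")
        if pkt.identity is None or pkt.tag is None:
            return self._drop(pkt, "no identity proof")
        secret = self.keys.get(pkt.identity)
        if secret is None:
            return self._drop(pkt, "unknown identity")
        expected = self._mac(secret, pkt.identity, pkt.seq, pkt.dst_ip, pkt.payload)
        if not hmac.compare_digest(expected, pkt.tag):
            return self._drop(pkt, "bad proof")
        if pkt.seq <= self.last_seq[pkt.identity]:
            return self._drop(pkt, "replay")
        if pkt.identity not in self.policy[pkt.dst_ip]:
            return self._drop(pkt, "identity not allowed for device")
        self.last_seq[pkt.identity] = pkt.seq
        self.audit.append(("forward", "ok", pkt.src_ip, pkt.dst_ip))
        return self.devices[pkt.dst_ip](pkt.payload)


def demo():
    """Constructed scenario: one legacy pump behind the gateway, one allowed operator."""
    gw = CloakingGateway()
    # The "device": a legacy controller that answers anything it is asked.
    gw.protect("10.0.0.50", lambda data: b"PUMP-OK:" + data)
    op_secret = b"operator-workstation-key"          # constructed, hypothetical
    gw.enroll("operator-ws", op_secret)
    gw.allow("operator-ws", "10.0.0.50")
    gw.enroll("hvac-vendor", b"hvac-vendor-key")    # enrolled, but not for the pump

    results = {}
    # 1. Port scan from an unknown host: silent drop, scanner sees nothing.
    results["scan"] = gw.handle(Packet("203.0.113.9", "10.0.0.50", b"SYN"))
    # 2. Attacker spoofs the operator's IP: an address is not an identity.
    results["spoof"] = gw.handle(Packet("10.0.0.10", "10.0.0.50", b"STOP"))
    # 3. Attacker guesses the identity name but cannot produce the proof.
    results["forged"] = gw.handle(
        Packet("10.0.0.10", "10.0.0.50", b"STOP", "operator-ws", 1, b"\x00" * 32))
    # 4. Legitimate operator: forwarded to the device.
    good = gw.seal("operator-ws", op_secret, 1, "10.0.0.10", "10.0.0.50", b"STATUS")
    results["legit"] = gw.handle(good)
    # 5. The same packet captured and replayed: dropped.
    results["replay"] = gw.handle(good)
    # 6. Enrolled identity with no rule for this device: dropped.
    other = gw.seal("hvac-vendor", b"hvac-vendor-key", 1, "10.0.0.20", "10.0.0.50", b"STATUS")
    results["wrong_device"] = gw.handle(other)
    return results, gw.audit


if __name__ == "__main__":
    res, audit = demo()
    for name, reply in res.items():
        print(f"{name:12s} -> {reply!r}")
    for entry in audit:
        print(entry)
```

The point of the model is the order of the checks: the gateway never answers on behalf of the device until identity, proof, freshness and policy have all passed, and the audit list is the only place a rejected attempt shows up. In a real deployment the proof would be a signature from a per-host key pair and the “device” would be the pump, camera or legacy box that you cannot patch.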
It’s true you can kind of duplicate Tempered’s functionality with VPN-based technology, but having attempted that at several clients, I can tell you that the cost of the required equipment, along with the additional firewall/VPN setup and maintenance required, is challenging. Indeed, the flexibility and speed with which the Tempered Networks orchestration engine lets you set up, execute, and modify tunnels, and the devices that have access to them, is nothing short of astounding.
It is my belief that Tempered Networks is a requirement for ANY company with endpoints like those mentioned above that has either an on-prem or cloud-based architecture and has IP/resources it wants to protect, and that their place in a security ecosystem cannot be overstated. They are not the only piece, but a critical piece that’s well worth taking a long look at.
By Russell Jensen, Network and Security Practice Lead, Sysorex Inc.