Moving Beyond Perimeter-Based Security
A Broadband-Testing Report
Moving Beyond Perimeter-Based Security
First published February 2015 (V1.0) Published by Broadband-Testing
A division of Connexio-Informatica 2007, Andorra Tel : +376 633010
E-mail : [email protected] Internet : HTTP://www.broadband-testing.co.uk ©2015 Broadband-Testing
All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors.
Please note that access to or use of this Report is conditioned on the following:
1. The information in this Report is subject to change by Broadband-Testing without notice.
2. The information in this Report, at publication date, is believed by Broadband-Testing to be accurate and reliable, but is not guaranteed. All use of and reliance on this Report are at your sole risk. Broadband-Testing is not liable or responsible for any damages, losses or expenses arising from any error or omission in this Report.
3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY Broadband-Testing. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY Broadband-Testing. IN NO EVENT SHALL Broadband-Testing BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
4. This Report does not constitute an endorsement, recommendation or guarantee of any of the products (hardware or software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no errors or defects in the products, or that the products will meet your expectations, requirements, needs or specifications, or that they will operate without interruption.
5. This Report does not imply any endorsement, sponsorship, affiliation or verification by or with any companies mentioned in this report.
6. All trademarks, service marks, and trade names used in this Report are the trademarks, service marks, and trade names of their respective owners, and no endorsement of, sponsorship of, affiliation with, or involvement in, any of the testing, this Report or Broadband-Testing is implied, nor should it be inferred.
TABLE OF CONTENTS
TABLE OF CONTENTS
BROADBAND-TESTING
EXECUTIVE SUMMARY
CYBER THREATS: WHAT COMES AFTER FIREWALLS AND VPNS?
The Alternatives?
SOLUTION EXAMPLE: TEMPERED NETWORKS
Successfully Managing Legacy and Contemporary Networks and Devices
IN CONCLUSION
Figure 1 – Configuring HIPswitches
BROADBAND-TESTING
Broadband-Testing is Europe’s foremost independent network testing facility and consultancy organisation for broadband and network infrastructure products.
Based in Andorra, Broadband-Testing provides extensive test demo facilities. From this base, Broadband-Testing provides a range of specialist IT, networking and development services to vendors and end-user organisations throughout Europe, SEAP and the United States.
Broadband-Testing is an associate of the following:
Limbo Creatives (bespoke software development)
Broadband-Testing Laboratories are available to vendors and end-users for fully independent testing of networking, communications and security hardware and software.
Broadband-Testing Laboratories operates an Approvals scheme which enables products to be short-listed for purchase by end-users, based on their successful approval.
Output from the labs, including detailed research reports, articles and white papers on the latest network-related technologies, are made available free of charge on our web site at
HTTP://www.broadband-testing.co.uk
Broadband-Testing Consultancy Services offers a range of network consultancy services including network design, strategy planning, Internet connectivity and product development assistance.
EXECUTIVE SUMMARY
Security has never been more important or more of a challenge than it is currently, yet many security systems and strategies are now well into their teens and at the heart of all our critical networks – if they fail, so does the business.
While firewalls have advanced – especially in terms of Deep Packet Inspection capabilities – they are still very much designed for perimeter or blanket security measures, despite arguments that this is now deemed inadequate in many cases as a total solution.
HIP – Host Identity Protocol – offers an alternative to traditional encryption methodologies in that, unlike traditional security devices, it has no IP address on the private side and requires no configuration changes on the local devices it is protecting.
While HIP solutions are not currently widespread, one Seattle-based vendor, Tempered Networks, has created a range of security products based on the HIP protocol, a standards-based solution.
A HIP-based solution, as implemented by Tempered Networks, acts as a private overlay network to an existing infrastructure, protecting the existing investment a company has made in its security strategy. It effectively segments, isolates and cloaks the network elements, while adding vital endpoint security.
CYBER THREATS: WHAT COMES AFTER FIREWALLS AND VPNS?
Security threats continue to rise in number, strength and originality on a daily basis.
While this is a very major concern for companies and individuals alike, in the world of industry and cyber security the stakes are almost limitless. Imagine the impact of a successful cyber attack on a nuclear power station, a hydro-electric dam, a gas or oil plant, or even a major retailer. Each network and device is part of a critical infrastructure that is now a target – effectively, our way of life is at stake.
Unthinkable is the word that springs to mind, yet it could happen.
In all these cases, the targets are vulnerable endpoint devices – for example, manufacturing equipment, water pumps, PLCs (electric grid), control devices, ATMs, POS systems and similar, depending on the industry. Many of these devices will be based on SCADA (Supervisory Control And Data Acquisition), a system operating with coded signals over communication channels so as to provide control of remote equipment. This may be combined with a data acquisition system by adding the use of coded signals over
This creates a very different challenge to securing networks, network segments and users or groups of users. While firewalls have advanced – especially in terms of Deep Packet Inspection capabilities – they are still very much designed for perimeter or blanket security measures. Broadband-Testing has carried out NGFW testing with various vendors and the focus is never on the endpoints themselves. Once the perimeter is pierced, all devices on the network are exposed. Equally, VPNs may provide point-to-point security but were not designed to secure specific endpoint technologies – again, something we’ve observed during previous test projects.
Both firewalls and VPNs are cumbersome to deploy and manage in large numbers and require extensive IT skills – an expensive resource, or one the enterprise simply does not have. Essentially, every environment that has been breached relied on a combination of firewalls and VPNs. Time has shown through breaches that additional layers of security are required, for example by further segmenting and isolating devices and networks.
Historically, Broadband-Testing reports focusing on Next Generation Firewalls (NGFW), for example, have identified significant complexities in trying to create very specific configurations – in this instance for specific application availability or TCP port block/open options. Sometimes multiple configuration tasks have been required in order to achieve just one additional security rule. Multiply this by specific rules for every endpoint on the company network and the potential nightmare becomes clear. Equally, configuring VPNs for a few point-to-point connections is not complex, but try rolling out a deployment in the dozens, hundreds or more. Not only does human error create very costly mistakes, but the initial and ongoing costs (patches, upgrades, etc.) make OpEx positively scary in this scenario. And what about true mesh networks?
NAC (Network Access Control) emerged a few years ago as a means of securing endpoint access. NAC was designed to use a set of protocols to define and implement a policy that describes how to secure access to network endpoints on initial access. However, it really made sense as a means of preventing already-infected devices, such as users’ laptops, from being able to gain network access – not what we are looking for here. Moreover, the definition became incredibly complicated from vendor to vendor, and even in terms of who was supposed to deploy and manage said technology – the IT admin or the network team. It also suffered from well-documented deployment cost and scalability issues.
VLANs, in conjunction with firewalls and other security products, were also seen by some as a fundamental part of a “security strategy” but they are purely a means of segmenting network traffic and users. There’s also the issue of ‘bridging the divide between OT and IT’ when it comes to managing and controlling network security when firewalls, VPNs, NAC and VLANs are combined.
A potential performance hit is a further concern, as, again, are those operating costs. Tied in with this is the issue of managing remote access to the critical endpoints – granting and revoking remote access rights in an easily managed way that avoids potential targeted security breaches.
critical is a file server, database server or core router, for example, in these days where the network, data and applications ARE the business?
In other words, there is a real challenge here to all forms of business, especially as networks become more fragmented, thanks to a combination of public and private networks, Internet, public and private cloud and other outsourced network elements.
One option has emerged in the form of HIP – Host Identity Protocol – not to be confused with HIP meaning “Host Inspection Protocol”, as some NGFW vendors use the term. HIP, in the former sense, offers an IETF working group-specified alternative to traditional encryption methodologies, in that it effectively decouples the transport layer of the OSI model from the network layer, with a presence on the private LAN and the shared network (e.g. WAN or Internet) equally. Unlike traditional security devices, however, it has no IP address on the private side (thereby negating attack possibilities) and requires no configuration changes on the local devices it is protecting. Instead, it introduces a Host Identity (HI) name space, based on a public key security infrastructure. So, in HIP networks, all occurrences of IP addresses in applications are eliminated and replaced with cryptographic host identifiers.
Given that TCP/IP was not initially designed as a secure protocol, the benefits of removing the IP address are suitably obvious. The question is – who offers this new alternative? And can HIP be effective as a complementary solution, rather than a “rip out and start again” option, the latter patently not a realistic proposition for most companies?
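The following is an added illustration of the idea in the preceding paragraphs, not code from the report, from the IETF HIP specifications or from Tempered Networks: a host's identifier is derived from its public key, so a peer cannot claim that identifier without also holding the matching private key. The key type (Ed25519), the context string, the prefix/nibble layout of the tag and the nonce-signing exchange are all assumptions chosen for the example; the tag layout loosely follows the ORCHID idea (fixed prefix, then a truncated hash over a context value and the key) but is a simplified illustration, not a conformant HIT computation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"net"
)

// Constructed context string for this example (an assumption, not HIP's own
// context ID). It only keeps this hash domain separated from other uses.
var contextID = []byte("example-host-identity-context-v1")

// HostIdentityTag derives a 128-bit, IPv6-shaped identifier from a public key.
// Simplified layout: 28-bit prefix 2001:20::/28, a 4-bit algorithm nibble,
// then the first 96 bits of SHA-256(contextID || publicKey).
func HostIdentityTag(pub ed25519.PublicKey) net.IP {
	h := sha256.New()
	h.Write(contextID)
	h.Write(pub)
	sum := h.Sum(nil)

	tag := make([]byte, 16)
	tag[0], tag[1], tag[2] = 0x20, 0x01, 0x00
	tag[3] = 0x20 | 0x01 // upper nibble completes the prefix, lower nibble = algorithm id 1
	copy(tag[4:], sum[:12])
	return net.IP(tag)
}

// Challenge is a verifier-chosen nonce; signing it proves liveness and key possession.
type Challenge struct{ Nonce [32]byte }

// Response is what a host returns: the tag it claims, the key it says the tag
// belongs to, and a signature over nonce || tag.
type Response struct {
	ClaimedTag net.IP
	PublicKey  ed25519.PublicKey
	Signature  []byte
}

func NewChallenge() (Challenge, error) {
	var ch Challenge
	_, err := rand.Read(ch.Nonce[:])
	return ch, err
}

func signedMessage(ch Challenge, tag net.IP) []byte {
	msg := append([]byte{}, ch.Nonce[:]...)
	return append(msg, tag...)
}

// Respond answers a challenge with the given private key while claiming `claimed`.
// A genuine host claims HostIdentityTag(its own key); an impostor would claim someone else's.
func Respond(ch Challenge, priv ed25519.PrivateKey, claimed net.IP) Response {
	pub := priv.Public().(ed25519.PublicKey)
	return Response{
		ClaimedTag: claimed,
		PublicKey:  pub,
		Signature:  ed25519.Sign(priv, signedMessage(ch, claimed)),
	}
}

// Verify accepts only if (1) the claimed identifier really is derived from the
// presented public key and (2) the signature over this challenge verifies.
// Check (1) is what stops a peer from borrowing another host's identifier.
func Verify(ch Challenge, r Response) bool {
	if len(r.PublicKey) != ed25519.PublicKeySize {
		return false
	}
	if !HostIdentityTag(r.PublicKey).Equal(r.ClaimedTag) {
		return false
	}
	return ed25519.Verify(r.PublicKey, signedMessage(ch, r.ClaimedTag), r.Signature)
}

func main() {
	pubA, privA, _ := ed25519.GenerateKey(nil)
	tagA := HostIdentityTag(pubA)
	fmt.Println("host A identifier:", tagA)

	ch, _ := NewChallenge()
	fmt.Println("genuine host accepted:", Verify(ch, Respond(ch, privA, tagA)))

	// An impostor with its own key cannot claim A's identifier.
	_, privB, _ := ed25519.GenerateKey(nil)
	fmt.Println("impostor claiming A's tag accepted:", Verify(ch, Respond(ch, privB, tagA)))
}
```

The identifier stays stable across address changes because it depends only on the key, which is the property the report leans on when it says applications see host identifiers rather than IP addresses.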
SOLUTION EXAMPLE: TEMPERED NETWORKS
So, from a solution perspective, we are looking at a new approach here – a technology that complements existing security investments, but adds true endpoint security, eases the management and configuration headaches, and is cost-effective.
These are the goals behind what Tempered Networks, a Seattle-based security product vendor, is looking to achieve.
Successfully Managing Legacy and Contemporary Networks and Devices
Importantly, a HIP-based solution, as implemented by Tempered Networks, is a transparent drop-in solution that facilitates private overlay networks and a defence in depth approach. In this way it protects the existing investment a company has made in its security strategy and implementation, but adds vital endpoint security without impacting on the underlying network infrastructure, configuration and management in any way – a flexible solution that is simple to deploy and manage.
The HIPswitches come in various (industrial and data-centre) form factors and performance levels and can connect to the shared network via wired Ethernet, Wi-Fi, cellular, SatCom and public cloud networks. In addition to the range of physical switches, there are also laptop and data-centre grade virtual HIPswitches. Importantly, HIPswitches are device and vendor agnostic.
Figure 1 – Configuring HIPswitches
So, from a solutions perspective, it is all about time and, therefore, cost savings. For example, you need to set up 500 port-port connections for distributed devices, and everyone wants port-port granular control for devices over a distributed network – how complex and time-consuming is this using traditional security tools?
The Tempered approach is about securing the endpoint devices themselves, not with a complex configuration required on each device, but simply by creating an overlay network using the Tempered technology and using that to secure the devices with no endpoint configuration changes. This impacts positively on both deployment and day-to-day management costs, potentially reducing months and weeks of configuring and re-configuring to days – see cost examples in summary.
It also simplifies the logistics of who deploys and who manages what is very much a security, rather than a network, solution. IT governance is a hot topic these days, as networks continually expand and job roles start to overlap. Tempered’s solution is designed to allow IT to delegate user-level administration for self-service departmental provisioning. It is also a classic case of providing the right tool for the job, rather than contriving a new use out of something that was never designed to do the job.
So, instead of firewalls being used to secure thousands of instances of TCP ports through layers of administration, the focus is simply on connecting to the physical port of the endpoint. The Tempered solution uses HIP alongside IF-MAP, which provides a common interface between the security appliances and a database server. Though initially aimed at protecting critical control systems in industrial environments, the solution is applicable to most enterprise network environments. The key element here is that the endpoint
Figure 2 – SimpleConnect Dashboard
IN CONCLUSION
Simplifying the security of device endpoints – especially those open to industrial sabotage – cannot be over-stated in its importance. HIP provides the technical means of securing these devices, but the Tempered approach equally simplifies the deployment from a cost, ease and political aspect. It neither impacts upon the existing security strategy, nor who owns that space, but simply improves it.
So, if we look at how pricing typically works out against a standard firewall, even at base level, the deployment costs are interesting. Tempered Networks’ base case is five-node protection – so that’s five critical endpoints. The “starter kit” here is $9,995, to which you need to add three HIPswitch 100s, bringing the total equipment cost to $12,980. The benefit then is that installation and configuration is simple – a one-hour task – so if we look at an hourly rate of $250, the total deployment cost is $13,230. For this outlay all seven attributes of the security model are covered, along with micro-segmentation, orchestrated 3rd-party secure remote access and other benefits.