I don’t think anyone would disagree with the statement that IT security has become exponentially more complex over the past five years. It seems every month there’s a new startup that solves a specific security issue but addresses only that one issue.
This leads to an increasing number of security vendors causing security solution sprawl. A recent ZK Research survey revealed that large enterprises have an average of 32 security vendors deployed, which is a ridiculously high number. It’s hard enough to build a strategy around two to three vendors, but 32?
One startup trying to simplify security is Tempered Networks. I recently spoke with Marc Kaplan, vice president of security architecture for the company, about how Tempered Networks makes network security simpler. Below is our conversation.
Zeus: Explain what Tempered Networks does and how the products work.
Marc: Tempered Networks’ core strategy is that networking and security must be interlocked, not deployed as separate solutions. To that end, our solution offers a new class of networking that effectively brings identity to networks and endpoints.
Here’s how it works: Our solution includes a product called a “HIPswitch” that builds a secure, private overlay network onto the actual physical network. The solution starts with a Default-Deny model, only allowing explicitly trusted (whitelisted) systems or endpoints onto the overlay. HIPswitches connect devices into an overlay network and hide these whitelisted devices from everything that doesn’t need to see them.
The other part of the solution is the Conductor, a centralized, scalable orchestration engine that manages and monitors the deployed HIP services, devices, configurations and security policies. A company could set up a policy, for example, that states medical devices can only talk to other medical devices. With traditional VLANs, if a medical device moved, things would need to be reconfigured. This is known as micro-segmentation.
HIPswitches are available in physical, software, embedded, virtual and cloud form factors, so an organization has the flexibility to create networks across their hybrid network. Our solution is effectively a secure SDN, but it goes even further by supporting east-west and north-south traffic.
Zeus: Why do networks have this problem?
Marc: The Internet Protocol was built on a model where everything can see everything. It’s why the internet works like it does. We’ve flipped the model where each device or network can have an associated identity, something like a DNA. Then we apply rules around the identities such that no device can see any other device unless specifically allowed to in the policy.
Zeus: How does micro-segmentation simplify the network?
Marc: It simplifies network routes and can provide a global IP address. A cloaked network can have its own network topology. Companies might choose to use dedicated leased lines, but this can be expensive and susceptible to telco vulnerabilities. Also, overlapping networks are now possible and easier to manage, as the overlay masks the complexity. Lastly, migrating to a new IP scheme or between different platforms—physical, virtual or cloud—becomes very easy. Think of the HIPswitches as comprising a secure fabric where every device is only one hop away.
Zeus: Does micro-segmentation make managing firewalls simpler?
Marc: First, we certainly do not advocate getting rid of firewalls, as they are very important parts of any organization’s security strategy. However, firewalls should do what they do best and that’s protecting the perimeter.
Today, firewalls are filled with unnecessary rules, as organizations started using them to do network segmentation. Micro-segmentation, however, drastically reduces the number of firewall rules needed, making them easier to maintain. Also, customers will see performance improve because of the reduction of rules and connections. The reduced traffic also means that the firewall log is smaller in size and, therefore, easier to inspect.
Zeus: What about IDS/IPS performance? How does micro-segmentation impact those devices?
Marc: Similar to firewalls, micro-segmentation reduces traffic that needs to be inspected. The whitelisting of devices in cloaked networks greatly reduces attack vectors, directly contributing to the reduction of traffic passing through the IDS/IPS system. This will also reduce the number of false positives because only whitelisted devices can communicate with other whitelisted devices.
The additional benefit is that API-driven responses allow for moving devices out of and into overlays. Regardless of where a device is located—virtual, physical, agent or cloud—the API can move a compromised device out of hundreds or thousands of networks instantly and put it into a completely isolated forensic network.
Since the HIPswitches own IP, they can even dynamically move an attack away from its target across the world instantly into a honeypot network where the overlay can present the targeted system IP on a forensic platform. The HIPswitch overlay extends the value of IPS and IDS, truly creating a defensible network.
Zeus: Any other security benefits?
Marc: Yes, we can enable MAC address lock-down. This makes it simple to manage NAC functionality that also provides cloaking and simplified routing over the secure overlay network. Also, micro-segmentation enables better malware mitigation and control. It’s much easier to shut down a device that is infected when deployed around a micro-segmentation architecture.
Our solution allows devices to be disconnected with just a single click. If MAC address lock-down is not sufficient, the identity created for each device makes it possible to have absolute trust or completely remove a machine from all networks. Essentially, if you try to use a Windows laptop that has an embedded identity after it has been revoked, there is no way to connect into any overlay network. All of the passwords stolen from the laptop become completely useless, as the identity is no longer valid.
Finally, global IP addressing lets us move machines effortlessly across your hybrid network without having to re-IP the machine. The fabric will ensure that all whitelisted machines will be able to find each other, regardless of where they sit or what IP address they are using, securely.