HIPrelay Product. The Industry's First Identity-Based Router Product FAQ

Transcription

1 HIPrelay Product The Industry's First Identity-Based Router Product FAQ Q. What is the HIPrelay? The HIPrelay is an identity-based router that seamlessly extends identity-defined micro-segments (IDMS) across LANs and WANs connecting any resource to another based on provable cryptographic identities (crypto-ids), not IP addresses. Along with our HIP Services, the HIPrelay moves the security and networking perimeter from the network edge to the hosts or machines themselves. Using our Conductor s simple policy orchestration, resources within an identity micro-segment can now securely connect to others regardless of location or network. It overcomes previously costly and impassable network barriers and borders. Secure end-to-end networking for anything, anywhere, across any environment is now possible. You can now instantly connect or revoke any networked resource with confidence. HIPrelay is wide-area micro-segmentation without barriers. Q. What s so unique about the HIPrelay? It s the only routing technology that doesn t rely on IP addresses to route and securely connect separate networks, machines, or devices. Instead, the HIPrelay relies on host-based crypto-ids to determine who and where to route the encrypted traffic and doesn t require modifications to the underlay network. It s also the only solution that can punch through impassable barriers like multi-nat and Carrier Grade NAT. Q. What types of network barriers do you overcome? Barriers that have prevented secure and direct end-to-end connectivity in the past like multi-nat, CGNAT, dynamic IP addressing, IP conflicts, and unwieldy inbound firewall rules are just some examples that can be overcome-instantly. Wide-area segmentation, machine-based authentication and authorization, and end-to-end encryption that has no barriers creates an incredibly flexible and hardened networking fabric at a fraction of the cost of alternatives. Different network environments that prevent secure end-to-end connectivity for any type of resource can also be easily overcome. Direct connectivity across different cellular networks, wide-area peering and segmentation between on-premises resources, VPCs, and between different clouds Western Ave. Suite 550, Seattle, WA Tempered Networks. All rights reserved.

2 Q. Is the HIPrelay really a router? Not in the traditional sense and that s why it s so powerful. It s a new networking paradigm all together. The HIPrelay does not use Layer 3 rule sets, addresses, or traditional routing protocols for its routing decisions. Instead, routing decisions and machine to machine communications are allowed based on provable crypto-ids and enabling trust between systems in the form of whitelist policies. All authorized and encrypted communication between HIP Services are securely routed or forwarded by the HIPrelay within an identity-defined overlay. The HIPrelay can also be deployed in clusters providing a private and superior high availability, performance, and data governance architecture all based on crypto-ids, not spoofable IP addresses. Q. How does it work? It s really elegant in its simplicity. 1. The HIPrelay, in conjunction with our HIP Services, securely routes encrypted communications between any authorized devices, even non-routable IP resources, across any network, anytime quickly and easily. 2. The only requirement is that the HIPrelay have a public IP, all other networked resources can be privately addressed and buried deep inside any network; physical, virtual, cloud, cellular, or Wi-Fi. 3. When IDN policy is distributed by our Conductor to all distributed HIP Services, those that have been authorized to use a HIPrelay or a cluster of them register themselves by sending an outbound Host Identity Tag (HIT) to the HIPrelay(s). 4. The HIPrelay learns their locations and enforces Conductor s policy -- authorizing that the packets can be forwarded to any other HIP Service it s authorized to connect to. 5. When a device wants to connect to another, it sends its an initiation packet with its signed crypto-id and the first HIPrelay within a cluster that responds will be the one used for the duration of the session forwarding the encrypted data between the authorized HIP Services. 6. The newly peered HIP Services perform a 4-way base exchange to authenticate and authorize each other before a TCP session is established and any data is transmitted. 7. Once authenticated and authorized, the HIP Services establish a secure tunnel for all data communication through the HIPrelay which doesn t decrypt but forwards the packets on to their authorized destinations. Q. How is policy created? It s extremely simple. 1. Policy is defined by creating trust relationships between distributed systems based on their crypto-id. 2. Only devices that are explicitly trusted with one another, via a HIPrelay, can establish a secure tunnel through it via a simple three-step relay rule. 3. The encrypted packets that are forwarded to the authorized endpoints by the HIPrelay simply traverse the existing infrastructure as any encrypted traffic would -- with no modification to the underlay network. 2

3 Q. Why is the HIPrelay so important? The HIPrelay saves an incredible amount of time, personnel and money, while hardening the interior and extending it across the WAN in a manner that was previously impossible. The security perimeter can now be easily moved from the network edge down to the hosts or machines themselves without modifying infrastructure or applications. The HIPrelay allows you to securely route and connect anything located anywhere based on provable identity, even non-routable IP resources buried deep inside an environment can be securely routed to others in separate networks without changing the underlay network. This means you can extend, connect and protect your business more simply and cost-effectively than ever before. Our customers find themselves eliminating VPNs, remote access servers, and jump boxes. They often reduce the complexity and cost of inbound firewall rule management reclaiming firewall capacity and allowing more focus on outbound rules. Network ACLs and interior firewalls are often eliminated as well. The result is a simpler, more secure, and predictable network with fewer human errors. With the HIPrelay and our IDN platform, our customers reduce provisioning and time to mitigation by up to 97%. They eliminate up to 90% of north-south and east-west attack vectors while lowering IT costs by as much as 25%. We re the only solution that can secure north-south and east-west traffic across any environment physical, virtual, and cloud. We re also the only solution that can extend, connect, and protect across any type of connectivity medium Wi-Fi, cellular, and Ethernet. Network and security teams love us because they can now become more agile while significantly reducing business risk. Instead of spending 80% of their time provisioning and maintaining complicated infrastructure-where every add/move/change introduces risk--they can reclaim that time, provision or mitigate with certainty, and focus on business innovation. Compliance teams are very interested in the HIPrelay because it can enable data sovereignty by controlling traffic flows within a region or specific country based on policy. Wide-area traffic policies that prevent the access and movement of data from one region to the next are not only simple but possible now based on provable crypto-id. For example, it s easy to create a policy for Germany where only authorized and authenticated machines (as part of a private and isolated German overlay network) could only connect to one another through a German HIPrelay. All encrypted traffic flows between systems and machines would be pinned to, and between, German-only machines. Q. How are policies enforced within the IDN Fabric? Policy enforcement is performed by a HIP Service that could either be a client or server agent installed on individual systems you want to connect and protect. Or, a HIP Service could be a physical, virtual, or cloud appliance that functions as the micro-segment gateway connecting and protecting the resources behind it. Q. What do you mean by identity-based micro-segments (IDMS's)? Unlike other micro-segmentation solutions, an Identity Micro-Segment's inbound and outbound authorized connectivity is defined by policy based on a provable crypto-id, not an IP address. No device or system can connect inbound to a resource or resources within a IDMS unless it has an authorized crypto-id allowed by IDN policy. And no device inside the micro-perimeter can connect outbound to another unless it is also authorized to do so. 3

4 Now the security and networking perimeter can easily move from the network edge to the hosts or machines themselves, with no disruption or dependencies on the underlay network. This type of explicitly allowed or denied connectivity based upon provable identity is what provides superior segmentation and isolation. For example, containment and prevention of malware command and control (C&C) is now possible. If a machine within an identity micro-segment was somehow able to be compromised, command and control communication would be prevented, because it would not be an authorized outbound connection to an allowed identity micro-segment's destination. Isolation and containment can be hardened even further by allowing only unidirectional inbound or outbound communication; enforcing policy as a virtual data diode for protecting resources and data. Instead of deploying hundreds, if not thousands of next-gen firewalls deep inside the network, and having to hire dozens of firewall admins just to maintain what would still be a porous environment, our customers have chosen a better alternative that simplifies instead of complicates the network. Unlike address-defined segmentation using Layer 3 and 4 firewall rules, identity-defined micro-segmentation is unbreakable, not spoofable, quick to implement, and extremely simple to maintain and audit. The flexibility to instantly connect, protect, or revoke any resource, across any location, in a fraction of the time, personnel, and cost can transform IT. Q. What do you mean by wide-area micro-segments? A wide-area micro-segments is made possible by the HIPrelay. A resource in one identity micro-segment can now easily connect to another across the WAN regardless of location, environment, network, or IP scheme. Even nonroutable resources can be securely connected. It s next-gen networking unbounded. A host within one identity micro-segment cannot connect to another unless policy allows it. HIP Services must authenticate and authorize each other before any data is exchanged and can now connect easily overcoming network barriers because of the HIPrelay. Any of these micro-segments and their protected resources can be easily networked within the LAN, WAN or across the Internet without constraint or sacrificing security. Only provable crypto-identified hosts can communicate within a local or wide-area overlay, providing a level of isolation, segmentation, and containment previously unattainable. This hardens the interior, isolating and segmenting east-west lateral movement, as well as all north-south traffic across the WAN. This simplifies everything and improves security by reducing an over-reliance on imprecise address-based policy for functions like inbound firewall rules, ACLs, VLANs, and NAT. Q. Does the HIPrelay help replace anything? Yes, VPNs become obsolete. Why would you deploy a VPN when? you could get wide-area micro-segmentation with instant provisioning and revocation without having to touch the underlay network and no management overhead? it only terminates a connection at the network edge, and you could secure communication all the way to or directly in front of the host? it can t support multi-point connectivity, and you could deploy a solution with better availability and reachability from any network 4

5 when you could use wide-area micro-segmentation and eliminate the management headache and overhead of a VPN. Yes, the HIPrelay as part of our IDN platform reduces if not eliminates the need, cost, and complexity of deploying next-gen firewalls deep inside your network. Why would you deploy internal firewalls when? you could get east-west and north-south micro-segmentation that was more secure and simpler at a fraction of the cost. you could get better security that makes ubiquitous connectivity between all devices simpler and much easier to maintain. you could eliminate complexity instead of transferring it from the network edge to the interior Tempered Networks is about 1/10th the cost to buy and 1/10th the cost to maintain compared to VPNs and nextgen firewalls all wide-area communication from trusted systems can now be tunneled through an IDN s trust segments, which dramatically reduces the complexity and cost associated with inbound firewall rules. Q. Do I have to punch any holes in my firewalls for this to work? No. But it does depend on how restrictive your firewall rules are based on inbound/outbound protocols and ports. The default port for HIP communication is however you could use something like port 53 as well. Our customers usually do not require changes to the underlay network. In fact, the HIPrelay allows a unification of all remote network traffic over one or just a few ports instead of many. Because HIP encapsulates IP protocols for all types of applications, all wide-area traffic can be seamlessly tunneled within a common protocol and common port. Inbound firewall rules become much simpler freeing both infrastructure and personnel resources. Q. What latency does the HIPrelay add to a connection or session? Very little because HIP is such an efficient and lightweight protocol. Of course the degree of latency depends upon the deployment of the HIPrelay and its geographic location in relation to the resources it s routing. We have customers who have deployed the HIPrelay regionally with no measurable additional latency. We have other customers whose traffic traverses between continents and the added latency is negligible at around 5 ms. However, with highly distributed deployments, we always recommend discussing application and performance requirements with our Solution Architects so we can be sure to design the most performant solution possible. Q. Can I create a distributed cluster of HIPrelays? Absolutely. In fact, deploying more than one HIPrelay and creating a cluster is our recommended architecture. The reasons are for high availability and performance. A cluster can even enable a better approach for country or regional data sovereignty laws like those required in the EU. 5

6 Q. Can a HIP Switch have more than one HIPrelay licensed on it? No, it s a one-to-one relationship of one HIPrelay per HIPswitch. However, a single HIPrelay can support hundreds of wide-area overlay policies that support dozens if not hundreds of distributed HIPswitches. For example, in one HIPrelay you could have a wide-area overlay network defined for distributed security cameras, another for your building automation systems, and another overlay for cloaked and restricted access by HR or Finance teams to highly sensitive data. The powerful attribute of this integrated model is that the micro-segmented access policy follows a user or machine regardless of location. For example, a finance person could be remotely accessing sensitive data from home one day and be in HQ the next, yet policy enforcement persists by intelligently connecting to the correct and authorized HIP Service. When she s remote her smart HIPclient knows to access through the HIPrelay which will route her encrypted communication directly to the cloaked and privately addressed finance servers. Her session will be machine authenticated and authorized before connectivity adding non-spoofable access control to her normal user credentials. The next day when she s in the office, her smart HIPclient will automatically recognize that she does not need to go through the HIPrelay but can directly connect to the private HIPservice that s either on or in front of the finance servers. Access to the finance crypto micro-segment remains the same regardless of location, all data-in-flight will be automatically encrypted end-to-end with no changes to any of the applications or infrastructure. Q. This is very new technology, where has it been proven? It is new, but our solution has actually been in production at several large enterprises across the energy, transportation, real estate, and technology industries for several months now and been in beta since February At Tempered, we believe in eating our own dogfood so our DevOps team as well as product engineering team have been using the HIPrelay in production for over 6 months. The technology and the specifications to enable wide-area micro-segmentation and mobility using Host Identity have actually been around since However, we re the first to commercialize HIP in this manner. You can read the HIP RFC to learn more about the concept behind HIP Rendezvous. However, because of our real-world experience working with a large contingent of our customers, our approach is even simpler and more predictable than what s specified in the RFC. 6