Zero Trust Networking with Zero Touch Management
Erik Giesa, Tempered Networks
IEEE Softwarization, November 2018
Networking has evolved into a messy patchwork of inflexible and complicated systems with an expanding attack surface. Network administrators and security professionals responsible for designing, deploying, securing, and maintaining networks are simply overwhelmed and ill-equipped to keep up.
The ‘go to’ strategy has been to implement Virtual Private Networks (VPNs), firewalls, Access Control Lists (ACLs), etc. and apply IP routing schemes intended to keep devices within the network connected, while keeping hackers and unwanted visitors out. The software and security industries set out to fix this problem by encrypting communications with protocols like SSL/TLS, HTTPS, SSH, SLADP, DNSSEC, IPSec, etc., yet networks continue to be breached. Unfortunately, these protocols on their own do not really move the needle and actually move us in the wrong direction since they are all based on TCP/IP.
In the traditional TCP/IP architecture, IP addresses serve as both machine location and identity, which creates problems and limits mobility and multi-homing. Vint Cerf, father of the Internet and inventor of TCP/IP, stated in an interview, “If I could turn back time, I would do a better job on trusted authentication and mobility, which we did a very poor job with and are paying for now, with additional hard work.” This dual use of an IP address is the cause of most security and networking challenges today. TCP/IP is a promiscuous protocol: it is designed to communicate with anything, and does so using non-verifiable attributes like IP addresses, Classless Inter-Domain Routing (CIDR) blocks, ports, and Virtual LANs (VLANs). IP-based solutions simply are not architected to connect endpoints and enforce access control based on verifiable machine identity, authentication, and authorization.
Because the IP address was meant only to locate a host, pressing it into service as an identity as well leaves the architecture without the basic mechanisms for flexibility and security. This flawed architecture forces IT teams to perform time-consuming and meticulous tasks on a daily basis: box-by-box configuration of switching, routing, firewall rules and VPN policies, creating VLANs and mapping them across switches and uplinks, and so forth. It is an ineffective and costly process.
Host Identity Protocol (HIP): The ultimate zero trust protocol
In order to address this fundamental flaw in TCP/IP, enterprises are turning to the Host Identity Protocol (HIP), an open IETF standard. In 2015, HIP was adopted by the IETF as a networking security protocol standard. Beyond being inherently secure, one of its most important properties is that HIP is both backward and forward compatible with any IP-based network, application or resource.
HIP provides verifiable, immutable identity and is the ultimate zero trust protocol. Unlike TCP/IP, HIP is monogamous and only allows connectivity between trusted HIP-enabled endpoints. HIP authenticates and authorizes a machine before TCP session establishment. It introduces a layer between the transport and network layers of the TCP/IP stack that maps host identifiers to network locations, separating the two conflicting roles of IP addresses. (See Figure 1.)
Figure 1: HIP separates the role of IP address as both host identity and location. It enables you to define network trust relationships by identity at the host or machine level.
HIP is Inherently Secure and Mobile
HIP brings native security and mobility to networking without having to change existing infrastructure. With HIP, we can move beyond routing to the concept of orchestration, where network trust relationships are defined by a verifiable identity at the device level, while still using traditional IP addressing for location across the Internet. HIP is secure by default and not vulnerable to common threats like DoS (Denial of Service) and MiTM (Man in the Middle) attacks. This identity-first architecture transitions us from vulnerable and complex ‘address-defined’ networking to ‘identity-defined’ networking.
The main building block of the HIP protocol is the HIP 4-way base exchange, used to establish a pair of IPsec security associations between two hosts. (See Figure 2.) The base exchange is built around a classic authenticated Diffie-Hellman key exchange. No certificates are required for the authentication because HIP identities are self-certifying: a Host Identity Tag is derived from the host’s own public key, so a peer can check that binding directly. The protocol can be compared with key exchange protocols such as IKE (Internet Key Exchange), but without the same overhead or management complexity.
Only provable host identities are recognized, creating an automatic and manageable process for whitelisting at scale. Compare this to traditional IP networking and SDN, where authentication and authorization occur between machines only after data communications have been established.
Figure 2. The 4-way base exchange is invoked prior to establishing a TCP session and forms a security association between mutually authenticated and authorized HIP Services. The base exchange consists of four messages in two round-trip times, which distributes Diffie-Hellman keys and authenticates the hosts.
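The four-message exchange in Figure 2, and the whitelisting it enables, as an added example in Go. This is not code from the article or from Tempered Networks, and it simplifies the real protocol: the Host Identity Tag is a truncated SHA-256 of the DER-encoded public key rather than the ORCHID encoding, the Diffie-Hellman step uses ECDH on P-256, the puzzle difficulty is fixed at 12 bits, R2’s key confirmation is reduced to checking that both sides derived the same key, and the messages are plain byte concatenations rather than HIP packets. The names Host, NewHost, verifyPeer, puzzleOK and BaseExchange are this example’s own. What it shows is the order of checks that gives HIP its properties: the responder commits no state on I1, checks the cheap puzzle before doing any signature work on I2, and each side verifies that the peer’s HIT is the hash of the presented identity and is on its whitelist before it trusts a signature.

```go
// Added example (not the article's or Tempered Networks' code): a simplified, in-process
// model of the HIP base exchange I1 -> R1 -> I2 -> R2 with self-certifying host identities.
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
)

// HIT = truncated SHA-256 of the DER public key (assumption; real HIP uses ORCHID, RFC 7343).
func hitOf(hiDER []byte) [16]byte {
	sum := sha256.Sum256(hiDER)
	return [16]byte(sum[:16])
}

type Host struct {
	HI      *ecdsa.PrivateKey // long-term Host Identity key pair
	HIDER   []byte            // its public half, DER encoded, carried in R1 / I2
	HIT     [16]byte
	Allowed map[[16]byte]bool // whitelist of peer HITs this host will talk to
}

func NewHost() *Host {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.MarshalPKIXPublicKey(&k.PublicKey)
	return &Host{HI: k, HIDER: der, HIT: hitOf(der), Allowed: map[[16]byte]bool{}}
}

// verifyPeer: the claimed HIT must hash from the presented HI (so no certificate is needed),
// be on this host's whitelist, and the message must carry a valid signature by that HI.
func verifyPeer(h *Host, hit [16]byte, hiDER, msg, sig []byte) error {
	pub, err := x509.ParsePKIXPublicKey(hiDER)
	ecPub, _ := pub.(*ecdsa.PublicKey)
	d := sha256.Sum256(msg)
	switch {
	case hitOf(hiDER) != hit || !h.Allowed[hit]:
		return errors.New("HIT not bound to the presented host identity, or not whitelisted")
	case err != nil || ecPub == nil || !ecdsa.VerifyASN1(ecPub, d[:], sig):
		return errors.New("bad signature")
	}
	return nil
}

// puzzleOK: low 12 bits (assumed difficulty K) of SHA-256(I | HIT-I | HIT-R | J) must be zero.
func puzzleOK(I [8]byte, hitI, hitR [16]byte, J uint64) bool {
	sum := sha256.Sum256(bytes.Join([][]byte{I[:], hitI[:], hitR[:], binary.BigEndian.AppendUint64(nil, J)}, nil))
	return binary.BigEndian.Uint64(sum[24:])&0xfff == 0
}

// BaseExchange plays both sides and returns the session key, or the first rejected step.
func BaseExchange(ini, rsp *Host) ([]byte, error) {
	if !rsp.Allowed[ini.HIT] { // I1 (ini -> rsp) carries only the HITs; an unknown HIT is dropped statelessly
		return nil, errors.New("responder drops I1: initiator HIT not whitelisted")
	}
	var I [8]byte // R1 (rsp -> ini): puzzle nonce I, responder DH share and HI, signed by that HI
	rand.Read(I[:])
	rDH, _ := ecdh.P256().GenerateKey(rand.Reader)
	r1 := bytes.Join([][]byte{rsp.HIT[:], I[:], rDH.PublicKey().Bytes(), rsp.HIDER}, nil)
	r1Hash := sha256.Sum256(r1)
	r1Sig, _ := ecdsa.SignASN1(rand.Reader, rsp.HI, r1Hash[:])
	if err := verifyPeer(ini, rsp.HIT, rsp.HIDER, r1, r1Sig); err != nil {
		return nil, fmt.Errorf("initiator rejects R1: %w", err)
	}
	var J uint64 // the initiator brute-forces the puzzle (~2^K hashes); checking it costs one hash
	for !puzzleOK(I, ini.HIT, rsp.HIT, J) {
		J++
	}
	iDH, _ := ecdh.P256().GenerateKey(rand.Reader) // I2 (ini -> rsp): J, initiator DH share and HI, signed
	i2 := bytes.Join([][]byte{ini.HIT[:], binary.BigEndian.AppendUint64(nil, J), iDH.PublicKey().Bytes(), ini.HIDER}, nil)
	i2Hash := sha256.Sum256(i2)
	i2Sig, _ := ecdsa.SignASN1(rand.Reader, ini.HI, i2Hash[:])
	if !puzzleOK(I, ini.HIT, rsp.HIT, J) { // cheap check first, before any signature verification
		return nil, errors.New("responder rejects I2: bad puzzle solution")
	}
	if err := verifyPeer(rsp, ini.HIT, ini.HIDER, i2, i2Sig); err != nil {
		return nil, fmt.Errorf("responder rejects I2: %w", err)
	}
	rShared, _ := rDH.ECDH(iDH.PublicKey()) // each side derives keying material bound to the HIT pair
	iShared, _ := iDH.ECDH(rDH.PublicKey())
	keyR := sha256.Sum256(bytes.Join([][]byte{rShared, ini.HIT[:], rsp.HIT[:]}, nil))
	keyI := sha256.Sum256(bytes.Join([][]byte{iShared, ini.HIT[:], rsp.HIT[:]}, nil))
	if keyR != keyI { // R2 (rsp -> ini) carries an HMAC under keyR; what it proves is agreement on this key
		return nil, errors.New("initiator rejects R2: key confirmation failed")
	}
	return keyI[:], nil
}

func main() {
	a, b := NewHost(), NewHost()
	a.Allowed[b.HIT], b.Allowed[a.HIT] = true, true
	fmt.Println(BaseExchange(a, b)) // 32-byte key and <nil>; a host off the whitelist gets an error instead
}
```

Requires Go 1.20 or later for crypto/ecdh. BaseExchange returns an error naming the step at which a non-whitelisted or mis-bound identity was rejected; that rejection happens before any transport session exists, which is the enforcement point the article describes.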
HIP: a potent 3-in-1 protocol
HIP eliminates the complexity and constraints that make secure networking difficult, if not impossible. HIP allows consenting hosts to securely establish and maintain shared IP-layer state, enabling separation of the identifier and locator roles of IP addresses. The separation of location and identity removes many of the constraints we face with traditional and so-called ‘next generation’ IP networking, eliminating conflicts and making direct device-to-device connections possible, no matter where the devices are located.
Zero trust networking is only feasible with zero touch networking
The most effective way to secure and manage networks is to start with zero trust and “whitelist” each device that is authorized to connect to the network. You then deal only with trusted devices and exclude everything else. The historical problem with this approach is that it typically requires manual intervention, which usually leads to abandonment or, worse, to ignoring policy. The difficulties of whitelisting stem from the computing world’s reliance on IP addressing to establish access and authentication. The challenge with relying on an IP address for identity is that it can be “spoofed” to impersonate a trusted device or to conceal the true identity of a device accessing a network.
Tempered Networks instead promotes HIP with trust based on ‘provable’ Cryptographic IDentities (CIDs) through its Identity Defined Networking (IDN) platform. To realize the vision of host identity enabled on every IP-based device, a new management paradigm is needed. (See Figure 3.) It requires scalability, policy-based orchestration, and compatibility of HIP Services with any O/S, hypervisor, container, or hardware platform in order to realize the vision of HIP Services everywhere, creating “a secure and mobile Internet”.
Figure 3. The IDN architecture incorporates a fully encrypted fabric that is orchestrated through a simple policy-based orchestration engine. Identity-based micro-segmentation and trust can be bound to any IDN enforcement point, where only whitelisted and trusted devices can join the fabric. Identity-based routing enables macro-segmentation to span subnets and whole network domains.
With IDN, nothing is exposed to the Internet because routing and access control are determined by verifiable machine identities between endpoints, instead of ephemeral IP addresses. Secure peer-to-peer connectivity and segmentation across the LAN, WAN and Internet is now possible. Unlike the traditional networking and SDN technologies available today, IDN does not tie machine identity to an IP address of the underlying network. With connectivity no longer based on the IP address alone, you achieve unprecedented flexibility, including:
- Unrestricted mobility of traffic flows
- Freedom from IP conflicts
- Seamless NAT and CGNAT traversal
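The identifier/locator split described above, and the first two benefits just listed (mobility of flows and freedom from IP conflicts), as an added Go example; it is not code from the article or from Tempered Networks. It assumes a 16-byte HIT, a session key handed over from the base exchange, and an UPDATE authenticated only by an HMAC under that key plus a sequence number. Real HIP UPDATE packets also carry a signature by the Host Identity, and the peer runs a return-routability check on the new address before sending traffic to it; NAT traversal (the third benefit) is not modelled. The type and function names (SessionTable, MakeUpdate, ApplyUpdate) and the sample HITs, keys and addresses are constructed for the example.

```go
// Added example (not the article's or Tempered Networks' code): a session table keyed by
// host identity, where an address change is an authenticated UPDATE on the existing session.
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

type HIT [16]byte

// Session: the security association exists between two identities; the locator is mutable state.
type Session struct {
	Locator netip.AddrPort // where the peer is reachable right now
	Key     []byte         // keying material from the base exchange
	Seq     uint32         // highest accepted UPDATE sequence number (replay protection)
}

// SessionTable indexes by peer HIT, never by address, so two peers that happen to use the
// same private IP (for example behind different NATs) stay distinct.
type SessionTable struct{ byHIT map[HIT]*Session }

func NewSessionTable() *SessionTable { return &SessionTable{byHIT: map[HIT]*Session{}} }

func (t *SessionTable) Add(peer HIT, loc netip.AddrPort, key []byte) {
	t.byHIT[peer] = &Session{Locator: loc, Key: key}
}

func (t *SessionTable) Locator(peer HIT) (netip.AddrPort, bool) {
	s, ok := t.byHIT[peer]
	if !ok {
		return netip.AddrPort{}, false
	}
	return s.Locator, true
}

// Update announces a new locator. Here it is authenticated with an HMAC under the session key
// (assumption for this model; real HIP UPDATE packets carry an HMAC and an HI signature, and
// the peer verifies the new address with a return-routability check before using it).
type Update struct {
	Peer   HIT
	Seq    uint32
	NewLoc netip.AddrPort
	MAC    []byte
}

func updateMAC(key []byte, seq uint32, loc netip.AddrPort) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(binary.BigEndian.AppendUint32(nil, seq))
	m.Write([]byte(loc.String()))
	return m.Sum(nil)
}

func MakeUpdate(peer HIT, key []byte, seq uint32, loc netip.AddrPort) Update {
	return Update{Peer: peer, Seq: seq, NewLoc: loc, MAC: updateMAC(key, seq, loc)}
}

// ApplyUpdate moves a peer only if it already has a session, the sequence number is fresh and
// the MAC verifies under that session's key; anything else is dropped without touching state.
func (t *SessionTable) ApplyUpdate(u Update) error {
	s, ok := t.byHIT[u.Peer]
	switch {
	case !ok:
		return errors.New("UPDATE from unknown identity dropped")
	case u.Seq <= s.Seq:
		return errors.New("replayed or stale UPDATE dropped")
	case !hmac.Equal(u.MAC, updateMAC(s.Key, u.Seq, u.NewLoc)):
		return errors.New("UPDATE with bad MAC dropped")
	}
	s.Seq, s.Locator = u.Seq, u.NewLoc
	return nil
}

func main() {
	// Constructed sample data: two peers that both sit at 10.0.0.5 in different private networks.
	alice, bob := HIT{1}, HIT{2}
	keyA, keyB := []byte("constructed-key-alice"), []byte("constructed-key-bob")
	tbl := NewSessionTable()
	tbl.Add(alice, netip.MustParseAddrPort("10.0.0.5:10500"), keyA)
	tbl.Add(bob, netip.MustParseAddrPort("10.0.0.5:10500"), keyB)
	// Alice roams: a valid UPDATE moves her session and leaves Bob's untouched.
	fmt.Println(tbl.ApplyUpdate(MakeUpdate(alice, keyA, 1, netip.MustParseAddrPort("203.0.113.7:10500"))))
	fmt.Println(tbl.Locator(alice))
	// An UPDATE built with a key that is not Alice's session key is dropped.
	fmt.Println(tbl.ApplyUpdate(MakeUpdate(alice, keyB, 2, netip.MustParseAddrPort("198.51.100.9:10500"))))
}
```

Because sessions are keyed by identity, the two peers at 10.0.0.5 never collide, and a roaming peer keeps its session and key across the address change; a locator change that cannot be tied to the session key, or that replays an old sequence number, is dropped before it alters where traffic is sent.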
With IDN and HIP, the big pay-off is through the automated orchestration of policies using the IDN orchestration engine. Zero touch networking ensures CIDs can be automatically verified and authorized within an IDN overlay—without the need to modify the underlying network.
Beyond segmentation and software defined networking
Given the growth of breaches, it is clearly becoming more difficult for organizations to keep up with security. And while network segmentation has long been a best practice, many enterprises’ initial attempts to implement a sustainable micro-segmentation strategy have failed due to complexity and cost, leading to continued security and compliance gaps.
Figure 4. A unified secure networking fabric is now possible spanning any IP resource, location and link medium with little to no modification of the network and security underlay or applications. Devices can be automatically or manually segmented, migrated, failed over or revoked within the encrypted overlay. Even if a device were compromised, the reach of an attacker is isolated by preventing lateral movement within the network.
Eliminate complexity by unifying networking and security
The aging Internet communications model of ubiquitous access is not well suited for today’s world of device proliferation and state-sponsored espionage and hacking. HIP-based solutions enable a new era of SDN that breaks with the antiquated Internet networking model of “smart” end devices and “dumb” network pipes.
The answer is simple. Start with zero trust and eliminate complexity by unifying networking and security, rather than treating them as two separate initiatives. Then, automate the complicated, error-prone, and time-consuming work through orchestration based on provable CIDs. Together, this gives organizations the ability to build well-orchestrated software defined networks that are inherently secure, mobile and scalable, in minutes rather than days or weeks.
Erik is the VP of Products at Tempered Networks, where he is responsible for product strategy and go-to-market execution for the company. Prior to Tempered, Erik served on the executive team at ExtraHop Networks as the SVP of Marketing and Business Development. During his four-year tenure at ExtraHop, Erik and his team helped grow revenue 15x, taking ExtraHop from a startup to the market leader in IT Operations Analytics. Before ExtraHop, Erik was the SVP of Product Management and Product Marketing at F5 Networks, where he was responsible for the go-to-market strategy for the company’s flagship BIG-IP application delivery controller products.