A few weeks ago I posted a blog entry suggesting that network perimeter security had begun to break down with the advent of the cloud and the use of ubiquitous mobile devices to access resources stored in the cloud. The need for these devices to have a secure yet transparent method of accessing cloud resources has surpassed the ability of current Internet protocols and solutions to provide one. This is leading to the development of a new solution where devices can securely and seamlessly access network resources without imposing a great burden on the cloud itself.
Network perimeter security focuses on the monitoring, inspection and firewalling of packets entering or leaving the cloud. However, the new problem that is emerging is that devices outside the network, such as tablets, laptops and smart phones, need secure access to these resources in the cloud at a level beyond what application layer security and/or firewalls provide.
Firewalls open up access to the cloud for any device, but their downfall is that they must process requests from every device that asks for access to cloud resources.
In this situation, if a device repeatedly requests access to the cloud but was previously determined to be a threat or not authorized for cloud access, these repeated requests chew up resources (CPU, memory, network) on the firewall. Aggravating the problem, it inhibits the cloud from processing the requests of those devices that have a legitimate need to access its resources.
This exposes a limitation of current Internet protocols: they do not support a strong authentication mechanism for authoritatively identifying these devices to the cloud. This leads to a situation where administrators need to rely solely on applications properly (and securely) authenticating users. But in so doing it opens up questions as to what occurs if the application is compromised before its authentication is complete.
A more elegant solution to this problem would be to authenticate the device before any data is transmitted, providing the type of device authentication that both those accessing the cloud and those providing cloud services increasingly need. So while the Internet has yet to catch up to this burgeoning corporate need, BlackRidge Technology has already developed both the software and hardware to give TCP this added capability.
BlackRidge is currently offering both a client side authentication driver as well as a standalone network appliance, the Transport Access Control (TAC) Gateway. While a bit oversimplified, the BlackRidge TAC technology works as follows:
- An application on the device sends a TCP/IP connection request to the operating system
- The TAC client driver adds the TAC authentication information to the very first packet (SYN)
- The packet is sent out to the internet and eventually to the TAC Gateway
- The BlackRidge TAC Gateway recognizes the TAC authentication information, and optionally inserts authentication information into the first response packet (SYN-ACK) providing mutual authentication
- The TAC Client completes the TCP connection and data begins to flow
- The TAC Gateway controls access to the cloud based on the authentication state of the traffic
The takeaway here is that each TCP packet from the device includes all the data necessary to identify itself to the TAC Gateway so decisions as to whether or not the device should be granted additional permissions can be made by the TAC gateway before a TCP session is even formally established.
This First Packet Authentication is one of the more important aspects of BlackRidge’s TAC technology. In its simplest form this determination is an on/off decision based on whether the packet contains TAC identity data. If no TAC identity data is present the packet is silently dropped. In more complex deployments, the TAC Gateway may send TAC identified traffic to one server and non-TAC traffic to a different server.
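To make the first-packet decision concrete, here is an added example that is not BlackRidge's code: a small model of a gateway that classifies a SYN on the identity data it carries, drops silently otherwise, and answers authenticated clients with a tag in the SYN-ACK for mutual authentication. The identity encoding (device id, timestamp and HMAC tag), the replay window and the server names are all assumptions for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed model, not BlackRidge's wire format: the TAC identity carried in the
# SYN is device_id (8 bytes) || unix_time (4 bytes) || HMAC-SHA256 tag (16 bytes),
# keyed with a per-device secret that the gateway also holds.
TAG_LEN = 16

def make_identity(device_id: bytes, key: bytes, now: int) -> bytes:
    body = device_id.ljust(8, b"\0")[:8] + struct.pack("!I", now)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

@dataclass
class Syn:
    src_ip: str
    identity: Optional[bytes]   # None models an ordinary, non-TAC SYN

class TacGateway:
    """First-packet authentication: decide on the SYN alone, before any handshake state exists."""
    def __init__(self, device_keys, auth_server, plain_server=None, window=30):
        self.keys, self.auth_server = device_keys, auth_server
        self.plain_server, self.window = plain_server, window

    def decide(self, syn: Syn, now: int):
        """Return (action, server, synack_identity). A drop creates no state and sends no
        reply, so an unauthorized sender sees the same silence as a closed port."""
        if syn.identity is None:
            # Simplest deployment: drop. Split deployment: steer non-TAC traffic to plain_server.
            return ("forward", self.plain_server, None) if self.plain_server else ("drop", None, None)
        if len(syn.identity) != 12 + TAG_LEN:
            return ("drop", None, None)
        body, tag = syn.identity[:12], syn.identity[12:]
        device_id, ts = body[:8].rstrip(b"\0"), struct.unpack("!I", body[8:])[0]
        key = self.keys.get(device_id)
        # Unknown device, bad tag and stale timestamp (replay) are indistinguishable to the sender.
        if key is None or not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]):
            return ("drop", None, None)
        if abs(now - ts) > self.window:
            return ("drop", None, None)
        # Mutual authentication: the gateway proves it holds the key by tagging the client's identity.
        synack = hmac.new(key, b"gw" + syn.identity, hashlib.sha256).digest()[:TAG_LEN]
        return ("forward", self.auth_server, synack)

def client_verify_synack(identity: bytes, key: bytes, synack: bytes) -> bool:
    """Client side of mutual authentication: check the tag the gateway put in the SYN-ACK."""
    return hmac.compare_digest(synack, hmac.new(key, b"gw" + identity, hashlib.sha256).digest()[:TAG_LEN])
```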
There are two deployments where this strategy can best be leveraged at this time:
- One, in environments where a cloud environment is being accessed from another cloud or an internal network. In this deployment both cloud providers would place BlackRidge TAC Gateways at their perimeters and leverage the devices to control TCP traffic between the two sites.
An example might be two cloud environments that exchange data with each other using REST or a similar web-based protocol. In this configuration any unauthorized device or network that attempts to communicate with either side of the connection is dropped immediately, reducing attack vectors and saving bandwidth.
- Two, remote clients needing access to cloud resources. This is the classic “road warrior” example. In this deployment all devices that need access to cloud resources install a proprietary driver on their device that adds TAC identity data to all outbound TCP packets. The organization would then install a TAC Gateway on the perimeter of its server network.
An example workflow here might be a corporate webmail application or even a web-based VPN. Devices such as sales-force laptops with TAC clients would be given access to the resources just as with a standard firewall that has a port opened to the internal resources.
There is another key difference from a standard firewall setup in both of these scenarios. On firewalls administrators are sometimes forced to leave ports open and trust user authentication at the application level to authorize the connection. By then it may be too late.
Using BlackRidge’s TAC Gateway that is avoided as the TCP session is never established. While this prevents an attack vector, it more importantly makes it appear to unauthorized devices that the port is not even open. This hides the network resources from port scans. Other options are available as well, including forwarding authenticated and non-authenticated sessions to different servers.
BlackRidge is currently in the late stages of its first beta. Its development road map already includes a virtualized TAC Gateway to ease adoption by users, as well as numerous improvements to the granularity of its packet filtering and bandwidth throttling capabilities.
A severe need for device-based authentication is emerging, driven in large part by the need for easy, secure access to cloud resources that does not disrupt performance. BlackRidge is in the early stages of providing a device authentication built into TCP/IP that does exactly that.
This is why any organization that is looking to store data in the cloud or provide cloud services is encouraged to investigate how TAC can fit into its current environment. Seamless, secure access of data stored in the cloud is not a luxury or a nice-to-have but a necessity that today’s network perimeter solutions are poorly equipped to provide. BlackRidge’s TAC solution gives organizations their first viable solution to address this mounting concern.