Granular Network Security with Microsegmentation and Host Identity Protocol

My last post advocated OT/IT convergence to better protect critical infrastructure that is increasingly being connected to the Internet.  The primary motivation for convergence is to avoid catastrophic damage of an unprecedented scale that can be caused by a cyberattack.

Companies are deploying advanced networking technologies to deliver services to increasingly remote and mobile users faster and more effectively than ever before.  IT networks – traffic bottlenecks until the recent past – are migrating toward software-defined network (SDN) architectures and hyper-converged infrastructure (HCI) to provide greater management and control over the delivery of these services.

However, as these networks carry ever-growing volumes of IIoT (Industrial Internet of Things) data generated by industrial control systems (ICSs) and the myriad devices connected to the network, the attack surface expands sharply.  This puts at risk not only the data but, more dangerously, control over the physical infrastructure itself.

This post explores microsegmentation as a strategy to provide more granular security in order to minimize an attacker’s ability to compromise an entire network and wreak havoc with critical infrastructure.  Then, we’ll look at Host Identity Protocol (HIP) as a layered security approach to facilitate success with microsegmentation.

Microsegmentation for Greater Security

Network segmentation is a defense strategy to prevent an attacker from moving laterally within a network.  This type of lateral movement is also known as east-west traffic.

The most basic form of segmentation is a host connected to the Internet with a firewall in between.  The firewall is intended to protect the host from the Internet.  This is commonly referred to as north-south traffic.

Security teams use VLANs and Layer 3 network interfaces to segment the network further.  A firewall zone, or a DMZ, can also reduce the attack surface within a network.

But because there may be many hosts within a DMZ, none of these provides adequate security on its own.  First, by default the network allows all traffic to pass between VLANs.  And since the access control lists (ACLs) on routers are managed separately from firewall rules, the result can be increased congestion and complexity.

East-west traffic bypasses firewalls and intrusion prevention systems (IPSs), which inspect and secure traffic coming into the data center in a north-south direction.  If multiple hosts reside within a DMZ, an attacker can still move laterally if they’ve penetrated the zone.  Deploying firewalls – even virtual ones – at every interconnection point to inspect east-west traffic flows is expensive and adds to management headaches, including significantly increasing the number of alerts.  And as more virtualized hosts become part of the infrastructure, not only does cost and complexity rise, but scalability can become an issue too.

Besides, attackers have learned how to circumvent firewalls to gain access to secure data, often using social engineering such as phishing to compromise a client and its credentials.  Once inside the internal network, they gain access to more and more east-west traffic as the compromised host communicates with other hosts within its zone.

A more granular approach

Microsegmentation represents a more granular approach to preventing lateral movement between hosts.  It allows secure communications policies to be configured down to the individual workload, virtual machine (VM) or network interface.  Secure zones can be created around isolated workloads, with only necessary actions and connections permitted.  Everything else is blocked, effectively limiting the attacker’s ability to move laterally.

Moreover, these policies move with a VM or workload through migrations or network configuration changes.  This ability to follow the workload makes the policies more persistent than those of hardware-based firewalls, which restrict access based on IP addresses or other network-based rules.

Finally, microsegmentation delivers efficiencies.  By defining granular security zones in software, it’s easier to manage and scale than myriad access control lists, routing rules and firewall policies.
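The following Go program is an added example, not code from the original post or from any microsegmentation product.  It models the allow-list style of policy described above: rules are written in terms of workload identities rather than addresses, every flow that no rule explicitly permits is denied, and when a workload migrates to a new address only the address-to-identity inventory changes while the policy stays untouched.  The three-tier workloads (web, app, db), their addresses and the port numbers are constructed for the example.

```go
package main

import "fmt"

// Flow is one connection attempt as observed on the wire, by IP address.
type Flow struct {
	SrcIP, DstIP string
	Port         int
	Proto        string
}

// Rule is one explicit allow entry, written in workload identities rather
// than addresses. Port 0 means "any port" (a convention of this example).
type Rule struct {
	Src, Dst string
	Port     int
	Proto    string
}

// Policy is an allow-list: a flow is permitted only when a rule matches it.
type Policy struct{ rules []Rule }

func (p *Policy) Allow(src, dst string, port int, proto string) {
	p.rules = append(p.rules, Rule{src, dst, port, proto})
}

// Inventory maps a workload's current location (IP) to its identity. When a
// VM migrates only this mapping changes; the Policy is left untouched.
type Inventory map[string]string

// Migrate records that workload id now lives at newIP instead of oldIP.
func (inv Inventory) Migrate(id, oldIP, newIP string) {
	if inv[oldIP] == id {
		delete(inv, oldIP)
	}
	inv[newIP] = id
}

// Decide resolves both endpoints to identities and applies default deny.
// It returns the verdict and a reason suitable for an audit log.
func Decide(inv Inventory, p *Policy, f Flow) (bool, string) {
	src, ok := inv[f.SrcIP]
	if !ok {
		return false, "deny: unknown source " + f.SrcIP
	}
	dst, ok := inv[f.DstIP]
	if !ok {
		return false, "deny: unknown destination " + f.DstIP
	}
	for _, r := range p.rules {
		if r.Src == src && r.Dst == dst && r.Proto == f.Proto && (r.Port == 0 || r.Port == f.Port) {
			return true, fmt.Sprintf("allow: %s -> %s %s/%d", src, dst, f.Proto, f.Port)
		}
	}
	return false, fmt.Sprintf("deny: no rule for %s -> %s %s/%d", src, dst, f.Proto, f.Port)
}

// SampleEnvironment builds a constructed three-tier application (web, app,
// db) in which only the two flows the application needs are permitted.
func SampleEnvironment() (Inventory, *Policy) {
	inv := Inventory{"10.0.1.10": "web", "10.0.2.10": "app", "10.0.3.10": "db"}
	p := &Policy{}
	p.Allow("web", "app", 8443, "tcp")
	p.Allow("app", "db", 5432, "tcp")
	return inv, p
}

func main() {
	inv, p := SampleEnvironment()
	flows := []Flow{
		{"10.0.1.10", "10.0.2.10", 8443, "tcp"}, // web -> app: permitted
		{"10.0.1.10", "10.0.3.10", 5432, "tcp"}, // web -> db: lateral move, denied
		{"10.0.2.10", "10.0.1.10", 22, "tcp"},   // app -> web ssh: denied
	}
	for _, f := range flows {
		_, why := Decide(inv, p, f)
		fmt.Println(why)
	}
	// The app tier migrates to a new address; the policy is not edited.
	inv.Migrate("app", "10.0.2.10", "10.0.9.77")
	_, why := Decide(inv, p, Flow{"10.0.1.10", "10.0.9.77", 8443, "tcp"})
	fmt.Println(why) // still allowed at the new address
	_, why = Decide(inv, p, Flow{"10.0.1.10", "10.0.2.10", 8443, "tcp"})
	fmt.Println(why) // the old address no longer maps to any workload
}
```

The design point is that the decision is keyed by identity, so the east-west path web -> db is denied even though both hosts sit inside the same trusted network, and a migration is a one-line inventory update rather than a rewrite of ACLs and firewall rules.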

Host Identity Protocol (HIP): Zero Trust Security

HIP is one approach to successful microsegmentation.  It only allows whitelisted communication between trusted endpoints, which must mutually authenticate before a TCP session is established.

HIP is based on the zero-trust model of cybersecurity, a term originally coined by Forrester Research.  The premise of the zero-trust model is that neither internal nor external networks can be trusted.  With the evolution toward hybrid cloud environments, persistence of policy is critical, because the need for security follows the workload wherever it runs.

Every device connected to the Internet has an address.  This address provides two pieces of vital information about a device:

  1. The Domain Name System, or DNS, tells us which network the device is connected to (i.e. a government, corporate or personal home network);
  2. An IP address, which is a unique identifier for that device that tells other devices on the network how to communicate with it.

HIP (Host Identity Protocol) provides a network-layer alternative to using Secure Sockets Layer/Transport Layer Security (SSL/TLS) for application security.  HIP separates the role of host (device) identity from that of its network location.

It replaces the unique IP address as identifier with a host identity (HI) namespace.  An HI is a cryptographic identifier based on public-key cryptography, and it is most often self-generated by the device/host itself.  Thus, the host, or device, can maintain its connection to the network while its identity remains cloaked.

Since host identities are based on public-key cryptography, they are computationally difficult to forge.  As a result, HIP helps defend against DDoS, man-in-the-middle (MITM), IP spoofing and other network- and transport-layer attacks.  In essence, intruders cannot attack devices they cannot see.

HIP is easier to deploy and manage because it overlays the TCP/IP stack.  It requires no configuration changes on the local devices it is protecting.  It also enables host mobility and multi-homing, or device/host connections to multiple networks.
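The following Go program is an added illustration, not code from the original post or from any HIP implementation.  It models a host identity as an Ed25519 key pair generated on the host, derives a Host Identity Tag (HIT) from the public key (simplified here to the ORCHID prefix 2001:20::/28 followed by 100 bits of SHA-256 of the key; the real ORCHIDv2 construction in RFC 7343 differs in detail), runs a challenge-response in both directions so each side proves possession of its private key, and applies a whitelist keyed by HIT rather than by IP address.  The host addresses and the nonce scheme are constructed assumptions; the real HIP base exchange (RFC 7401) is a four-packet Diffie-Hellman handshake with puzzles, which this does not reproduce.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"net"
)

// Host pairs a self-generated Host Identity (an Ed25519 key pair) with its
// current locator (IP address); the locator may change, the identity does not.
type Host struct {
	HI      ed25519.PublicKey
	priv    ed25519.PrivateKey
	Locator net.IP
}

// NewHost generates the identity on the host itself, as HIP hosts usually do.
func NewHost(ip string) (*Host, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Host{HI: pub, priv: priv, Locator: net.ParseIP(ip)}, nil
}

// HIT derives a 128-bit Host Identity Tag: the ORCHID prefix 2001:20::/28
// followed by 100 bits of SHA-256(HI). Simplified assumption for this example;
// the real ORCHIDv2 encoding (RFC 7343) differs in detail.
func HIT(hi ed25519.PublicKey) net.IP {
	sum := sha256.Sum256(hi)
	hit := make(net.IP, 16)
	copy(hit, sum[:16])
	hit[0], hit[1], hit[2] = 0x20, 0x01, 0x00
	hit[3] = 0x20 | (hit[3] & 0x0f) // high nibble is prefix, low nibble is hash
	return hit
}

// Credential is what a peer presents: its claimed HIT, the public key behind
// it, and a signature over the verifier's fresh challenge.
type Credential struct {
	HIT net.IP
	HI  ed25519.PublicKey
	Sig []byte
}

// Prove answers a challenge; only the holder of the private key can do so.
func (h *Host) Prove(challenge []byte) Credential {
	return Credential{HIT: HIT(h.HI), HI: h.HI, Sig: ed25519.Sign(h.priv, challenge)}
}

// Verify checks that the claimed HIT belongs to the presented key and that
// the signature proves possession of the private key. IP addresses play no
// part, so a spoofed address gains nothing.
func Verify(c Credential, challenge []byte) error {
	if len(c.HI) != ed25519.PublicKeySize {
		return errors.New("malformed host identity")
	}
	if !HIT(c.HI).Equal(c.HIT) {
		return errors.New("HIT does not match the presented host identity")
	}
	if !ed25519.Verify(c.HI, challenge, c.Sig) {
		return errors.New("signature invalid: peer does not hold the private key")
	}
	return nil
}

// Allowlist is a whitelist keyed by HIT, so it follows a host across moves.
type Allowlist map[string]bool

// MutualAuth runs challenge-response in both directions and applies each
// side's allowlist; a TCP session would be opened only if it returns nil.
func MutualAuth(init, resp *Host, initAllow, respAllow Allowlist) error {
	n1, n2 := make([]byte, 32), make([]byte, 32)
	_, _ = rand.Read(n1) // fresh challenges; crypto/rand error ignored for brevity
	_, _ = rand.Read(n2)
	ci := init.Prove(n1) // initiator answers the responder's challenge
	if err := Verify(ci, n1); err != nil {
		return fmt.Errorf("responder rejects initiator: %w", err)
	}
	if !respAllow[ci.HIT.String()] {
		return errors.New("responder policy: initiator HIT not whitelisted")
	}
	cr := resp.Prove(n2) // responder answers the initiator's challenge
	if err := Verify(cr, n2); err != nil {
		return fmt.Errorf("initiator rejects responder: %w", err)
	}
	if !initAllow[cr.HIT.String()] {
		return errors.New("initiator policy: responder HIT not whitelisted")
	}
	return nil
}

func main() {
	web, _ := NewHost("10.0.1.10")
	db, _ := NewHost("10.0.3.10")
	webAllow := Allowlist{HIT(db.HI).String(): true}
	dbAllow := Allowlist{HIT(web.HI).String(): true}
	fmt.Println("web <-> db:", MutualAuth(web, db, webAllow, dbAllow))
	web.Locator = net.ParseIP("192.0.2.7") // web moves; identity and policy unchanged
	fmt.Println("after move:", MutualAuth(web, db, webAllow, dbAllow))
}
```

Two checks carry the security argument: the HIT must be the hash of the presented key, so a tag cannot be claimed with a different key, and the signature must verify under that key, so a key cannot be presented without its private half.  Because neither check looks at the locator, the same whitelist keeps working after the host changes address, which is the mobility and multi-homing property described above.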

As more IIoT devices get connected to the Internet, a microsegmentation strategy using HIP represents a more secure, cost-effective and manageable complement to traditional security solutions such as firewalls, IPSs and SSL/TLS.  Protecting critical infrastructure becomes all the more important as companies and government entities deploy applications on various combinations of private and public clouds and networks that include more outsourced elements.