Certes Networks CryptoFlow Lays Security Overlay Atop Insecure Environments
Today, Certes Networks announced a new suite of CryptoFlow products, extending its enterprise security overlay capability across mobile, cloud and external partner environments. Many enterprises are still struggling to make cybersecurity gains by implementing network zoning or segmentation within their own networks, let alone across their borderless, Internet-based constituencies. Logical cryptographic controls can protect data in motion, isolate systems from inappropriate connections, and make it harder for cybercriminals to harvest and use stolen credentials.
Source: Certes Networks
What is a Security Overlay?
First, we need to understand the concept of network security zones as groups of systems with common protection or communication requirements. De-militarized zones (DMZs) for externally-exposed services are one type of zone; restricted zones with no direct communication to or from the Internet are another. In between, enterprises typically have more zones for data center servers, end user computing facilities, visitors and other types of workers. Zones are often established to constrain the scope of Payment Card Industry (PCI) audits or to meet contractual requirements, such as the separation of multiple tenants within a cloud computing environment. Network zoning is one of the protections I recommended to Mitigate Common Attack Paths at the Core in a previous post.
Zone boundaries are enforced by perimeters. Perimeters can be physical or logical. Physical perimeters are provided by dedicated firewalls, routers or other network access control devices. Hardware is relatively expensive and inflexible compared to software, and difficult to deploy outside the borders of the facilities and networks the enterprise “owns.” Logical perimeters, also called security overlays, are provided by cryptographic hardware and software running over open networks, which lets them be deployed potentially anywhere and used to create more granular boundaries. A ubiquitous example of a security overlay is a Virtual Private Network (VPN), which establishes an encrypted tunnel between sites, or between remote-access endpoints and enterprise networks.
Certes Networks Security Overlay
Whereas many VPNs comprise just a gateway appliance with support for standard encryption protocols and/or client software, Certes Networks now offers a broader array of transit points, or policy enforcement points (PEPs), for the overlay. With enough PEPs, a security overlay can become quite versatile. Take a look.
- CryptoFlow WAN: Certes Networks’ “traditional” product line offers site-to-site and cryptographic acceleration functionality.
- CryptoFlow LAN: A Windows endpoint-based cryptographic overlay with policy enforcement based on information in Active Directory. CryptoFlow LAN is similar in concept to Microsoft’s IPsec-based Server and Domain Isolation feature from the past decade.
- CryptoFlow virtual gateway support: Increased flexibility for gateway topology. Can deploy in VMware or KVM-based private clouds and smaller sites, or even piggyback on compatible routing and switching partners’ solutions.
- CryptoFlow Mobile: Announced today. The CryptoFlow App is available from mobile app stores to provision mobile VPN functionality and policy to company-owned or BYOD smartphones and tablets. The app provides a cryptographically-protected tunnel that reaches only the apps the user is authorized to use, according to policy information acquired via LDAP.
- CryptoFlow B2B: Announced today. Operates similarly to CryptoFlow LAN or CryptoFlow Mobile, but intended for external third-party suppliers and partners.
In summary, centralized policies configured via Certes Networks management tools and LDAP policy information stores are used to create logical network zones across a distributed WAN, LAN, virtual, mobile and B2B topology via the CryptoFlow enforcement points. Within the zones, access control is enforced at the network layer and data in motion is encrypted.
It’s important to note that Certes Networks provides no presentation layer functionality, leaving the overlay completely invisible to users when it is working correctly. Consider a simplistic but typical use case where CryptoFlow underlies a web portal that presents a menu of applications to users: as long as the portal personalizes each user’s menu using the same Active Directory groups that Certes is consulting for authorization, all would be well and the user could access everything he/she sees.
And here’s the goodness. If a hacker stole that user’s credentials and tried to access the app from another machine, the attempt would fail: the tunnel is only built between enrolled enforcement points in zones the policy permits to communicate, so a valid username and password alone do not buy network reachability. The flip side is that malware running on the authorized user’s own enrolled endpoint inherits that endpoint’s reachability, so the overlay complements, rather than replaces, endpoint protection.
Could CryptoFlow have Protected Target, Home Depot and Others from their Breaches?
In my briefing with Certes Networks, Chief Marketing Officer Adam Boone argued that appropriate use of CryptoFlow could have prevented Target, Home Depot and many other companies from being breached through third party suppliers and/or remote access abuse. Previously, we covered the many lessons learned from Target. We listed things that Target could and should have done to prevent (reportedly) an air conditioning vendor’s account from being exploited to gain entry into the network and somehow introduce memory-scraping malware (widely reported as BlackPOS) on multiple Point of Sale (POS) devices in the stores, and then to prevent the credit card data from being exfiltrated via staging servers.
Hypothetically speaking: Zoning could have been an effective preventive control against the Target breach as we understand it. If Target had configured at least its PCI-scoped network environment into a strict zoning model using CryptoFlow LAN Enforcer software and policies, only designated systems could have reached the POS devices, and those systems should not have included third party supplier endpoints or most of the services the third parties had access to. Even if a hacker could discover the domain names or addresses of the POS devices, he/she would not have been able to connect to them through the security overlay. Unable to attack over the network (i.e. by exploiting an exposed vulnerability), the hacker would have had to find another attack vector. Similarly, security overlays based on CryptoFlow might have inhibited the attacker from gaining access to a staging server and exfiltrating the credit card data, although an overlay only blocks paths the policy forbids; any outbound path a zone is still permitted to use remains available for exfiltration.
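To make the zoning argument concrete, here is a small policy evaluator modelling the decision an enforcement point would make before building a tunnel, covering both the stolen-credential case from the earlier section and the hypothetical PCI zoning model above. This is an added illustration written for this post, not Certes Networks code, and it knows nothing about how CryptoFlow actually represents policy; the zone names, directory groups, hostnames, the rule format and the sample inventory are all constructed for the example. Access is default-deny, and a request is allowed only when both hosts are enrolled enforcement points, the zone pair is explicitly permitted, and the user holds the directory group the rule requires.

```python
"""Illustrative zone-policy evaluator for a cryptographic security overlay.

Added example, not Certes Networks code. It models the three checks an
enforcement point (PEP) would apply before tunnelling traffic between two
endpoints. All zones, groups, hostnames and rules below are constructed
sample data standing in for a directory (LDAP/AD) and an asset inventory.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Endpoint:
    host: str
    zone: str
    enrolled: bool  # True if the host runs an enforcement point with valid overlay keys


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    required_group: Optional[str]  # directory group the user must hold; None = any user


# Constructed sample directory: user -> groups (assumed, not from a real AD).
DIRECTORY_GROUPS: Dict[str, Set[str]] = {
    "alice": {"pos-admins", "staff"},
    "bob": {"staff"},
    "hvac-tech": {"vendor-hvac"},
}

# Constructed sample inventory: which hosts are enrolled PEPs and in which zone.
ENDPOINTS: Dict[str, Endpoint] = {
    "pos-mgmt-01": Endpoint("pos-mgmt-01", "pos-mgmt", True),
    "pos-register-17": Endpoint("pos-register-17", "pos", True),
    "hvac-vendor-laptop": Endpoint("hvac-vendor-laptop", "vendor", True),
    "hvac-portal": Endpoint("hvac-portal", "vendor-services", True),
    "cafe-laptop": Endpoint("cafe-laptop", "internet", False),
}

# Centralised policy: only listed zone pairs may talk; everything else is dropped.
# Note there is deliberately no rule from the "vendor" zone into "pos".
POLICY: List[Rule] = [
    Rule("pos-mgmt", "pos", "pos-admins"),
    Rule("vendor", "vendor-services", "vendor-hvac"),
]


def evaluate(user: str, src_host: str, dst_host: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a tunnel request src_host -> dst_host on behalf of user."""
    src = ENDPOINTS.get(src_host)
    dst = ENDPOINTS.get(dst_host)
    # Check 1: both ends must be enrolled PEPs. An unknown or unenrolled host cannot
    # complete the overlay handshake, whatever credentials it presents.
    if src is None or not src.enrolled:
        return False, f"{src_host} is not an enrolled enforcement point"
    if dst is None or not dst.enrolled:
        return False, f"{dst_host} is not an enrolled enforcement point"
    # Check 2: the zone pair must be explicitly permitted (default deny).
    rule = next((r for r in POLICY if r.src_zone == src.zone and r.dst_zone == dst.zone), None)
    if rule is None:
        return False, f"no rule permits zone {src.zone!r} -> {dst.zone!r}"
    # Check 3: the user must hold the group the rule requires, as recorded in the directory.
    if rule.required_group and rule.required_group not in DIRECTORY_GROUPS.get(user, set()):
        return False, f"{user} is not in group {rule.required_group!r}"
    return True, f"{user}@{src.zone} -> {dst.zone} permitted by rule"


if __name__ == "__main__":
    cases = [
        ("alice", "pos-mgmt-01", "pos-register-17"),         # legitimate POS admin
        ("bob", "pos-mgmt-01", "pos-register-17"),           # right machine, wrong group
        ("alice", "hvac-vendor-laptop", "pos-register-17"),  # alice's stolen creds, vendor zone
        ("alice", "cafe-laptop", "pos-register-17"),         # alice's stolen creds, unenrolled host
        ("hvac-tech", "hvac-vendor-laptop", "hvac-portal"),  # vendor doing vendor work
    ]
    for user, src, dst in cases:
        ok, why = evaluate(user, src, dst)
        print(f"{'ALLOW' if ok else 'DENY':5} {user:9} {src:18} -> {dst:16} ({why})")
```

Run it directly and the two stolen-credential cases are denied for different reasons: the vendor laptop is enrolled but sits in a zone with no route into the POS zone, and the café laptop is not enrolled at all, so the directory lookup never even happens. The order of the checks matters in practice: evaluating enrollment and zone policy before consulting the directory keeps an unenrolled attacker from learning which usernames or groups are interesting.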
Certes Networks will be at RSA Conference next week. So will we. Hopefully, we can connect and explore the concept of the security overlay as implemented by CryptoFlow in some more detail!