In-Depth

Cloaking Assets With Identity-Level Firewalls

New technology lets you hide and verify network identity inside the packets themselves.

• By Mathew Schwartz
• 04/28/2004

Enter identity-based firewalls. Instead of trying to merge authentication, authorization, and auditing with network segmentation technologies (such as firewalls), organizations can essentially cloak their important assets, denying packet-level access without appropriate credentials.

Security Strategies spoke with the Trusted Network Technologies’ Stephen Gant, CEO; David Shay, chief technology officer; and Steven Russ, chief marketing officer, about the identity firewall concept, and how to hide identity information in individual packets.

Let’s frame some authentication issues. How effective are usernames and passwords today?

Gant: At the keynote at RSA Conference [in February 2004], Bill Gates basically said that usernames and passwords are dead. So that can’t be the main means for protecting critical information inside your organization.

Of course organizations are doing a lot of work on the identity front. They’re saying, "I need to be proactive about who’s on my network and which assets are on it," and they’re investing time and effort. In the whole identification management side of things—which I think is the right thing—they’ve spent so much time and effort on it, it’s their network. It’s core to their business. They ought to know and control the assets and people that are on their networks.

How do packet-level identity tools fit into that?

As the perimeter begins to dissolve, and it is—everyone’s punching holes through the perimeter—I realized that fundamentally, the Internet protocol itself was lacking one sort of root-cause issue, and that was identity. There was never a design or thought when they designed it 30 years ago that it would be used in such an environment. So they never added a means for [really] identifying users.

My goal was to design something that irrefutably identifies someone—friend or foe, if you will, for the network. So Dave [David Shay] basically came up with a way to insert continuous transport identity into every packet that flows on the network.

Wouldn’t identity management software give companies this kind of functionality?

Identity management is primarily an application-level-focused technology. So as identity management folks look around and think about a fully implemented approach, they say, "OK, my application layer is secure, but what about my network and operating system components?" Where people have traditionally turned for that is to the standard firewall and IDS, but those are identity blind. What we’re introducing is the first identity-aware firewalls, which you combine with your identity-based information store. So you can be proactive, monitoring a connection to determine if there’s malicious activity. We’re saying, now that you have identity down in the packet, let’s identify the initiator down at the packet level before we even let the connection occur.

How is it you can add identity information to packets?

Shay: The packet has a formation on it that you can’t really play around with. If you play around with it, then you must be willing to change the whole fundamental concept that networks use to communicate. Our patents are very focused on that question. So, our technology has the capability to place the ID that describes you as a user—by name—plus a system ID and a session ID, transparently in a packet without changing that packet in any way, and without adding a single additional bit of overhead. It’s a very exciting way of doing this. Your networks and transport systems can still operate normally, because the packets you’re sending and those you receive look like every other packet you’re receiving on the wire.

Gant: My analogy is spread-spectrum technology. It’s a technology that’s been around in the RF [radio frequency] world. What they do is place information where there’s noise, and in essence what we’re really doing is, we have an algorithm that determines where there is useless information in the packet, and we replace that with information that has meaning. So we’re not increasing the total count in the packet, but we’re creating meaning where there is none, so that allows us to securely transmit your identity in every packet that you send.

Isn’t this approach vulnerable to man-in-the-middle attacks?

Shay: Our design team’s core competency is security encryption, and one of the features of the software is that your ID changes every time you hit the wire, so mathematically the probability of your ID showing up the same twice in a row is so slim that our system monitors for that. If [it happens], it blocks it. Even if it was real, we don’t change the stack, so your protocol in your system should go back and retry anyway, with a different code. So if we see the same code again, we’ll know it’s a bad guy who’s spent hours listening with a sniffer and trying to get in.

Gant: Coming from a security background, we say never say never, but boy it’s going to be super hard to figure out how to sit in the middle. Literally what it comes down to is they’d have to figure out a way to physically steal the system, because it would be so hard to do it [otherwise].

Russ: Because an identity-enabled packet looks like any other packet, you’ve also got to be able to figure out where to even start looking for that identity information.

Where do you get the identity information?

We import [LDAP and Active Directory] information, so we don’t require customers to recreate any information. Once we have the groups, individuals, [and] users, we now have the ability on a very simple interface to drag and drop systems [and] applications to users to create a policy for your network. So there are no complex firewall rules, IDS rules, or signatures that you have to apply to your network.

What’s an example of how this technology might be used?

Gant: Say I want to separate my entire development organization from my production systems, and I only want to have auditable access when I allow the development side to go into production—such as with real patient or financial data. We provide you with a strong audit and forensics trail for those [who] have access to the asset that I’m protecting.

Wireless protection is another example. Say I build a trusted network with our I-Gateway [product] in front of each one. Let’s say you’re a guest and go to a facility [secured like that]. You present your credentials to the front desk—let’s say your drivers license. What they do is ID you, then give you a badge that says he’s a contractor (or whatever), and [gets access to the] first or third floor, that sort of thing. We basically are that badge, for networks.

Are there any drivers for instituting this level of identification?

One of the things that’s causing people to really think about internal security is the huge regulatory pressure [to prevent and stem] critical-asset losses inside organizations. With digital identity theft, they’re thinking, as a bad guy, I could steal a user ID or password one by one. Or what if someone internally could be turned, or someone internally could just compromise a whole database? So a lot of the regulatory efforts in the U.S. and Europe are making sure all kinds of important aspects of your enterprise are protected.

So there’s the theft of your proprietary, personal-information perspective, but then there’s also a corporate governance perspective. The Sarbanes-Oxley Act, for instance, is keeping security [highlighted] in corporations today.

More and more, there’s no difference anymore between the insider threat and the outsider threat. Couple that with the identity blind, and there’s basically no means of identifying someone. Most assets are still being identified by username and password.