A HIP way of securing a wide range of endpoints

The host identity protocol is emerging as an alternative way to secure a range of physical endpoints beyond laptops and smartphones

Security threats continue to rise in number, strength and originality on a daily basis.

While this is a major concern for all companies and individuals, in the world of industry and cyber security, the stakes are almost limitless. Imagine the impact of a successful cyber attack on a nuclear power station, a hydro-electric dam, a gas or oil plant, or even a major retailer. 

In all these cases, the targets are vulnerable endpoint devices, for example manufacturing equipment, water pumps, PLCs (electric grid), control devices, ATMs, point of sale (POS) systems and other similar devices depending on the industry. 

This creates a very different challenge to securing networks themselves, network segments and users or groups of users. Although firewalls have advanced significantly – especially in terms of Deep Packet Inspection capabilities – they are still very much designed for perimeter or blanket security measures.

It can also be argued that both firewalls and virtual private networks (VPNs) are cumbersome to deploy and manage in large numbers and require extensive IT skills, which are expensive and which an enterprise may simply not have. For example, configuring VPNs for a few point-to-point connections is not complex, but try rolling out a deployment in the hundreds or more and the cost and complexity can rise exponentially. 

Network access control (NAC) emerged a few years ago as a means of securing endpoint access and was designed to use a set of protocols to define and implement a policy that describes how to secure access to network endpoints on initial access. However, it really made sense as a means of preventing already-infected devices, such as users’ laptops, from being able to gain network access.

It is also important to stress that TCP/IP was not initially designed as a secure protocol. A host and its location are identified using internet protocol (IP) addresses in the current internet architecture. However, IP addresses can serve only as short-term identifiers because a considerable number of hosts are portable devices and they change their IP addresses when moved from one network to another. 

Short-term identifiers

Short-term identifiers disrupt long-term transport layer connections, such as internet phone calls, and make it more difficult to locate the peer host. Therefore, mobility and multi-homing (a computer or device connected to more than one computer network) are hard to implement securely in the present internet. 

Upon changing an IP address, the host must prove to its peers that it is the same entity they communicated with before, requiring the use of cryptographic identities.

Another challenge is the fact that deployed protocols in the internet are prone to denial of service (DoS) attacks. Substantial memory state can be created before the communicating peer is authenticated. Impersonation attacks are possible because IP addresses are relatively easy to forge. 

Because of difficulties in configuring IP security (IPsec) for users, most internet traffic is still transmitted in plaintext, which makes it easy for attackers to collect passwords or lists of visited websites, for example, in public wireless local area networks (WLANs).

So what are the alternatives for securing physical endpoints, not simply a laptop or smartphone, but – in the case of industry – complex, ultra-critical devices? That said, how critical is a file server, database server or core router, for example, in these days when the network, data and applications ARE the business? 

In other words, there is a real challenge here to all forms of business, especially as networks become more fragmented by a combination of public and private networks, internet, public and private cloud and other outsourced network elements.

Host identity protocol

One option has emerged in the form of HIP – host identity protocol – not to be confused with HIP meaning host inspection protocol, as some firewall suppliers use the term. HIP, in the former definition, offers an alternative to traditional encryption methodologies, specified by an Internet Engineering Task Force (IETF) working group. 

It effectively decouples the transport layer of the OSI model from the network layer, with a presence on the private local area network (LAN) and the shared network (WAN or internet, for example) equally but, unlike traditional security devices, it has no IP address on the private side (thereby negating attack possibilities) and requires no configuration changes on the local devices it is protecting. 

Instead, it introduces a host identity (HI) name space, based on a public key security infrastructure. So, in HIP networks, all occurrences of IP addresses in applications are eliminated and replaced with cryptographic host identifiers.

HIP enables consenting hosts to securely establish and maintain shared IP-layer state, allowing separation of the identifier and locator roles of IP addresses. HIP uses public key identifiers from a new host identity namespace for mutual peer authentication. The protocol is designed to be resistant to DoS and man-in-the-middle (MitM) attacks. 
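The DoS-resistance property described above can be illustrated with a stateless client puzzle, the kind of mechanism HIP's base exchange uses so that a responder commits no memory until the initiator has done some work. This is an added example, not code from the article or from any HIP implementation, and it is not the RFC 5201 packet format: the function names, SHA-256, the 12-bit difficulty and the toy identifiers (a hash of constructed key bytes) are all assumptions.

```python
import hashlib
import hmac
import os

SECRET = os.urandom(32)  # known only to the responder; rotated periodically
K = 12                   # assumed difficulty: low-order bits that must be zero


def hit(public_key: bytes) -> bytes:
    """Toy 128-bit host identifier: a truncated hash of the public key."""
    return hashlib.sha256(public_key).digest()[:16]


def make_puzzle(hit_i: bytes, hit_r: bytes) -> bytes:
    """Responder: derive challenge I from its secret. Nothing is stored."""
    return hmac.new(SECRET, hit_i + hit_r, hashlib.sha256).digest()[:8]


def low_bits_zero(i: bytes, hit_i: bytes, hit_r: bytes, j: int, k: int) -> bool:
    """True when the lowest k bits of H(I | HIT-I | HIT-R | J) are zero."""
    digest = hashlib.sha256(i + hit_i + hit_r + j.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") & ((1 << k) - 1) == 0


def solve(i: bytes, hit_i: bytes, hit_r: bytes, k: int = K) -> int:
    """Initiator: brute-force J, costing about 2**k hashes on average."""
    j = 0
    while not low_bits_zero(i, hit_i, hit_r, j, k):
        j += 1
    return j


def verify(i: bytes, hit_i: bytes, hit_r: bytes, j: int, k: int = K) -> bool:
    """Responder: recompute I, then check J with one hash. Only after this
    succeeds is per-connection state allocated for the peer."""
    expected = make_puzzle(hit_i, hit_r)
    return hmac.compare_digest(i, expected) and low_bits_zero(i, hit_i, hit_r, j, k)


if __name__ == "__main__":
    initiator = hit(b"constructed initiator public key")
    responder = hit(b"constructed responder public key")
    challenge = make_puzzle(initiator, responder)
    answer = solve(challenge, initiator, responder)
    print("accepted:", verify(challenge, initiator, responder, answer))
```

Because the challenge is recomputed from the responder's secret and the two identifiers, a flood of first packets from forged addresses costs the responder one keyed hash each and no stored state.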

It should also be made clear that HIP is no “overnight success”, but has matured over 15 years of research, development and deployment by companies such as Boeing, Verizon and Ericsson, as well as research institutions around the world. It is simply that only now is it finally being ratified and productised. 

Cryptographic mechanisms

Of several proposals that were under consideration at the IETF, HIP has emerged in the form of RFC 5201, approved by the IETF as a proposed standard. This is mainly due to positive developments in public key cryptography and the increased computational resources of hosts, which enable the use of cryptographic mechanisms to handle identities securely. 

This is an important step, but the true measure of a standard is adoption and this always takes longer than is ideal.

So the question is: does anyone actually offer this new alternative? And can HIP be effective as a complementary solution, rather than a “rip out and start again” option, the latter patently not a realistic proposition for most companies? 

One early supplier/adopter of HIP is Seattle-based Tempered Networks, with a product based on technology that came out of Boeing, hence the Seattle connection. Importantly, a HIP-based system, as implemented by Tempered Networks, is a transparent drop-in solution that provides private overlay networks and a “defence in depth” approach. In this way, it protects the existing investment a company has made in its security strategy and implementation, but adds endpoint security without affecting the underlying network infrastructure, configuration and management in any way. 

Another non-proprietary element of the Tempered Networks solution is that it uses HIP alongside IF-MAP, which provides a common interface between the security appliances and a database server. Although initially aimed at protecting critical control systems in industrial environments, the system is applicable to most enterprise network environments. The key element here is that the endpoint device is specifically secured, rather than groups of users or network segments.

One early adopter is Xcel Energy, a major US electricity and natural gas company with annual revenues of $10.9bn. Based in Minneapolis, Minnesota, the energy provider has regulated operations in eight Midwestern and Western states, and provides a wide range of energy-related products and services to about 3.5 million electricity customers and 1.9 million natural gas customers through four operating companies. 

Classic target for cyber terrorism

In other words, it is a classic target for cyber terrorism, hence the interest in HIP as a means of active security against that kind of threat.

“The premise of HIP is quite powerful and compelling,” says Doug DeGrote, CISO, director of IT security and risk management at Xcel Energy. “It changes the lingua franca of internet communications and gives everyone their unique rosetta stone to introduce trust and integrity into computer networks.”

HIP also offers a specific solution to a specific problem that is relatively simple to deploy and manage. Typically, a HIP solution will include a scalable orchestration engine that co-ordinates configuration, security policies, trust relationships, monitoring and analytics between the endpoint connection devices, industrial and datacentre-grade security appliances, and a management console and user interface. 

So it is very much an overlay solution, rather than being fully integrated within the existing network, but, as already explained, it has to be this way in order to be effective. That said, it is very much a one-off deployment, with no endpoint configuration changes. This impacts positively on both deployment and day-to-day management costs, potentially reducing months and weeks of configuring and reconfiguring to just days.

It also simplifies the logistics of who deploys and who manages what is very much a security, rather than a network, solution. IT governance is a hot topic these days as networks continually expand and job roles start to overlap. A HIP solution is designed to enable IT to delegate user-level administration for self-service departmental provisioning. It is also a classic case of providing the right tool for the job, rather than contriving a new use out of something that was never designed to do the job.

In summary, the importance of simplifying the security of device endpoints – especially those open to industrial sabotage – cannot be overstated. HIP provides the technical means of securing these devices, and an approach that simplifies the deployment from cost, ease and political aspects. It neither impacts on the existing security strategy, nor who owns that space, but simply improves upon it.
