Are you a trusting person? Too bad. That’s going to get you hacked. Respect and privacy are admirable things, but they are not guaranteed by today’s Internet. In addition to all the incredible employees, partners, suppliers and customers that you hold in high regard, there is a dark underbelly of professional criminals, hobbyist & mercenary hackers, mischief makers, psychotics, and nation states with agendas all trolling the same network. Some are looking for victims of opportunity. Others have you in mind as a target. Can your firewall and VPN fend them off?
The Virtual Hopefully Private Network Connection
The VPN or Virtual Private Network was designed to make the Internet act more like a private line or MPLS (Multi-Protocol Label Switching) network. Even if you have a T1, DS3, OC3 or Ethernet private line at the office, you have a big security hole when an employee out on a sales or repair call stops by the coffee shop and connects back using the free Wi-Fi provided by the store.
Free really means free and open. That guy in the corner staring at his laptop is watching your traffic. He either hacked the shop’s Wi-Fi or created his own look-alike “free” Wi-Fi network that you connected to instead of the real one. This is called a “man in the middle” attack, and it is what VPN was designed to protect against. The VPN creates an encrypted connection called a “tunnel” from your employee’s computer to your office server. That makes it pretty hard for someone to get in the middle of the conversation unless they have the private key… and they don’t.
VPN Weaknesses
Not all VPNs have rugged 256-bit military-grade encryption. Some use protocols that are relatively easy to crack with readily available hacker tools. PPTP (Point-to-Point Tunneling Protocol) is over 20 years old and is still desirable because it is fast and easy to set up and use. It’s also more vulnerable than protocols with stronger encryption.
Not all VPN vendors are equally capable. Weak ones may have back doors in their servers or other weaknesses that make it easy to hack the VPN server in the cloud and get everybody’s data. You won’t know until you are hacked and can’t figure out how.
An overall weakness of VPN is that it only protects the tunnel into your company. If that tunnel is compromised, one way or another, your entire network and everything on it is wide open to explore and perhaps attack. It would be better if only a small part of the company’s assets were exposed instead of everything all at once.
The Software Defined Perimeter Black Cloud
The idea behind a Software Defined Perimeter (SDP) is that trust is minimized by allowing access to resources user by user, on a need-to-know basis. The research was done by the U.S. Defense Information Systems Agency (DISA) and has come to be known as a “Black Cloud.” The black designation means that the network infrastructure is hidden within the cloud. There are no visible DNS names or IP addresses.
SDP authenticates each user and only gives them access to the resources you have approved for that particular user so they can do their jobs. The user or IoT device has no idea what else is on the network. They can’t see it. If they can’t see it, they can’t get access. Someone impersonating that user can’t either.
A system of SDP Hosts and Controllers communicates to verify the authorizations. Once authentication and authorization have been completed over the control channels, the Controller has the job of connecting the Initiating Host and Accepting Host data channels through a Gateway.
The SDP is not only between clients and the data center. It is also deployed within the data center to partition the network and isolate high-value applications. Only a limited number of users will have access to the highly protected application or even know it exists.
Encryption and cloaking are key to SDP security. The usual network probing, such as port scanning, won’t work because nothing will show up in the scan. In a way, SDP is creating virtual networks on a user-by-user, session-by-session basis. What goes on behind the curtain is a complete mystery.
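As an added illustration, constructed for this article and not code from the page or any SDP product, here is a toy Python model of the Controller, Gateway, control channel and data channel described above: the Gateway silently drops anything the Controller has not pre-authorized, so an unauthenticated scan sees nothing and each user reaches only the resources on their allow-list, while a VPN-style login, for contrast with the weakness noted earlier, exposes the whole network. The one-time token handed from Controller to Gateway, the user names and the resource names are assumptions of this model.

```python
import hmac
import secrets

# Constructed sample data (not from any real deployment): credentials and
# the per-user allow-list the Controller enforces.
CREDENTIALS = {"alice": "alice-pw", "bob": "bob-pw"}
POLICY = {"alice": {"crm", "mail"}, "bob": {"mail"}}
ALL_RESOURCES = {"crm", "mail", "payroll", "build-server"}

class Controller:
    """Control channel: authenticate the user, authorize one resource."""

    def __init__(self):
        self.grants = {}  # one-time token -> (user, resource); assumed mechanism

    def authorize(self, user, password, resource):
        if not hmac.compare_digest(CREDENTIALS.get(user, ""), password):
            return None
        if resource not in POLICY.get(user, set()):
            return None
        token = secrets.token_hex(16)
        self.grants[token] = (user, resource)
        return token

class Gateway:
    """Data channel: deny by default; only Controller-approved flows connect."""

    def __init__(self, controller):
        self.controller = controller

    def connect(self, resource, token=None):
        grant = self.controller.grants.pop(token, None) if token else None
        if grant is None or grant[1] != resource:
            return None  # silent drop: a probe gets no reply at all
        return f"{grant[0]} -> {resource}"

def port_scan(gateway):
    """Unauthenticated probe of every resource: what would a scanner see?"""
    return {r for r in ALL_RESOURCES if gateway.connect(r) is not None}

def sdp_session(controller, gateway, user, password, resource):
    """Control channel first, then the data channel for that one resource."""
    return gateway.connect(resource, controller.authorize(user, password, resource))

def vpn_session(user, password):
    """The VPN model above: one credential exposes the whole network."""
    ok = hmac.compare_digest(CREDENTIALS.get(user, ""), password)
    return set(ALL_RESOURCES) if ok else set()
```

Run `port_scan` against a fresh `Gateway` and it returns an empty set, whereas `vpn_session("bob", "bob-pw")` returns every resource even though Bob's allow-list holds only `mail`.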
The End of Networks As We Know Them?
The TCP/IP network that has served us so well for decades has to go underground to keep its relevance in today’s high threat environment. We can no longer do business without the Internet and there are just too many bad actors on the public Internet. Technology must evolve to provide the illusion of a simple open Internet but with none of the familiar network topology visible.
Has your company network been hacked or are you concerned about the business disruption this might cause? Right now would be a good time to see what advances have been made in network security, especially managed security solutions in the cloud.