Packet-Based Authentication: An Interview with John Hayes of BlackRidge

A security policy violation that is all-too-common today involves unauthenticated packets sneaking onto the enterprise LAN. These packets, which can originate from anywhere, are required to establish TCP sessions, over which the desired application-level authentication process can begin. Viewed by analogy, this is like letting someone into your kitchen to determine if they should be allowed in your house. This makes absolutely no sense.

Solutions to this problem have not been easy to come by, simply because the authentication process is required at the network level, including layers 2 and 3, and such protocol enhancement has not been sufficiently addressed by the vendor community. Until now, that is. Reno-based BlackRidge Technology has developed a platform that extends the TCP/IP suite to provide packet-level authentication.

We recently caught up with John Hayes, who serves as BlackRidge’s CTO, to learn more about how the technology can establish the identity of a packet sender in order to enforce enterprise security policies before connections are established. We wanted to know whether this requires substantive changes to networks, or whether it can be easily integrated into existing or new deployments. Here is a synopsis of our discussion:

EA: Can you explain the basic concept behind the BlackRidge Transport Access Control method?

JH: The BlackRidge TAC solution uses identity to authenticate TCP sessions before allowing them to be established, presumably into the enterprise network or other computing environment. Each TCP session is individually authenticated with a cryptographic token inserted into the first packet (TCP-SYN) of a TCP session. Our software approach enables deployment in enterprise, cloud, SDN and IIoT infrastructure. It is designed to require no reconfiguration to an existing network, and is easily integrated into a new one.

EA: What threats specifically are addressed by your technology?

JH: Using unauthenticated information in the access decision process provides an attack surface for the adversary. Unfortunately, most network security approaches use a combination of network addresses and content to make decisions. We all know that addresses cannot be authenticated, and content, when available, is not always authenticatable, meaning that it is encrypted. To address this problem, BlackRidge uses authenticated identity that is available at the network layer, independent from the content, whether encrypted or not. Another issue we take into account is how the authentication is performed. If the authentication requires interaction between the requesting party and the authenticating party, then the authentication mechanism itself can be used for mapping and discovery. This is how PKI certificates, TLS, and IKEv2 operate. BlackRidge uses non-interactive authentication, blocking scanning and discovery from unauthorized sources, in addition to managing access to BlackRidge protected resources.
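To make the first-packet model described in the two answers above concrete, here is an added illustration, not BlackRidge's code or token format (the interview does not describe either): the sender derives a keyed tag bound to its identity, a timestamp and the SYN's initial sequence number, and an inline enforcement point accepts or silently drops the SYN on that token alone, with no exchange that could reveal the gateway to an unauthorized source. The identity keys, token layout and freshness window are assumptions made for this example.

```python
import hmac
import hashlib
import struct

# Constructed demo keys: each identity shares a secret with the enforcement point.
# (Assumption for this example; the real token scheme is not described on the page.)
IDENTITY_KEYS = {
    1001: b"identity-1001-secret-key",
    1002: b"identity-1002-secret-key",
}
TOKEN_LEN = 16          # 4-byte identity id + 4-byte timestamp + 8-byte tag
FRESHNESS_WINDOW = 30   # seconds of clock skew / transit delay tolerated

def _tag(key, identity_id, ts, isn):
    # Bind the tag to the identity, the time, and the SYN's initial sequence number,
    # so a token cannot be lifted off one SYN and reused on another.
    msg = struct.pack(">III", identity_id, ts, isn)
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

def make_token(identity_id, key, ts, isn):
    """Sender side: token carried in the first packet (SYN). No reply is required."""
    return struct.pack(">II", identity_id, ts) + _tag(key, identity_id, ts, isn)

class SynGateway:
    """Inline enforcement point: decides on the SYN alone, before any handshake completes."""
    def __init__(self, keys, window=FRESHNESS_WINDOW):
        self.keys = keys
        self.window = window
        self.seen = set()   # replay cache of (identity, ts, isn); a real one expires old entries

    def check_syn(self, token, isn, now):
        """Return ('allow', identity_id) or ('drop', None). Drops are silent: no RST, no ICMP."""
        if len(token) != TOKEN_LEN:
            return ("drop", None)                       # no or malformed token: unidentified source
        identity_id, ts = struct.unpack(">II", token[:8])
        key = self.keys.get(identity_id)
        if key is None:
            return ("drop", None)                       # unknown identity
        if abs(now - ts) > self.window:
            return ("drop", None)                       # stale or future-dated token
        if not hmac.compare_digest(_tag(key, identity_id, ts, isn), token[8:]):
            return ("drop", None)                       # forged, or token moved to another SYN
        if (identity_id, ts, isn) in self.seen:
            return ("drop", None)                       # replayed SYN inside the window
        self.seen.add((identity_id, ts, isn))
        return ("allow", identity_id)                   # identity is known before the session exists
```

Because every verdict is reached from the SYN alone, the gateway emits nothing for a failed check, which is what makes the authentication non-interactive in the sense the interview describes.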

EA: Why aren’t existing IP-based tools sufficient for authentication and security?

JH: Existing IP-based tools use a combination of rules, heuristics and statistical metrics for decision making. These tools use information which cannot be authenticated, and which often needs continuous updating. The limitation of these tools is that they suffer from both false positives and false negatives, limiting both their deployability and effectiveness. A false positive, by the way, is a false alarm, an indication of a security event when no event exists. A false negative is an undetected attack. It is the false positives that preclude the automation of these tools for cyber defense. BlackRidge, with its cryptographically secured identity tokens, has an extremely low false positive rate, less than 0.0001%, thus enabling deployable cyber defense automation.

EA: How do customers integrate your solution into their security architecture?

JH: BlackRidge products are designed to work as an overlay software solution to block unidentified and unauthorized access and protect resources from discovery by unauthorized network mapping and reconnaissance. Integrating with existing Identity Management systems (IDMS) enables existing identities to be used to authenticate network sessions and automate security policies. We have also integrated our event reporting with several SIEM and analytics systems, thus providing visibility to events within a customer’s existing monitoring and response infrastructure. Operationally, we deploy our BlackRidge TAC software as transparent, inline layer 2 or addressed layer 3 enforcement points. Being able to select layer 2 or layer 3 operation enables us to deploy in both LAN environments and cloud/SDN environments. In this way, we can extend a customer’s identity-based security policies from the enterprise to the cloud, enabling an identity-secured hybrid solution.

EA: What threat trends are you hearing from customers?

JH: The largest growth of threats we are seeing is coming from the Industrial IoT (IIoT) sector and in Operational Technology (OT) networks, all converging onto enterprise IT networks. This includes industrial control systems, building management systems, medical equipment, and factory automation. Legacy, non-networked devices that have been migrated to networks and new IoT devices have paid little attention to the security of the networks and devices, providing new surfaces for attack. Now we are being asked how to secure both legacy, brownfield IIoT as well as new greenfield deployments, and this can be applied as an on-the-wire solution.