Zero Trust with Zero Reliance on IP Addresses

Zero trust security has been a cyber security concept for over a decade. First, it was an idea that was codified into a term. Then the term became a buzzword every security vendor tried to incorporate into their product. Now, “zero trust” has finally rounded the corner to where it is considered the foundation for access control. While the term is still marketing worthy, end users hardening their networks and vendor companies selling to those end users realize that a zero trust architecture is the gold standard for protecting today’s networks.

Yet, even after a decade of familiarity, “zero trust security” means different things to different people, particularly vendors who are doing their best to develop products that drive revenue and keep the company viable in a crowded market. However, zero trust isn’t just a concept; truly implementing zero trust requires companies—both product makers and end users—to operate in a different fashion. It means taking old, ingrained processes and policies and throwing them out the window if they don’t conform to the tenets of zero trust. While practitioners and product vendors agree that implementing zero trust doesn’t have to be an infrastructure-wide “rip and replace,” implementing zero trust in just one area—e.g., at the device level or at the application level—requires a completely new set of processes and policies to meet the definition of zero trust.

It is therefore ironic that some so-called zero trust vendors use the same, outdated control plane to enforce zero trust policies. Specifically, I am referring to TCP/IP. Backing up a bit, in the early days of networking, address-based protocols were sufficient; anyone or anything that needed network access was verified once at the perimeter and then trusted as an insider. Over the years, the perimeter as we know it has all but dissolved, leaving perimeter controls with little to enforce. Firewalls then moved inside networks to create smaller and smaller subnets, leading to the microsegmentation market we know today.

And while continuous, adaptive authorization and authentication inside the network and around sensitive applications are helpful, the underlying protocol—TCP/IP—on which most microsegmentation relies is flawed. IP addresses are easily hijacked or tampered with, making them unreliable as a verification mechanism. Most vendors recognize the hazards of IPsec as a control plane and have thus layered additional attributes as identifiers to increase efficacy. Still, IP addresses remain at the core of many zero trust products. It’s what companies know. It’s comfortable. It’s what worked for a long time.

A new look at the firewall

One company wasn’t satisfied with the status quo. Their idea isn’t popular—to date, Ed and I haven’t seen a single other company with the same approach to firewalling—but it sure makes sense. Jeff Hussey, CEO and Founder of Tempered Networks, is the former Founder and CEO of F5 Networks. After six and a half years building F5, he retired, but like most cyber security entrepreneurs, he found himself thinking about all the problems in the industry waiting to be solved. In particular, Hussey fixated on the dual use of IP addresses as both an identifier and a locator and their contribution to successful exploits.

During this time, Hussey came across a technology being used by Boeing: Host Identity Protocol (HIP). Rather than using an IP address in its entirety, Boeing engineers decoupled the locator aspect of the protocol from the identity aspect, creating a new layer between IP and TCP. By 2012-2013, those same engineers left Boeing and rewrote the solution for commercial use. Hussey saw an opportunity, and in 2014 he founded Tempered Networks using this fundamentally different control plane.

“Anyone who wants to actually prevent unauthorized access,” Hussey told us during a recent call, “can’t honestly think they’re going to do it using TCP/IP. You can’t get a legitimate zero trust environment with it. Host Identity Protocol is truly zero trust.” He explained that Tempered Networks’ platform, called Airwall, uses HIP and builds a cryptographic ID for every authorized entity in the system. Access policies require the combination of HIP + cryptographic ID for verification, which means that devices can be anywhere and users can move locations or have multiple connections to different workloads without disrupting the connection or creating network insecurity.
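The identifier/locator split described above, as an added illustration that is not Tempered's, Airwall's or the HIP RFCs' code: the access decision is keyed on a hash of the host's public key plus a signed challenge, so a host keeps its access when its IP address changes, while a host at the same address that lacks the key does not. It assumes ed25519 host keys, a truncated SHA-256 standing in for HIP's ORCHID encoding of the Host Identity Tag, and constructed sample addresses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// Host is one endpoint: a long-lived key pair (its identity) plus a current
// locator (IP address). Moving the host changes only the locator.
type Host struct {
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	Locator string
}

func NewHost(locator string) (*Host, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Host{priv: priv, Pub: pub, Locator: locator}, nil
}

// HIT derives the Host Identity Tag from the public key alone. Assumption:
// a truncated SHA-256 stands in for the ORCHID encoding real HIP uses.
func HIT(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:16])
}

// Prove answers a verifier's fresh challenge by signing it with the host key.
func (h *Host) Prove(challenge []byte) []byte {
	return ed25519.Sign(h.priv, challenge)
}

// Policy is an allow-list keyed by HIT; it has no IP address field at all.
type Policy map[string]bool

// Authorize binds the presented key to the claimed HIT, checks proof of key
// possession, then consults policy. The locator is accepted only so a log
// line could record where the host currently is; it never affects the result.
func (p Policy) Authorize(claimedHIT, locator string, pub ed25519.PublicKey, challenge, sig []byte) bool {
	if HIT(pub) != claimedHIT {
		return false // presented key is not the identity being claimed
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return false // no proof of private-key possession
	}
	return p[claimedHIT]
}
```

A real deployment would issue a fresh random challenge per handshake and tie the session keys to it, which this sketch leaves out.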

In a follow-up call with Tempered’s Senior Security Architect, Jay Sawyer, Ed and I discussed HIP and its use in security. “HIP has a good legacy,” Ed said to Sawyer, “but it’s completely dormant. It’s more secure than TCP/IP, so why aren’t any other vendors using it?” Sawyer answered that “It’s an industry-wide design decision. Adding the extra layer is tedious and costly, and vendors using IP addresses for verification purposes have guaranteed revenue; everyone buys a firewall, and standard firewalls use IP addresses. IPsec had its place, but now it’s ineffective. When you take perimeter away, HIP is the match.”

Removing fatal flaws

Tempered Networks is on a mission to change network security. They’re passionate people who believe in their solution, but they’re up against big players with substantially more name recognition. Tempered has a ton of market education in front of them on the path to success. However, given today’s network security needs, the only way to improve protection for the network and network communication is to stop basing access control decisions on protocols with known fatal flaws. The solution is to remove trust from that which is untrustworthy, in this case, TCP/IP.

Zero trust dictates that organizations remove all trust from their systems and implement continuous verification and explicit policies at the orchestration layer. This only works if the tools companies use to secure their networks don’t already contain vulnerabilities. TCP/IP is a known vulnerability, and smart companies understand this. We’ve seen several firewall vendors move away from TCP/IP as the sole control plane, but none using HIP, which makes Tempered unique. Their claim is that their solution uses HIP and cryptographic identity to cloak infrastructure, eliminate lateral movement, and authenticate and encrypt every connection. The message is similar to others in the industry, but the fundamental approach is different. To borrow from cloud nomenclature, Tempered’s solution is “HIP-native,” meaning the technology is built on HIP rather than adapted from TCP/IP. Sawyer calls it their “esoteric security secret sauce.”

Host Identity Protocol isn’t as familiar to security practitioners as other network protocols, but it just might be a new wave of applying zero trust. To echo earlier comments, truly implementing zero trust means managing a characteristically different model. HIP is just that, but adoption requires security end users to break free of old processes, procedures, and technologies. As industry luminary Wendy Nather is fond of saying, “right now, ‘zero trust’ is a new way of managing security. But in the future, we’re just going to call it ‘security.’” I believe that to be true. Tempered is betting on Airwall to change network security at the core, starting with not trusting a protocol we all know to be untrustworthy. Isn’t that the real premise of zero trust?