Application Specific Networking as a factor in MFA
As the world looks to work from home for many jobs previously done in an on-campus setting, securing the applications and data of the enterprise is of paramount concern for IT and security teams around the world. Multifactor authentication (MFA) is a common solution to these issues but comes with its own price. Maintaining the MFA system, dealing with its outages, handling the logistics of hardware tokens if they are used, and so on can place a serious burden on IT support resources. Properly implemented certificate-based, application specific access networking can alleviate many of these issues while retaining or improving the security of the enterprise.
Application specific networks, such as NetFoundry networks, provide authenticate-before-connect functionality. This allows the network to know what device is attempting to connect before it is allowed to access the network resources that reach the configured applications. This sounds like a VPN, but it is so much more. VPNs, by their nature, require an open access point, and as several high profile vulnerabilities have shown recently, the VPN is itself an application that can be hacked. That open port for incoming connections allows the entire world to attempt logins or exploit vulnerabilities. Using brute force methods, capitalizing on patterns in user names, and running dictionary-type attacks tuned with the details of thousands of password dumps and other open source intelligence, these attacks are highly automatable and can be brutally effective. The 2020 Verizon DBIR states that 49% of breaches featured hacking, and 80% of those involved the use of stolen credentials or brute force.
The problem is the intersection of user behavior with passwords, a perennial headache for security and IT teams, and the necessity to connect from anywhere. This lets malicious actors turn their systems on and wait for results. Automating the bulk of the "busy work" makes them much more effective, as they can then hand the "leads" over to human operators or more advanced systems. The most common mitigation to these issues is the use of MFA, requiring a process of two or more steps to gain access, which makes it much more difficult to guess the right combination.
Application specific networking mitigates this issue in a different way. Using technology similar to that which protects your bank, payroll service, medical records, and other applications we use on a regular basis, the network validates the connecting machine the same way users' machines validate the server: with public/private key cryptography. The ports of the network controllers are open to all comers, as they must be, just like a VPN's. However, upon connection, the accessing system must prove its identity before the TCP connection is completed. Similar to the methods used for HTTPS, the client validates the server AND the server validates the client. Properly bootstrapped trust means that this system can be trusted to access the network. The user can then access the configured applications and log in. In the classic MFA terms of something you have and something you know, MFA is achieved: the computer the user accesses the application from is the thing they have, and the application's password is the thing they know. Importantly, this puts the password "behind" the thing you have. Without access to the network, brute force, dictionary attacks, and even stolen credentials are useless.
How does this mitigate the issues faced by VPNs today? Public/private key cryptography is widely understood to be highly secure; the mathematical basis of the exchange makes it computationally infeasible to crack. Another very important point is that the key never leaves the accessing system. It does not reside in a database somewhere that can be hacked and dumped. Created mathematically, it can never be "June2020!" or related to a favorite sports team. This breaks all the highly automated and efficient methods used by the majority of cybercriminals today. To gain access to the key, the endpoints would have to be compromised one at a time, as each key is unique. Standard endpoint protections protect these keys, even when they are in a file store on the system. For more demanding needs, hardware roots of trust can hold the keys, meaning the device must be physically compromised, again a laborious process, and not generally profitable enough for the majority of actors, who are financially motivated and, for the most part, organized crime (Verizon DBIR 2020).
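The authenticate-before-connect exchange described in the two paragraphs above, as an added example that is not NetFoundry's or OpenZiti's code: a Go program (Go being the language of the open source Ziti projects linked at the end) that mints an enterprise CA, an edge listener certificate and device certificates in memory, then shows that only a device holding a key certified by the enterprise CA ever receives a byte of application data. The names (enterprise-ca, app-edge, laptop-0001, attacker-ca) and the three modes are constructed for the demo; the listener stands in for the network edge, and the "login prompt" it sends stands in for the application password step that sits behind the device identity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

type identity struct { // a certificate plus its private key; the key never leaves this process
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func (id *identity) tlsCert() tls.Certificate { return tls.Certificate{Certificate: [][]byte{id.cert.Raw}, PrivateKey: id.key} }

// must turns certificate-setup failures (programming errors in this demo) into panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mint generates a key pair and a certificate: a self-signed CA when parent is nil, else a leaf signed by parent.
func mint(name string, serial int64, usage x509.ExtKeyUsage, parent *identity) *identity {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{usage},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	signerCert, signerKey := tmpl, key
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signerCert, signerKey = parent.cert, parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey))
	return &identity{cert: must(x509.ParseCertificate(der)), key: key}
}

// ReachApp runs an edge listener that demands a device certificate from the enterprise CA, then dials it as a
// device in the given mode: "enrolled" (certificate from that CA), "rogue" (certificate from an attacker's own
// CA) or anything else such as "none" (no certificate, like an anonymous probe). Reports whether app data arrived.
func ReachApp(mode string) bool {
	ca := mint("enterprise-ca", 1, x509.ExtKeyUsageAny, nil)
	edge := mint("app-edge", 2, x509.ExtKeyUsageServerAuth, ca)
	pool := x509.NewCertPool()
	pool.AddCert(ca.cert)
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{edge.tlsCert()},
		ClientAuth:   tls.RequireAndVerifyClientCert, // authenticate before connect
		ClientCAs:    pool,
	}))
	defer ln.Close()
	// The "application" runs only after the handshake has verified the device certificate.
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		if conn.(*tls.Conn).Handshake() != nil {
			return // unverified device: not a single application byte is sent
		}
		_, _ = conn.Write([]byte("app: login prompt\n"))
	}()
	// Who vouches for the device? A rogue CA yields a perfectly good key with no chain to the enterprise CA.
	issuer := map[string]*identity{"enrolled": ca, "rogue": mint("attacker-ca", 3, x509.ExtKeyUsageAny, nil)}[mode]
	cliCfg := &tls.Config{RootCAs: pool}
	if issuer != nil {
		cliCfg.Certificates = []tls.Certificate{mint("laptop-0001", 4, x509.ExtKeyUsageClientAuth, issuer).tlsCert()}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return false // rejected inside the handshake (how TLS 1.2 reports it)
	}
	defer conn.Close()
	n, err := conn.Read(make([]byte, 32)) // TLS 1.3 surfaces the rejection on the first read
	return err == nil && n > 0
}

func main() {
	for _, m := range []string{"enrolled", "none", "rogue"} {
		fmt.Printf("%-9s reached application: %v\n", m, ReachApp(m))
	}
}
```

Run it with `go run` and it prints one line per mode; only "enrolled" reaches the application. The "rogue" mode is the interesting one for the argument above: the attacker's key pair is mathematically as strong as the enrolled device's, but it has no chain to the enterprise CA, so the handshake ends before the password prompt is ever offered, which is exactly why guessing, dictionaries and credential dumps stop paying off. A real deployment would also pin the device key in a hardware root of trust and add revocation; both are out of scope for this in-memory demo.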
Another major benefit of application specific solutions is end user satisfaction. The ease of use of these systems is very high. As the user logs into the machine, the software connects automatically and opens the paths to the applications and resources they are configured for. Whether browsing to a web app or using a software client, the lower-level connection is made only to those resources that are allowed, and the user logs into the application using a one-step process. The user doesn't have to continuously receive text messages or emails with a code, or open an authenticator application, to access the resources; the certificate on their system is already providing that layer of security. Additionally, non-interactive systems, sensor systems, industrial control systems of various types, etc., can leverage this certificate-based authentication to protect the confidentiality and integrity of the data they collect.
Performance can also be a significant benefit of the NetFoundry architecture. As the security control plane is separated from the actual data plane, you don't have to "go somewhere to get somewhere" while maintaining the security of the connections. Most VPN solutions provide single, or limited, aggregation points, and are expensive to scale. In today's multi-cloud, multi-data center realities, coupled with the highly mobile workforce, large ecosystems of suppliers, etc., this is a significant advantage, but that is a topic for another day.
In today's world, with the sudden requirement to work from anywhere due to the COVID-19 pandemic, agility is a third major benefit of the NetFoundry application specific networking solutions. As a 100% software solution, secure connectivity can be deployed and scaled at will, within minutes.
Application specific networking is a new paradigm in software connectivity. It challenges the current models, which have served in the past but are not flexible and agile enough for the new realities of secure connectivity needs. Combining the flexibility of open source software with the modern API-first model for our orchestration and operations platform, NetFoundry can bring a new level of ease of use and security to your information. Please visit us at https://netfoundry.io, or view our open source projects at https://ziti.dev and https://openziti.github.io.
Excellent treatise Mike.
Great article as always Mike!