I have mentioned the Unisys Stealth Solution for Network in a previous blog about encrypting data-in-motion in the Cloud. Unisys developed Stealth to solve a serious problem in the defense and intelligence community: access to different classes of data must be physically separated. If you walk into an intelligence analyst’s office, you are likely to see a single keyboard, monitor and mouse connected to multiple physically separate workstations. Each workstation is connected to a physically separated network jack in the wall, and behind each jack a completely separate network including cables, routers, switches, wiring closets, all the way back to separate data centers. When the analyst is working on project A, the analyst switches the keyboard, mouse and monitor to the workstation that is connected to the network that allows access to project A data. When the analyst needs to work on a different project, or wants to go out on the Internet to do background research, the analyst switches to a different workstation and a different network that allows access to that project’s data or the Internet as appropriate.
These kinds of air-gapped networks are obviously very expensive to build, and very complicated to maintain. After the 9/11 attacks, for example, there were a lot of military and intelligence personnel that found themselves with different assignments. Those new assignments often required that they have access to new networks. In some of those cases, getting an analyst access to those different networks required construction work to get the correct network to the correct office in a secure manner. There were cases where analysts had to wait weeks to get that access. Not very agile.
While perhaps not to the same level, these requirements are not unique to the defense or intelligence communities. Hospitals usually have multiple networks: for patient care, administration and an open network for patients and visitors. Colleges and universities have many networks, to keep the students out of the grade management and administration systems. Often grants have confidentiality requirements that force separate networks. Even if these networks are wireless, so ripping into walls is not necessary, role changes do require significant effort to make sure that individuals are only given access to the data permitted for their role(s).
As we have said earlier, 48% of all data breaches are enabled because people have too much privilege, often because privileges were not removed when a user's role changed.
Enter Stealth. The basic principle behind Stealth is to only allow a device to communicate with another device if they share a Community of Interest, a COI. A COI is nothing more than a group of people and servers. Data can be shared freely within a COI, but must not be shared with any person or server not in the COI. In the usual Stealth installation, a user’s COI or set of COIs is specified in the site’s identity management system, the system that is used to authenticate a user when the user signs on.
When a user signs on, Stealth gets that user's list of COIs. Stealth will not allow any communication with another device that does not share a COI. In addition, Stealth creates separate encryption keys for each communication connection. If you are communicating with two different servers at the same time, both in the same COI as you are, you are using different encryption keys for those two connections. So another member of your COI, even though it is permitted to talk to both you and the server, cannot decrypt the traffic between you and that server. These keys are created and destroyed entirely by Stealth; no operations or user involvement is required.
In addition to encryption, Stealth also provides assurance that the data was not changed while in transit, either through deliberate actions or intermittent network failures. Thus Stealth not only directly addresses the confidentiality aspect of protecting your data, but also assures the integrity of your data-in-motion.
Stealth is implemented as a driver in the workstation's or server's network stack, just above the Link layer. The importance of this placement is that it sits above the physical network infrastructure and below the rest of the operating system's network stack (the IP and transport layers), and therefore below every application. This means that to implement Stealth you do not have to make any changes to your physical network nor to any application. The applications do not know that Stealth is even there.
It also means that you do not have to implement Stealth everywhere at once. Stealth can integrate one group of users at a time.
Unisys claims that Stealth cloaks the device, meaning that an unauthorized user cannot even determine the existence of the device, let alone communicate with it. The usual way to find out which devices actually exist on a network is to "ping" each possible address. A ping is a short message (an ICMP echo request) sent to an address to verify that a device is reachable there, and it also allows measurement of the round-trip time. With Stealth, a ping is ignored unless it comes from another device that shares a COI, so to the scanner the address looks empty. But it is not just Unisys claiming this. Unisys has participated in CWID (Coalition Warrior Interoperability Demonstration) exercises. The Chairman of the US Joint Chiefs of Staff sponsors CWID each year to test new information sharing capabilities or significant improvements to existing capability. The demonstrations focus on technology discovery, risk reduction and coalition interoperability. The result from the 2010 CWID exercise: the Assessment Working Group Information Assurance assessment team "recommends with no vulnerabilities found and the penetration testing unable to exploit the trial's infrastructure, Stealth continue to follow the Department of Defense (DoD) Security Technical Implementation Guide and Ports and Protocols directives ensuring proper secure configurations."
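To make the COI rule, the per-connection keys, the integrity check and the "cloaking" against address sweeps concrete, here is a small model of that behaviour. It is an example added for this post, not Unisys code, and it does not use Stealth's actual cipher: confidentiality and integrity are stood in for by an HMAC-SHA256 keystream with an encrypt-then-MAC tag from the Python standard library, and the hospital endpoints, COI names and the sample message are constructed for the demonstration.

```python
"""Toy model of a Community-of-Interest (COI) network filter.

Constructed example, not Unisys code. It models the behaviour the post
describes: a device talks only to devices that share a COI, every
connection gets its own random key, altered frames are rejected, and a
device that shares no COI with the scanner does not answer a ping sweep.
The cipher is a stand-in (HMAC-SHA256 keystream + encrypt-then-MAC), not
the cipher Stealth actually uses.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    name: str
    cois: frozenset = frozenset()   # empty: not in any COI (e.g. the open visitor network)


def shares_coi(a: Endpoint, b: Endpoint) -> bool:
    """The admission rule: traffic between a and b is dropped unless they share a COI."""
    return bool(a.cois & b.cois)


def ping_sweep(scanner: Endpoint, hosts) -> list:
    """Return the hosts that answer the scanner; a host answers only a COI member."""
    return [h.name for h in hosts if h is not scanner and shares_coi(scanner, h)]


class Connection:
    """One protected channel. Its key is fresh per connection and shared only by its two ends."""

    def __init__(self, a: Endpoint, b: Endpoint):
        if not shares_coi(a, b):
            raise PermissionError(f"{a.name} and {b.name} share no COI")
        self.key = os.urandom(32)   # distinct even for two connections inside one COI
        self.seq = 0

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(self.key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def seal(self, plaintext: bytes) -> bytes:
        """Encrypt and authenticate: frame = nonce || ciphertext || tag."""
        nonce = self.seq.to_bytes(8, "big")
        self.seq += 1
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self.key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def unseal(self, frame: bytes) -> bytes:
        """Verify the tag first (integrity), then decrypt (confidentiality)."""
        nonce, ct, tag = frame[:8], frame[8:-32], frame[-32:]
        expected = hmac.new(self.key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed: frame altered or wrong key")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))


def demo() -> dict:
    """Hospital example with two COIs plus an open visitor network (all constructed)."""
    patient, admin = frozenset({"patient_care"}), frozenset({"administration"})
    nurse_ws = Endpoint("nurse-ws", patient)
    ehr = Endpoint("ehr-server", patient)
    billing = Endpoint("billing-server", admin)
    clerk_ws = Endpoint("clerk-ws", patient | admin)   # one user holding two COIs
    guest = Endpoint("visitor-laptop")                  # no COI at all
    hosts = [nurse_ws, ehr, billing, clerk_ws]

    r = {
        "guest_sees": ping_sweep(guest, hosts),     # cloaked: nothing answers
        "nurse_sees": ping_sweep(nurse_ws, hosts),
        "clerk_sees": ping_sweep(clerk_ws, hosts),
    }
    c1 = Connection(nurse_ws, ehr)
    frame = c1.seal(b"patient 42 lab results")
    r["roundtrip"] = c1.unseal(frame) == b"patient 42 lab results"

    c2 = Connection(clerk_ws, ehr)   # same COI, but a different key
    try:
        c2.unseal(frame)
        r["other_member_reads"] = True
    except ValueError:
        r["other_member_reads"] = False

    tampered = frame[:9] + bytes([frame[9] ^ 1]) + frame[10:]   # flip one ciphertext bit
    try:
        c1.unseal(tampered)
        r["tamper_detected"] = False
    except ValueError:
        r["tamper_detected"] = True

    try:
        Connection(guest, ehr)
        r["guest_connects"] = True
    except PermissionError:
        r["guest_connects"] = False
    return r


if __name__ == "__main__":
    print(demo())
```

The point of the `clerk-ws` endpoint is that membership in more than one COI is just a union of sets: the clerk sees both the patient-care and the administration servers, while the nurse and the visitor laptop see only what their own COIs permit. The `other_member_reads` result shows why per-connection keys matter: being in the same COI gets you a channel of your own, not the ability to read someone else's.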
With Stealth, you know with whom or what you are communicating. If some criminal has spoofed a web site or DNS server to send you to his own site to capture your username and password, it will not work: the impostor's server shares no COI with your workstation, so your Stealth-protected workstation will not open a communications channel to it. For the same reason, malware running on your Stealth-protected workstation cannot communicate back to its evil home base. It works both ways: you always know that it is a real customer or partner who is talking to your Stealth-protected server. The caveat is that this holds for devices whose only permitted paths are Stealth paths; a workstation that is also given a clear-text route to the Internet is protected only on its COI traffic.
In an April 2011 press release Unisys announced that Unisys Stealth Solution for Network was awarded Common Criteria EAL4+ certification from the US NSA. EAL4+ certification is very difficult to obtain. In addition to actually testing the product, an EAL4 evaluation also reviews the design and development practices and processes Unisys used in the creation and release of Stealth. Along with the FIPS-validated cryptography, this EAL4+ certification and the CWID testing are strong independent evidence that Stealth does what Unisys claims it does.
There are a number of options for using Stealth in the Cloud. But we need to mention one other Stealth component first. There is a Stealth appliance that can sit at the edge of a Stealth network. One side of a Stealth appliance is all clear-text traffic, the other side is all Stealth-encrypted traffic. It acts as a gateway between the Stealth world and the non-Stealth world.
Now consider the path of a request from a workstation in your facility to a web server you run at a Cloud Service Provider (CSP). The picture above breaks that path into four numbered legs:
1. From the workstation in your facility to your connection to the Internet.
2. Across the Internet.
3. From your CSP's connection to the Internet to the physical server hosting your web server.
4. Through the hypervisor (virtualization) layer of that physical server to the virtual machine (VM) running your web server.
Using those leg numbers, let's look at three possible scenarios.
- Protect the Internet Traffic:
Put a Stealth appliance at the edge of your site (at the 1-2 junction in the picture) and another at the edge of the CSP's site (at the 2-3 junction). Stealth then protects leg 2, the communication across the Internet, assuring the confidentiality and integrity of that traffic. Everything inside your facility and inside the CSP's facility stays as it is, in clear text. This is probably most appropriate in a Private Cloud implementation.
- Protect the CSP Traffic:
Put a Stealth appliance at the edge of your site (at the 1-2 junction) and run the Stealth driver on every server processing your work. Since Stealth runs in the OS network stack, that means running it inside the guest OS of each virtual machine (VM). In this case Stealth protects legs 2 through 4 in the picture above, and a hypervisor failure or configuration error cannot open communication between one of your virtual servers and another customer's virtual server, because the other customer's VM shares no COI with yours.
- Protect Everything:
In addition to running Stealth in the CSP servers, run Stealth in each of your own servers and workstations. This protects the confidentiality and integrity of all of your data-in-motion traffic, on all four legs.
In most cases, your CSP treats you as a single customer: all of your users get the same access to all of your servers at the CSP site unless your own software enforces its own checks. With Stealth, you don't have to have just a single COI. Using the hospital example we mentioned earlier, you could have two COIs, one for patient care and one for administration. Stealth would then enforce which servers are visible to a user based on that user's COIs. The unsecured patient and visitor network would not require a COI at all; those users would not be able to reach any of the secure servers or workstations, since they share no COI with them.
Unisys has hinted that there are two additional solutions in the Stealth suite of products, but I do not believe they have been generally released.
- Stealth for SAN takes the same technology and applies it to SAN (Storage Area Network) storage systems. Using another feature of the underlying technology, Stealth for SAN offers some unique data dispersion capabilities that could change the way companies protect backup, disaster recovery, and archived data. This product has also been tested at CWID.
- Stealth Secure Virtual Terminal takes the Stealth for Network technology and puts it on a USB drive. Inserting it into a laptop boots up a malware-free secure OS and a Stealth-protected connection to a predetermined Stealth endpoint. This provides a simple solution for companies with customers or traveling employees who must have secure communication "back to the office" from anywhere.
The last word:
To learn more about Stealth, visit www.UnisysStealthSolution.com. This takes you to the Unisys eCommunity, a place where Unisys stores documents about its products and services. You must register with the eCommunity, but it is free. In my experience they never send you unsolicited information.
Stealth is very interesting technology that can solve real security issues in the Cloud. For some reason, Unisys is keeping very quiet about it. I guess that is Stealth Marketing.
Keep your sense of humor.