By Bob Gourley
Editor’s note: I’ve referenced before my participation on the board of Centripetal Networks, and their ability to deliver large scale commercial solutions of MITRE’s IBIP is an area I am particularly proud of. – bg
Over the last several years The MITRE Corporation has published pieces about their development of enhanced security protocols in the construct of Identity-Based Internet Protocol (IBIP). In February 2014 they published a succinct overview on the topic which you can find at this factsheet.
This innovative solution dramatically increases the security and resiliency of operational networks and does so in a way that increases network functionality at the same time. It is particularly virtuous because it does so in a cost-effective manner using largely existing infrastructure. Since it is very economical, enhances functionality, and increases security I see this as a very likely disruptor in the security space.
Here are some details from the factsheet:
- IBIP was designed to prevent compromises from spreading to other hosts on a network.
- Compromises are also detected so they can be remediated.
- IBIP relies on the concept of both host and user identity, as well as on defining permissible use policies within which network traffic is required to operate.
- IBIP inserts within each packet the identities of both the users and the hosts that are the source and destination of the packet, as well as user organization and role, ensuring that all internally-generated traffic can be evaluated for conformance to policy.
- Traffic that violates policy can be blocked, can trigger an alert, or both. IBIP may also reconfigure infrastructure assets to respond to detected threats in real time.
- Enforcement is policy-based; humans remain in control. Things you want to occur in the infrastructure (like people communicating with people or computers behaving as they should) are done more efficiently.
- Traffic that violates policy can be immediately blocked.
- Anonymous traffic can be blocked. This means, for the first time, a means can be put in place to prevent covert tunnels in enterprise networks.
- Adversaries, even those insiders with authorized credentials, can now no longer send traffic from spoofed IP addresses to gain access to a host and exploit a zero day vulnerability or pre-planted back door. Adversaries who use network reconnaissance to try to locate network devices to target will be thwarted.
- All identities are associated with a set of permissible use policies that define what the identified element is allowed to do on the network.
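As an added illustration (not MITRE's or Centripetal's code, and not the real IBIP header layout), here is a small policy engine that evaluates identity-tagged packets along the lines the factsheet describes: untagged (anonymous) packets are blocked, a source address that does not match the address bound to the host identity is treated as spoofed and raises an alert, and each (organization, role) pair is bound to a permissible-use policy. All host names, addresses, users and policy entries are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed identity-tagged packet. The field set illustrates the concept
# (user, host, organization and role carried with the packet); it is not
# MITRE's actual IBIP header format.
@dataclass(frozen=True)
class TaggedPacket:
    src_ip: str
    dst_ip: str
    src_host: Optional[str]   # None models anonymous (untagged) traffic
    src_user: Optional[str]
    org: Optional[str]
    role: Optional[str]
    dst_host: str
    dst_port: int

# Hypothetical registry binding each identified host to the address it may use.
HOST_ADDRESSES = {
    "ws-017": "10.1.1.17",
    "ws-042": "10.1.1.42",
    "srv-hr": "10.2.0.5",
}

# Hypothetical permissible-use policy: (org, role) -> allowed (dst_host, port).
POLICY = {
    ("finance", "analyst"): {("srv-hr", 443)},
    ("it", "admin"): {("srv-hr", 22), ("srv-hr", 443)},
}

def evaluate(pkt: TaggedPacket, policy=POLICY, hosts=HOST_ADDRESSES):
    """Return (decision, reason); decision is 'allow', 'block' or 'block+alert'."""
    # Packets without identity tags are anonymous: blocked outright, which is
    # what closes the door on covert tunnels inside the enterprise.
    if pkt.src_host is None or pkt.src_user is None:
        return "block", "anonymous traffic"
    # The tagged host identity must match the address bound to it; a mismatch
    # means the source address is spoofed or the host is unknown, so block and alert.
    if hosts.get(pkt.src_host) != pkt.src_ip:
        return "block+alert", "source address does not match host identity"
    # Finally, the flow must fall within the permissible-use policy for the
    # sender's organization and role.
    allowed = policy.get((pkt.org, pkt.role), set())
    if (pkt.dst_host, pkt.dst_port) in allowed:
        return "allow", "within permissible-use policy"
    return "block+alert", "flow not permitted for this organization and role"
```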
The system, when implemented with Centripetal Networks, is easy to reconfigure and scales to the largest of enterprise sizes.
Another source of information is a great talk by David Pisano, network engineer at MITRE captured here on YouTube:
This video is a year old so the concept has only been proven more since then, but still it provides a great overview that will help you better understand how this works. It is also a great articulation of why this type of solution is very important.
Other great references include conference papers and published research hosted by IEEE, including this paper presented at MILCOM 2012 titled “Identity Based Internet Protocol Networking”.