Stealth can protect networks by making parts invisible
- By Paul McCloskey
- Sep 27, 2013
“You can’t hack what you can’t see.”
The phrase has lately become a mantra at Unisys Corp., which is hoping government customers will embrace the logic of a software-based approach to network security that makes network assets and workgroups “invisible” to hackers.
The application, called Stealth, helps control who sees what on a network, by letting managers authorize a group of people for access to certain information, applications or parts of a network that those operating outside of a designated workgroup are unable to see.
“If I’m not a member of that community of interest, I don’t even know it exists,” said Unisys Chief Executive Officer Edward Coleman at a recent customer conference in Chicago.
Based originally on requirements from a Defense Department project, Unisys has been developing Stealth for several years. The company now believes the time is right for customers to embrace the technology, as firewalls and other fixed security tools become more limited in scope while advanced, analytics-based security is still emerging. It could be effective against hackers probing a network and against insider threats.
“I think everyone has concluded that a traditional perimeter defense no longer works,” Coleman said. “In trying to defend different elements of the network by building new firewalls inside the perimeter, change management has become a nightmare.”
Stealth works by loading a software agent at a network endpoint – a designated PC, a server or virtual machine in a cloud, for instance. The software agent takes control of the IP header of that address, then encrypts and authenticates it.
“That essentially darkens the endpoint,” said Rodney Sapp, vice president of products and technology portfolio management at Unisys. “Now no one can see that IP header unless they are authorized into that device, the application.”
Authorizations are set up from Microsoft Active Directory or LDAP, the Lightweight Directory Access Protocol for managing directories over IP. Stealth then creates encryption keys to provide workgroups access to specific devices and applications.
To handle data in motion between endpoints, Stealth encrypts a message bearing the data; the information is then split into pieces, transmitted over the Internet and reassembled at the endpoints. “If someone is able to hack into that transmission they are only getting partial information – it’s going to be meaningless,” Sapp said.
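The mechanism described in the last four paragraphs (community-of-interest authorizations from a directory, an endpoint that answers only traffic authenticated under a key it holds, and an encrypted message split into pieces) can be modelled in a few dozen lines. The block below is an added illustration written for this page; it is not Unisys code and does not claim to reproduce how Stealth actually works. The directory groups, endpoint names, master secret and the HMAC-SHA256-based header tag and keystream are all constructed assumptions, chosen to make the defensive idea concrete: a receiver that holds no key for the sender's community never authenticates the header and returns nothing, and any single captured fragment is shorter than the message it belongs to.

```python
"""Conceptual model of community-of-interest (COI) filtering at an endpoint.

Constructed illustration for this article, not Unisys Stealth's implementation.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for the Active Directory / LDAP groups the article says
# authorizations are drawn from: group name -> identities of member endpoints.
DIRECTORY: Dict[str, set] = {
    "health-services": {"hhs-server", "hhs-laptop-1"},
    "state-police": {"police-server", "police-laptop-1"},
}

# Constructed master secret; a real deployment would keep this in a key manager.
MASTER_SECRET = b"example-master-secret-do-not-use"


def coi_key(group: str, master: bytes = MASTER_SECRET) -> bytes:
    """One symmetric key per community of interest, derived from the master secret."""
    return hmac.new(master, b"coi:" + group.encode(), hashlib.sha256).digest()


def keys_for(endpoint: str) -> Dict[str, bytes]:
    """Keys an endpoint holds: exactly those of the directory groups it belongs to."""
    return {g: coi_key(g) for g, members in DIRECTORY.items() if endpoint in members}


@dataclass
class Packet:
    src: str
    dst: str
    tag: bytes        # MAC over the header fields under a COI key
    nonce: bytes      # per-message nonce for the keystream
    fragment: bytes   # one piece of the encrypted message


def header_tag(key: bytes, src: str, dst: str) -> bytes:
    """Authenticate the (constructed) header fields under a COI key."""
    return hmac.new(key, f"{src}->{dst}".encode(), hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a simple illustrative stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def send(src: str, dst: str, group: str, message: bytes, pieces: int) -> List[Packet]:
    """Sender side: tag the header under the COI key, encrypt, then split into pieces."""
    key = coi_key(group)
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(a ^ b for a, b in zip(message, keystream(key, nonce, len(message))))
    tag = header_tag(key, src, dst)
    size = -(-len(ciphertext) // pieces)  # ceiling division
    frags = [ciphertext[i:i + size] for i in range(0, len(ciphertext), size)]
    return [Packet(src, dst, tag, nonce, f) for f in frags]


def receive(endpoint: str, packets: List[Packet]) -> Optional[bytes]:
    """Receiver side: reassemble only if the header verifies under a key this endpoint holds.

    Any other traffic is dropped silently, so to an unauthorized peer the endpoint
    behaves as if it were not there.
    """
    if not packets:
        return None
    first = packets[0]
    for key in keys_for(endpoint).values():
        if hmac.compare_digest(header_tag(key, first.src, first.dst), first.tag):
            ciphertext = b"".join(p.fragment for p in packets)
            stream = keystream(key, first.nonce, len(ciphertext))
            return bytes(a ^ b for a, b in zip(ciphertext, stream))
    return None


if __name__ == "__main__":
    pkts = send("hhs-laptop-1", "hhs-server", "health-services", b"patient record 42", 3)
    print("authorized endpoint:", receive("hhs-server", pkts))
    print("other community:   ", receive("police-server", pkts))
```

In this model the police server holds a key for its own community and none for health services, so the same packets that the health server decrypts are simply dropped by it; the separation between agencies on a shared infrastructure is enforced by key possession rather than by separate physical networks, which is the claim the article makes for Stealth.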
Because it operates underneath existing topologies, Unisys executives believe the technology is a good fit for large enterprises whose network security perimeters may have become balkanized and where security maintenance may be irregular.
“I’m not here to say it will replace everything,” Sapp said. “But it can help minimize the number of physical networks,” which tend to proliferate when network managers want to add new user groups.
Unisys believes that is especially true in government, where it sees the greatest potential for the technology.
“A typical public-sector environment has multiple agencies – police, human services – all on separate physical networks because they believe their data is too sensitive to put on a shared infrastructure,” Sapp said. “With Stealth you bring all those agencies into a shared infrastructure or community cloud so that health and human services can maintain their separateness from state police and vice versa.”
Unisys envisions a number of ways organizations can use Stealth, including those hesitant to store sensitive data in a public cloud. Recently it announced a deal with Amazon Web Services that provides for “Stealth enabling” virtual services in the Amazon cloud.
In using the service, an agency could extend a virtual machine or other service from its data center to the cloud, where it would also be covered by Stealth. “No one else on the Amazon cloud would see your virtual machine is even there – not even Amazon,” Coleman said.
Crystal Cooper, Unisys’s vice president for public sector, said Stealth is an especially useful tool for government, where, once a contract is written, hundreds of consultants are often using their own laptops to access sensitive information. Because Stealth is based on segmenting networks across such communities, third-party access to project files and databases can be more easily secured and managed, she said.
Other potential applications for Stealth include secure data center segmentation, supply chain management and assistance for managing networks of remote workers and branch offices.
The company also is expected to announce an enhancement that would Stealth-enable the mobile enterprise. Mobility brings the dimension of space and time to the network, so future applications might involve ways to restrict access to the network to members of a community at certain locations or times of the day, according to Unisys officials.
Overall, the firm is optimistic about uptake of the technology, in government and other parts of the enterprise market. “This idea of being able to use software to make something effectively dark on the network we think is pretty disruptive in the marketplace,” said Coleman.
Paul McCloskey is senior editor of GCN. A former editor-in-chief of both GCN and FCW, McCloskey was part of Federal Computer Week's founding editorial staff.