Cloaking Cloud Resources

Cloud initiatives continue to gain traction across every industry and every company, big or small. The administrators of these cloud solutions face new challenges around network addressing and accessibility, all while working out how to protect cloud resources in this new elastic environment.

In our context, the cloud is a set of resources that are ubiquitously available and accessible from the public Internet without the use of a VPN. Cloud resources are expected to be available from anywhere. “From anywhere” means the resources are available from my office, my home and my coffee shop, all via my phone or tablet while I am on a bus, train or plane. Since different access networks and different network providers serve each of these locations, cloud resources must be available from any access network provided by any network provider.

Further complicating this is that most access networks use Network Address Translation (NAT) to translate the temporary, dynamic Internet addressing information given to a laptop, phone or tablet into the addressing information that ultimately appears to the cloud resource. Often, the originator (source) addressing information is translated multiple times before it reaches the cloud resource.

Cloaking is the ability to conceal or cloak the existence of cloud resources in the face of sophisticated port scanning and network reconnaissance cyber attacks. Cloaking is also the ability to identify, authenticate and authorize legitimate users of cloud resources while preventing access to cloud resources by anonymous (unidentified and unauthorized) users. 

Why is cloaking difficult? Cloaking is difficult because TCP, the underlying protocol of HTTP/HTTPS, performs session establishment anonymously. The TCP protocol has no mechanism for communicating identity during session establishment. Specifically, TCP has no mechanism for communicating any user data, including identity credentials, until a session has been established.

A TCP session is considered established after the three-way session establishment handshake (SYN/SYN-ACK/ACK) has been completed. This handshake requires that both ends of the TCP session participate, each sending its respective session establishment information. A network resource must respond to a TCP session establishment request (SYN) in order to establish a TCP session and to provide network resources. It has long been recognized that this same session establishment mechanism is used by port scanning and network reconnaissance tools to locate and probe cloud resources and to determine attack vectors against them.

Our Transport Access Control (TAC) provides unidirectional and bidirectional sender authentication during session establishment. TAC works with the TCP protocol and engages on the First Packet, something that conventional firewalls and intrusion prevention systems are unable to do. First Packet Authentication enables TAC to completely cloak servers, network applications and cloud resources from unauthorized users, hackers and malware. TAC enables fine-grained access control and allows administrators to reduce unwanted traffic on their networks.

TAC has low, deterministic latency that is tolerable by even the most latency- and jitter-sensitive applications, such as voice and video. TAC policy engines can be load balanced for scalability and redundancy. The combination of First Packet Authentication and low latency makes TAC policy engines less intrusive than many other forms of cyber security. TAC does not require re-addressing of cloud resources, nor knowledge of client addresses or access network topology.

Cloud resources are protected by TAC gateways, which perform policy enforcement. A TAC gateway extracts the identity token from the First Packet of a TCP session request, determines the identity it carries, and then applies the policy associated with that identity. Policies include block, forward, or redirect to a different cloud resource. When a session request has no associated identity, it is classified as anonymous and the policy associated with anonymous is applied.
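To make the gateway decision concrete, here is an added example (not BlackRidge's code, and not TAC's actual token encoding, which this page does not describe) that models first-packet policy enforcement. It assumes a constructed scheme: the client places a 12-byte token (4-byte identity id plus an 8-byte truncated HMAC) in a TCP option of kind 253, and the gateway verifies it against a per-identity shared key before choosing block, forward or redirect; anything it cannot verify falls through to the anonymous policy.

```python
import hmac, hashlib, struct, ipaddress
TOKEN_KIND = 253          # experimental TCP option kind carrying the demo token (assumption)
ANONYMOUS_POLICY = "block"
# Constructed identity directory: id -> (name, shared key, policy). Not real data.
IDENTITIES = {
    0x101: ("alice", b"alice-shared-key", "forward"),
    0x102: ("auditor", b"auditor-shared-key", "redirect:read-only-replica"),
}

def token_mac(key, ident, dst_ip, dst_port, seq):
    # MAC covers identity, destination and the SYN's own sequence number, never the source address, so NAT rewriting the source does not invalidate it.
    msg = struct.pack("!I4sHI", ident, ipaddress.IPv4Address(dst_ip).packed, dst_port, seq)
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

def build_syn(src_port, dst_port, seq, token=None):
    """Minimal TCP SYN header (no IP header), optionally carrying a token option."""
    opts = bytes([TOKEN_KIND, 2 + len(token)]) + token if token is not None else b""
    opts += b"\x00" * (-len(opts) % 4)                 # pad options to a 32-bit boundary
    data_off = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, data_off << 4, 0x02, 65535, 0, 0)
    return hdr + opts

def find_token(tcp):
    """Walk the TCP options of a pure SYN and return the token bytes, or None."""
    _, _, _, _, off, flags = struct.unpack("!HHIIBB", tcp[:14])
    if (flags & 0x12) != 0x02:                         # only SYN without ACK is a session request
        return None
    i, end = 20, (off >> 4) * 4
    while i < end and tcp[i] != 0:                     # kind 0 ends the option list
        if tcp[i] == 1:                                # NOP is a single byte
            i += 1
            continue
        kind, length = tcp[i], tcp[i + 1]
        if length < 2:                                 # malformed option; stop parsing
            return None
        if kind == TOKEN_KIND:
            return tcp[i + 2:i + length]
        i += length
    return None

def gateway_decision(dst_ip, tcp):
    """Map a SYN to (identity name, policy); anything unverifiable is anonymous."""
    dst_port, seq = struct.unpack("!HI", tcp[2:8])
    tok = find_token(tcp)
    if tok is not None and len(tok) == 12:
        ident = struct.unpack("!I", tok[:4])[0]
        entry = IDENTITIES.get(ident)
        if entry and hmac.compare_digest(tok[4:], token_mac(entry[1], ident, dst_ip, dst_port, seq)):
            return entry[0], entry[2]
    return "anonymous", ANONYMOUS_POLICY
```

Key distribution and replay protection (for example, remembering recently seen sequence numbers per identity) are omitted here; a SYN without a token, with a token for another destination, or with an unknown identity id all receive the anonymous policy.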

Using BlackRidge’s Transport Access Control (TAC), it is now possible to cloak cloud resources while allowing authenticated and authorized users to access those resources from the public Internet. Cloud resources cloaked by TAC are protected against cyber attacks that rely on unauthorized access, port scans and network reconnaissance. TAC can also be deployed inside a cloud to segment networks, prevent data exfiltration, and stop viruses, malware and rogue applications from calling home or contaminating adjacent networks or clouds.

Interested in cloaking your cloud resources? Contact us.