Byos Platform Technical Deep Dive

This Technical Deep Dive (TDD) White Paper outlines the use of the Byos Platform and its various concepts—Edges, Assets, Policy Groups, and Zones—to help network administrators protect mission-critical network devices and infrastructure. This is achieved through the cloaking of assets with the Byos Secure Edge™, rendering them both unreachable and undiscoverable, while also exerting granular control over the flow of traffic to and from assets within the network. By instituting microsegmentation at the Edge and adopting a “assumed to be compromised” approach, this whitepaper aims to diminish the blast radius of any potential threat, confining its impact zone to just one.

This document is technical in nature is was written for:

Byos initially was founded on the premise that every device that connects to a network is exposed to the network, and there was no protection layer that was not installed on the OS of the Device, or on a large managed network.

After digging into the problem from a business standpoint, there are a number of challenges faced by network administrators in respect to both security and managing a network:

These challenges typically rear their heads as operational inefficiencies in Critical Infrastructure, Manufacturing, Defense and Government, Energy, and Healthcare Networks.

The Byos Platform offers both Operational ROI and reduced security risk for network operators.

This article has been made into a full video demo that can be watched below.

Here is a brief description of the various nomenclature concepts within the Byos Platform:

Watch this video below for a 5-min introduction of the Nomenclature and architecture of the solution.

Starting first with a generic network diagram that represents a conventional network connectivity structure and IP addressing, employing standard non-routable IPs assigned by the ISP Access Point. It incorporates conventional network components, including local and remote PCs, a managed Ethernet Switch, an IP Camera, an ISP-provided Access Point for network access, and a perimeter Firewall.

Byos Secure Edge™ devices are introduced into the network, placed in front of the exposed Assets, effectively positioning them between said Assets and the traditional infrastructure equipment.

The Byos Secure Edge provides all networking and security on behalf of their connected assets:

Byos is a layer of protection that is isolated from the Asset’s OS, which typically can’t support software-based security.

In the Diagram, Two Byos Gateway Edges are deployed within the physical network environment, with one situated in front of the Cell 1 Laptop and another in front of the Cell 2 Laptop, Switch, and Camera. We also connect a Byos Endpoint Edge to one of the Remote Laptops, establishing secure connectivity for a remote worker or contractor.

[insert image]

The Byos Gateway Edges have now received the standard non-routable IP Addresses from the ISPs Access Point, while the Assets being protected, have been assigned new Addresses in the 10.10.2.x and 10.10.4.x IP range.

The first section in the Byos Management Console is the Edges page. Based on the preset page navigation features, there are currently:

Using a filter, the Edge table is only showing the Edges represented in the diagrams above. Take note of:

Visible from this screen is also Byos IP associated with each Edge, the Policy Group governing behavior and the Zone to which it belongs.

The Assets screenshot below shows i) the list of discovered Assets, the Edge they are connected to, the Byos IP, as well as the local or private IP in the popup and exposed ports and protocols.

Looking at the IP Camera and the Ethernet Switch, we can see that they are attached to JLGW-2 as reference in the network diagram above and that they both share the Byos IP 10.20.40.9. Perhaps most importantly, the ports and protocols that the Byos scan found to be exposed can be explicitly seen…TCP 80, 554 and 1935 for the Camera and TCP 22, 80 and 443 for the Switch.

These addresses have been distributed from the Byos Edge devices via the Policy Group governing each Edge within the Byos environment. From a networking perspective, all devices within a Microsegment, can still speak to each other as if Byos didn’t exist. The Cell 2 Laptop can launch an SSH connection to the Switch or the WebUX of the camera, for example, via the local (Private) IP addresses of the devices.

Check out this Video below for an introduction to Edges and Assets in the Management Console.

In the screenshot below, we see the Policy Groups menu table. After filtering out unrelated Policy Groups, we are left with the 3 Groups governing our 3 Edges and the Assets attached to those Edges. Again, making the correlation to the Network Diagram and comparing to the Edges menu, we can see the Edge // Zone // Internal Network Address of the Microsegment

We can also see the External Network scenario as well as the  number of blocked countries associated with each Policy Group.

Each criterion for the Policy Group can be administered by clicking on the select button to the far right of the screen, and choosing the appropriate menu item. In this example, we chose the Internal Network settings. The Internal Microsegment Network ID is set to 10.10.4.0/24 and has DHCP enabled. This would be where the Cell 2 Laptop, Ethernet Switch and IP Camera get their addresses from.

Check out this short video below on Managing Policy Groups and External Network Settings.

Now that the Byos Edge protection is in place, and the Assets have been cloaked and hidden inside the Microsegment, we add on the Secure Lobby™ Overlay network to add in segmentation and control the flow of information from Asset to Asset.

The Byos Secure Lobby™ Overlay is an Secure Software-Defined Network (SDN) Overlay network, enabling Byos Edges to have secure communications between themselves and the Internet using Layer 2 Tunnels. It provides:

When an Edge is connected to Secure Lobby, it gets assigned a Byos IP Address. The Byos IP is the routable IP address that each Edge (and the Assets protected by the Edge) are reachable within the Overlay from and is determined by the Zone setting. Per the diagram, there are three different Zones, each with different network settings as shown by each Byos IP.

This section the Management Console explored here outlines the Zones of the SL Overlay. In the screenshot below, the 3 Zones represented in the reference Network diagram are shown…Lab-1, Lab-2 and Lab-3. Admins can see the number of Inbound and Outbound connections allowed from other Zones, how many Policy Groups are assigned to each Zone, how many total Edges (and their attached Assets) are in each Zone and the Network ID of each.

Similarly to Policy Groups, each criterion of the Zone settings is configurable through the menu by using the select button to the far right in the table. The Zone Details menu dictates the Zone Network ID…in this case, 10.20.40.0/24…which will assign or distribute the Byos IP to whichever Edge resides in that Zone.

Administrators typically configure the Zones of the Overlay in various different fashions to meet the needs of their operation.

Check out this short video below that explains how Zones work.

To summarize up to this point:

First, while everything is still locked down, we have an example of local Asset to Asset communications, within the Microsegment. From the screen capture below, there is a Windows Machine (Cell 2 Laptop) with an IP address of 10.10.4.197 (via the CMD output), accessing the local IP of the Edge at 10.10.4.1 and the second tab is the Ethernet switch accessible at 10.10.4.47.

The next two screenshots below, depict first a MacBook Pro (Remote laptop) accessing the dashboard of its local Edge (JLEE-1) via 10.10.3.1 and second, an attempt to reach the Ethernet Switch via its local IP of 10.10.4.47.

By logging into the Management Console, navigating to the Assets page again, it can be seen that all of the exposed Ports and Protocols of the Switch are grey, meaning they are not enabled to be accessible in Secure Lobby, thus blocked by Byos and the Console of the Switch not loading in the browser.

In order to access the switch from outside the Microsegment, Port 443 TCP needs to be opened for the Switch, so that it can communicate with the Overlay.

Now when trying to access the Switch remotely, the Byos IP address is used and the Byos Secure Edge decides if my request for access to the Asset, and ultimately the resource, is allowed.

Looking at the screenshot above, the Remote Laptop has accessed the Asset via 10.20.40.9 which in turn has forwarded that specific resource request directly to TCP port 443. This sort of granular resource access is then carried out, throughout the environment, limiting and controlling traffic on a contextual basis.

As another example, the screenshot below shows an attempt by the Switch to access a resource on the internet. But due to the routing rule set by the external network settings in the Policy Group governing Lab-2 Zone, no internet traffic may be initiated from inside the microsegment.

In summary, this article has outlined how the Byos platform uses the combination of the Byos Secure Edges and the Byos Secure Lobby™ Overlay to establish communications between Assets on different physical networks, without packet leakage or device exposure. The Byos offers many different protections across the OSI layers 1-5, making it an innovative solution for secure networking in complex multi-site environments.

Check out this short video below to see the Byos solution working End to End.