Byos Platform Technical Deep Dive
A Technical Deep Dive of the Byos Platform
Introduction
This Technical Deep Dive (TDD) White Paper outlines the use of the Byos Platform and its various concepts (Edges, Assets, Policy Groups, and Zones) to help network administrators protect mission-critical network devices and infrastructure. This is achieved by cloaking assets with the Byos Secure Edge™, rendering them both unreachable and undiscoverable, while also exerting granular control over the flow of traffic to and from assets within the network. By instituting microsegmentation at the Edge and adopting an “assumed to be compromised” approach, the aim is to diminish the blast radius of any potential threat, confining its impact zone to just one.
This document is technical in nature and was written for:
- CISO/CIOs
- OT practitioners - Controls Engineers, etc.
- IT practitioners - Network Engineer, IT Security Engineer, etc.
Why was Byos created?
Byos was founded on the premise that every device that connects to a network is exposed to that network, and that no protection layer existed which was not either installed on the device's OS or deployed across a large managed network.
After digging into the problem from a business standpoint, a number of challenges faced by network administrators, with respect to both security and managing a network, became apparent:
- Complete isolation / air-gapping of assets within networks is expensive and does not scale: it requires physical access to service endpoints, large travel budgets, and longer-than-acceptable outages.
- Traditional segmentation provided by Firewalls, DMZs, or VLANs fails to contain attacks; attackers easily navigate private segments, bypassing these perimeter protections.
- Since software-based protections run under the Asset’s Operating System, they can be bypassed during an attack. Additionally, solutions like SASE or VPNs cannot protect legacy or unmanaged systems.
These challenges typically rear their heads as operational inefficiencies in Critical Infrastructure, Manufacturing, Defense and Government, Energy, and Healthcare networks:
- Collecting data from machines is a time-consuming, manual process
- Remote troubleshooting and maintenance of assets is disparate and insecure
The Byos Platform offers both Operational ROI and reduced security risk for network operators.
Full Demo
This article has been made into a full video demo that can be watched below.
Byos Microsegmentation Platform Overview
Platform Nomenclature
Here is a brief description of the various nomenclature concepts within the Byos Platform:
- Edges: the physical delivery mechanism for the Byos security solution. The Edge discovers the Asset(s) attached to it and, by default, blocks access to any exposed ports and protocols that would otherwise present a vulnerability.
- Assets: devices on the network that communicate with each other in the course of performing tasks, contributing to processes, and delivering information.
- Policy Groups: how Edges are grouped and how their access and restrictions are administered. Each group contains both internal (microsegment) and external (Overlay Zone) network settings, as well as filters for geofencing.
- Zones: the Layer 3 segmentation within the Byos Overlay network. Edges are placed into Zones via their Policy Groups, and this segmentation allows for finer-grained control of traffic distribution.
Watch the video below for a 5-minute introduction to the nomenclature and architecture of the solution.
Base Network Diagram
We start with a generic network diagram that represents a conventional network connectivity structure and IP addressing, using standard non-routable IPs assigned by the ISP Access Point. It incorporates conventional network components: local and remote PCs, a managed Ethernet Switch, an IP Camera, an ISP-provided Access Point for network access, and a perimeter Firewall.
Byos Secure Edge Technology
Byos Secure Edge™ devices are introduced into the network and placed in front of the exposed Assets, positioning them between those Assets and the traditional infrastructure equipment.
The Byos Secure Edge provides all networking and security on behalf of its connected Assets:
- Inbound protection from malicious networking attacks
- “First-hop” protection across OSI Layers 1-5 through Hardware-enforced Isolation
- Obfuscating the protected endpoint to become effectively invisible on the network
- Outbound traffic protection and control
- Network Access Control (NAC)
- Route enforcement
- Traffic anonymization through layer 4+ data encapsulation and exit node enforcement
Byos is a layer of protection that is isolated from the Asset’s OS, which typically can’t support software-based security.
In the diagram, two Byos Gateway Edges are deployed within the physical network environment: one in front of the Cell 1 Laptop and another in front of the Cell 2 Laptop, Switch, and Camera. We also connect a Byos Endpoint Edge to one of the Remote Laptops, establishing secure connectivity for a remote worker or contractor.
The Byos Gateway Edges have now received the standard non-routable IP addresses from the ISP's Access Point, while the Assets being protected have been assigned new addresses in the 10.10.2.x and 10.10.4.x ranges.
The first section in the Byos Management Console is the Edges page. Based on the summary counters shown at the top of the page, there are currently:
- 39 Edges total in this Instance
- 7 Edges online
- 6 connected to Secure Lobby (the Overlay)
- 23 Activated, meaning that 16 Edges in the fleet are yet to be activated.
Using a filter, the Edge table shows only the Edges represented in the diagrams above. Take note of:
- JLEE-1 which is attached to the remote laptop
- JLGW-1 which is attached to Cell 1 Laptop
- JLGW-2 which is attached to Cell 2 Laptop, the Ethernet Switch, and IP Camera.
Also visible on this screen are the Byos IP associated with each Edge, the Policy Group governing its behavior, and the Zone to which it belongs.
Assets
The Assets screenshot below shows the list of discovered Assets, the Edge each is connected to, its Byos IP, the local (private) IP shown in the popup, and the exposed ports and protocols.
Looking at the IP Camera and the Ethernet Switch, we can see that they are attached to JLGW-2, as referenced in the network diagram above, and that they both share the Byos IP 10.20.40.9. Perhaps most importantly, the ports and protocols that the Byos scan found to be exposed are explicitly listed: TCP 80, 554 and 1935 for the Camera and TCP 22, 80 and 443 for the Switch.
These addresses have been distributed by the Byos Edge devices according to the Policy Group governing each Edge within the Byos environment. From a networking perspective, all devices within a Microsegment can still speak to each other as if Byos didn’t exist. The Cell 2 Laptop can, for example, open an SSH connection to the Switch or the web UI of the Camera via the devices' local (private) IP addresses.
Watch the video below for an introduction to Edges and Assets in the Management Console.
Policy Groups
In the screenshot below, we see the Policy Groups table. After filtering out unrelated Policy Groups, we are left with the 3 Groups governing our 3 Edges and the Assets attached to those Edges. Again correlating with the network diagram and comparing with the Edges menu, we can see the Edge // Zone // Internal Network Address of each Microsegment:
- Edge Jim-Lab-A // Lab-1 Zone // 10.10.2.0/24
- Edge Jim-Lab-B // Lab-2 Zone // 10.10.3.0/24
- Edge Jim-Lab-C // Lab-3 Zone // 10.10.4.0/24
We can also see the External Network scenario and the number of blocked countries associated with each Policy Group.
Each criterion of a Policy Group can be administered by clicking the select button at the far right of the screen and choosing the appropriate menu item. In this example, we chose the Internal Network settings. The Internal Microsegment Network ID is set to 10.10.4.0/24 with DHCP enabled; this is where the Cell 2 Laptop, Ethernet Switch and IP Camera get their addresses.
Check out this short video below on Managing Policy Groups and External Network Settings.
Byos Secure Lobby Overlay
Now that the Byos Edge protection is in place and the Assets have been cloaked inside their Microsegments, we add the Secure Lobby™ Overlay network to provide segmentation and control the flow of information from Asset to Asset.
The Byos Secure Lobby™ Overlay is a secure Software-Defined Network (SDN) overlay that enables Byos Edges to communicate securely with each other and with the Internet using Layer 2 tunnels. It provides:
- Secure remote access without endpoint exposure or packet leakage
- Policy-driven Layer 2, 3, and 4 access control per microsegment
- Invisibility to both the Local Network and the Internet
When an Edge is connected to Secure Lobby, it is assigned a Byos IP address. The Byos IP is the routable address at which each Edge (and the Assets it protects) is reachable within the Overlay; it is determined by the Zone setting. Per the diagram, there are three different Zones, each with different network settings, as shown by each Byos IP.
Zones
This section of the Management Console covers the Zones of the Secure Lobby (SL) Overlay. In the screenshot below, the 3 Zones represented in the reference network diagram are shown: Lab-1, Lab-2 and Lab-3. Admins can see the number of inbound and outbound connections allowed from other Zones, how many Policy Groups are assigned to each Zone, how many Edges (and their attached Assets) are in each Zone, and the Network ID of each.
As with Policy Groups, each criterion of the Zone settings is configurable through the menu reached via the select button at the far right of the table. The Zone Details menu sets the Zone Network ID (in this case, 10.20.40.0/24), from which the Byos IP is assigned to whichever Edge resides in that Zone.
Administrators typically configure the Zones of the Overlay in different ways to meet the needs of their operation:
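The relationship just described (a routable Byos IP taken from the Zone's Network ID, local Asset addresses taken from the Policy Group's internal microsegment network) is easy to get wrong when the two address spaces are planned separately. The following is an added example, not Byos code: it models that relationship and checks that no Zone network overlaps a microsegment network, since an overlap would make a Byos IP ambiguous with a local IP. The three microsegment networks, the Zone names and the Zone network 10.20.40.0/24 come from the page (10.20.40.0/24 is placed under Lab-3 here because JLGW-2's Assets carry Byos IP 10.20.40.9 and live in 10.10.4.0/24); the other two Zone networks, the Edge-to-Policy-Group assignment and the sequential allocator are assumptions.

```python
import ipaddress
from typing import Dict, List

# Zone Network IDs of the Secure Lobby overlay. 10.20.40.0/24 is the value
# shown on the page; the Lab-1 and Lab-2 networks are constructed.
ZONES = {"Lab-1": "10.20.38.0/24", "Lab-2": "10.20.39.0/24", "Lab-3": "10.20.40.0/24"}

# Policy Groups from the page: the Zone each places its Edges in and the
# internal microsegment network from which its Assets get local addresses.
POLICY_GROUPS = {
    "Jim-Lab-A": {"zone": "Lab-1", "internal": "10.10.2.0/24"},
    "Jim-Lab-B": {"zone": "Lab-2", "internal": "10.10.3.0/24"},
    "Jim-Lab-C": {"zone": "Lab-3", "internal": "10.10.4.0/24"},
}

# Edge -> Policy Group (assumed assignment, consistent with the diagrams).
EDGES = {"JLGW-1": "Jim-Lab-A", "JLEE-1": "Jim-Lab-B", "JLGW-2": "Jim-Lab-C"}


def validate_plan(zones: Dict[str, str], policy_groups: Dict[str, dict]) -> List[str]:
    """List problems with the address plan (an empty list means it is consistent).

    A Byos IP and a local IP must never be ambiguous, so every Zone network and
    every microsegment network has to be disjoint from all the others."""
    nets = [("Zone", n, ipaddress.ip_network(c)) for n, c in zones.items()]
    nets += [("microsegment", n, ipaddress.ip_network(pg["internal"]))
             for n, pg in policy_groups.items()]
    problems = []
    for i, (kind1, name1, net1) in enumerate(nets):
        for kind2, name2, net2 in nets[i + 1:]:
            if net1.overlaps(net2):
                problems.append(f"{kind1} {name1} {net1} overlaps {kind2} {name2} {net2}")
    for name, pg in policy_groups.items():
        if pg["zone"] not in zones:
            problems.append(f"Policy Group {name} references unknown Zone {pg['zone']}")
    return problems


def allocate(zones, policy_groups, edges) -> Dict[str, dict]:
    """Give each Edge a Byos IP from its Zone and the first host of its
    microsegment as the local gateway its Assets talk to (10.10.4.1 on the page).
    Sequential allocation is a stand-in; the page does not describe Byos's own."""
    free_hosts = {z: ipaddress.ip_network(c).hosts() for z, c in zones.items()}
    plan = {}
    for edge, pg_name in edges.items():
        pg = policy_groups[pg_name]
        internal = ipaddress.ip_network(pg["internal"])
        plan[edge] = {
            "zone": pg["zone"],
            "byos_ip": str(next(free_hosts[pg["zone"]])),
            "microsegment": str(internal),
            "local_gateway": str(next(internal.hosts())),
        }
    return plan


if __name__ == "__main__":
    for problem in validate_plan(ZONES, POLICY_GROUPS):
        print("PLAN ERROR:", problem)
    for edge, entry in allocate(ZONES, POLICY_GROUPS, EDGES).items():
        print(edge, entry)
```

Running the script with the plan above reports no errors; changing any Zone network so that it falls inside a microsegment (or vice versa) produces one overlap line per colliding pair, which is the check worth running before a Zone Network ID is saved in the console.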
- Per Physical location (Geographically or within a Building)
- Per Manufacturing Process/Function
- Per Asset Vendor Type
Check out this short video below that explains how Zones work.
End to End Secure Remote Access
To summarize up to this point:
- A generic network structure was initially depicted, where all Assets had predominantly unrestricted access to each other and other internal and external resources.
- By introducing Byos Secure Edges positioned in front of the Assets, the Assets became cloaked, protected, and Byos facilitated communication on behalf of these Assets in a secure way.
- Open/exposed resources (ports and protocols) for each Asset were discovered by the Byos Edge, and access to them was subsequently restricted for any other Asset or resource outside each Microsegment.
- Following this, the Byos Secure Lobby Overlay network was implemented, so that Assets could be accessed easily through the Overlay, without direct exposure to the Local Network, nor the Internet.
Accessing Assets through the Overlay
First, while everything is still locked down, here is an example of local Asset-to-Asset communication within the Microsegment. In the screen capture below, a Windows machine (the Cell 2 Laptop) with an IP address of 10.10.4.197 (per the CMD output) accesses the local IP of the Edge at 10.10.4.1; the second tab shows the Ethernet Switch, accessible at 10.10.4.47.
The next two screenshots depict, first, a MacBook Pro (the Remote Laptop) accessing the dashboard of its local Edge (JLEE-1) via 10.10.3.1 and, second, an attempt to reach the Ethernet Switch via its local IP of 10.10.4.47.
Logging into the Management Console and navigating to the Assets page again, it can be seen that all of the exposed ports and protocols of the Switch are grey, meaning they are not enabled for access through Secure Lobby. Byos therefore blocks them, which is why the Switch's console does not load in the browser.
In order to access the Switch from outside the Microsegment, TCP port 443 needs to be opened for the Switch so that it can be reached through the Overlay.
Now, when accessing the Switch remotely, the Byos IP address is used, and the Byos Secure Edge decides whether the request for access to the Asset, and ultimately the resource, is allowed.
Looking at the screenshot above, the Remote Laptop has accessed the Asset via 10.20.40.9, and the Edge has forwarded that specific resource request directly to TCP port 443. This sort of granular resource access is then carried out throughout the environment, limiting and controlling traffic on a contextual basis.
As another example, the screenshot below shows an attempt by the Switch to access a resource on the Internet. Due to the routing rule set by the External Network settings in the Policy Group governing the Lab-2 Zone, no Internet traffic may be initiated from inside the Microsegment.
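The walk-through above shows four distinct outcomes: unrestricted traffic inside a Microsegment, a private IP that is unreachable from outside it, a Byos IP whose resource is forwarded only when the port has been enabled for Secure Lobby, and Internet egress blocked by the Policy Group. The following is an added example, not Byos code, that models those decisions in the order described so the behaviour can be reasoned about offline. Edge and Zone names, the 10.10.4.0/24 microsegment, Byos IP 10.20.40.9, the Switch at 10.10.4.47, the Cell 2 Laptop at 10.10.4.197 and the scanned ports come from the page; the Camera's and Remote Laptop's local IPs, JLEE-1's Byos IP, the Zone inbound allow-list and the rule ordering are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Resource = Tuple[str, int]  # (protocol, port), e.g. ("tcp", 443)


@dataclass
class Asset:
    name: str
    local_ip: str           # private IP inside the microsegment
    exposed: Set[Resource]  # what the Edge's scan found open on the Asset
    enabled: Set[Resource]  # the subset an admin enabled for Secure Lobby


@dataclass
class Edge:
    name: str
    zone: str
    microsegment: str       # Policy Group internal network (CIDR)
    byos_ip: str            # routable address in the Secure Lobby overlay
    assets: List[Asset]
    internet_egress: bool   # Policy Group External Network setting


# From the page: Edge and Zone names, 10.10.4.0/24, Byos IP 10.20.40.9, the
# Switch at 10.10.4.47, Cell 2 Laptop at 10.10.4.197 and the scanned ports.
# Constructed: Camera and Remote Laptop local IPs, JLEE-1's Byos IP, and
# 10.10.3.0/24 as JLEE-1's microsegment (its Edge dashboard is 10.10.3.1).
EDGES = [
    Edge("JLGW-2", "Lab-3", "10.10.4.0/24", "10.20.40.9", [
        Asset("Ethernet Switch", "10.10.4.47",
              {("tcp", 22), ("tcp", 80), ("tcp", 443)}, {("tcp", 443)}),
        Asset("IP Camera", "10.10.4.50",
              {("tcp", 80), ("tcp", 554), ("tcp", 1935)}, set()),
        Asset("Cell 2 Laptop", "10.10.4.197", set(), set()),
    ], internet_egress=False),
    Edge("JLEE-1", "Lab-2", "10.10.3.0/24", "10.20.41.5", [
        Asset("Remote Laptop", "10.10.3.10", set(), set()),
    ], internet_egress=True),
]

# Zone-level inbound allow-list (assumed): destination Zone -> source Zones
# permitted in. Edges in the same Zone are assumed to reach each other.
ZONE_INBOUND: Dict[str, Set[str]] = {"Lab-3": {"Lab-2"}, "Lab-2": set()}


def edge_of(name: str, edges: List[Edge] = EDGES) -> Edge:
    return next(e for e in edges if e.name == name)


def decide(src_edge: Edge, dst_ip: str, proto: str, port: int,
           edges: List[Edge] = EDGES,
           zone_inbound: Dict[str, Set[str]] = ZONE_INBOUND) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for a flow from src_edge's microsegment."""
    ip = ipaddress.ip_address(dst_ip)

    # 1. Inside the source's own microsegment nothing is filtered: Assets
    #    behind one Edge talk to each other as if Byos were not there.
    if ip in ipaddress.ip_network(src_edge.microsegment):
        return "allow", f"local traffic inside {src_edge.microsegment}"

    # 2. Private addresses of another microsegment are not routable from
    #    outside it, so the Asset stays cloaked.
    for e in edges:
        if e is not src_edge and ip in ipaddress.ip_network(e.microsegment):
            return "deny", f"{dst_ip} is a private address behind {e.name}; unreachable"

    # 3. A Byos IP: apply the Zone rule, then the per-resource rule. Only a
    #    port explicitly enabled for Secure Lobby is forwarded to its Asset.
    dst_edge = next((e for e in edges if e.byos_ip == dst_ip), None)
    if dst_edge is not None:
        if (src_edge.zone != dst_edge.zone
                and src_edge.zone not in zone_inbound.get(dst_edge.zone, set())):
            return "deny", f"Zone {dst_edge.zone} accepts no inbound from {src_edge.zone}"
        for asset in dst_edge.assets:
            if (proto, port) in asset.enabled:
                return "allow", f"forwarded to {asset.name} {asset.local_ip}:{port}/{proto}"
        return "deny", f"{proto}/{port} not enabled for Secure Lobby on {dst_edge.name}"

    # 4. Anything else is external; the Policy Group's External Network setting
    #    decides whether the microsegment may initiate Internet traffic at all.
    if not src_edge.internet_egress:
        return "deny", f"Internet egress disabled by {src_edge.name}'s Policy Group"
    return "allow", "Internet egress permitted"


if __name__ == "__main__":
    remote, cell2 = edge_of("JLEE-1"), edge_of("JLGW-2")
    for src, dst, port in [(cell2, "10.10.4.47", 22),      # local SSH to the Switch
                           (remote, "10.10.4.47", 443),    # Switch's private IP: cloaked
                           (remote, "10.20.40.9", 443),    # via Byos IP, enabled port
                           (remote, "10.20.40.9", 80),     # exposed but not enabled
                           (cell2, "203.0.113.10", 443)]:  # Internet from the microsegment
        print(f"{src.name} -> {dst}:{port}/tcp", decide(src, dst, "tcp", port))
```

The point of the ordering is that the `exposed` set never grants access by itself: port 80 is open on both the Switch and the Camera, yet a request to 10.20.40.9:80 is denied until an admin moves that resource into `enabled`. Keeping the two sets separate is what lets the console show a port as grey (discovered but blocked) rather than silently reachable.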
In summary, this article has outlined how the Byos platform uses the combination of Byos Secure Edges and the Byos Secure Lobby™ Overlay to establish communications between Assets on different physical networks without packet leakage or device exposure. Byos offers many different protections across OSI layers 1-5, making it an innovative solution for secure networking in complex multi-site environments:
- Encrypted Layer 2 tunnelling for traffic protection
- Layer 3 segmentation via Zones inside the protected Byos Secure Lobby overlay
- Granular port and protocol resource access controls at Layers 4 and 5
Check out this short video below to see the Byos solution working End to End.
Last updated on January 11, 2024