A Product Overview of the Byos Secure Gateway Edge
A plug-and-play, Industrial gateway form factor, providing secure connectivity for OT, IoT and IT devices as well as legacy infrastructure.
What does it do?
It makes endpoints invisible on the network through microsegmentation. It physically isolates and protects endpoints from the local network and provides traffic route enforcement.
What problem does it solve?
- It eliminates exposure of unpatched legacy networked devices to internal threats like lateral movement and ransomware, reducing the risk of a severe security incident.
- Helps make remote management more efficient and secure, streamlining operations and saving money on on-site field service & maintenance scheduling
- Helps ICS network owners reduce risk and increase control over 3rd party access
Why was it created?
- Securely prolong the life of OT infrastructure running legacy applications and unsupported OS that are not ready to be retired.
- Connected previously air-gapped devices to the network for more efficient and secure remote maintenance and monitoring.
What are some main differentiating features?
- Non-intrusive deployment to existing network configurations, without having to expose internal devices to the internet.
- Eliminate the use of insecure public static IP addresses for remote access that add exposure risk to the entire corporate network.
- It's plug-and-play, working with any TCP/IP device regardless of age, with nothing to install on the endpoint, making UX simple.
What industries does it serve?
- Manufacturing, Critical Infrastructure, Food&Beverage: Controllers, production equipment, etc.
- Energy/Oil & Gas: refineries, oil fields/rigs, pipelines, etc.
- Healthcare: hospitals, clinics, research facilities
- Retail: Refrigeration and HVAC
- FinTech: POS, ATMs, etc.
What endpoints is it used with?
- ICS endpoints: PLCs, RTUs, HMIs, Industrial PCs, Robotics
- Medical Devices:
- Connected injection devices
- Hospital terminals at nursing workstations
- Patient telemetry devices
- Stationary imaging devices, etc.
- Legacy infrastructure: servers, workstations, etc.
- 1x - 1000Mbps Ethernet port
- 1x - 100Mbps Ethernet port
- 802.11ax Wi-Fi Interface
Reliability and Environmental
- MTTF - > 200,000 hours
- Operation Temperature
- Commercial: 0° to 60° C
- Extended: -20° to 60° C
- Industrial: -40° to 80° C
- Storage Temperature - 40° to 85° C
- Relative Humidity
- 10% to 90% (operation)
- 05% to 95% (storage)
- Dimensions - 112 x 84 x 25 mm
- Enclosure Material - Aluminum
- Cooling - Passive, fanless design
- Weight - 450 grams
- Regulatory - CE, FCC
- EMC - EN 55032/5, EN 61000-6-2, EN 61000-6-3
- Safety - EN/UL/IEC 62368-1
- Supply Voltage - Unregulated 8V to 36V
- Power Consumption - 2W - 7W
How is edge microsegmentation different from standard network segmentation (using Firewalls and VLANs)?
- No single point of attack/control/failure - Byos Edge microsegments are finite in numbers of endpoints residing in each, often 1-to-1 up to a maximum of 7, and all operate independently of each other.
- Physical isolation vs logical isolation - reducing dependence on the endpoint in case of corruption/infection.
- Simplified changes to topologies and configurations - nothing to install on the endpoint, and no changes needed on the network.
- More granular control - able to isolate endpoints from the internet (while maintaining control) to remediate issues, as well as different policies across different microsegments.
- Secure Lobby™ - We facilitate secure remote diagnostics and maintenance to identify, prevent, and recover from abnormal operations or failures, without exposing the network or degrading it’s security.
Do Byos Secure Edge devices create a tunnel between Edges across the LAN?
Each Edge in the Byos network creates the tunnel with our cloud-based control plane, not with each other across the LAN. All traffic is routed centrally through our cloud before reaching any edge. However, we do offer the option of deploying an on-prem control plane with larger rollouts, that way the traffic will still stay inside your perimeter.
Is the Byos Secure Edge doing a Source NAT on the traffic going to the other devices on the internal LAN?
Byos does not allow traffic outside the overlay, because that is the main way to exploit lateral movement to spread the attack surface after a breach. If this is really a need for you, we should discuss the implications before considering enabling that feature for you.
Can the network behind the device be subnetted and firewalled via the Gateway Edge? For example, if I had a Gateway Edge connected to the internet with two devices behind it, a workstation and an HMI. If I allow inbound access to the workstation for a user, can I prevent that user from accessing the HMI from the workstation?
Each edge is technically firewalling and subnetting the edges inside of it’s microsegment, so everything inside the microsegment is visible to each other. If you want to have more granular control, you’ll need to deploy on a 1:1 basis where the HMI and the workstation have their own gateway edge. Then you can restrict traffic on a port/service basis between the edges through our Secure Lobby overlay. As an example, the policy could be that HMI can only be reached over Port 1025 using service X and Workstation only has SSH/22, RDP/3389, and HTTP/80 enabled.
How is Byos different than Airgap.io
Security-wise, what Airgap.io does is gives all the assets a 32 bit mask, which isn't really microsegmentation. By giving everything a 32 bit mask, you are initially forbidding them from communicating with the router directly. It is a poor mans way of "isolating" every asset and a simple way to prevent cross-talk, but it is tedious to manage (and adds latency). On the surface, each asset is in it's own 'network' but are only isolated at Layer 3 - there is no protection at layer 2, and nothing at layer 4. Implementing Airgap.io would still require investments in perimeter network security offerings. Byos protects across Layers 2-4 in a single solution that doesn't require changing how the underlying networking gear on the local network.
Aside from purely security benefits, Airgap.io doesn't provide:
- Wi-Fi capabilities for Legacy networked devices
- Secure, granular, and controlled remote access of assets inside the network
We learned the direct ROI saved by Manufacturers deploying Byos was two fold:
- Removed both PAN VPN and Ewon Cosy Hardware and costs associated (which was used for remote access)
- Saved on wiring costs of installing ethernet and networking gear to plant floor production equipment
How does Byos compare to OT solutions like Claroty and Dragos, and/or Rapid7, Tenable, and Forescout?
- Byos is complementary to threat detection and vulnerability management solutions
- Any customer that has these tools can use them on top of the Byos
How is Byos different than eWon Cosy
The core issue that plagues traditional networking products is that they work as point solutions, increasing the overhead needed to manage them.
The eWon Cosy is no different - it is simply a hardware VPN device that enables remote access into a network.
- To an IT security team, it's but one more thing to layer over all the other security controls, adding a “hole” in the network that they feel like they need to control.
- This is why they mandate opening/closing ports to let 3rd parties in/out when remote access is needed, and not just allowing access.
- In this traditional model, Security is always the objection that will make remotely accessing machines an operational headache.
Byos has taken a different approach - our microsegmentation solution was built as a security solution first - it makes the assets invisible to lateral movement on the network. This satisfies the IT security appetite for hardening their OT environment.
Given Byos’ position at the edge, it controls all ingress/egress traffic for the assets. This means that specific and granular secure remote access is a resulting capability, with the basis of security covered before letting a single packet through. Byos lets Admins control the “who, what, when, and how” of remote access, ensuring that access is only granted to the specific asset inside of the microsegment.
The key difference between generic remote access technologies and what Byos offers is that, once a 3rd-party is granted access, they are never on the underlying network; they are only on the Byos overlay network. The Byos overlay specifies which port and service they can only access, but is Layer 7 IP protocol agnostic. However, Byos ensures the 3rd party does not have visibility to any other asset that might be connected to the facility’s local network.
In addition, the Byos solution maintains “plug-and-play” simplicity on deployment, activation, and management, so that additional networking complexity is avoided altogether. No local networking changes needed, and easy integrations with other TCP/IP based technologies.
How does Byos approach Malware protection?
The beauty of having a protection mechanism that is decoupled from the asset itself, is that no matter what comms the asset tries to establish, the protection mechanism will be able to stop it. BYOS isn't a malware infection prevention tool - we leave that to EDRs and anti-phishing tools. But from a discovery/reconnaissance/lateral movement perspective post-infection we give the attacker no information, making the ROI on attack much less to a point where it becomes uneconomical to continue.
In the case of connecting BYOS to assets that have already been infected before deploying BYOS, those assets are going to try to continue their comms either to C2 or to the rest of the network, BYOS is going to stop it at the edge. It will never reach the network itself. You can do this on BYOS through policy management, geo-blocking, or simply applying specific routing policy rules on the network, to not permit a specific type of traffic from leaving the Edge.
However, way beyond that configuration piece, BYOS by design does not allow lateral movement, network scanning, or any type of discovery traffic to leave the edge, and will not respond (on both WAN and LAN side of the Edge) with any sort of information or intelligence on what the network looks like.
If the Malware is sitting on the asset side then it’s gonna try to get out and talk to other devices, but BYOS is not going to let it happen. BYOS is also not going to give the Malware any sort of information about what devices are out there. If the Malware is inside the Firewall, then it won’t be able to see any valuable information about the network itself because everything is going to be encapsulated and encrypted in the Layer-2 tunnel that BYOS establishes.
Malware at the Cisco layer will see gibberish and won’t be able to do anything with it, and Malware at the asset layer won’t be able to get anything out of BYOS to run its attack. And because BYOS runs decoupled from the asset, without any drivers, agents, or software in it, the compromised asset won't be able to kill/disable the BYOS protection.
Why is Byos a better microsegmentation solution for Securing Critical Infrastructure networks than what exists today?
- Combines many technologies into one easily deployable and ease to use solution
- Built to be secure by design (Security Experts architecting solutions vs. Developers jamming security into software)
- Ease of Deployment and Immediate Time to Value
- No other solution combines both Security and Access in the way Byos does.
- Compatible with all existing threat detection and vulnerability management solutions
Last updated on November 15, 2023