Using Host Identity Protocol to Enable Zero Trust


By Bryan Skene, CTO, Tempered

What is the Host Identity Protocol?

Host Identity Protocol, or HIP, is a host identification technology that provides a method of separating the endpoint identifier and the locator roles of an IP address. HIP works by partitioning and isolating the network into trusted microsegments, providing users with an easy and cost-effective way to secure their network. Essentially, HIP represents a new security networking layer within the OSI stack.

Why does it matter?

The TCP/IP protocol suite was the foundation of the internet and was originally created for connectivity. Unfortunately, it did not include features for security, mobility, or trusted authentication. IP addresses, as used today, have a dual role as locators and identifiers. The issue with IP networking is that it doesn’t truly deliver on both of these roles. While IP networking has successfully handled the billions of nodes on the internet, it has failed miserably with the identity aspect. Some believe this shortcoming is the reason we have a network security industry today.

Organizations, particularly those in the industrial space, should consider network security solutions that utilize HIP. A successful cyberattack on this sector could be catastrophic, as these organizations control critical infrastructure. For example, the Israel Water Authority recently reported a cybersecurity breach that affected six of its facilities. The attack caused a pump to operate continuously at one facility, data loss at another and operating system issues at several other facilities. Honda manufacturing also experienced an attack this June involving ransomware designed to target industrial control system networks. The attack put production on hold, affected the company’s ability to access computer servers and disrupted its manufacturing systems.

Also of concern, networking giant Cisco recently disclosed four critical security flaws in router equipment running its IOS XE and IOS software, as well as three IOS flaws affecting its industrial routers. The CallStranger IoT vulnerability also highlighted the importance of having networks that are invisible to unauthorized users.

All of these incidents serve as a reminder that legacy network security technology is outdated and not built for today’s evolving threat landscape.

Thankfully, using a trust protocol such as HIP can protect your network from unwanted users. The protocol only allows access to a network once a connection has been authenticated and authorized based on its cryptographic identity. Only these authorized endpoints can communicate within an overlay segment, creating a fully isolated, hardened network zone that is operationally much simpler. HIP services also provide software-based policy enforcement, segmentation, cloaking, identity-based routing and IP mobility.
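An added example, not Tempered's or the HIP specification's own code: a minimal Python model of the identity-keyed authorization described above, showing that policy follows the key-derived identifier rather than the IP address. The `OverlaySegment` class, the truncated-hash tag, and the sample keys and addresses are assumptions made for illustration.

```python
import hashlib

def host_identity_tag(public_key):
    # Simplified: RFC 7401 encodes the tag as an ORCHID IPv6 address.
    return hashlib.sha256(public_key).hexdigest()[:32]

class OverlaySegment:
    # Hypothetical policy store: authorization is keyed on identity, never IP.
    def __init__(self):
        self.allowed = set()   # unordered pairs of tags permitted to talk
        self.locators = {}     # tag -> current IP address (locator role)

    def permit(self, tag_a, tag_b):
        self.allowed.add(frozenset((tag_a, tag_b)))

    def update_locator(self, tag, ip):
        # The host moved; its identity and policy entries are untouched.
        self.locators[tag] = ip

    def authorize(self, peer_key, claimed_tag, dst_tag):
        # Assumption: the handshake already proved the peer holds the private
        # key for peer_key; that signature check is outside this example.
        if host_identity_tag(peer_key) != claimed_tag:
            return False       # presented key does not match claimed identity
        return frozenset((claimed_tag, dst_tag)) in self.allowed

    def resolve(self, src_tag, dst_tag):
        # Cloaking: only an authorized peer learns the destination's locator.
        if frozenset((src_tag, dst_tag)) not in self.allowed:
            return None
        return self.locators.get(dst_tag)

def demo():
    # Constructed placeholder keys, not real key material.
    hmi_key, plc_key, rogue_key = b"hmi-pub", b"plc-pub", b"rogue-pub"
    hmi, plc, rogue = map(host_identity_tag, (hmi_key, plc_key, rogue_key))
    seg = OverlaySegment()
    seg.permit(hmi, plc)
    seg.update_locator(plc, "10.0.5.20")
    out = {"hmi": seg.authorize(hmi_key, hmi, plc),
           "spoofed_tag": seg.authorize(rogue_key, hmi, plc),
           "rogue": seg.authorize(rogue_key, rogue, plc),
           "rogue_view": seg.resolve(rogue, plc)}
    seg.update_locator(plc, "192.168.77.9")   # PLC moves to another network
    out["hmi_after_move"] = seg.authorize(hmi_key, hmi, plc)
    out["plc_locator"] = seg.resolve(hmi, plc)
    return out

if __name__ == "__main__":
    print(demo())
```

The permitted pair stays authorized after the locator changes, while a host that claims another host's tag with its own key, or that has no policy entry, is refused and never learns the destination's address.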

How HIP enables zero trust

With an increased number of remote workers, organizations across the industrial space and any other industry touching sensitive data must adopt a zero-trust approach. In doing so, all users, applications, systems and cloud providers must be thoroughly authenticated, even if they have been granted previous access. With every endpoint representing a potential gateway to the network, trust needs to be explicitly granted by the network admin or by a trusted authentication provider.

Today, there are state-of-the-art solutions that provide total invisibility and network security at any scale. The most effective utilize HIP and a variety of technologies that partition and isolate the network into trusted microsegments — and can be deployed as overlays on top of any IP network. The overlay network creates a direct tunnel between the two things you want to connect. These technologies together create a modern, zero-trust approach to network security that minimizes the common flaws we see in legacy products.

Many companies are using temporary stopgaps like VPNs, but these introduce additional complexity and provide less security once the user is connected to the corporate network, precisely because users can see and potentially access things they shouldn’t. By making every device, transaction and user invisible to unauthorized users and devices, you prevent criminals from finding the door, let alone getting in.