How to create truly private connections on the public Internet
Written by Marc Barry
Unbreakable, 2000, directed by M. Night Shyamalan, Touchstone Pictures
Unbreakable was a superhero thriller movie in which a former star football quarterback turned security guard gains the ability to sense criminal acts. In one scene he sees a janitor invading a family home with the line, “I like your house. Can I come in?”
This scene is a terrifyingly accurate metaphor for security on the public Internet.
Connect first, authenticate later.
If we consider that the Internet is a bit like our road networks and the cars and trucks travelling across it are our data packets, then today anybody can get in their car, drive to your house and try to break in. Even without a key they can try the locks, peer through the windows or wait around for an opportunity to enter.
Uninvited parties can approach computer networks and connected systems at will unless precautions are taken, because the Internet functions on the principle of “connect first, authenticate later”.
Universal connectivity embodies the modern Internet, but its open-by-default design forces us all to adopt reactive, time-consuming and error-prone approaches to computer security — effectively requiring us to play a strong defensive game.
This asymmetry between security and connectivity has spawned an entire industry of security companies which, over the last two decades, have flooded the market with solutions and middleboxes that aim to police traffic by building higher walls and digging deeper moats at the edges of our networks.
Next-generation firewalls and VPN servers, no matter how advanced, are still playing a defensive game. Our industry’s collective mindset still assumes that good security requires a good defence, because you’re going to get attacked. Right?
The Shodan.io project shows us just how hard this is to get right. Looking for connectable database servers at the time of writing, we find:
That’s over two million publicly accessible database servers which will gladly greet you with the phrase “Hi, I’m the production database server! Who are you?”.
All of these systems are potential targets for misconfiguration, weaponized exploits, worms, brute force attacks and stolen or weak credentials. Why? Because building private connectivity is still too hard.
For the last twenty years, private networks have largely been a myth.
Every time we open a port on the firewall, or configure a server to accept incoming connections, to build private connectivity, it’s just more of the same, no matter how much security middleware we add.
Enclave is different. It builds end-to-end encrypted and direct (peer-to-peer) connectivity between systems, removing the need for VPN servers in between.
Even when firewalls, VMs, or containers are in between, it just works. In fact, by utilising outbound-only traffic to build connectivity, Enclave allows firewalls on both sides of a connection to remain closed, darkening your systems to the public Internet.
By allowing your firewalls to do their job, Enclave reduces attackable surface area and cloaks applications with invisible network access gates which only materialise when certain trust standards are met, protecting you from discovery, targeting and attack.
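As an added illustration of the two models contrasted in this post, the Python below is a constructed example and not Enclave's code or protocol. It pairs a "connect first" service that greets every packet with the banner quoted earlier against an "authenticate first" access gate that stays silent unless a packet carries a fresh, HMAC-authenticated, single-use token. The token format, the shared key, the 30-second freshness window and the simulated scanner probes are all assumptions made for the demonstration; the point is that a scanner, a probe signed with the wrong key, a stale token and a replayed capture all get no reply from the gate, so there is nothing for them to discover.

```python
"""Connect-first service versus authenticate-first access gate (constructed demo)."""
import hashlib
import hmac
import os
import struct
import time
from typing import Callable, Dict, Optional

# Assumptions for the demo: shared symmetric key and freshness window.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"
FRESHNESS_WINDOW_SECONDS = 30
TOKEN_LENGTH = 8 + 16 + 32  # timestamp || nonce || HMAC-SHA256


def make_token(key: bytes, now: float) -> bytes:
    """Build a token: 8-byte big-endian timestamp, 16-byte random nonce, HMAC over both."""
    ts = struct.pack(">Q", int(now))
    nonce = os.urandom(16)
    mac = hmac.new(key, ts + nonce, hashlib.sha256).digest()
    return ts + nonce + mac


def verify_token(key: bytes, packet: bytes, now: float) -> Optional[bytes]:
    """Return the nonce if the packet is a valid, fresh token; otherwise None."""
    if len(packet) != TOKEN_LENGTH:
        return None
    ts, nonce, mac = packet[:8], packet[8:24], packet[24:]
    expected = hmac.new(key, ts + nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    if abs(now - struct.unpack(">Q", ts)[0]) > FRESHNESS_WINDOW_SECONDS:
        return None  # stale token: outside the freshness window
    return nonce


class ChattyService:
    """Connect-first model: answers any packet with a banner, authenticates later."""
    BANNER = b"Hi, I'm the production database server! Who are you?"

    def __init__(self) -> None:
        self.replies = 0

    def handle(self, packet: bytes) -> Optional[bytes]:
        self.replies += 1
        return self.BANNER


class AccessGate:
    """Authenticate-first model: silent unless the packet carries a valid single-use token."""

    def __init__(self, key: bytes, clock: Callable[[], float] = time.time) -> None:
        self._key = key
        self._clock = clock
        self._seen_nonces = set()  # replay protection within the window
        self.replies = 0
        self.dropped = 0

    def handle(self, packet: bytes) -> Optional[bytes]:
        nonce = verify_token(self._key, packet, self._clock())
        if nonce is None or nonce in self._seen_nonces:
            self.dropped += 1  # no reply at all: nothing to discover or fingerprint
            return None
        self._seen_nonces.add(nonce)
        self.replies += 1
        return b"gate open"


def simulate(now: float = 1_700_000_000.0) -> Dict[str, int]:
    """Send the same constructed traffic to both models and report who replied."""
    chatty = ChattyService()
    gate = AccessGate(SHARED_KEY, clock=lambda: now)

    scanner_probes = [
        b"",                                  # empty probe
        b"GET / HTTP/1.0\r\n\r\n",            # protocol-guessing probe
        os.urandom(TOKEN_LENGTH),             # right length, garbage contents
        make_token(b"wrong-key", now),        # signed with the wrong key
        make_token(SHARED_KEY, now - 600),    # genuine but stale (10 minutes old)
    ]
    legitimate = make_token(SHARED_KEY, now)
    traffic = scanner_probes + [legitimate, legitimate]  # last one is a replay

    for packet in traffic:
        chatty.handle(packet)
        gate.handle(packet)

    return {
        "chatty_replies": chatty.replies,
        "gate_replies": gate.replies,
        "gate_dropped": gate.dropped,
    }


if __name__ == "__main__":
    print(simulate())  # constructed run: chatty answers all 7, gate answers 1 and drops 6
```

The gate never sends anything in the failure path, which is the property the post describes as "darkening" a system: an unauthenticated probe learns nothing, not even that a listener exists. In a real deployment the shared secret would be replaced by per-peer keys and a proper key exchange; the single-use nonce set would also need to be bounded to the freshness window so it cannot grow without limit.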
Secure, micro-segmented connectivity without the hassle of a VPN or ever needing to think about network configuration or look at a firewall again.