If you are ultra paranoid, what could be better than hiding your network traffic in such a way that no one could possibly intercept it? This is what Unisys is offering with its new Stealth appliance, which could make man-in-the-middle attacks and keylogger exploits obsolete, or at least more difficult to mount.
Stealth has been around since 2005, when it was developed exclusively for the Defense Department, which remains one of its largest customers. Several years ago Unisys took it to commercial enterprises and has paid for various independent tests to try to compromise the system, all of which have failed.
This is because Stealth uses four layers of security: each packet is encrypted with AES256, then split into three separate pieces and dispersed across the network, destined for a particular group of users that have to be running its protocols.
To deploy Stealth, you create virtual "communities of interest" that tie two or more PCs together in such a way that they can only communicate with each other. No one else can join in, and no one else can intercept the traffic. A
+ ALSO ON NETWORK WORLD 15 free security tools you should try +
Different PC endpoints can be associated with multiple communities, so your CEO for example can talk to both your finance group and your marketing group, but the members of each group can't see each other's network traffic, server shares, or even ping each other. All of this works on top of whatever directory services you are running, including Active Directory, LDAP or RADIUS.
Stealth uses a special packet driver that sits on top of Layer 2 and is available for a wide collection of both 32 and 64-bit Windows and Linux desktops and servers. Stealth's traffic is still routed by ordinary switches, firewalls and routers without any additional configuration. But the traffic now is hidden from prying eyes, even over the public Internet.
Think of this solution as an overlay to your existing network, essentially hiding your secrets in plain sight.
The XP angle
For those of you concerned about the security of aging Windows XP-only applications, you can hide them with Stealth and only allow access to people who also have the Stealth drivers on their desktops. Everyone else will be locked out, including hackers trying to run XP exploits.
It is an intriguing idea. Unisys markets the product with the tag line, "you can't hack what you can't see," and we have to agree with them. We ran Wireshark's packet analyzer to try to track down the hidden traffic, but were unsuccessful. We did record both source and destination IP addresses on the analyzer, but no other payloads, protocol details or traffic could be decoded. We knew our machines were talking to each other, but not much else about what ports or protocols or applications they were using. It was actually a bit eerie to see the packet traces with such little information.
Stealth ships with a turnkey hardware appliance along with various client licensing options. You also need to set up encryption certificates with Stealth's specialized Windows certificate authority, along with creating the communities of interest. A
We tested Stealth using a collection of pre-set virtual Windows 2008 R2 Servers and Windows 7 desktops, along with a sample XP machine. Unisys set all this up for us, but we spent some time looking over the various configurations to make sure they weren't trying to hide anything.
While the product works as advertised, the configuration screens are somewhat obtuse, and you have a two-step process to save and then commit any of your changes to the Stealth server. All the configuration parameters make extensive use of XML schemas, which could be an issue if you need to do extensive debugging. Unisys is working on a better and clearer interface.
We pulled the network connection on the Stealth server and within a few minutes all communications stopped between two PCs that had been talking to each other over the Stealth encrypted channel. This means you want your Stealth server protected from power and network outages, otherwise you will have your users calling you when it is disconnected.
Another downside is if users have administrative rights to their PCs they could easily or inadvertently turn off the Stealth features, if they know where to look. A much better option is to make use of managed PCs or to provide tighter access rights so that users can't change their configurations so readily.
You also want to make sure that you understand what network resources you are hiding and which ones you might need for non-stealthy activities, such as obtaining DNS lookups or authenticating yourself at login time or running other protocols that don't need the extra protection.
Stealth comes in several packaging options, including a more secure VPN tunnel, a matched pair to extend its encryption to a remote site across the Internet, and versions that can secure remote access via USB keys and mobile phones. The entry-level cost is $30,000 although these options can quickly double this price.
Stealth is an interesting product that might just be a great way to hide from hackers.
Strom is the founding editor-in-chief of Network Computing magazine and has written thousands of magazine articles and two books on various IT and networking topics. His blog can be found at strominator.com and you can follow him on Twitter @dstrom. He lives in St. Louis.
Read more about wide area network in Network World's Wide Area Network section.
This story, "Unisys unveils invisibility cloak for network traffic" was originally published by Network World.