Security technology

The secure difference

Leveraging the layer concept of networking

Today’s network traffic is essentially governed by the internet protocol. IP is part of a protocol stack in which the different aspects of network communication are dealt with in separate layers, and each layer adds functionality to that of the layers below. Mappable onto the OSI 7-layer model, the TCP/IP 5-layer protocol stack describes a hardware, a network interface, an internet, a transport and an application layer. When network data is sent or received at a host, the message traverses the layers; at each of them a header is prepended (on sending) or removed (on receiving) before the datagram is passed to the next layer. Protocols for the different layers can be combined freely, allowing for flexibility in implementation details and varying underlying technologies.

Standard TCP/IP networking contains no security whatsoever. Upon transmission, the TCP/IP messages themselves and all header data can be read, manipulated and abused by everyone down the line. Application-level encryption can protect the message, but data from the packet headers remains visible or can easily be tampered with. Furthermore, proper encryption requires careful configuration; mistakes can be made easily and will compromise the protection.

Data & metadata encryption

Address obfuscation

The open concept of the protocol stack may be the weak spot of networking, but it can also facilitate a solution. At every point in the network, the protocols and the way data are handled can be changed. This is what Circle Networks’ secure switches do to make networking secure by design: in the direct vicinity of the hosts, they repackage and reorganise the datagrams such that they cannot be read or manipulated. Secure switches receive the network frames, strip the frame headers from the IP packets and encrypt the latter. They then attach proxy IP headers with obfuscated address information and forward the now secured frames to the outbound connection.

By doing so at the point where the data enter or leave the network — the access switches or WiFi access points to which all hosts are connected — they also protect data within the local network and thus provide security against lateral movement from compromised hosts.

Network address translation

The legacy format of the proxy IP and frame headers ensures full compatibility with existing networks and the internet. To clients, servers, and third-party switches and routers in between the secure devices, Circle Networks’ switches are normal network devices that support IP and deliver and accept standard frames. There is no need to replace existing infrastructure.

While VPN secures connections at the outer perimeter of the network and does not prevent lateral movement, secure switches build a tunnel for each individual connection and protect the network from the inside.

Improving security while taking the operational burden away

Circle Networks’ secure switches offer a significant improvement over the widely used VPN and application-layer protection solutions:

Automatic key management

  • VPN tunnels are notoriously cumbersome to set up. Distributing security certificates to all participating switches, servers and clients requires great effort and often leads to connections that fail to establish, negatively affecting network availability. Secure switches take care of certificate distribution and tunnel set-up automatically, thus reducing installation costs and improving network availability.
  • VPN tunnels are difficult to set up correctly. Configuration mistakes are easily made and can leave the system vulnerable without the user being aware of the lack of protection. Secure switches are configured automatically and leave no room for mistakes.

Network virtualisation

  • VPN tunnels are typically set up for wide-area connections — leased lines to connect various sites: so-called site-to-site VPNs — and for mobile devices that are operated outside an enterprise network — so-called remote-access VPNs. As such, VPN secures the outer perimeter of the network; hosts on the internal network are not mutually protected. Secure switches build a separate tunnel between each and every point-to-point connection within the local network, thus effectively protecting against lateral movement from compromised hosts within the network.

Data & metadata encryption

  • Application-layer protection — like encrypted email or the secure hypertext transfer protocol (HTTPS) for websites — reveals all transport and network layer information, including the network addresses and open ports of the communicating hosts.

Secure switches create a tunnel at the internet layer, obfuscating the actual host addresses behind it and thus preventing the disclosure of the locations and roles of the various clients and servers.
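The following is an added illustration, not Circle Networks’ code, of the repackaging described under “Address obfuscation” and of the metadata point made here: the entire inner IP packet, real addresses included, is encrypted and authenticated, and only a proxy IPv4 header with stand-in addresses is visible on the wire. The shared key, the HMAC-based keystream cipher, the use of IP protocol number 99 and the addresses are all assumptions made for this example.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# Constructed demo key shared by the two secure switches (an assumption for this example).
SWITCH_KEY = b"\x11" * 32
IPPROTO_PRIVATE_ENC = 99  # IANA "any private encryption scheme"; chosen here as a placeholder

def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (no options, checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

def parse_ipv4(pkt):
    """Return the fields an on-path observer can read from a packet's outermost header."""
    _, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
            "proto": proto, "payload": pkt[20:total]}

def keystream(key, nonce, n):
    """PRF-based keystream (HMAC-SHA256 in counter mode); a stand-in for the switch's cipher."""
    blocks = [hmac.new(key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range(-(-n // 32))]
    return b"".join(blocks)[:n]

def encapsulate(inner_pkt, proxy_src, proxy_dst, key=SWITCH_KEY):
    """Encrypt the whole inner IP packet, headers included, then wrap it in a proxy IPv4 header."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(inner_pkt, keystream(key, nonce, len(inner_pkt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]  # encrypt-then-MAC
    body = nonce + ct + tag
    return ipv4_header(proxy_src, proxy_dst, IPPROTO_PRIVATE_ENC, len(body)) + body

def decapsulate(outer_pkt, key=SWITCH_KEY):
    """Verify the tag, then recover the original inner packet with its real addresses."""
    body = parse_ipv4(outer_pkt)["payload"]
    nonce, ct, tag = body[:12], body[12:-16], body[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, tag):
        raise ValueError("tag mismatch: packet was modified in transit")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))

if __name__ == "__main__":
    inner = ipv4_header("10.0.1.7", "10.0.2.9", 6, 10) + b"GET / HTTP"  # constructed inner packet
    outer = encapsulate(inner, "192.0.2.1", "192.0.2.2")
    print("on the wire:", {k: v for k, v in parse_ipv4(outer).items() if k != "payload"})
    print("inner restored:", decapsulate(outer) == inner)
```

An observer between the two switches sees only the proxy addresses and the encrypted body; a modified packet fails the tag check instead of being forwarded.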