Private and Secure Overlay Networking with Tempered AirWall

17 June 2020
Justin Warren

Tempered has a thing that is really quite nifty indeed, called AirWall.

It sets up a secure networking infrastructure that runs over the top of your existing IP-based network using the Host Identity Protocol (HIP).

It's similar, in some ways, to a circuit-switched telephone network from days of yore, signalled by SS7. Until there's a circuit set up between endpoints, there is no way to contact them. Tempered is the system that manages the circuits for you, like the signalling channel of SS7. Once the connections are set up, the endpoints can communicate over the data channel, securely and privately, because the whole thing uses strong encryption with mutual authentication.
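To make the circuit analogy concrete, here is an added toy model of the three properties the paragraph describes. It is example code written for this post, not Tempered's software and not an implementation of the HIP RFC: endpoints are named by a Host Identity Tag (a hash of their public key), an orchestrator acting as the signalling channel decides which identity pairs may associate, a cut-down I1/R1/I2 exchange is signed by both sides, and the data plane drops anything that does not belong to an established association. The class and function names (`Orchestrator`, `Endpoint`, `host_identity_tag`, and so on) are my own. To stay on the Python standard library, the signature scheme is a hash-based Lamport one-time signature standing in for HIP's RSA/ECDSA host identities, so each host signs exactly once in the demo; the Diffie-Hellman exchange and ESP data encryption of real HIP are omitted.

```python
import hashlib
import hmac
import secrets


def _h(data):
    return hashlib.sha256(data).digest()


def host_identity_tag(pk):
    # Hash of the public key, standing in for HIP's IPv6-shaped Host Identity Tag (toy model).
    return _h(b"".join(x for pair in pk for x in pair)).hex()[:32]


class HostIdentity:
    """Keypair naming a host. Lamport one-time signature: 256 secret pairs, pk = their hashes."""

    def __init__(self):
        self._sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
        self.pk = [[_h(s0), _h(s1)] for s0, s1 in self._sk]
        self.hit = host_identity_tag(self.pk)

    def sign(self, msg):
        bits = int.from_bytes(_h(msg), "big")
        return [self._sk[i][(bits >> (255 - i)) & 1] for i in range(256)]


def verify(pk, msg, sig):
    bits = int.from_bytes(_h(msg), "big")
    return len(sig) == 256 and all(_h(sig[i]) == pk[i][(bits >> (255 - i)) & 1] for i in range(256))


class Orchestrator:
    """The signalling authority: registry of enrolled identities plus the permitted pairs."""

    def __init__(self):
        self.registry = {}    # HIT -> public key
        self.allowed = set()  # frozenset({HIT, HIT})

    def enroll(self, endpoint):
        self.registry[endpoint.identity.hit] = endpoint.identity.pk

    def permit(self, hit_a, hit_b):
        self.allowed.add(frozenset((hit_a, hit_b)))

    def authorised(self, hit_a, hit_b):
        return hit_a in self.registry and hit_b in self.registry and frozenset((hit_a, hit_b)) in self.allowed


class Endpoint:
    def __init__(self, orchestrator):
        self.identity, self.orch = HostIdentity(), orchestrator
        self.associations = {}  # peer HIT -> association id, i.e. the "circuit"
        self._pending = {}      # initiator HIT -> transcript awaiting I2
        self.inbox = []

    # Signalling plane: cut-down I1 / R1 / I2, each side signs the shared transcript.
    def initiate(self, peer):
        i1 = {"src": self.identity.hit, "dst": peer.identity.hit, "nonce": secrets.token_bytes(16)}
        r1 = peer._respond_r1(i1)
        if r1 is None:
            return False  # peer stayed dark: we are not enrolled or not permitted
        transcript = i1["nonce"] + r1["nonce"] + i1["src"].encode() + i1["dst"].encode()
        peer_pk = self.orch.registry.get(peer.identity.hit)
        if peer_pk is None or not verify(peer_pk, transcript, r1["sig"]):
            return False  # responder could not prove it holds the registered identity
        if not peer._respond_i2({"src": self.identity.hit, "sig": self.identity.sign(transcript)}):
            return False
        self.associations[peer.identity.hit] = _h(transcript)
        return True

    def _respond_r1(self, i1):
        if i1["dst"] != self.identity.hit or not self.orch.authorised(i1["src"], self.identity.hit):
            return None  # policy says no: no reply at all, so the host is simply unreachable
        nonce_r = secrets.token_bytes(16)
        transcript = i1["nonce"] + nonce_r + i1["src"].encode() + i1["dst"].encode()
        self._pending[i1["src"]] = transcript
        return {"nonce": nonce_r, "sig": self.identity.sign(transcript)}

    def _respond_i2(self, i2):
        transcript = self._pending.pop(i2["src"], None)
        pk = self.orch.registry.get(i2["src"])
        if transcript is None or pk is None or not verify(pk, transcript, i2["sig"]):
            return False  # initiator could not prove its identity
        self.associations[i2["src"]] = _h(transcript)
        return True

    # Data plane: a packet must carry the id of a live association or it is dropped.
    def send(self, peer, payload):
        assoc = self.associations.get(peer.identity.hit)
        if assoc is None:
            return False  # no circuit yet: nothing is sent
        return peer.receive({"src": self.identity.hit, "assoc": assoc, "payload": payload})

    def receive(self, pkt):
        expected = self.associations.get(pkt["src"])
        if expected is None or not hmac.compare_digest(expected, pkt["assoc"]):
            return False  # not part of an established association: dropped silently
        self.inbox.append(pkt["payload"])
        return True


def demo():
    # Constructed scenario: two enrolled, permitted hosts and a rogue that knows a HIT but is not enrolled.
    orch = Orchestrator()
    alpha, beta, rogue = Endpoint(orch), Endpoint(orch), Endpoint(orch)
    orch.enroll(alpha)
    orch.enroll(beta)
    orch.permit(alpha.identity.hit, beta.identity.hit)
    return {
        "rogue_handshake": rogue.initiate(beta),
        "rogue_inject": beta.receive({"src": rogue.identity.hit, "assoc": bytes(32), "payload": b"x"}),
        "send_before_handshake": alpha.send(beta, b"too early"),
        "handshake": alpha.initiate(beta),
        "send_after_handshake": alpha.send(beta, b"hello over the overlay"),
        "beta_inbox": list(beta.inbox),
    }
```

Running `demo()` shows the ordering the post describes: the rogue's handshake attempt gets no answer, an injected data packet is dropped, and alpha cannot push anything to beta until the orchestrator-authorised, mutually signed exchange has created the association; only then does a payload arrive in beta's inbox.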

Honestly I think something like what Tempered is doing here is the future of networking. The way we've done networking with Ethernet and IP addresses has been quite successful, but we're now starting to ask it to do things it wasn't really designed for. It's a good time to reconsider what we really want to do, and if there isn't maybe a better way to achieve our goals.

My favourite part about Host Identity Protocol is that it isn't trying to start completely from scratch. It's a much more incremental approach to change that is taking a quite focussed view of what the problem is that it's trying to solve, and just doing that. It isn't trying to throw out the entire Internet and start again (hello Internet2). It's trying to carve off a specific thing that isn't working that well, and just make that better, which then makes all the other stuff better as well.

I highly recommend watching the presentation by Ludwin Fuchs, Principal Engineer at Tempered, on the details of how HIP works.

The smartest thing about Tempered's approach is that you can use it with the existing network infrastructure you already have. Requiring massive, wholesale and incompatible change to get the benefits of a new approach sets up huge switching costs. It's incredibly rare for large step changes like that to succeed.

Instead, there needs to be an easy-to-follow pathway from where people are today to the place you want to take them. Each step on that path needs to be relatively close to where you are so that taking that next step isn't too hard. You can call this a barrier-to-entry, a steep learning curve, whatever your favoured term is; they all refer to the same general idea.

Keeping all the stuff you already know and enjoy while gaining new benefits means you also don't have to come up against people's tendency towards loss aversion. Most people hate to lose more than they like to gain, and change involves the risk of loss.

The fact that you can add Tempered's AirWall product into your existing network and get the benefits of this secured overlay network without losing all the functionality of the underlying network is a really good thing. It means you can add it into the mix for a special project that's low risk and high benefit, and it won't really bother anyone else. Then, assuming it works, you've got a nice demonstration of success that you can use to entice other people to take the gentle walk over to your demonstrably better place at a pace and a time of their choosing.

Done right, this approach has people asking to come over and join the cool kids rather than senior management trying to enforce a global company change that will be resisted by all the existing systems that have grown up in the environment today. Those systems are stable, and being stable means resisting attempts to change them.

Check out the Tempered demo video to see AirWall in action and you'll see what I mean. They've done a really nice job of abstracting away the complexity of what's happening so you can concentrate on the functionality you want to achieve.

I really hope HIP succeeds.
