Aunigma Technology Motivation
Most network communication technologies in use today are multiple revisions of, and add-ons to, networking protocols developed 20 or more years ago as part of the Open Systems Interconnect (OSI) model. The inefficiencies, complexities and insecurities of many components of the Transmission Control Protocol/Internet Protocol (TCP/IP) suite at OSI Layer 3 and above (e.g. DNS, NAT, PKI, IKE, SSL/TLS, etc.) are well known, yet we still rely on them.
Today’s legacy security solutions cannot defend against a growing adversarial landscape armed with on-demand attack resources that easily uncover and penetrate even the smallest of Information Technology system weaknesses. Additionally, these outdated protocols are unable to keep pace with the extension of communications and computing beyond the perimeter.
To overcome these problems, Aunigma Network Solutions Corporation was founded to develop a highly advanced, ultra-secure suite of holistically integrated technologies named ANS FabriX®. Aunigma’s ANS FabriX suite brings out-of-the-box thinking to a host of network and communication weaknesses, combining its technologies as building blocks to establish an ultra-secure foundation.
Focusing on the TCP/IP suite’s most significant and prolific security threat vectors (i.e. intrusion, MITM, DoS/DDoS/APDoS and system/server/service hopping), these game-changing technologies enhance a number of the OSI layers’ functions and facilitate them in unique ways. ANS FabriX operates on OSI layers 2, 3, and 4 to establish securely authenticated and invisible communication zones (segments) named ANS Security Zones™.
Aunigma has developed these core mechanisms to form its ANS Dynamic Adaptive Darknet™ defenses within the ANS Security Zones using a combination of ANS PacketLok® and ANS Secure Frame Layer (SFL)™. ANS FabriX communications use ANS PacketLok as the primary transport authentication method; it applies a stateless and transparent one-time filter (OTF) value technique that provides private and vector-less connectivity.
ANS Secure Frame Layer is the ANS FabriX packet transport technology. It uses the ANS PacketLok protocol and dynamically encrypts packets with a symmetric block one-time pad (OTP) for ultra-secure and unspoofable communications.
Aunigma employs all of these technologies to construct a “real-time” software defined security “control/administration layer” that orchestrates drop-in dynamic machine-to-machine (M2M) authentication with protection from current and future threats as its ANS FabriX offering.
ANS FabriX Technology Overview
ANS FabriX suite of technologies is Aunigma’s real-time, high availability, software defined, node-based security and networking platform. ANS FabriX suite incorporates ANS PacketLok, ANS Secure Frame Layer and several other cutting-edge security and network/data transport features and functions:
- real-time adaptive and sustainable communication detection and defense,
- granular and flexible access control integration within dynamic polymorphic segmentation, and
- real-time topology visibility through advanced event logging with near-zero false-positive alert notification for each ANS FabriX node.
ANS FabriX current suite of highly advanced technologies offers a blend of ultra-secure functional solutions:
- ANS PacketLok
- ANS Secure Frame Layer (SFL)
- ANS Security Zones
- ANS Dynamic Adaptive Darknet
ANS FabriX operates within, conforms to, supports, or exceeds common flexible or open framework functionalities and requirements defined in current and evolving standards. This includes but is not limited to: NIST, ISO, ETSI/TIA, CSA SDP, SDN/ NFV, ONF, OpenStack and others. These standards cover legacy infrastructure and emerging Software Defined (SD) topologies such as: NFV/VNF, SDP, SDDC, SDLAN, and SD-WAN.
The ANS FabriX technology suite brings to the enterprise network real-time, dynamic operations and feedback, adaptive behavior, and an enigmatic mode of communications (aka ANS Dynamic Adaptive Darknet) within ANS Security Zones, for unprecedented operational protection, agility and capability.
ANS PacketLok patented technology is a base packet management technology that provides a number of (in memory) core processes used by virtually all other components within the ANS FabriX administration ecosystem:
- Every transmitted packet contains a computationally transparent one-time filter (OTF) pad value that is a dynamic pseudo identity for ultra-secure lossless connectivity.
- Supports ANS FabriX Dynamic Firewall Control whereby packets with valid authentic filter values are passed while all non-authenticated packets are dropped statelessly.
- Enables stateless dynamic whitelisting using automated port administration, which also resists all packet flood attacks by statelessly dropping unauthenticated packets before CPU processing.
The PacketLok technology establishes a stateless presence because it neither replies to, nor creates a firewall state or CPU session for, any packet or request from an endpoint. This attribute is the essence of a stealthy or invisible endpoint: by eliminating the attack vector, it mitigates flood attacks (DoS/DDoS/APDoS), intrusion, and authentication manipulation for every packet.
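The behaviour described above (every packet carries a per-packet authentication value; packets without a valid value are dropped with no reply and no session) can be illustrated with a generic keyed-tag filter. The following is an added example written for this page, not Aunigma's code and not a description of how PacketLok actually computes its OTF values. It assumes a pre-shared 32-byte key, a truncated HMAC-SHA256 tag over a never-reused packet counter plus payload, and a small anti-replay window on the receiver (the window is the one piece of state this example keeps; everything else is per-packet and silent).

```python
import hashlib
import hmac
import struct

COUNTER_LEN = 8   # big-endian per-packet counter, never reused under one key
TAG_LEN = 16      # truncated HMAC-SHA256 tag carried in every packet

# Constructed demo key (assumption); a real deployment provisions keys out of band.
DEMO_KEY = bytes(range(32))


def make_packet(key: bytes, counter: int, payload: bytes) -> bytes:
    """Sender side: prepend a fresh counter and a tag over counter + payload."""
    header = struct.pack(">Q", counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag + payload


class IngressFilter:
    """Receiver-side filter that accepts only packets carrying a valid tag.

    Unauthenticated packets are dropped silently: no reply is sent and no
    session is created, so a probe gets no signal that the service exists.
    The anti-replay window is the only state kept (an assumption of this example).
    """

    def __init__(self, key: bytes, window: int = 64):
        self.key = key
        self.window = window
        self.highest = -1      # highest counter accepted so far
        self.seen = set()      # counters accepted inside the current window
        self.dropped = 0       # count only; nothing is ever sent back

    def _drop(self):
        self.dropped += 1
        return None

    def accept(self, packet: bytes):
        """Return the payload if the packet authenticates, else None (dropped)."""
        if len(packet) < COUNTER_LEN + TAG_LEN:
            return self._drop()
        header = packet[:COUNTER_LEN]
        tag = packet[COUNTER_LEN:COUNTER_LEN + TAG_LEN]
        payload = packet[COUNTER_LEN + TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time compare so the tag check does not leak via timing.
        if not hmac.compare_digest(tag, expected):
            return self._drop()
        counter = struct.unpack(">Q", header)[0]
        # Replay check: reject counters that fell out of the window or were already used.
        if counter <= self.highest - self.window or counter in self.seen:
            return self._drop()
        self.seen.add(counter)
        if counter > self.highest:
            self.highest = counter
            self.seen = {c for c in self.seen if c > self.highest - self.window}
        return payload


def demo():
    """Run one valid packet and four hostile ones through the filter."""
    f = IngressFilter(DEMO_KEY)
    good = make_packet(DEMO_KEY, 1, b"config-get")
    forged = bytearray(make_packet(DEMO_KEY, 2, b"config-get"))
    forged[-1] ^= 0x01                          # tamper one payload byte
    wrong_key = make_packet(b"\x00" * 32, 3, b"config-get")
    results = (
        f.accept(good),                         # accepted: b"config-get"
        f.accept(good),                         # replay of the same counter: dropped
        f.accept(bytes(forged)),                # tag no longer matches: dropped
        f.accept(wrong_key),                    # unknown key: dropped
        f.accept(b"SYN?"),                      # random probe, too short: dropped
    )
    return results, f.dropped


if __name__ == "__main__":
    print(demo())
```

The point of the example is the absence of any response path: every rejected packet simply increments a counter, which is what makes the endpoint look dark to an unauthenticated scanner while legitimate peers are unaffected.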
ANS Secure Frame Layer
ANS PacketLok works in concert with Aunigma’s ANS Secure Frame Layer (SFL) transport protocol. SFL’s dynamic encryption uses a symmetric block cipher with a one-time pad (OTP) to produce a distinct ciphertext for each packet. The symmetric block cipher uses matching cipher keys at each end of the communication session, and the OTP places a unique value within each packet for secure encryption of each packet payload. The OTP values are non-repeating and computationally unique.
Most importantly, keys are never exposed, internally or on the wire, making decryption extremely unlikely. Even if SFL data streams were captured, the OTF and OTP values, unlike those of common encryption techniques, are never repeated; so the more SFL data is captured, the further away key recovery becomes.
Operating from a lower level OSI model layer, SFL is purposely built not to rely on problematic legacy IP suite components. Therefore, by not depending on TCP, DNS, MAC addresses and digital certificates or credentials, SFL provides MITM, eavesdropping, and advanced snooping protection. When combined with a built-in Quality of Service (QoS) feature, these breakthrough SFL attributes provide unlimited flexibility and efficiencies for network connectivity.
ANS Security Zones
ANS Security Zones are (dynamically adaptive) polymorphic network segmentations which support current and future topology or Software Defined (SD) architectures. ANS Security Zones provide easily deployed and maintained polymorphic security segments that dynamically morph the zone’s shape and coverage as needed to meet any operational condition:
- Nano Segmentation – connecting two Nodes (devices) to establish direct private communications (e.g. NBI or SBI → 1-to-1).
- Micro Segmentation – to connect a number of Nodes for specific communication requirements (e.g. SDLAN or SDDC → 1-to-many).
- Macro Segmentation – establishes specific communications across a large number of domain or topology agnostic Nodes (e.g. IoT or SDWAN → many-to-many).
Depending on the scope and scale deployed, including public/private network and cloud topologies, any of the ANS Security Zones segments may be used in any combination to fit the desired requirements or operational need.
ANS Agents™ (ANS Controller™, ANS Server™, or ANS Client™) are used to establish the ANS Security Zone and utilize ANS Dynamic Adaptive Darknet to communicate across the administrative plane with secure, undetectable, unbreachable and sustainable capabilities.
ANS Dynamic Adaptive Darknet
ANS Dynamic Adaptive Darknet is zonal communications utilizing ANS PacketLok dynamic whitelisting techniques to resist nearly all common attack vectors, including DoS/DDoS and APDoS. ANS Dynamic Adaptive Darknet provides Confidentiality, Integrity and Availability (CIA) for control/administration layer information:
- Maintains session Confidentiality within the zonal communication thread
- Establishes a private point-to-point communication session that’s immune to alteration, injection or obfuscation for true information and operational Integrity
- Supports communications Availability with mitigation against flood or other disruptive attack methods
ANS FabriX Functional Offerings
The ANS FabriX technology suite provides innovative and future-proof solutions to meet everyday and potential future requirements across a broad range of functional capabilities. ANS FabriX current functional offerings include:
- ANS Authentication™ – Node to Node or machine to machine (M2M) lower layer communication process which provides positive identification of all endpoints within the ANS Security Zone.
- ANS SDN™ – VNF to secure SDDC, SDLAN, SDWAN and other SD (NFV) concepts or technologies.
- ANS Appliance™ – Device administration communication security
- ANS Tap™ – Secure communications bridging enabling deep packet inspection within ANS Security Zones.
- ANS Monitoring™ – Configurable secure ANS Agent™ nodal event detail for reduced false-positive SIEM or other event/alert reporting.
ANS Authentication is a secure command and control network layer (L2, L3 & L4 ‘administration plane’) which is deployed as ANS Security Zones using ANS PacketLok and ANS Secure Frame Layer OTF/OTP technologies to mitigate Insider and Outsider Threats and their subsequent risks. It is a highly advanced, ultra-secure Controller Plane/Administration Layer communication solution. ANS Authentication may be delivered in any combination of the following solution offerings:
- ANS Bump-in-the-Wire (BitW)™ – ANS Server or ANS Client is used to protect those nodes whose operating systems are closed or simply do not have the processing capacity to run the ANS Agent.
- ANS Bent-Pipe (Bpipe)™ – ANS Server and ANS Client are used in the cloud when direct application is not practical or where external communication may need to be directed prior to entering an internal communication structure.
ANS FabriX supports a number of Use Case driven solution offerings to protect the Confidentiality, Integrity and Availability of control/administration layer communications. These offerings include the following and are not limited to current topologies or infrastructures:
- ANS SDN – Secures the SDN (NFV) Controller Plane against loss/interruption of connectivity or administrative takeover. Designed to operate at Telco Class speeds with extremely low processing overhead.
- ANS Appliance – Secures the local/remote administration data communications layers within or for Appliances or other devices.
- ANS Monitoring – Securely captures ANS Dynamic Adaptive Darknet and ANS Security Zone nodal communication Syslog event detail for statistical analysis, event identification, and alert notification. The level of detail is configurable and supports Syslog client (local logs) and server modes (SNMP v3).