January 3, 2024
June 25, 2024

Network Cloaking is NOT just a marketing term for a Firewall (For Network Engineering Geeks)

I was talking to a savvy cybersecurity professional about BlastWave the other day, and he asked me a question that has triggered me since I joined the company. As I explained what we do, he asked, “Network Cloaking is just a marketing term for firewall functionality, right?”

<Deep Breath>

</Deep Breath>

As I (calmly) began my response, it occurred to me that I had fallen victim to one of the classic blunders. The most famous of which is, “Don’t get involved in a land war in Asia,” but only slightly less well known is this: “When a clever term for marketing something becomes hot, everyone co-opts it.”

What is Network Cloaking (BlastWave Version)?

At the foundational level, Network Cloaking starts with a firewall's capability to block access to protocols and ports. However, the central tenet of Network Cloaking is more like the policy you would see on a VPN box: only a single port is open (for remote access requests). All other ports are not just blocked; traffic to them is silently dropped on the floor as if the host did not exist. "Silently" matters here. A firewall that rejects a probe still answers it, with a TCP RST or an ICMP unreachable, and that answer tells a port scanner that something is listening at the address. A cloaked port returns nothing, so the scanner cannot distinguish the protected host from an unused address. That is where the name comes from. Like a black cloak hides whatever you have on underneath, a network cloak prevents an attacker from seeing what is on your network. A better analogy for what BlastWave does is an invisibility cloak that can only be seen from one very specific vantage point (in BlastWave's case, with a valid PKI authentication request). An attacker who does not know you are there cannot attack you, or even formulate a plan to, because there is no visible target.

Beyond Firewall Capabilities

But as Ron Popeil would say, “But Wait, There’s More!”

Also, like a firewall, Network Cloaking can hide private IP addresses behind a single public IP address and perform Private-to-Public Network Address Translation. However, in the OT market, Network Cloaking acts like a Virtual Air Gap or Data Diode, preventing internal devices from talking to the internet directly. (You can allow it, but it is not desirable; and because this is an enforced policy rather than a physical one-way link, it can be relaxed in a way a hardware diode cannot.) Unlike most firewalls, however, you can use that NAT functionality to further protect a system from other internal systems by performing Private-to-Private NAT, forcing even internal traffic to pass through the BlastWave Gateway to reach the protected system. (We can make this happen even if you are connected to the same Layer 2 network and switch, but I won't give away ALL of our secrets here!) This provides another cloaking layer by hiding the protected system's real private address from internal systems. It makes lateral movement much harder: traffic has to traverse the BlastWave gateway, and an attacker who cannot do so is left with physical access as the only route to the device.
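To make the two mechanisms concrete, here is an added illustration on a plain Linux gateway using nftables. It is not BlastShield's code or configuration, and the interface names, addresses and port numbers (eth0/eth1, 10.0.0.200, 10.9.0.5, 10.0.0.17, UDP 4443, Modbus/TCP 502) are made up for the example. It shows the default-drop policy with a single open port from the earlier paragraph, with the noisier reject alternative left in as a comment, and the Private-to-Private NAT from this one: the plant LAN only ever sees a cloak address that the gateway owns, and the protected device's real address is reachable only through the gateway's forward chain. How BlastWave achieves this on a shared Layer 2 segment is not shown; the example relies on the protected device sitting on its own segment behind the gateway.

```nft
#!/usr/sbin/nft -f
# Added illustration (not BlastShield's configuration) of two ideas from the text
# on an ordinary Linux gateway:
#   1. default DROP, never REJECT, so unauthorised probes get no answer at all
#   2. private-to-private NAT so internal hosts reach the protected device only
#      through the gateway and never learn its real address
# Interface names, addresses and ports below are made up for the example.
# Note: "flush ruleset" replaces every existing nftables rule on the host.

flush ruleset

define OUT_IF      = eth0          # plant LAN / everything not protected
define OT_IF       = eth1          # segment holding the protected device
define ACCESS_PORT = 4443          # the single remote-access port (hypothetical)
define CLOAK_ADDR  = 10.0.0.200    # address the gateway owns on the LAN side
define PLC_REAL    = 10.9.0.5      # real address of the protected device
define ADMIN_HOST  = 10.0.0.17     # the one internal host allowed through

table inet cloak {
    chain input {
        type filter hook input priority filter; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # The only port that answers. Everything else falls through to the
        # chain policy and is dropped silently: no RST, no ICMP unreachable,
        # not even an echo reply, so a scanner reports "filtered", not "closed".
        iif $OUT_IF udp dport $ACCESS_PORT accept

        # The weak alternative, deliberately NOT used. A reject confirms that a
        # host is present and which ports merely lack a service:
        # tcp dport 1-65535 reject with tcp reset
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Internal traffic reaches the device only after the DNAT below has
        # rewritten the cloak address, and only from the admin host, and only
        # for the one protocol it needs (Modbus/TCP here).
        iif $OUT_IF oif $OT_IF ip saddr $ADMIN_HOST ip daddr $PLC_REAL tcp dport 502 accept

        # Nothing initiated by the protected device toward the outside is
        # allowed: the "virtual air gap" behaviour described in the text.
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # Private-to-private NAT: the LAN only ever sees $CLOAK_ADDR.
        iif $OUT_IF ip daddr $CLOAK_ADDR dnat ip to $PLC_REAL
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Source NAT so the device's replies come back through the gateway
        # instead of revealing a route around it.
        oif $OT_IF ip daddr $PLC_REAL masquerade
    }
}
```

For the DNAT to work, the gateway has to own the cloak address on its LAN interface (for example `ip addr add 10.0.0.200/24 dev eth0`) and have IP forwarding enabled. A quick check from an unauthorised LAN host is `nmap -sS -Pn` against the gateway: with this ruleset every TCP port comes back as filtered, whereas with the commented reject line in place instead, ports would be reported as closed, which is enough to confirm a live host.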

Summarizing the Powers of Network Cloaking

How would I summarize the powers of Network Cloaking? 

In a fun way, I’ll use Loki’s powers from Norse mythology. Network Cloaking is initially like an astral projection of your network that hides whatever is behind it. You can attack it all you want; it won’t do any damage, and you can’t determine Loki's vulnerabilities. It also performs a limited version of teleportation by “moving” IP addresses around to protect systems with enhanced NAT capabilities. You could argue that Layer 2 lateral movement protection is a shape-shifting or molecular rearrangement version used to disguise yourself from someone standing next to you.

“But Loki is a villain!” you might say - but not if you saw Loki Season 2. I won’t spoil it, but the best defenders think like attackers and win wars, not just a single battle.

Learn More About Network Cloaking

Interested in learning more about Network Cloaking? Get a demo of BlastWave here.
