Solution Components
To implement and manage a secure overlay network in your enterprise, get familiar with the following basic components of the Tempered Networks™ solution.
- Underlay network
-
This is your existing network. HIPservices (HIPswitches, HIPrelays, and HIPclients) connect to the underlay and are centrally managed through an orchestration engine. They use standard services and interfaces for communication and obtain a underlay IP address using Dynamic Host Configuration Protocol (DHCP).
The Tempered Networks solution is comprised of these HIPservices, along with the orchestration engine, called the Conductor. HIPservices communicate with the Conductor using DNS or IP addresses. Administrators interact with HIPservices through a web-based user interface (UI) to implement a private overlay network managed by the Conductor.
- Overlay network
-
The Tempered Networks solution implements VPLS (virtual private overlay services) using the Host Identity Protocol (HIP). HIP provides an identity-based key exchange that is more efficient than the Internet Security Association and Key Management Protocol (ISAKMP) and provides additional benefits.
The secured communications channels (encrypted HIP tunnels) allow trusted devices to communicate securely with each other across the overlay network. They are controlled by HIPservices deployed throughout the underlay and administered by the Conductor.
- Conductor
-
The Conductor is the solution’s orchestration engine. The Conductor creates overlay networks between HIPswitches, HIPrelays, and HIPclients and manages their components including devices, trust policies, diagnostics, statistics, and user accounts. The Conductor implements an IF-MAP service to deliver real-time security coordination metadata to the HIPservices.
The Conductor also securely delivers real-time configuration and policy information to HIPservices. The default communication port used for the Conductor to HIPservices communication is TCP 8096 over TLS and SSL. See Confirm your Underlay Settings for more information on communication ports.
For an optimal experience, run the Conductor on the latest versions of Firefox, Chrome, and IE. The earliest supported versions are Firefox 19, Chrome 25, and IE 11. Versions earlier than these will have mixed performance and usability.Note: For security purposes, the Conductor times out after 30 minutes of inactivity. - HIPservices
-
HIPservices are hardware and software applications configured to manage network traffic directed to your protected devices. HIPservices can be either physically connected to protected devices, or connect to protected devices across a network. HIPservices cache their current policies and configuration to persistent storage, and if the Conductor becomes unavailable, HIPservices continue to operate using their cached policies and configuration.
Each HIPservice has a unique public/private 2048-bit RSA key pair and a Tempered Networks signed certificate that establishes a chain of trust to a Tempered Networks Certificate Authority (CA). The Conductor also has a unique Tempered Networks certificate. The Conductor and HIPservices use these certificates to authenticate to each other and establish secure communications. The Conductor and HIPservices can be provisioned with customer-signed certificates to be used in place of Tempered Networks signed certificates. When HIPservices with a customer-signed certificate are factory reset, it will begin using its Tempered Networks signed certificate.