If you are ultra paranoid, what could be better than hiding your network traffic in such a way that no one could possibly intercept it? This is what Unisys is offering with its new Stealth appliance, which could make man-in-the-middle attacks and keylogger exploits obsolete, or at least more difficult to mount.
Stealth has been around since 2005, when it was developed exclusively for the Defense Department, which remains one of its largest customers. Several years ago Unisys took it to commercial enterprises and has paid for various independent tests to try to compromise the system, all of which have failed.
This is because Stealth uses four layers of security: each packet is encrypted with AES-256, then split into three separate pieces and dispersed across the network, destined for a particular group of users who have to be running its protocols.
To deploy Stealth, you create virtual "communities of interest" that tie two or more PCs together in such a way that they can only communicate with each other. No one else can join in, and no one else can intercept the traffic.
Different PC endpoints can be associated with multiple communities, so your CEO, for example, can talk to both your finance group and your marketing group, but the members of each group can't see each other's network traffic or server shares, or even ping each other. All of this works on top of whatever directory services you are running, including Active Directory, LDAP or RADIUS.
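The community-of-interest rule described above can be modeled as a membership check, which also lets you audit who can actually reach whom before rollout. This is an added example, not Unisys code: the endpoint and community names are constructed, and it models only the policy, not how Stealth enforces it on the wire.

```python
# Constructed sample data: endpoint -> communities of interest it belongs to.
# All names are hypothetical; a real deployment would derive them from
# directory groups (Active Directory, LDAP or RADIUS).
MEMBERSHIP = {
    "ceo-pc":     {"finance", "marketing"},
    "fin-pc-1":   {"finance"},
    "fin-pc-2":   {"finance"},
    "mkt-pc-1":   {"marketing"},
    "xp-app-srv": {"legacy-xp"},
    "xp-user-pc": {"legacy-xp", "marketing"},
    "guest-pc":   set(),  # no Stealth driver, so no community at all
}

def shared_communities(a, b, membership=MEMBERSHIP):
    """Communities that both endpoints belong to."""
    return membership.get(a, set()) & membership.get(b, set())

def can_communicate(a, b, membership=MEMBERSHIP):
    """Two endpoints can talk only if they share at least one community."""
    return a != b and bool(shared_communities(a, b, membership))

def visible_peers(endpoint, membership=MEMBERSHIP):
    """Every other endpoint this one can reach."""
    return sorted(p for p in membership if can_communicate(endpoint, p, membership))

def multi_community_endpoints(membership=MEMBERSHIP):
    """Endpoints in more than one community; each one links otherwise separate groups."""
    return sorted(e for e, c in membership.items() if len(c) > 1)

def isolation_violations(group_a, group_b, membership=MEMBERSHIP):
    """Pairs (member of group_a, member of group_b) that can still reach
    each other, for example through a third community they both joined."""
    in_a = [e for e, c in membership.items() if group_a in c]
    in_b = [e for e, c in membership.items() if group_b in c]
    return sorted((a, b) for a in in_a for b in in_b
                  if can_communicate(a, b, membership))

if __name__ == "__main__":
    for ep in sorted(MEMBERSHIP):
        print(f"{ep:11} can reach {visible_peers(ep)}")
    print("multi-community:", multi_community_endpoints())
    print("finance <-> legacy-xp paths:", isolation_violations("finance", "legacy-xp"))
```

In this sample the finance-only and marketing-only PCs cannot reach each other, but the audit shows that `ceo-pc` and `xp-user-pc` can talk through their shared marketing membership even though finance and legacy-xp have no members in common.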
Stealth uses a special packet driver that sits on top of Layer 2 and is available for a wide collection of both 32- and 64-bit Windows and Linux desktops and servers. Stealth's traffic is still routed by ordinary switches, firewalls and routers without any additional configuration. But the traffic is now hidden from prying eyes, even over the public Internet.
Think of this solution as an overlay to your existing network, essentially hiding your secrets in plain sight.
The XP angle
For those of you concerned about the security of aging Windows XP-only applications, you can hide them with Stealth and only allow access to people who also have the Stealth drivers on their desktops. Everyone else will be locked out, including hackers trying to run XP exploits.
It is an intriguing idea. Unisys markets the product with the tag line, "you can't hack what you can't see," and we have to agree with them. We ran Wireshark's packet analyzer to try to track down the hidden traffic, but were unsuccessful. We did record both source and destination IP addresses on the analyzer, but no other payloads, protocol details or traffic could be decoded. We knew our machines were talking to each other, but not much else about what ports or protocols or applications they were using. It was actually a bit eerie to see the packet traces with so little information.