Hardware-Based Authentication: Critical Imperative for Network Infrastructure
SD-WAN at Scale

By Stephan Tiriac – Senior Software Engineer

13 November 2018

Securing a company’s networking infrastructure is critical, given the ever-increasing threats to data and resources and the explosion of network edge devices driven by Internet of Things (IoT). Cyber-attacks range from stealing an organization’s intellectual property, to creating and distributing viruses, using web-based attacks, malware, denial of service attacks, malicious code, and even stolen devices. 

Statistics abound with data and predictions for the cost of protecting assets, detecting vulnerabilities, and recovering from security incidents. For example, a 2016 study by Cybersecurity Ventures predicts that global annual cybercrime costs (including damage and destruction of data, lost productivity, disruption to business, forensic investigation, restoration, and so on) will grow from $3 trillion in 2015 to $6 trillion annually by 2021.

Industry experts believe that the Internet of Things (IoT) will account for more than 25 billion devices generating 600 Zettabytes of data per year. This breaks down to 18.9 Petabytes of data per second. Less than 20 percent of this data would be considered “secure”. Of the 18.9 PB of data generated every second, 15.7 PB would be considered exploitable.


The cloud adds complexity to any enterprise security strategy. Virtual machines, containers, microservices and data routinely move from on-premises to off-premises clouds with an assumed fidelity of security from IT administrators.

In addition to the explosion of IoT data, organizations of all sizes face what may seem like an unmanageable number of network  devices open to new attack surfaces for hackers, using ever more sophisticated tools. These factors have led experts to predict that hacking will cost the global economy $8 trillion in 2022, increasing fourfold from a forecasted $2 trillion in 2019.

Key Network Infrastructure Vulnerability: Firmware-based Attacks 

Even though there is strong financial incentive to prevent attacks, securing network infrastructure is no easy task. Attack surfaces include the network perimeter, server applications and operating systems, data at rest and in transit, the platform hardware, and even the firmware in the server. Thus, protecting networks only at the perimeter firewall level or servers at the software and OS level is no longer sufficient to provide adequate protection against security threats. 

As the number of attacks and cost of threats rise, more and more attack surfaces are being “hardened” to defend against cyber-attacks. For example, manufacturers of software applications, hypervisors, and operating systems are each improving their systems to prevent cyber-attacks. In response, attackers are increasingly focusing on lower-level attacks, including attacks on the firmware. 

What is overlooked is that network infrastructure is critical to data center security, since cyber-attacks targeting firmware can be persistent, stealthy and very damaging. Firmware is becoming a more frequent target for denial of service (DOS) attacks since the firmware code operates in a privileged position and if compromised, can go for months without being detected. 

Thus, IT and IoT security strategies should consider critical areas of network infrastructure hardware design, on the one hand, and firmware, on the other. In this context, firmware includes several components, including BIOS, the baseboard management controller, hard drives and networking adapters as examples

Firmware Protection Based on Silicon Root of Trust

Roots of trust, as defined by the National Institute of Standards and Technology (NIST), are “highly reliable hardware, firmware, and software components that perform specific, critical security functions.” A root of trust is a component that measures or verifies certain security-related functions, and because it can be trusted, it provides the ability to test and verify other security-related functions that depend on it.

What is the value of a hardware (silicon)-based root of trust for network device authentication versus software-based approaches which may be quite secure? Quite simply, because as cyber security threats continue to evolve, hardening network infrastructure to stay ahead of those threats is critical. As operating systems, applications, and hypervisors become more secure by reducing the attack surface, the firmware becomes an increasingly attractive target. Because the firmware always loads over a million lines of code before the OS even boots, the firmware and BIOS must be protected. Only a few lines of corrupt code hidden among those millions of code lines could permanently brick a network device. An unauthorized driver or malware with kernel privileges could create a permanent denial of service (PDOS) attack by corrupting the data or devices required for proper booting and operation of the device. 


To protect against this, network infrastructure required a silicon root of trust for hardware authentication. The silicon root of trust provides an inextricably tied link between the silicon and firmware—making it impossible to insert any malware, virus, or compromised code that would corrupt the boot process. Now, rather than firmware checking the integrity of the firmware every time it boots, the device hardware determines whether to execute the firmware. And, because the silicon root of trust is embedded in the hardware itself, it is able to detect any compromised firmware—as far back as the supply chain process.

Trusted Platform Modules are computer chips that securely store passwords, certificates, or encryption keys, which are used to authenticate the platforms, such as network devices and server systems,  and validate software. TPM modules are also used with a measured boot process for the OS, which monitors the OS initialization process to see if the OS startup has been compromised. 

The latest TPM version, TPM 2.0, has several advantages over the earlier TPM 1.2, including a flexible algorithm, enhanced authorization, simplified provisioning, and internally protected assets using symmetric algorithms.

Interface Masters Technologies: Embedded Appliances with Hardware Authentication

Interface Masters Technologies is an innovator with an extensive portfolio of embedded appliances supporting the hardware root of trust-based Trusted Platform Module (TPM) deployments.  With TPM-enablement, Interface Masters’ embedded networking appliances include a silicon root of trust built into the hardware. This silicon root of trust allows firmware to be scanned and monitored through a series of integrity checks that initiate from an immutable link embedded in silicon. Because the chain of trust is established from the unalterable silicon hardware itself, customers can be confident that it is secure. These solutions enable secure enterprise and cloud datacenters to be architected with simple, low-cost, low-power configurations that provide computing building blocks with support of a full range of networking features.  Interface Masters’ embedded appliances provide the flexibility, power, efficiency, and cost savings that are essential for success in today’s challenging networking market, making them ideal for a range of applications requiring hardware-based security.

Interface Masters Technologies has for over 20 years been providing off-the-shelf innovative networking solutions with customization services to OEMs, Fortune 100 and startup companies. We are headquartered in San Jose, California in the heart of Silicon Valley where we proudly design and manufacture all of our products.  Based on MIPS, ARM, PowerPC and x86 processors, Interface Masters appliance models enable OEMs to significantly reduce time-to-market with reliable, pre-tested and pre-integrated appliance solutions that can meet the most challenging networking requirements.

Copyright © | Interface Masters Technologies