NVIS Tech Overview
Last updated
NVIS AI is a Zero Trust Software Defined Perimeter (SDP) that makes networks invisible to external cyberattacks. Its founding principle is that "hackers can't hack what they can't see", so NVIS takes an off-the-grid approach: it can cloak any network, regardless of size and complexity, in minutes, which makes deploying a Zero Trust architecture simple and fast while eliminating the entire public attack surface. This is accomplished through three innovative features: the NVIS Overlay and AI Provisioning.
NVIS uses its own proprietary global address space. Its addresses look like local (private) IP addresses but behave like public IP addresses, so no gateways or routing are required. The NVIS IP addresses mirror the topology of the defined network. Public IP addresses are therefore never exposed and so cannot be sniffed, traced, or blocked. This also provides a performance boost from lower propagation delay and TCP/IP overhead.
The NVIS IP range is 10.0.x.x, which gives 16 bits of address space, or 65,536 possible addresses. The difference from ordinary private addressing is that every NVIS address also carries a Security Context, consisting of a Group Name and a Pre-Shared Key (PSK). This adds another dimension, making the number of possible addresses near infinite.
Internally, the IPv4 addresses are converted to IPv6 addresses, which are in turn converted to the 64-bit Media Access Control (MAC) address assigned to each device (node).
Although this 64-bit MAC address could have been structured to serve as the Globally Unique Identifier, to keep the address in the ledger it is paired with an address created on the Ethereum blockchain for node identity. This way, a physical node can have multiple identities.
Routing Tables
On each host computer, routing tables map IP addresses to the gateway and the interface that services them, such as a Network Interface Card (NIC).
The notation is different on Windows, but on Linux, an example would be:
Note that the default gateway sends Internet traffic out of the physical interface enp1s0. NVIS IP traffic goes to the encrypted virtual interface tun0, which is in fact a TAP device attached to the physical network adapter; an edge service runs continually to encrypt outbound packets and decrypt inbound packets. This allows ordinary IP and NVIS IP to operate concurrently.
The data connection between endpoints is direct peer-to-peer and encrypted at Layer 2, hiding the source, destination, and traffic (payload) between endpoints. This protects the full stack from external network attacks, which occur at Layers 3 through 7.
All the complex network configuration needed to connect any network asset is accomplished in seconds, without the manual configuration that is prone to misconfiguration. This enables quick, secure federated networks: a mesh of direct connections between any device, on-prem network, cloud, multi-cloud, IoT, OT, and even legacy OT.
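To make the routing-table split concrete, here is an added example (not code from NVIS or the original page) that parses a constructed `ip route show` listing and performs the kernel's longest-prefix lookup, showing that 10.0.x.x destinations leave through tun0 while everything else follows the default route through the physical NIC. The interface name enp1s0, the gateway 192.168.1.1, the metrics and the source addresses are all assumed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `ip route show` output on a host running both a regular
# LAN uplink and the NVIS virtual interface; not captured from a real NVIS host.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev enp1s0 proto dhcp metric 100
10.0.0.0/16 dev tun0 proto kernel scope link src 10.0.3.9
192.168.1.0/24 dev enp1s0 proto kernel scope link src 192.168.1.50 metric 100
"""


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[ipaddress.IPv4Address]   # None for directly connected routes
    metric: int


def parse_routes(text: str) -> list:
    """Parse the `ip route` line format: <dst> [via <gw>] dev <ifname> ... [metric <n>]."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dst = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        prefix = ipaddress.ip_network(dst, strict=False)
        via = dev = None
        metric = 0
        # Walk the remaining tokens as (keyword, value) pairs.
        for key, val in zip(tokens[1:], tokens[2:]):
            if key == "via":
                via = ipaddress.ip_address(val)
            elif key == "dev":
                dev = val
            elif key == "metric":
                metric = int(val)
        if dev is None:
            raise ValueError(f"route without dev: {line!r}")
        routes.append(Route(prefix, dev, via, metric))
    return routes


def select_route(routes: list, destination: str) -> Route:
    """Longest-prefix match, ties broken by the lowest metric, as the kernel does."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {destination}")
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def egress_interface(routes: list, destination: str) -> str:
    """Name of the interface a packet to `destination` would leave through."""
    return select_route(routes, destination).dev


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    # 203.0.113.5 is a TEST-NET documentation address standing in for a public host.
    for dst in ("10.0.4.2", "192.168.1.77", "203.0.113.5"):
        r = select_route(table, dst)
        print(f"{dst:>15} -> {r.dev}" + (f" via {r.via}" if r.via else ""))
```

Run as-is it prints the egress interface for an NVIS peer, a LAN neighbour and a public host; swap `SAMPLE_ROUTES` for the output of `ip route show` on a real host to check which interface a given destination actually takes.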
The features of NVIS not only eliminate the public attack surface but also help illustrate the NVIS SDP architecture.
The SDP Controller comprises the Admin UI, the AI Provisioning Agent, and the Policy Manager, which together administer the network segments, NVIS addresses, and security contexts.
The SDP Hosts are on the edge, and any one of the hosts can initiate or accept. The data channel is also direct peer-to-peer and encrypted at Layer 2.
Using the NVIS Admin Web User Interface (UI) or the Command Line Interface (CLI), the admin can segment networks and assign Zero Trust role-based access to enforce Least-Privilege Access. With the CLI, the admin can even deploy and remotely install NVIS in bulk to all end-user devices without requiring any end-user interaction.
As for Adaptive Authentication, NVIS establishes the secure connection without further complicating the login and authentication process.
The NVIS app agent on a node (endpoint) issues a "who am I" query to identify its network and the groups available to it. AI Provisioning configures the node and assigns it a unique address. Web Host Manager Complete Solution (WHMCS) then verifies this address. The Supernode then registers the node and updates the global peer MAC addresses, ages out inactive nodes, and the edge nodes interact independently thereafter. As long as NVIS is "on" in the end-user device, that node has access to its assigned network without requiring additional authentication; the only authentication that remains is whatever existed before NVIS was installed.
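The following added example (not NVIS code, and not from the original page) ties together the addressing section above and the provisioning flow just described: it derives a 64-bit, EUI-64-style node MAC from an NVIS 10.0.x.x address plus its Security Context, and simulates a Supernode that provisions addresses, keeps the peer MAC table, and ages out nodes that stop checking in. Everything beyond the page's own terms is an assumption: the page does not state how IPv4 is mapped to IPv6 or how the 64-bit MAC is formed, so the IPv4-mapped form `::ffff:a.b.c.d` and the HMAC-based derivation below are illustrative choices, as are the group names, the PSK, the time values and the `Supernode` class itself.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field

# Assumed for illustration: the 10.0.0.0/16 range is the NVIS address space.
NVIS_RANGE = ipaddress.ip_network("10.0.0.0/16")


def to_ipv6(nvis_ip: str) -> ipaddress.IPv6Address:
    """The page says NVIS IPv4 addresses are converted to IPv6 internally but
    does not give the mapping; the IPv4-mapped form ::ffff:a.b.c.d is assumed."""
    ip4 = ipaddress.ip_address(nvis_ip)
    if ip4 not in NVIS_RANGE:
        raise ValueError(f"{nvis_ip} is outside {NVIS_RANGE}")
    return ipaddress.IPv6Address(f"::ffff:{ip4}")


def node_mac64(nvis_ip: str, group: str, psk: bytes) -> str:
    """Hypothetical derivation of the 64-bit node MAC from the address and its
    security context: HMAC-SHA256 keyed by the PSK over group || IPv6 address,
    truncated to 8 bytes, with the locally-administered bit set and the
    multicast bit cleared in the first octet. The same 10.0.x.x address in a
    different group, or under a different PSK, yields a different identity."""
    ip6 = to_ipv6(nvis_ip)
    raw = hmac.new(psk, group.encode() + ip6.packed, hashlib.sha256).digest()[:8]
    first = (raw[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in bytes([first]) + raw[1:])


@dataclass
class Node:
    nvis_ip: str
    group: str
    mac64: str
    last_seen: float


@dataclass
class Supernode:
    """Toy registry standing in for the Supernode: registers provisioned nodes,
    keeps the global peer MAC table, and ages out nodes that stop checking in."""
    ttl: float                                      # seconds of silence before age-out
    nodes: dict = field(default_factory=dict)       # (group, nvis_ip) -> Node
    allocated: dict = field(default_factory=dict)   # group -> set of used host numbers

    def provision(self, group: str, psk: bytes, now: float) -> Node:
        """AI-provisioning stand-in: hand out the lowest free 10.0.x.x address in
        the group, derive the node's 64-bit MAC, and register it."""
        used = self.allocated.setdefault(group, set())
        host = 1
        while host in used:
            host += 1
        if host >= NVIS_RANGE.num_addresses - 1:
            raise RuntimeError(f"NVIS range exhausted for group {group}")
        used.add(host)
        nvis_ip = str(NVIS_RANGE.network_address + host)
        node = Node(nvis_ip, group, node_mac64(nvis_ip, group, psk), now)
        self.nodes[(group, nvis_ip)] = node
        return node

    def heartbeat(self, group: str, nvis_ip: str, now: float) -> None:
        """An active edge node checking in; refreshes its last-seen time."""
        self.nodes[(group, nvis_ip)].last_seen = now

    def age_out(self, now: float) -> list:
        """Drop nodes not seen within ttl and free their addresses for reuse;
        returns the NVIS IPs that were removed."""
        stale = [k for k, n in self.nodes.items() if now - n.last_seen > self.ttl]
        for group, nvis_ip in stale:
            del self.nodes[(group, nvis_ip)]
            host = int(ipaddress.ip_address(nvis_ip)) - int(NVIS_RANGE.network_address)
            self.allocated[group].discard(host)
        return [ip for _, ip in stale]

    def peer_table(self, group: str) -> dict:
        """What an edge node in `group` receives: NVIS IP -> peer MAC for its group only."""
        return {n.nvis_ip: n.mac64 for (g, _), n in self.nodes.items() if g == group}


if __name__ == "__main__":
    sn = Supernode(ttl=120)
    psk = b"constructed-demo-psk"          # sample value, not a real key
    a = sn.provision("finance", psk, now=0)
    b = sn.provision("finance", psk, now=0)
    sn.heartbeat("finance", a.nvis_ip, now=100)
    print("aged out:", sn.age_out(now=200))   # b never checked in
    print(sn.peer_table("finance"))
```

The point to take from the simulation is the one the text makes in prose: a node's identity is the address together with its Security Context, so a peer table is scoped to a group, and an inactive node is dropped from that table and its address returned to the pool rather than lingering as a reachable peer.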