# Secure end node

> Mediated Wiki article. Canonical URL: https://mediated.wiki/source/Secure_end_node
> Markdown URL: https://mediated.wiki/source/Secure_end_node.md
> Source: https://en.wikipedia.org/wiki/Secure_end_node
> Source revision: 1282473737
> License: Creative Commons Attribution-ShareAlike 4.0 International (https://creativecommons.org/licenses/by-sa/4.0/)


A **Secure End Node** (SEN) is a [trusted](/source/Trusted_computing), individual computer that temporarily becomes part of a trusted, sensitive, well-managed network and later connects to many other trusted or untrusted networks or clouds. SENs cannot carry data, whether benign or malicious, between the various networks (e.g. exfiltrate sensitive information, ingest malware, etc.). SENs often connect through an untrusted medium (e.g. the Internet) and thus require a secure connection and strong authentication (of the device, software, user, environment, etc.). The amount of trust required (and thus the operational, physical, personnel, network, and system security applied) is commensurate with the risk of piracy, tampering, and reverse engineering (within a given threat environment). An essential characteristic of SENs is that they cannot persist information as they change between networks (or domains).

The remote, private, and secure network might be an organization's in-house network or a [cloud](/source/Cloud_computing) service. A Secure End Node typically involves authentication of (i.e. establishing trust in) the remote computer's hardware, firmware, software, and/or user. In the future, the device-user's environment (location, activity, other people, etc.), as communicated by means of its (or the network's) trusted sensors (camera, microphone, GPS, radio, etc.), could provide another factor of authentication.

A Secure End Node solves or mitigates the [end node problem](/source/end_node_problem).

The common, but expensive, technique for deploying SENs is for the network owner to issue known, trusted, unchangeable hardware to users. For example, and assuming a priori access, a laptop's TPM chip can authenticate the hardware (likewise a user's smartcard authenticates the user). A different example is the [DoD](/source/United_States_Department_of_Defense) [https://web.archive.org/web/20100513172649/http://spi.dod.mil/ Software Protection Initiative]'s [https://web.archive.org/web/20110827182357/http://spi.dod.mil/docs/CFIBS_DS_20100422.pdf Cross Fabric Internet Browsing System], which provides browser-only, immutable, anti-tamper thin clients to users for Internet browsing. Another example is a non-persistent, remote client that boots over the network.<ref>SEN/SKG, {{cite web |url=http://www.spi.dod.mil/docs/SEN_SKG_DS_20081024.pdf |title=Archived copy |accessdate=2011-09-26 |url-status=dead |archiveurl=https://web.archive.org/web/20111018201408/http://www.spi.dod.mil/docs/SEN_SKG_DS_20081024.pdf |archivedate=2011-10-18 }}</ref>

A less secure but very low cost approach is to trust any hardware (corporate, government, personal, or public) but restrict user and network access to a known [kernel (computing)](/source/kernel_(operating_system)) and higher-level software. One implementation of this is a [Linux](/source/Linux) [Live CD](/source/Live_CD) that creates a [stateless](/source/State_(computer_science)), non-persistent [client](/source/Client_computer), for example [Lightweight Portable Security](/source/Lightweight_Portable_Security).<ref>LPS main page, {{cite web |url=http://www.spi.dod.mil/lipose.htm |title=Software Protection Initiative - Lightweight Portable Security |accessdate=2012-07-31 |url-status=dead |archiveurl=https://web.archive.org/web/20120902023526/http://www.spi.dod.mil/lipose.htm |archivedate=2012-09-02 }}</ref><ref>Lifehacker, http://lifehacker.com/5824183/lightweight-portable-security-is-a-portable-linux-distro-from-the-department-of-defense</ref><ref>Linux Journal, http://www.linuxjournal.com/content/linux-distribution-lightweight-portable-security</ref><ref>InformationWeek, http://www.informationweek.com/news/government/security/231002431</ref> A similar system could boot a computer from a flash drive<ref>Secure Pocket Drive, {{cite web |url=http://www.spyrus.com/products/secure_pocket_drive.asp |title=SPYRUS Home |accessdate=2011-09-26 |url-status=dead |archiveurl=https://web.archive.org/web/20110903152235/http://www.spyrus.com/products/secure_pocket_drive.asp |archivedate=2011-09-03 }}</ref><ref>Trusted Client, {{cite web |url=http://www.becrypt.com/americas/products/trusted-client/product |title=Becrypt &#124; Americas TC - Product |accessdate=2011-09-26 |url-status=dead |archiveurl=https://web.archive.org/web/20101206140007/http://www.becrypt.com/americas/products/trusted-client/product |archivedate=2010-12-06 }}</ref> or be an immutable operating system within a smartphone or tablet.
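Both deployment styles above (issued hardware authenticated through its TPM, and untrusted hardware restricted to a known kernel and software stack) come down to the same verifier-side question: did this node boot exactly the approved image, and is the claim coming from the genuine device? The following is an added example, not code from the Wikipedia article or from any of the products it names. It models a measured boot: each boot stage is "extended" into a PCR-style register (new = SHA-256(old || SHA-256(event))), the node sends its event log plus a quote over the resulting register value, and the network owner replays the log and compares it against an allow list of approved images. The event strings, the device key and the HMAC standing in for a TPM's signed quote are all constructed assumptions; a real deployment would use the TPM's attestation key and the log produced by firmware and bootloader.

```python
"""Verifier-side check of a measured boot for a candidate Secure End Node.

Added example; assumptions (all constructed): PCR-style extend semantics
with a 32-byte zero initial value, and HMAC-SHA256 with a per-device key
standing in for the TPM's signed quote.
"""
import hashlib
import hmac
import os

PCR_INITIAL = bytes(32)  # a fresh SHA-256 PCR bank starts as 32 zero bytes


def extend(pcr: bytes, event: bytes) -> bytes:
    """TPM-style extend: PCR_new = SHA-256(PCR_old || SHA-256(event)).
    Order matters and nothing can roll the value back, so the replayed
    chain identifies exactly what was booted, in what order."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def replay_log(events) -> bytes:
    """Replay a measurement log to the PCR value it must produce."""
    pcr = PCR_INITIAL
    for event in events:
        pcr = extend(pcr, event)
    return pcr


def quote(attest_key: bytes, nonce: bytes, pcr: bytes) -> bytes:
    """Stand-in for the TPM quote: HMAC over (nonce || PCR) with a key only
    the genuine device holds. The verifier picks the nonce, so a quote
    recorded earlier cannot be replayed for a later session."""
    return hmac.new(attest_key, nonce + pcr, hashlib.sha256).digest()


# --- constructed sample data (not from any real image) ---------------------
REFERENCE_BOOT = [
    b"bootloader:grub-2.06",
    b"kernel:vmlinuz-6.1-sen",
    b"initrd:initrd-sen.img",
    b"cmdline:root=/dev/ram0 overlay=tmpfs",
]
ALLOWED_PCRS = {replay_log(REFERENCE_BOOT)}   # one entry per approved image
DEVICE_KEY = b"constructed-device-attestation-key"  # per-device secret


def node_attest(events, nonce: bytes, attest_key: bytes = DEVICE_KEY):
    """What the end node sends: its event log plus a quote on the final PCR."""
    return events, quote(attest_key, nonce, replay_log(events))


def verify_end_node(events, presented_quote: bytes, nonce: bytes,
                    attest_key: bytes = DEVICE_KEY):
    """Network-owner side. Returns (admit, reason)."""
    replayed = replay_log(events)
    expected = quote(attest_key, nonce, replayed)
    # 1. The quote must cover the PCR this log reproduces: a truncated or
    #    edited log, a forged key, or a stale nonce all fail here.
    if not hmac.compare_digest(expected, presented_quote):
        return False, "bad quote"
    # 2. The booted chain must be one the network owner approved.
    if replayed not in ALLOWED_PCRS:
        return False, "unapproved software"
    return True, "admitted"


if __name__ == "__main__":
    nonce = os.urandom(16)
    log, q = node_attest(REFERENCE_BOOT, nonce)
    print(verify_end_node(log, q, nonce))  # (True, 'admitted')

    # Same hardware, but a modified kernel: the PCR no longer matches.
    tampered = [REFERENCE_BOOT[0], b"kernel:vmlinuz-6.1-patched"] + REFERENCE_BOOT[2:]
    log, q = node_attest(tampered, nonce)
    print(verify_end_node(log, q, nonce))  # (False, 'unapproved software')

    # Correct log but not the genuine device key (cloned software image).
    log, q = node_attest(REFERENCE_BOOT, nonce, attest_key=b"forged")
    print(verify_end_node(log, q, nonce))  # (False, 'bad quote')
```

The two checks are deliberately ordered: a quote that does not verify says nothing trustworthy about the log at all, so the allow-list comparison only runs on a log the device has actually vouched for. Note also that the cmdline is measured: an approved kernel booted with persistence enabled would still be rejected, which is the property the article's non-persistence requirement depends on.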

==See also==
* [Host (network)](/source/Host_(network))
* [Node (networking)](/source/Node_(networking))

==References==
{{reflist}}


---
Adapted from the Wikipedia article [Secure end node](https://en.wikipedia.org/wiki/Secure_end_node) by Wikipedia contributors ([contributor history](https://en.wikipedia.org/wiki/Secure_end_node?action=history)). Available under [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/). Changes may have been made.
