Domorela's Blog: Intranet of Things Security deployment (I)

If we want to name Intranet to our IoT deployment is a must to harden our network with security measures. As we told on our first article related to security, Domorela includes several security mechanisms, but security must be implemented from outside to inside in any Intranet. So, we need to implement perimetral security in order to put a virtual fence between any outside network and our LAN, MAN or CAN.

Perimetral security can be implemented at several layers of the OSI Model. This article will refer to the Lower Layers of this OSI Model:

Group     # Layer name Data type Scope Protocols
Lower Laryers  4  Transport  datagrams/segments  communication between software TPCP/UDP, SPX and others
3 Network datagrams/packets  messages between devices  IP, IPv6, ICMP, IPX, routing protocols
2  Data Link frames  low-level messages between devices  Ethernet, FDDI, ATM, etc
1  Physical bits  electrical or light signal  Ethernet, FDDI, ATM, etc

 

The most of the people consider to implement from the OSI Layer 3 to above levels, but we think that the first level to implement perimetral or network security is OSI Layer 1. Lets think about a wireless network in a building and potential attackers wanting to acces this network. As the physical media is air, the attacker could initiate an intrusion attack with a WiFi sniffer. Attackers don't need to access to the facilities being attacked and only to be in the WiFi range and could start the attack even from a neighbor building.


Other consideration to keep in mind are DoS attacks. How easy could be to lock down a WiFi network or destroy their waves by interfering 
with another radio signal equipment? And how easy could be to lock down a wired network by cutting a phisical cable? I'm going to let the readers answer this question, but I've asked on many occasions to WiFi vendors' personnel and resellers if they keep in mind this possibility and they simply had not even tought about it.

If we go up to OSI Layer 2 we find that main attacks are those related to MAC, DHCP and ARP. MAC attacks can overflow CAM table in network switches and turn them into hubs destroying network segmentation, also the attackers may use MAC spoofing techniques, DHCP attacks are performed through starvation of leases and through rogue DHCP server nodes, while ARP attacks are performed poisoning ARP tables to catch and inspect all the traffic from the network in the attacker node. There are also attacks related to STP and VLAN mechanisms.

While Layer 1 should be enforced by avoiding, or restricting, the use of wireless and implementing physical security to avoid the access to wired facilities, Layer 2 can be also enforced by restricting access to facilities and by using network equipment that implements countermeasures to the above types of attacks.

Going to OSI Layer 3 we find there the Internet Protocol (IP), the basis of the IoT, and many more possibilities to attackers that can be located inside and outside our network: IP spoofing, DoS/DDoS (ICMP flooding), and other techniques. The main equipments used to gather IP security are Firewalls and their primary function is to isolate IP network segments between them, so we can isolate servers allowing only privileged IP nodes to access them. We can also implement Layer 3 security with Layer 3 switches and IP routers, but we reccomend the use of Firewall equipment to provide better security to any kind of Intranet. The better option is to extend Firewall security with the support of Layer 3 switches and IP routers.

If we go up to the OSI Layer 4 we find there with TPC/UDP stack of protocols. Without them it will be impossible to implement any Internet Service, nor any Intranet Service. Attackers can use SYN flooding in DoS/DDoS attacks and many other techniques related to the different protocols and software using TPC/UPD stack. Firewalls are the key equipment to protect the network again, they must be the central node of perimetral security and we can extend security through the entire Intranet by using Layer 4 switches and IP routers.

Said all the above, we recommend an Intranet of Things Security Network Deployment as follows:

 

OSI Layer Elements deployed Reccomended Best Practices
Physical (L1)

Wires (copper/FO)

 secure the facilities to avoid unauthorized acces to wires and connections
Wireless nodes 

 avoid their use in outdoor if possible

 secure them to avoid unauthorized physical access

 use directive antennas pointing them to the inside of your buildings

Data Link (L2) L2 switches

 locate them in locked closets

 filter remote management access

 use IEEE 802.1X to validate devices connected

 use STP and protections againts DoS attacks

 use VLANs to isolate broadcast segments

 use countermeasures to avoid most common attacks

Wi-Fi nodes

 filter remote management access

 use WPA2 Enterprise and IEEE 802.1X to validate clients

 use end-to-end encryption as much as possible

 use countermeasures to avoid most common attacks

LPWAN nodes

 filter remote management access

 use end-to-end encryption

Network (L3) L3 switches

 L2 measures for switches

 use VLANs to isolate IP segments

 use countermeasures to avoid most common IP attacks

 use IP access-lists whenever you can

IP routers

 locate them in locked closets

 use countermeasures to avoid most common IP attacks

 use IP access-lists whenever you can

Firewalls

 locate them in locked closets

 filter remote management access

 extend VLANs whenever is possible

 use IEEE 802.1X to validate devices connected

 use certificates to validate VPN users connected

 use countermeasures to avoid most common IP attacks

 Transport (L4) L4 switches

 L2 & L3 measures for switches

 use countermeasures to avoid most common TCP/UDP attacks

 use TCP/UDP access-lists whenever you can

IP routers

 L2 & L3 measures for IP routers

 use countermeasures to avoid most common TCP/UDP attacks

 use TCP/UDP access-lists whenever you can

Firewalls

 L2 & L3 measures for firewalls

 use countermeasures to avoid most common TCP/UDP attacks

 use TCP/UDP access-lists whenever you can

 

In our next article we will speak about security for OSI Upper Layers in an Intranet of Things.

Blog Articles