Domorela's Blog: Intranet of Things Security deployment (I)

If we want to call our IoT deployment an Intranet, we must harden our network with security measures. As we said in our first article about security, Domorela includes several security mechanisms, but security must be implemented from the outside in for any Intranet. So we need to implement perimeter security in order to put a virtual fence between any outside network and our LAN, MAN or CAN.

Perimeter security can be implemented at several layers of the OSI model. This article covers the lower layers of the OSI model:

Group          Layer  Layer name  Data type            Scope                                Protocols
Lower Layers   4      Transport   datagrams/segments   communication between software       TCP/UDP, SPX and others
               3      Network     datagrams/packets    messages between devices             IP, IPv6, ICMP, IPX, routing protocols
               2      Data Link   frames               low-level messages between devices   Ethernet, FDDI, ATM, etc.
               1      Physical    bits                 electrical or light signals          Ethernet, FDDI, ATM, etc.

Most people consider implementing security from OSI Layer 3 upwards, but we think the first level at which to implement perimeter or network security is OSI Layer 1. Think about a wireless network in a building and potential attackers wanting to access it. As the physical medium is air, an attacker can start an intrusion with a WiFi sniffer. Attackers don't need access to the facilities being attacked; they only need to be within WiFi range, and could start the attack even from a neighboring building.


Another consideration to keep in mind is DoS attacks. How easy would it be to take down a WiFi network, or drown out its signal by interfering with other radio equipment? And how easy would it be to take down a wired network by cutting a physical cable? I'll let the readers answer these questions, but I've asked WiFi vendors' personnel and resellers on many occasions whether they keep this possibility in mind, and they simply had not even thought about it.

If we go up to OSI Layer 2 we find that the main attacks are those related to MAC, DHCP and ARP. MAC attacks can overflow the CAM table of a network switch and turn it into a hub, destroying network segmentation; attackers may also use MAC spoofing techniques. DHCP attacks are performed by exhausting the pool of leases (starvation) and by introducing rogue DHCP server nodes, while ARP attacks poison ARP tables so that all traffic on the segment passes through the attacker's node, where it can be captured and inspected. There are also attacks related to STP and VLAN mechanisms.

While Layer 1 should be secured by avoiding, or restricting, the use of wireless and by implementing physical security to prevent access to wired facilities, Layer 2 can also be secured by restricting access to facilities and by using network equipment that implements countermeasures to the above types of attack.
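To make the two Layer 2 attacks above concrete from the defender's side, here is an added example (not Domorela's code) of the consistency checks that switch countermeasures such as dynamic ARP inspection and port security rely on: an IP address whose MAC binding suddenly changes (ARP poisoning indicator) and a port that sources far more MAC addresses than a host should (CAM-table flooding indicator). The ports, addresses and events are constructed sample data, and the per-port MAC threshold is an assumed value.

```python
"""Layer 2 attack indicators over a constructed sample of ARP and frame events.

Added example, not Domorela's code. The first-seen IP-to-MAC binding is
treated as trusted, as a switch's DHCP snooping binding table would be.
"""
from collections import defaultdict

# Constructed sample: (timestamp, switch port, sender MAC, sender IP)
# as an ARP monitor might record each ARP reply it observes.
SAMPLE_ARP = [
    (1, "Gi0/1", "00:11:22:33:44:01", "192.168.10.1"),   # gateway, trusted binding
    (2, "Gi0/5", "00:11:22:33:44:05", "192.168.10.5"),
    (3, "Gi0/7", "00:11:22:33:44:07", "192.168.10.7"),
    (9, "Gi0/7", "00:11:22:33:44:07", "192.168.10.1"),   # port 7 now claims the gateway IP
]

def find_arp_conflicts(records):
    """Return (ip, trusted_mac, claimed_mac, port) for every reply that contradicts
    the first-seen binding of that IP."""
    binding = {}
    alerts = []
    for _ts, port, mac, ip in records:
        known = binding.setdefault(ip, mac)   # keeps the first binding, never overwrites it
        if known != mac:
            alerts.append((ip, known, mac, port))
    return alerts

# Constructed sample: (switch port, source MAC) of frames seen per port.
# Gi0/5 is a normal host; Gi0/9 sources 300 distinct MACs in a short time.
SAMPLE_FRAMES = [("Gi0/5", "00:11:22:33:44:05")] * 3 + [
    ("Gi0/9", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}") for i in range(300)
]

def find_mac_floods(frames, max_macs_per_port=8):
    """Return {port: distinct MAC count} for ports above the (assumed) threshold,
    the same condition a switch's port-security MAC limit acts on."""
    macs = defaultdict(set)
    for port, mac in frames:
        macs[port].add(mac)
    return {p: len(s) for p, s in macs.items() if len(s) > max_macs_per_port}

if __name__ == "__main__":
    for ip, trusted, claimed, port in find_arp_conflicts(SAMPLE_ARP):
        print(f"ARP conflict: {ip} is {trusted}, but {claimed} claimed it on {port}")
    for port, n in find_mac_floods(SAMPLE_FRAMES).items():
        print(f"possible CAM flooding: {n} source MACs seen on {port}")
```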

Going up to OSI Layer 3 we find the Internet Protocol (IP), the basis of the IoT, and many more possibilities for attackers, who can be located inside or outside our network: IP spoofing, DoS/DDoS (ICMP flooding) and other techniques. The main equipment used to provide IP security is the firewall; its primary function is to isolate IP network segments from each other, so we can isolate servers and allow only privileged IP nodes to access them. We can also implement Layer 3 security with Layer 3 switches and IP routers, but we recommend firewall equipment to provide better security for any kind of Intranet. The best option is to extend firewall security with the support of Layer 3 switches and IP routers.

If we go up to OSI Layer 4 we find the TCP/UDP protocols. Without them it would be impossible to implement any Internet service or any Intranet service. Attackers can use SYN flooding in DoS/DDoS attacks and many other techniques related to the different protocols and software that use the TCP/UDP stack. Firewalls are again the key equipment for protecting the network: they must be the central node of perimeter security, and we can extend security through the entire Intranet by using Layer 4 switches and IP routers.
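The Layer 3 and Layer 4 paragraphs both come down to access-lists that isolate a server segment so only privileged nodes reach it. The following added example (not Domorela's code, and not any vendor's ACL syntax) evaluates such a first-match IP/TCP/UDP access-list with the implicit deny that closes every real one; the VLAN addresses, services and rules are constructed for illustration.

```python
"""First-match IP/TCP/UDP access-list evaluation, as a firewall or L3/L4 switch
applies it. Added example with a constructed policy, not Domorela's code."""
import ipaddress

# Constructed policy: (action, protocol or "any", source net, destination net, dest port or None).
# Rules are checked top to bottom and the first match wins; anything that matches
# no rule falls through to the implicit deny, which is what makes this a perimeter.
RULES = [
    ("permit", "tcp",  "10.0.10.0/24", "10.0.20.0/24",  443),   # admin VLAN -> servers, HTTPS only
    ("permit", "udp",  "10.0.20.0/24", "10.0.20.53/32", 53),    # servers -> internal DNS
    ("deny",   "any",  "10.0.30.0/24", "10.0.20.0/24",  None),  # IoT VLAN may never reach servers
    ("permit", "tcp",  "10.0.30.0/24", "10.0.40.10/32", 1883),  # IoT devices -> MQTT broker only
    ("deny",   "icmp", "0.0.0.0/0",    "10.0.20.0/24",  None),  # no ping sweeps of the server segment
]

def evaluate(rules, proto, src, dst, dport=None):
    """Return (action, index of the matching rule), or ("deny", None) for the implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, (action, rproto, rsrc, rdst, rport) in enumerate(rules):
        if rproto != "any" and rproto != proto:
            continue                        # protocol does not match (L4 criterion)
        if src_ip not in ipaddress.ip_network(rsrc) or dst_ip not in ipaddress.ip_network(rdst):
            continue                        # addresses do not match (L3 criterion)
        if rport is not None and rport != dport:
            continue                        # destination port does not match (L4 criterion)
        return action, idx
    return "deny", None                     # implicit deny at the end of every access-list

if __name__ == "__main__":
    samples = [("tcp", "10.0.10.7", "10.0.20.5", 443),      # admin HTTPS to a server: permitted
               ("tcp", "10.0.10.7", "10.0.20.5", 22),       # admin SSH: no rule, implicit deny
               ("tcp", "10.0.30.9", "10.0.20.5", 443),      # IoT device to a server: explicit deny
               ("icmp", "198.51.100.3", "10.0.20.5", None)]  # outside ping of the segment: deny
    for pkt in samples:
        print(pkt, "->", evaluate(RULES, *pkt))
```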

Having said all the above, we recommend an Intranet of Things security network deployment as follows:

 

OSI Layer        Elements deployed   Recommended best practices
Physical (L1)    Wires (copper/FO)   secure the facilities to avoid unauthorized access to wires and connections
                 Wireless nodes      avoid their use outdoors if possible
                                     secure them to avoid unauthorized physical access
                                     use directional antennas pointing to the inside of your buildings
Data Link (L2)   L2 switches         locate them in locked closets
                                     filter remote management access
                                     use IEEE 802.1X to validate connected devices
                                     use STP and protections against DoS attacks
                                     use VLANs to isolate broadcast segments
                                     use countermeasures to avoid the most common attacks
                 Wi-Fi nodes         filter remote management access
                                     use WPA2 Enterprise and IEEE 802.1X to validate clients
                                     use end-to-end encryption as much as possible
                                     use countermeasures to avoid the most common attacks
                 LPWAN nodes         filter remote management access
                                     use end-to-end encryption
Network (L3)     L3 switches         L2 measures for switches
                                     use VLANs to isolate IP segments
                                     use countermeasures to avoid the most common IP attacks
                                     use IP access-lists whenever you can
                 IP routers          locate them in locked closets
                                     use countermeasures to avoid the most common IP attacks
                                     use IP access-lists whenever you can
                 Firewalls           locate them in locked closets
                                     filter remote management access
                                     extend VLANs whenever possible
                                     use IEEE 802.1X to validate connected devices
                                     use certificates to validate connected VPN users
                                     use countermeasures to avoid the most common IP attacks
Transport (L4)   L4 switches         L2 & L3 measures for switches
                                     use countermeasures to avoid the most common TCP/UDP attacks
                                     use TCP/UDP access-lists whenever you can
                 IP routers          L2 & L3 measures for IP routers
                                     use countermeasures to avoid the most common TCP/UDP attacks
                                     use TCP/UDP access-lists whenever you can
                 Firewalls           L2 & L3 measures for firewalls
                                     use countermeasures to avoid the most common TCP/UDP attacks
                                     use TCP/UDP access-lists whenever you can

In our next article we will talk about security for the OSI upper layers in an Intranet of Things.