Domorela's Blog: Intranet of Things Security deployment (I)
If we want to call our IoT deployment an Intranet, hardening the network with security measures is a must. As we said in our first article on security, Domorela includes several security mechanisms, but in any Intranet security must be implemented from the outside in. So we need to implement perimeter security in order to put a virtual fence between any outside network and our LAN, MAN or CAN.
Perimeter security can be implemented at several layers of the OSI Model. This article covers the Lower Layers of the OSI Model:
| Group | # | Layer name | Data type | Scope | Protocols |
|---|---|---|---|---|---|
| Lower Layers | 4 | Transport | datagrams/segments | communication between software | TCP/UDP, SPX and others |
| | 3 | Network | datagrams/packets | messages between devices | IP, IPv6, ICMP, IPX, routing protocols |
| | 2 | Data Link | frames | low-level messages between devices | Ethernet, FDDI, ATM, etc. |
| | 1 | Physical | bits | electrical or light signals | Ethernet, FDDI, ATM, etc. |
Most people consider implementing security from OSI Layer 3 upwards, but we think the first level at which to implement perimeter or network security is OSI Layer 1. Let's think about a wireless network in a building and potential attackers wanting to access it. As the physical medium is air, an attacker could begin an intrusion with a WiFi sniffer. Attackers don't need access to the facilities being attacked; they only need to be within WiFi range, and could start the attack even from a neighboring building.
Another consideration to keep in mind is DoS attacks. How easy is it to lock down a WiFi network, or drown out its signal by interfering with other radio equipment? And how easy is it to lock down a wired network by cutting a physical cable? I'm going to let the readers answer these questions, but I've asked WiFi vendors' personnel and resellers on many occasions whether they keep this possibility in mind, and they simply had not even thought about it.
If we go up to OSI Layer 2, we find that the main attacks are those related to MAC, DHCP and ARP. MAC attacks can overflow the CAM table in network switches and turn them into hubs, destroying network segmentation; attackers may also use MAC spoofing techniques. DHCP attacks are performed through starvation of leases and through rogue DHCP server nodes, while ARP attacks poison ARP tables so that all the network's traffic passes through the attacker's node, where it can be captured and inspected. There are also attacks related to STP and VLAN mechanisms.
While Layer 1 should be enforced by avoiding, or restricting, the use of wireless and by implementing physical security to prevent access to wired facilities, Layer 2 can also be enforced by restricting access to facilities and by using network equipment that implements countermeasures to the types of attacks above.
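As an added example (not part of the original article or of Domorela's products), the following Python shows how two of the Layer 2 symptoms just described can be spotted offline in a switch-port monitoring log: an IP answered by more than one MAC (ARP poisoning) and a single port sourcing an abnormal number of distinct MACs (CAM-table flooding). The observation tuple layout, port names, addresses and the per-port threshold are all constructed for this example.

```python
from collections import defaultdict

# Constructed observations a monitoring probe might log on access ports:
# (timestamp_s, switch_port, source_mac, arp_sender_ip_or_None).
# arp_sender_ip is None for frames that are not ARP replies.
OBSERVATIONS = [
    (0, "Gi1/0/1", "aa:aa:aa:aa:aa:01", "10.0.10.1"),   # gateway, legitimate
    (1, "Gi1/0/2", "aa:aa:aa:aa:aa:02", "10.0.10.20"),  # sensor, legitimate
    (2, "Gi1/0/7", "de:ad:be:ef:00:07", "10.0.10.1"),   # gateway IP claimed again
    (3, "Gi1/0/7", "de:ad:be:ef:00:07", "10.0.10.20"),  # sensor IP claimed too
] + [
    # Burst of never-seen source MACs from one port: the CAM-flooding pattern.
    (4, "Gi1/0/9", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", None)
    for i in range(300)
]

# Assumption: an IoT access port rarely sources more than a few dozen MACs.
MAC_PER_PORT_THRESHOLD = 32

def detect_arp_poisoning(observations):
    """Map each IP answered by more than one MAC to its sorted MAC list.
    A replaced NIC also triggers this, so confirm against the asset inventory."""
    macs_by_ip = defaultdict(set)
    for _ts, _port, mac, ip in observations:
        if ip is not None:
            macs_by_ip[ip].add(mac)
    return {ip: sorted(m) for ip, m in macs_by_ip.items() if len(m) > 1}

def detect_cam_flooding(observations, threshold=MAC_PER_PORT_THRESHOLD):
    """Map each port sourcing more distinct MACs than `threshold` to its count."""
    macs_by_port = defaultdict(set)
    for _ts, port, mac, _ip in observations:
        macs_by_port[port].add(mac)
    return {p: len(m) for p, m in macs_by_port.items() if len(m) > threshold}

def likely_poisoners(observations):
    """MACs involved in two or more IP conflicts: one node answering for both
    the gateway and a host is the pattern to escalate to incident response."""
    conflicts = detect_arp_poisoning(observations)
    ips_by_mac = defaultdict(set)
    for _ts, _port, mac, ip in observations:
        if ip in conflicts:
            ips_by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) >= 2}

if __name__ == "__main__":
    print("ARP conflicts:", detect_arp_poisoning(OBSERVATIONS))
    print("Flooded ports:", detect_cam_flooding(OBSERVATIONS))
    print("Likely poisoners:", likely_poisoners(OBSERVATIONS))
```

On a real switch the same conditions are what port-security MAC limits and dynamic ARP inspection enforce in hardware; this script is only useful for reviewing logs from equipment that lacks those features.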
Going to OSI Layer 3, we find the Internet Protocol (IP), the basis of the IoT, and many more possibilities for attackers, who can be located inside or outside our network: IP spoofing, DoS/DDoS (ICMP flooding) and other techniques. The main equipment used to provide IP security is the firewall, whose primary function is to isolate IP network segments from one another, so we can isolate servers and allow only privileged IP nodes to access them. We can also implement Layer 3 security with Layer 3 switches and IP routers, but we recommend firewall equipment to provide better security for any kind of Intranet. The best option is to extend firewall security with the support of Layer 3 switches and IP routers.
If we go up to OSI Layer 4, we find the TCP/UDP protocols. Without them it would be impossible to implement any Internet service, or any Intranet service. Attackers can use SYN flooding in DoS/DDoS attacks and many other techniques related to the different protocols and software that use the TCP/UDP stack. Firewalls are again the key equipment to protect the network; they must be the central node of perimeter security, and we can extend security through the entire Intranet by using Layer 4 switches and IP routers.
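The Layer 3/4 access-lists recommended above are evaluated first-match with an implicit default deny, and the most common mistake is a broad rule placed before the specific one it was meant to refine. As an added example (not code from the article or from any vendor), this Python models a small server-VLAN policy, evaluates sample packets against it and flags rules shadowed by an earlier one; the rule fields, addresses and ports are constructed for the example and follow no vendor syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """One access-list entry; fields are this example's own, not a vendor syntax."""
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    dport: Optional[int] = None  # None matches any destination port

# Constructed policy for a server VLAN (10.0.100.0/24): only the management
# hosts may SSH, only the sensor VLAN may publish MQTT/TLS to the broker,
# everything else toward the server VLAN is explicitly denied.
SERVER_ACL = [
    Rule("permit", "tcp", "10.0.1.0/29", "10.0.100.0/24", 22),
    Rule("permit", "tcp", "10.0.10.0/24", "10.0.100.10/32", 8883),
    Rule("permit", "icmp", "10.0.1.0/29", "10.0.100.0/24"),
    Rule("deny", "any", "0.0.0.0/0", "10.0.100.0/24"),
]

def _matches(rule, proto, src, dst, dport):
    return (rule.proto in ("any", proto)
            and ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport == dport))

def evaluate(acl, proto, src, dst, dport=None):
    """First-match evaluation; returns (action, rule index), or ("deny", -1)
    for the implicit default deny every access-list should end with."""
    for i, rule in enumerate(acl):
        if _matches(rule, proto, src, dst, dport):
            return rule.action, i
    return "deny", -1

def _covers(outer, inner):
    """True when every packet matching `inner` also matches `outer`."""
    return (outer.proto in ("any", inner.proto)
            and ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
            and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
            and (outer.dport is None or outer.dport == inner.dport))

def shadowed_rules(acl):
    """Indices of rules an earlier rule makes unreachable (a common ordering bug)."""
    return [j for j in range(len(acl)) if any(_covers(acl[i], acl[j]) for i in range(j))]
```

Running `shadowed_rules` over an exported policy before pushing it to a firewall or L3/L4 switch catches the case where the explicit deny has drifted above the permits it was meant to follow.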
Having said all the above, we recommend an Intranet of Things security network deployment as follows:
| OSI Layer | Elements deployed | Recommended Best Practices |
|---|---|---|
| Physical (L1) | Wires (copper/FO) | secure the facilities to avoid unauthorized access to wires and connections |
| Physical (L1) | Wireless nodes | avoid their use outdoors if possible; secure them to avoid unauthorized physical access; use directional antennas pointed at the inside of your buildings |
| Data Link (L2) | L2 switches | locate them in locked closets; filter remote management access; use IEEE 802.1X to validate connected devices; use STP and protections against DoS attacks; use VLANs to isolate broadcast segments; use countermeasures to avoid the most common attacks |
| Data Link (L2) | Wi-Fi nodes | filter remote management access; use WPA2 Enterprise and IEEE 802.1X to validate clients; use end-to-end encryption as much as possible; use countermeasures to avoid the most common attacks |
| Data Link (L2) | LPWAN nodes | filter remote management access; use end-to-end encryption |
| Network (L3) | L3 switches | L2 measures for switches; use VLANs to isolate IP segments; use countermeasures to avoid the most common IP attacks; use IP access-lists whenever you can |
| Network (L3) | IP routers | locate them in locked closets; use countermeasures to avoid the most common IP attacks; use IP access-lists whenever you can |
| Network (L3) | Firewalls | locate them in locked closets; filter remote management access; extend VLANs whenever possible; use IEEE 802.1X to validate connected devices; use certificates to validate connected VPN users; use countermeasures to avoid the most common IP attacks |
| Transport (L4) | L4 switches | L2 & L3 measures for switches; use countermeasures to avoid the most common TCP/UDP attacks; use TCP/UDP access-lists whenever you can |
| Transport (L4) | IP routers | L2 & L3 measures for IP routers; use countermeasures to avoid the most common TCP/UDP attacks; use TCP/UDP access-lists whenever you can |
| Transport (L4) | Firewalls | L2 & L3 measures for firewalls; use countermeasures to avoid the most common TCP/UDP attacks; use TCP/UDP access-lists whenever you can |
In our next article we will talk about security for the OSI Upper Layers in an Intranet of Things.