Domorela's Blog: Intranet of Things Security deployment (II)

Once we have secured our network, we need to implement security at the upper layers of the OSI Model. Many techniques can be applied, depending on the scope; we will consider them from two points of view: enforcing inspection and/or protection of application data at the network equipment, and/or relying on data protection at every End Node or host of the network.

The first of the above points of view is known as Unified Threat Management (UTM). With this technique a single host acts as the security node for the Upper Layers of the OSI Model, in the same way a Firewall does for the Lower Layers, which is why many people speak of a Layer 7 Firewall instead of a UTM. A UTM unit usually not only inspects the application data in the packets that traverse it but also incorporates an Intrusion Prevention System (IPS) and an Antivirus Engine. It is usually possible to activate them separately, so you can enable only the Layer 7 Firewall, Layer 7 FW + IPS, Layer 7 FW + AV Engine, or all of them.

The second is commonly, and in my view wrongly, based on protection software installed on the End Points, commonly known as Antivirus Software. This technique requires more powerful CPUs and is a must with a certain family of operating systems that needs/allows system calls from non-admin users in order to execute applications and tasks, but it is not needed by Unix-like systems, which isolate user space from kernel space, avoiding system calls from user space.

As many people may think, the above is commonly applied in any ICT infrastructure, so nothing new so far in this article. The key point here is how to apply the above mechanisms to the IoT. Well, thinking about the low-consumption CPUs used in the embedded systems that commonly implement IoT devices, which we discussed in a previous article, the answer is very simple: if our IoT only includes Unix-like systems we don't need an Antivirus, and our security can rely only on a UTM node with Layer 7 Firewall + IPS.

Having read the above, many people may think of the debate about whether viruses exist for Unix-like systems or not. The answer to that controversy is very clear: Unix-like systems can't be affected by viruses. On the other hand, viruses aren't the only existing threat from the point of view of an operating system and, of course, it is a must to harden every kind of node in any ICT infrastructure. But an Antivirus running on a Unix-like system isn't necessary.

Having said all the above, our recommendation is to use Unix-like systems to implement the Intranet of Things server node and, after deployment of our system, to apply security measures that properly harden it against exploits (not viruses) from external attackers. We can rely on many GNU/Linux distributions or, if we want, we can opt for OS X Server.

As we said in our previous article, security can be implemented at every layer of the OSI Model. This article refers to the Upper Layers of the OSI Model:

| Group        | # | Layer name   | Data type | Scope                    | Protocols/Technologies |
|--------------|---|--------------|-----------|--------------------------|------------------------|
| Upper Layers | 7 | Application  | data      | application data         | HTTP, DNS, SMTP, etc.  |
| Upper Layers | 6 | Presentation | data      | representations          | MIME, SSL, etc.        |
| Upper Layers | 5 | Session      | data      | exchange between devices | Sockets, RPC, etc.     |

So to implement security on IoT End Nodes we need to enforce it at every one of the OSI Upper Layers. To do that, the first thing we need is to identify the threats affecting our system. If we rely only on Unix-like systems we only need to pay attention to exploits, so we only need to harden our system against common exploits and follow the published security updates, to know whether they are relevant to our installation and apply them when needed.

Having identified the possible threats affecting our system, we need to follow best practices in order to properly harden it, paying attention to the different mechanisms related to each of the Upper Layers of the OSI Model:

  1. establish session control mechanisms for Layer 5
  2. use secure protocols and mechanisms like SSL in Layer 6
  3. achieve the most secure configuration for our applications at Layer 7
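A practical starting point for step 1 on a Unix-like End Node is to know exactly which sockets the node accepts sessions on and to compare them against what it is meant to serve. The script below is an added example, not code from the original post or from Domorela: it parses the output of `ss -H -l -t -u -n` (iproute2), flags listeners that are not on an allowlist, and ranks exposed (non-loopback) ones first. The allowlist (SSH, HTTPS, DNS) and the sample `ss` output are constructed assumptions; adjust the allowlist to the services your node actually provides.

```python
"""Audit listening sockets on a Unix-like End Node against an allowlist.

Added example, not Domorela code. Assumes the iproute2 `ss -H -l -t -u -n`
line layout: Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port.
"""
from __future__ import annotations

import shutil
import subprocess
from dataclasses import dataclass

# Assumed allowlist for an Intranet of Things gateway: (protocol, port).
ALLOWED_LISTENERS = {
    ("tcp", 22),   # SSH for administration
    ("tcp", 443),  # HTTPS for the application
    ("tcp", 53),   # local DNS resolver
    ("udp", 53),
}

# Constructed sample of `ss -Hltun` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
udp   UNCONN 0      0          0.0.0.0:53        0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:111       0.0.0.0:*
tcp   LISTEN 0      128      127.0.0.1:8080      0.0.0.0:*
tcp   LISTEN 0      511           [::]:23           [::]:*
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int

    @property
    def exposed(self) -> bool:
        """True when the socket is bound to something other than loopback."""
        return self.address not in ("127.0.0.1", "::1")


def parse_ss_output(text: str) -> list[Listener]:
    """Turn ss output lines into Listener records; skips lines it can't read."""
    listeners: list[Listener] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        # Split on the last ':' so IPv6 addresses such as [::]:23 parse too.
        addr, _, port = local.rpartition(":")
        addr = addr.strip("[]")
        if not port.isdigit():
            continue
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def unexpected_listeners(listeners: list[Listener], allowed=ALLOWED_LISTENERS) -> list[Listener]:
    """Return listeners not on the allowlist, exposed ones first, then by proto/port."""
    extra = [l for l in listeners if (l.proto, l.port) not in allowed]
    return sorted(extra, key=lambda l: (not l.exposed, l.proto, l.port))


def collect_live_listeners() -> list[Listener]:
    """Run ss on the local host, or return [] when iproute2 is not installed."""
    if shutil.which("ss") is None:
        return []
    out = subprocess.run(["ss", "-H", "-l", "-t", "-u", "-n"],
                         capture_output=True, text=True, check=False)
    return parse_ss_output(out.stdout)


if __name__ == "__main__":
    # Use the constructed sample so the script runs offline on any host;
    # swap in collect_live_listeners() to audit the node you are on.
    for l in unexpected_listeners(parse_ss_output(SAMPLE_SS_OUTPUT)):
        where = "EXPOSED" if l.exposed else "loopback only"
        print(f"{l.proto}/{l.port} on {l.address} ({where}): not in allowlist, disable the service or firewall the port")
```

Each reported listener is a session endpoint the node does not need; the fix is to stop or uninstall the service behind it, and failing that to bind it to loopback or block it on the UTM.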

 

And our recommendation for Internet of Things Upper Layer Security Deployment is as follows:

| OSI Layer         | Elements deployed             | Recommended Best Practices |
|-------------------|-------------------------------|----------------------------|
| Session (L5)      | UTM with L7 FW + IPS          | Block all unwanted sessions on the UTM; use the UTM log to identify all suspect sessions; update applications' signatures frequently on the UTM |
| Session (L5)      | Unix-like OS server & devices | Apply relevant security updates to OS and applications; harden End Nodes by reducing unused listeners |
| Presentation (L6) | UTM with L7 FW + IPS          | Update applications' signatures frequently on the UTM |
| Presentation (L6) | Unix-like OS server & devices | Avoid OS default configurations and remove residual ones; apply relevant security updates to OS and applications; harden End Nodes using applications' security best practices |
| Application (L7)  | UTM with L7 FW + IPS          | Use the UTM log to identify all suspect applications; update applications' signatures frequently on the UTM |
| Application (L7)  | Unix-like OS server & devices | Avoid application default and residual configurations; apply relevant security updates to applications; harden End Nodes using applications' security best practices |

 
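The UTM rows above recommend using the UTM log to identify suspect sessions and applications. The script below is an added example, not code from the original post or from Domorela, and no real UTM product writes this log format: the key=value line layout, the field names, the device subnet, the gateway address and the allowed services are all constructed assumptions. It triages session records by flagging device sessions that leave the Intranet of Things, device sessions to services outside the allowlist, and sources that keep hitting denied rules.

```python
"""Triage session records from a UTM log to identify suspect sessions.

Added example, not Domorela code and not any real UTM product's log format:
the key=value layout, field names and policy values below are assumptions.
"""
from __future__ import annotations

import ipaddress
from collections import Counter

DEVICE_NET = ipaddress.ip_network("10.0.1.0/24")  # assumed IoT device subnet
GATEWAY = ipaddress.ip_address("10.0.1.5")        # assumed Intranet of Things server
ALLOWED_SERVICES = {("tcp", 443), ("udp", 53)}    # assumed: devices use HTTPS and DNS only
DENY_THRESHOLD = 3                                # repeated blocks from one source worth a look

# Constructed sample lines (not captured from a real UTM).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=10.0.1.20 dst=10.0.1.5 proto=tcp dport=443 action=allow
2024-05-01T10:00:02Z src=10.0.1.21 dst=10.0.1.5 proto=udp dport=53 action=allow
2024-05-01T10:00:03Z src=10.0.1.22 dst=203.0.113.9 proto=tcp dport=80 action=allow
2024-05-01T10:00:04Z src=10.0.1.20 dst=10.0.1.5 proto=tcp dport=23 action=deny
2024-05-01T10:00:05Z src=10.0.1.20 dst=10.0.1.5 proto=tcp dport=23 action=deny
2024-05-01T10:00:06Z src=10.0.1.20 dst=10.0.1.5 proto=tcp dport=23 action=deny
2024-05-01T10:00:07Z src=10.0.2.7 dst=10.0.1.5 proto=tcp dport=22 action=allow
this line is malformed and must be skipped
"""


def parse_line(line: str) -> dict | None:
    """Return the record's fields as a dict, or None if the line is unusable."""
    parts = line.split()
    if len(parts) < 2:
        return None
    rec: dict = {"ts": parts[0]}
    for kv in parts[1:]:
        if "=" not in kv:
            return None
        key, val = kv.split("=", 1)
        rec[key] = val
    try:
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["dst"] = ipaddress.ip_address(rec["dst"])
        rec["dport"] = int(rec["dport"])
    except (KeyError, ValueError):
        return None
    return rec


def triage(text: str) -> list[tuple[str, dict]]:
    """Return (finding, record) pairs for suspect sessions; clean sessions are dropped."""
    findings: list[tuple[str, dict]] = []
    denies: Counter = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec.get("action") == "deny":
            # A source that keeps being blocked is probing or misconfigured.
            denies[rec["src"]] += 1
            if denies[rec["src"]] == DENY_THRESHOLD:
                findings.append(("repeated blocked sessions from one source", rec))
            continue
        if rec["src"] in DEVICE_NET:
            if rec["dst"] != GATEWAY:
                findings.append(("device session leaves the Intranet of Things", rec))
            elif (rec.get("proto"), rec["dport"]) not in ALLOWED_SERVICES:
                findings.append(("device uses a service outside the allowlist", rec))
    return findings


if __name__ == "__main__":
    for finding, rec in triage(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['src']} -> {rec['dst']}:{rec['dport']}/{rec.get('proto')}: {finding}")
```

Each finding points at a session the UTM either should have blocked (tighten the rule set) or did block repeatedly (look at the device behind the source address); the policy constants are the part you would replace with your own network plan.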

As said in a previous article, it's possible to deploy a Domorela unit as the core node or as an edge gateway in an Intranet of Things, so the above "Unix-like OS server" could be a Domorela unit. From the point of view of security, the advantage of using a Domorela unit instead of a PC server is that Domorela doesn't need an OS installation and is properly hardened from the factory.