1. External Use
TM
Achieving visibility and security in
IoT networks using SDN and NFV
technologies
Srini Addepalli
saddepalli@freescale.com
June, 2015

2. TM
External Use 1
Agenda
• IoT Networks & Building Blocks
• IoT Security and Challenges/Considerations
• Introduction to SDN and NFV
• Application of SDN and NFV in securing IoT resources
and Data

3. TM
External Use 2
IoT Network Topology – An example
IoT nodes Routers Edge/Border
Gateways
Lower Power Network such as
802.15.4x
Traditional Network
Cloud/Data
Center (Control
& Operations )
Clients &
Mashups
(M2M)

4. TM
External Use 3
IoT Network Topology – Move towards IP Connectivity
802.15.4
6LoWPAN
IPv6, RPL
DTSL+UDP TLS + TCP
CoAP MQTT HTTP
Common
App Layer (eg. SEP 2.0)
DTSL+UDP TLS + TCP
CoAP to HTTP
Proxy
MQTT
broker
IoT node specific Edge Gateway
specific
DNS/mDNS Servers
HTTPS + APP Servers
(eg. SEP 2.0 Server)
Registration /Access
Control Server(s)
Analytics Servers
• IPv6 is the main choice  Large number of addresses.
• CoAP/DTLS/UDP or HTTP/TLS/TCP are also being added to the IoT devices (low memory stacks, hardware
encryption, hardware random number generator are becoming common)
• RESTful API (over CoAP or HTTP) - Availability of many existing solutions.
• Subscribe/Publish Model  Using MQTT or HTTP push method.
DHCP Server(s)
CA, OCSP etc..
Orchestration
Server(s)

5. TM
External Use 4
Typical Security Functions
Security Elements
Security on Wire
• DTLS, TLS
• MAC Level Security
• IPSec
Security at rest
• Crypto file systems
• Encrypted Data in flash
• Key Privacy
• Tamper Protection
Threat Security
- Network Traffic Filtering
- Network Traffic Rate Limiting
- NetworkIntrusion Prevention and Detection.
- OWASP recommended attack Prevention.
- API Level security (Intrusion, Firewall, Filtering and Rate limiting )
Vulnerability Analysis
- Constant monitoring of devices with latest known vulnerabilities.
Proactive Data Gathering (Traffic Visibility and Monitoring ) & Quarantine
- Spot and Prevent reconnaissance/scans
- Off-line analytics for attack signatures
- Historical analysis
Secure firmware/Images
- Upgrade facilities, Secure Upgrade and Secure boot, Real time Integrity checks

6. TM
External Use 5
IoT Specific Security Considerations
Considerations / Challenges
Battery Powered IoT Devices
• Ensure only relevant traffic goes to the IoT nodes.
• Do as little security processing at the IoT nodes (Put more processing on front-end device that are
powered from mains)
IoT Devices that don’t support Image Upgrades
• Front end devices to check for vulnerabilities
• Monitor for abnormal behavior in the traffic to/from the devices.
• Quarantine the device upon some threshold.
Rogue IoT Node Detection
• Device Certificate based registration/Commissioning
• Ability to make the registration inventory DB available for interested security solutions and DHCP
Servers, thereby ensuring no rogue device participate in the network.
• Ability to manual on-board devices that don’t have secure registration capabilities
Large number of IoT Devices
• Centralized Control of Traffic filtering, mirroring, rate limiting etc..
SDN (Software Defined Networking) makes it easier to mitigate above
security challenges.

7. TM
External Use 6
IoT Specific Security Considerations
Considerations / Challenges
RESTful API
• Many Application protocols are using XML/JSON over HTTP for transferring application data
between IoT nodes and Data Centers.
• Vulnerability analysis (Buffer overflow detection, cross-site scripting, SQL injections and other
analysis) at API level is important as com
• Visibility of application data.
Many Applications and more&more coming. Newer application versions
• Application visibility requires new security & visibility plugins – Dynamism is important.
• Flexibility to adopt security solutions from various vendors.
• Able to launch and provision/configure new security solutions in matter of minutes.
NFV / Dockers makes it easier to mitigate above security challenges.

8. TM
External Use 7
SDN
• Disaggregation of Layers
• Centralization of CP across multiple data paths
(SDN Controllers such as ODL) – Central
Intelligence
• Centralized Management (Openstack
Neutron/Congress/GBP etc..) – Single dash
board
• North bound protocols
− JSON-over-HTTP, NetConf, OpFlex etc..
• South bound protocols
− Openflow 1.x (OF)
Management Plane
Control Plane
Service Plane (Normal Path)
Data Path
North bound Protocols
South bound Protocols
Data Path
Configuration / Management
Agent
Control/Service Plane
Data Plane/Fast Path
Physical Network Function Appliance
(Integrated control & Data)
SDN – Separation of Layers
IoT Routers/Edge-Gateways
as Data Path Elements
Centralize all control at one
logical entity.

9. TM
External Use 8
NFV – Network Function Virtualization
• Each network function as VM (vNF)
− Scale-Out (Bring more VMs on demand basis based on load)
− Multiple network functions can share a NFV node (Compute node)
− One common hardware for all types of network functions
Virtual Switch, KVM / QEMU (NFVI)
vNF1 vNF2 vNF3
pNF1
pNF2
pNF3
Network functions include Reverse proxies, firewall, WAF, API Security
and application visibility functions.

10. TM
External Use 9
Usage of SDN
IoT nodes Routers Edge/Border
Gateways
Cloud/Data
Center (Control
& Operations )
Clients &
Mashups
(M2M)
South Bound (eg. Openflow)
Traffic
Policing App
Traffic
filtering App
Traffic
Monitoring App
Service
Function
Chaining
Traffic
Mirroring App
North Bound API (REStful)
Rogue
Device
Detection
SDN Controller
• Flexible data path in the
routers -> Openflow is a
great candidate.
• Controlled by centralized
controller
• Newer security application
don’t require upgrade to
the routers – Only upgrade
of SDN controller.

11. TM
External Use 10
Usage of NFV
IoT nodes Routers Edge/Border
Gateways
Cloud/Data
Center (Control
& Operations )
Clients &
Mashups
(M2M)
Security / Visibility
Services
QEMU/Dockers
PF
PF
SF1
SF2
SFn
Openstack Controller
NOVA (VIM)
Neutron (NV)
SFC Manager
Key Orcehstrator
• PF (Proxy Functions) acting as reverse proxies (TLS->Clear and Clear->TLS)
• Various Security Functions (SF) as Dockers or VMs  WAF, API Firewall, API IDS/IPS, API
Encryption, SEP 2.0 security, and many more…) on a common hardware.
• Openstack Controller to bring up/bring down/scale-out/scale-in network functions on demand.
Dockers (VIM)

12. TM
External Use 11
Summary
• IP Connectivity from IoT nodes is enabling usage of existing IP
infrastructure
− Service Discovery using DNS-SRV, mDNS.
− IP Addressability using IPv6 and DHCP Servers
− Secure Registration using RESTful messages using CoAP or even HTTP.
− Security-on-wire using DTLS/TLS.
• IP Connectivity is also enabling SDN & NFV usage in enabling threat
Security & visibility at the network and application level.
− Use similar techniques used in securing Cloud Services from clients.
− Apply same techniques on traffic between IoT nodes & Cloud Services.
− Thereby
 Reuse of technology and hence same security talent
 Common Hardware
 Ease of adding new security services.
 Simplify deployment
 Reduce CAPEX and OPEX.

13. TM
External Use 12
References
OWASP Internet of Things Top Ten Project https://www.owasp.org/index.php/OWASP_Interne
t_of_Things_Top_Ten_Project#tab=Main
Check recommendations specifically written for
“Manufacturers”, “Developers” and “Consumers”.
Insecurity in Internet-of-Things from Symantec https://www.symantec.com/content/en/us/enterpris
e/media/security_response/whitepapers/insecurity-
in-the-internet-of-things.pdf
Smart Energy Profile 2.0 http://sunspec.org/wp-
content/uploads/2012/02/Zigbee-SEP-2-docs-11-
0167-18-seed-app-spec-draft-for-editors-
review.pdf
http://smartgrid.ieee.org/standards/ieee-approved-
proposed-standards-related-to-smart-grid/935-
p2030-5-ieee-draft-standard-for-smart-energy-
profile-2-0-application-protocol-p
IoT Security Labs http://iotsecuritylab.com
OWASP Top Ten Project (for any WEB and
RESTful projects)
https://www.owasp.org/index.php/Category:OWAS
P_Top_Ten_Project

14. TM
© 2015 Freescale Semiconductor, Inc. | External Use
www.Freescale.com