1. External Use
TM
Achieving visibility and security in IoT networks using SDN and NFV technologies
Srini Addepalli
saddepalli@freescale.com
June, 2015
2. Agenda
• IoT Networks & Building Blocks
• IoT Security and Challenges/Considerations
• Introduction to SDN and NFV
• Application of SDN and NFV in securing IoT resources and Data
3. IoT Network Topology – An example
[Figure: topology chain IoT nodes -> Routers -> Edge/Border Gateways -> Cloud/Data Center (Control & Operations) -> Clients & Mashups (M2M). IoT nodes attach over a low-power network such as 802.15.4x; everything beyond the routers runs over a traditional network.]
4. IoT Network Topology – Move towards IP Connectivity
[Figure: protocol stack per element. IoT node: 802.15.4, 6LoWPAN, IPv6 + RPL, DTLS+UDP or TLS+TCP, CoAP/MQTT/HTTP, common application layer (e.g. SEP 2.0). Edge gateway: DTLS+UDP / TLS+TCP, CoAP-to-HTTP proxy, MQTT broker. Data center: DNS/mDNS servers, DHCP servers, HTTPS + application servers (e.g. SEP 2.0 server), registration/access control servers, CA and OCSP, analytics servers, orchestration servers.]
• IPv6 is the main choice: large number of addresses.
• CoAP/DTLS/UDP or HTTP/TLS/TCP are also being added to the IoT devices (low-memory stacks, hardware encryption and hardware random number generators are becoming common).
• RESTful API (over CoAP or HTTP): availability of many existing solutions.
• Subscribe/Publish model using MQTT or HTTP push method.
5. Typical Security Functions
Security on Wire
• DTLS, TLS
• MAC level security
• IPsec
Security at Rest
• Crypto file systems
• Encrypted data in flash
• Key privacy
• Tamper protection
Threat Security
• Network traffic filtering
• Network traffic rate limiting
• Network intrusion prevention and detection
• OWASP recommended attack prevention
• API level security (intrusion, firewall, filtering and rate limiting)
Vulnerability Analysis
• Constant monitoring of devices against the latest known vulnerabilities
Proactive Data Gathering (Traffic Visibility and Monitoring) & Quarantine
• Spot and prevent reconnaissance/scans
• Off-line analytics for attack signatures
• Historical analysis
Secure Firmware/Images
• Upgrade facilities, secure upgrade and secure boot, real-time integrity checks
6. IoT Specific Security Considerations
Considerations / Challenges
Battery Powered IoT Devices
• Ensure only relevant traffic goes to the IoT nodes.
• Do as little security processing as possible at the IoT nodes (put more processing on front-end devices that are powered from mains).
IoT Devices that don’t support Image Upgrades
• Front-end devices to check for vulnerabilities.
• Monitor for abnormal behavior in the traffic to/from the devices.
• Quarantine the device upon some threshold.
Rogue IoT Node Detection
• Device certificate based registration/commissioning.
• Ability to make the registration inventory DB available to interested security solutions and DHCP servers, thereby ensuring no rogue device participates in the network.
• Ability to manually on-board devices that don’t have secure registration capabilities.
Large number of IoT Devices
• Centralized control of traffic filtering, mirroring, rate limiting etc.
SDN (Software Defined Networking) makes it easier to mitigate the above security challenges.
7. IoT Specific Security Considerations (cont.)
Considerations / Challenges
RESTful API
• Many application protocols are using XML/JSON over HTTP for transferring application data between IoT nodes and data centers.
• Vulnerability analysis (buffer overflow detection, cross-site scripting, SQL injection and other analysis) at API level is important as com
• Visibility of application data.
Many Applications and more and more coming. Newer application versions
• Application visibility requires new security & visibility plugins – dynamism is important.
• Flexibility to adopt security solutions from various vendors.
• Ability to launch and provision/configure new security solutions in a matter of minutes.
NFV / Docker containers make it easier to mitigate the above security challenges.
8. SDN
• Disaggregation of layers
• Centralization of the control plane (CP) across multiple data paths (SDN controllers such as ODL) – central intelligence
• Centralized management (OpenStack Neutron/Congress/GBP etc.) – single dashboard
• North-bound protocols
− JSON-over-HTTP, NetConf, OpFlex etc.
• South-bound protocols
− OpenFlow 1.x (OF)
[Figure: SDN – Separation of Layers. Left: a physical network function appliance (integrated control & data) holds management plane, control plane, service plane (normal path) and data path in one box. Right: north-bound protocols feed a configuration/management agent and the control/service plane; south-bound protocols program the data plane/fast path. IoT routers/edge-gateways act as data path elements; all control is centralized at one logical entity.]
9. NFV – Network Function Virtualization
• Each network function as a VM (vNF)
− Scale-out (bring more VMs on demand, based on load)
− Multiple network functions can share a NFV node (compute node)
− One common hardware for all types of network functions
[Figure: NFVI (virtual switch, KVM/QEMU) hosting vNF1, vNF2 and vNF3 on one server, in place of the separate physical appliances pNF1, pNF2 and pNF3.]
Network functions include reverse proxies, firewall, WAF, API security and application visibility functions.
10. Usage of SDN
[Figure: same topology as slide 3. An SDN controller exposes a north-bound RESTful API to applications: traffic policing app, traffic filtering app, traffic monitoring app, traffic mirroring app, service function chaining and rogue device detection. South-bound (e.g. OpenFlow) programs the routers and edge/border gateways.]
• Flexible data path in the routers -> OpenFlow is a great candidate.
• Controlled by a centralized controller.
• Newer security applications don’t require an upgrade to the routers – only an upgrade of the SDN controller.
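The rogue device detection, traffic filtering, mirroring and quarantine applications described on this slide and on slide 6, as an added example that is not from the slides: a pure-Python model of an SDN controller app that compiles the registration inventory into OpenFlow-style rules. The CoAP ports, the IoT prefix, the anomaly threshold and the dict rule shape are assumptions; nothing here talks to a real switch or to ODL.

```python
from dataclasses import dataclass, field

# Assumptions (not from the slides): CoAP ports, the IoT prefix, and the anomaly
# threshold after which a node is quarantined.
COAP_PORTS = (5683, 5684)                 # CoAP, CoAP over DTLS
IOT_PREFIX = "2001:db8:1::/64"            # documentation prefix, constructed
QUARANTINE_THRESHOLD = 3


@dataclass
class Inventory:
    """Registration inventory DB: nodes that completed certificate-based commissioning."""
    registered: dict = field(default_factory=dict)  # ipv6 -> device cert fingerprint
    anomalies: dict = field(default_factory=dict)   # ipv6 -> abnormal-behaviour count

    def register(self, ipv6, fingerprint):
        self.registered[ipv6] = fingerprint


def is_rogue(inv, ipv6, fingerprint):
    """Rogue node detection: unknown address, or certificate does not match the inventory."""
    return inv.registered.get(ipv6) != fingerprint


def record_anomaly(inv, ipv6):
    """Traffic monitoring app feeds events here; True once the node must be quarantined."""
    inv.anomalies[ipv6] = inv.anomalies.get(ipv6, 0) + 1
    return inv.anomalies[ipv6] >= QUARANTINE_THRESHOLD


def flow_rules(inv, gateway, mirror_port):
    """Compile the inventory into OpenFlow-style rules (higher priority wins).

    Registered node: only CoAP from the gateway is forwarded, and a copy goes to the
    monitoring port (traffic mirroring app). Quarantined node: everything to or from
    it is dropped. Anything else addressed into the IoT prefix hits the default drop.
    """
    rules = []
    for node in inv.registered:
        if inv.anomalies.get(node, 0) >= QUARANTINE_THRESHOLD:
            rules.append({"priority": 200, "match": {"ipv6_dst": node}, "actions": ["drop"]})
            rules.append({"priority": 200, "match": {"ipv6_src": node}, "actions": ["drop"]})
            continue
        for port in COAP_PORTS:
            rules.append({"priority": 100,
                          "match": {"ipv6_src": gateway, "ipv6_dst": node, "udp_dst": port},
                          "actions": ["output:NORMAL", f"output:{mirror_port}"]})
    rules.append({"priority": 1, "match": {"ipv6_dst": IOT_PREFIX}, "actions": ["drop"]})
    return rules
```

Because the rules are regenerated from the inventory, quarantining a node or adding a new filter needs only a controller change, which is the point the slide makes about not upgrading the routers.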
11. Usage of NFV
[Figure: same topology as slide 3. Security/visibility services run on QEMU/Docker on a common server as a chain PF -> SF1 -> SF2 … SFn -> PF. An OpenStack controller provides Nova (VIM), Neutron (NV), an SFC manager, a key orchestrator and Docker (VIM).]
• PF (Proxy Functions) acting as reverse proxies (TLS->Clear and Clear->TLS).
• Various Security Functions (SF) as Docker containers or VMs (WAF, API firewall, API IDS/IPS, API encryption, SEP 2.0 security, and many more…) on a common hardware.
• OpenStack controller to bring up/bring down/scale-out/scale-in network functions on demand.
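The PF -> SF chain on this slide and the API-level checks from slide 7, as an added example that is not from the slides: a Python model of a service function chain in which decrypted API requests pass through an API firewall, a rate limiter and an API IDS in the order an SFC manager chose. The allowed API paths, the rate limit and the deliberately crude injection pattern are assumptions for illustration; the DTLS/TLS termination done by the PF is taken as already complete.

```python
import re
from collections import defaultdict

# Assumptions (not from the slides): the allowed REST API surface, the per-device rate
# limit, and a crude SQL-injection pattern used only to show where an API IDS sits.
ALLOWED_API = {("GET", "/api/v1/readings"), ("POST", "/api/v1/register")}
RATE_LIMIT = 5                                     # requests per device per window
SQLI = re.compile(r"(?i)('|--|;|\bor\b\s+\d+=\d+)")

_counts = defaultdict(int)                         # per-device request counter


def reset_state():
    """Start a new rate-limit window."""
    _counts.clear()


def sf_api_firewall(req):
    """SF: API firewall. Only known method/path pairs pass."""
    return "allow" if (req["method"], req["path"]) in ALLOWED_API else "drop:unknown-api"


def sf_rate_limit(req):
    """SF: per-device API rate limiting."""
    _counts[req["device"]] += 1
    return "allow" if _counts[req["device"]] <= RATE_LIMIT else "drop:rate-limit"


def sf_api_ids(req):
    """SF: API IDS. Inspects decoded JSON body values (clear text after the PF)."""
    hit = any(SQLI.search(str(v)) for v in req.get("body", {}).values())
    return "drop:sqli" if hit else "allow"


# Order chosen by the SFC manager: cheap checks first, deep inspection last.
CHAIN = [sf_api_firewall, sf_rate_limit, sf_api_ids]


def run_chain(req, chain=CHAIN):
    """Return (verdict, reason, deciding_sf). The first SF that drops ends the chain,
    so a dropped request never reaches the re-encrypting PF or the application server."""
    for sf in chain:
        verdict = sf(req)
        if verdict != "allow":
            return "drop", verdict.split(":", 1)[1], sf.__name__
    return "allow", None, None
```

Each SF is a plain function, so adding a vendor's new check is a matter of inserting it into CHAIN, which mirrors the slide's claim that new security services can be provisioned without touching the data path.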
12. Summary
• IP connectivity from IoT nodes is enabling usage of existing IP infrastructure
− Service discovery using DNS-SRV, mDNS.
− IP addressability using IPv6 and DHCP servers.
− Secure registration using RESTful messages over CoAP or even HTTP.
− Security-on-wire using DTLS/TLS.
• IP connectivity is also enabling SDN & NFV usage in enabling threat security & visibility at the network and application level.
− Use similar techniques used in securing Cloud Services from clients.
− Apply the same techniques on traffic between IoT nodes & Cloud Services.
− Thereby:
  − Reuse of technology and hence the same security talent
  − Common hardware
  − Ease of adding new security services
  − Simplified deployment
  − Reduced CAPEX and OPEX
13. References
OWASP Internet of Things Top Ten Project: https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=Main (check recommendations specifically written for “Manufacturers”, “Developers” and “Consumers”).
Insecurity in Internet-of-Things (Symantec): https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/insecurity-in-the-internet-of-things.pdf
Smart Energy Profile 2.0: http://sunspec.org/wp-content/uploads/2012/02/Zigbee-SEP-2-docs-11-0167-18-seed-app-spec-draft-for-editors-review.pdf and http://smartgrid.ieee.org/standards/ieee-approved-proposed-standards-related-to-smart-grid/935-p2030-5-ieee-draft-standard-for-smart-energy-profile-2-0-application-protocol-p
IoT Security Labs: http://iotsecuritylab.com
OWASP Top Ten Project (for any web and RESTful projects): https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Commodity server hardware performance is not sufficient to overcome VMM overhead for NFVI deployment. Physical appliances based on x86 today are not 10G, mostly 2G.
Many open source projects (TinyOS, Contiki) and commercial toolkits exist for IoT nodes.
Gateway: OpenHAB, Open Remote and AyControl provide an MQTT broker and CoAP proxy and many more… It allows one to add more items.
CoAP – Constrained Application Protocol.
MQTT – MQ Telemetry Transport, a machine-to-machine protocol.
SEP – Smart Energy Profile.
DTLS – Datagram TLS.
TLS – Transport Layer Security.
6LoWPAN – IPv6 over Wireless Personal Area Networks.
mDNS – Multicast DNS.
RPL – Routing Protocol for Low-Power and Lossy Networks.
NV – Network Virtualization.
SFC – Service Function Chaining.
VIM – Virtual Infrastructure Manager.
PF – Proxy Function.
SF – Security Function.