SECURE HOME GATEWAY PROJECT
CIRA Labs
Secure Home Gateway
Project Update
Jacques Latour
March 2019
Project Evolution – From Idea in late 2016
2
Need security
access controls
Need a new framework to prevent
lightbulbs from killing the internet!
Has to be
easy to use
In the home
Gateway
MIRAI Dyn Attack
October 2016
No Standard Home Network Security Framework
The many problems of today’s Home
Gateway
3
No standard onboarding process
No outbound traffic security controls
Not globally reachable (no domain name)
No unique WIFI keys per home device
No device quarantining processes
No visibility on network activities
Home
Gateway
IoT Device Security Landscape
4
Many are vulnerable
Software is out of date
Time to market - not to build correctly
Contribute to DDoS attacks
Cloud architecture dependencies
Compromise your network
Steal private information
Record video and voice
Steal WIFI credentials
Distribute malware
Send spam
Some are unsupported
Many standards being developed
Full access to the ENTIRE Internet
Lack of secure testing and design
Require active monitoring
IoT vendors are creating dependency on
cloud architecture
5
At home
IoT Cloud
Services
On the road
Direct is better
Personal information is of
great value to vendors
IPv6 with CIRA delegated
names for the home makes
this possible
We put a team together to work on the idea
6
CIRA Labs
Sandelman
Software
TwelveDot
Viagénie
TELUS
/ Algonquin
College
SIDN Labs
Canadian
Multistakeholder
Process: Enhancing IoT
security
iotsecurity2018.ca
Secure Home Gateway
Project
Project Evolution – To a Secure Home
Gateway (SHG) Prototype
7
MUD Server
Repository /
Curation
Secure
Home
Gateway
openWRT
Turris Omnia
CZNIC
SHG MUD
Controller
Supervisor
SHG App
“Ease of Use”
SIDN (.NL)
SPIN
prpl
Foundation
(prplWrt)
Mozilla IoT -
Web Thing
API
SHG Security
Access
Controls
CIRA
DNS & SHG
Provisioning
Standards Development
IETF, CSA/UL, ISO/IEC
Enhanced
WIFI security
In progress:
DOTS, DNSSEC, Domain
aware NFtable
Secure Home Gateway Framework
Running
Code
Proposed
Standards
8
Let’s look at the
solution we have so far
9
Secure Home Gateway (SHG) Goals
Protect the internet from IoT device attacks
Protect IoT devices from internet attacks
Current state of Home Gateways
10
Users don’t know who to contact when there is a security issue either with
their devices or network.
Devices and current home gateways are not secure by default.
Users typically lack the technical know-how to configure the devices. These
technologies and their configurations are typically technically complex which
results in many using default configurations or users making mistakes when
configuring them.
Scope of work
11
Develop functional prototype Open source code
Simple management interface
Framework to provision SHG
domain names
New standards requirements
Enhance small network
privacy & security
Best practices – Apply enterprise security
framework to home networks
12
Home Security
PDAP
Appliances
PDAP
Sensors
PDAP
Management
Application
IoT Cloud
Services
PDAP: Per Device Access Policy
Scale Enterprise solutions to fit
the home network
New standards – MUD - Manufacturer Usage
Description – RFC8520
13
I’m an ACME water sensor
- MUD File at: https://acme.corp/mud/ws1.0.json
MUD FILE:
- I have WIFI & apply the water sensor access policy
- I need to upgrade my firmware at https://acme.corp
- Configure me at https://myip/setup
- Alerts available at https://myip/alerts
It would be nice if the IoT device could advertise its current firmware version and/or current MUD file URL via WIFI or network connection (DPP, DHCP, LLDP…) in order to set up the correct security profile.
14
Components: SHG App, SHG MUD Controller, MUD Supervisor, CIRA SHG MUD Repository, ACME.CORP MUD Repository, ACME.CORP IoT Water Sensor (with MUD QR Code)
(1) The SHG App scans the MUD QR code on the ACME.CORP IoT water sensor & sends it to the MUD Controller (DHCP in future)
(2) The MUD Controller sends it to CIRA; the CIRA SHG MUD Repository gets the vendor MUD file from the ACME.CORP MUD Repository
(3) User accepts provisioning instructions
(4) IoT device added to network with specific network access controls (IP Tables), enforced by the MUD Supervisor
Network Access control:
- Allow access to ACME.CORP
- Allow to send alerts internally
- Allow to be configured by app
- Deny all other internet access
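The slide-13 MUD file and the slide-14 access controls carried through in code, as an added example (not code from the deck or the CIRA project): a constructed MUD file for the ACME water sensor is turned into a per-device rule set in nftables syntax, with the MUD file's domain names resolved through a constructed lookup table and a fail-closed default. The device address, local subnet and resolver answers are assumptions.

```python
"""Derive a per-device firewall policy from a MUD file (RFC 8520).
Added example, not CIRA SHG project code: the gateway takes the vendor MUD
file, resolves the domain names it cites and emits a per-device policy that
permits only the described flows and drops everything else."""
import ipaddress
import json

# Constructed MUD file for the "ACME water sensor" of slide 13 (hypothetical
# vendor file). Layout follows RFC 8520 with the ietf-access-control-list model.
ACME_MUD_JSON = r"""{
 "ietf-mud:mud": {
  "mud-version": 1, "mud-url": "https://acme.corp/mud/ws1.0.json",
  "is-supported": true, "systeminfo": "ACME water sensor",
  "from-device-policy": {"access-lists": {"access-list": [{"name": "from-ws"}]}},
  "to-device-policy": {"access-lists": {"access-list": [{"name": "to-ws"}]}}
 },
 "ietf-access-control-list:acls": {"acl": [
  {"name": "from-ws", "type": "ipv4-acl-type", "aces": {"ace": [
   {"name": "fw-upgrade",
    "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "acme.corp", "protocol": 6},
                "tcp": {"destination-port": {"operator": "eq", "port": 443}}},
    "actions": {"forwarding": "accept"}},
   {"name": "alerts", "matches": {"ietf-mud:mud": {"local-networks": [null]}},
    "actions": {"forwarding": "accept"}}]}},
  {"name": "to-ws", "type": "ipv4-acl-type", "aces": {"ace": [
   {"name": "app-config",
    "matches": {"ietf-mud:mud": {"local-networks": [null]}, "ipv4": {"protocol": 6},
                "tcp": {"destination-port": {"operator": "eq", "port": 443}}},
    "actions": {"forwarding": "accept"}}]}}]}
}"""

# Constructed resolver answers (TEST-NET-3 addresses). A real gateway would
# query DNS (DNSSEC-validated) and refresh the set when the TTL expires.
RESOLVER = {"acme.corp": ["203.0.113.10", "203.0.113.11"]}
PROTO_NAMES = {6: "tcp", 17: "udp"}


def load_mud(text):
    """Parse a MUD file and check the one field the policy logic depends on."""
    mud = json.loads(text)
    if mud["ietf-mud:mud"].get("mud-version") != 1:
        raise ValueError("unsupported MUD version")
    return mud


def _acls_for(mud, direction):
    """Return the ACL objects named by the from-device or to-device policy."""
    by_name = {a["name"]: a for a in mud["ietf-access-control-list:acls"]["acl"]}
    policy = mud["ietf-mud:mud"][direction + "-policy"]
    return [by_name[a["name"]] for a in policy["access-lists"]["access-list"]]


def _peer_set(matches, direction, local_net, resolve):
    """Remote side of an ACE: a resolved host set, the local network, or None
    when the ACE cannot be expressed safely (the flow then stays denied)."""
    key = "ietf-acldns:dst-dnsname" if direction == "from-device" else "ietf-acldns:src-dnsname"
    dnsname = matches.get("ipv4", {}).get(key)
    if dnsname:
        addrs = resolve(dnsname)
        # Fail closed: an unresolvable name must never widen to "any address".
        return "{ " + ", ".join(addrs) + " }" if addrs else None
    if "local-networks" in matches.get("ietf-mud:mud", {}):
        return str(ipaddress.ip_network(local_net))
    return None  # controller / my-controller abstractions are out of scope here


def ace_to_rule(ace, direction, device_ip, local_net, resolve):
    """Translate one ACE into an nftables rule, or None if it is skipped."""
    if ace["actions"]["forwarding"] != "accept":
        return None  # MUD policies are default-deny; explicit drops add nothing
    m = ace["matches"]
    peer = _peer_set(m, direction, local_net, resolve)
    if peer is None:
        return None
    if direction == "from-device":
        parts = [f"ip saddr {device_ip}", f"ip daddr {peer}"]
    else:
        parts = [f"ip saddr {peer}", f"ip daddr {device_ip}"]
    proto = PROTO_NAMES.get(m.get("ipv4", {}).get("protocol"))
    port = m.get(proto, {}).get("destination-port") if proto else None
    if port and port.get("operator") == "eq":
        parts.append(f"{proto} dport {port['port']}")
    return " ".join(parts) + " accept"


def build_device_rules(mud, device_ip, local_net, resolve=lambda n: RESOLVER.get(n, [])):
    """Ordered per-device rule set: MUD-permitted flows first, then drop the rest."""
    device_ip = str(ipaddress.ip_address(device_ip))  # reject junk before it reaches nft
    rules = []
    for direction in ("from-device", "to-device"):
        for acl in _acls_for(mud, direction):
            for ace in acl["aces"]["ace"]:
                rule = ace_to_rule(ace, direction, device_ip, local_net, resolve)
                if rule:
                    rules.append(rule)
    rules.append(f"ip saddr {device_ip} drop")  # "deny all other internet access"
    rules.append(f"ip daddr {device_ip} drop")
    return rules


if __name__ == "__main__":
    # Hypothetical device and subnet; order matters, nftables is first-match.
    for rule in build_device_rules(load_mud(ACME_MUD_JSON), "192.168.1.50", "192.168.1.0/24"):
        print("nft add rule inet shg forward", rule)
```

Remove the resolver answers (pass `resolve=lambda n: []`) and the acme.corp rule disappears while the drop rules stay, which is the fail-closed behaviour a MUD supervisor needs when DNS is unavailable.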
Work in progress architecture
15
That’s why we need a simple provisioning
interface – this stuff is complex!!
16
Removing end-user complexity
17
A simple user interface
Quarantine of compromised devices
-> Behavioural analysis
• A standard process to quarantine and restore IoT Devices
• https://datatracker.ietf.org/doc/draft-richardson-shg-un-quarantine
• Manufacturer Usage Description for quarantined access to firmware
• https://datatracker.ietf.org/doc/draft-richardson-shg-mud-quarantined-access/
18
Appliances
Management
Application
The refrigerator is quarantined
- Bad lettuce
Secure remote access: Trusted authentication
& accessible
19
Mobile
n3CE618.router.securehomegateway.ca
The prototype will use
securehomegateway.ca 3rd level
domains
Automation
20
Secure gateway
provisioning
automation
Secure device
provisioning
automation
INNOVATION
Step 1 – bundle with a DNSSEC signed 3rd
or 4th level .CA domain
21
+ QR Code to
activate
provisioning
and domain
3rd level domain
domain.securehomegateway.ca
4th level domain
domain.router.securehomegateway.ca
Step 2 – Secure Home Gateway setup
22
SHG
application
https://datatracker.ietf.org/doc/draft-richardson-anima-smarkaklink/
BRSKI enrollment of with disconnected Registrars – smarkaklink
This document details the mechanism used for initial enrollment using a smartphone of a BRSKI Registrar system.
…where the registrar device is new out of the box and is the intended gateway to the Internet (such as a home gateway),
but has not yet been configured…
Step 3 – External DNS/DNSSEC Provisioning
23
SHG External
Domain Provisioning
& Primary DNS
External
DNS view
Hidden Primary
Internal
DNS view
Secondary DNS
D-Zone
SHG External
IP Address
Step 4 – Automated Wi-Fi setup
24
Scan
MUD
profile
Wi-Fi
credentials
Device access
policy
Simple user interface is key to this project
25
Swipe UP, DOWN, LEFT and RIGHT
Roadmap: Future functionality
26
IoT service / action type –
Generic IoT home
controller
27
28
Adding remote VPN access to trusted
mobile and computers
Mobile
(1) Discovery services
(2) Grant permission
and credentials to
mobile for remote
home access
29
Should the inside of your car be part of your
home network as well?
30
Adding your car
Car
(1) Discovery services
Control car feature
View car alerts
View car status/location
(2) Assign roles
There are many more IoT scenarios to be
assessed!
31
This slide deck is a vision
it’s what we’ll be seeing in five years.
32
Want more info?
33
Visit the CIRA Labs page as well as GitHub
https://cira.ca/cira-secure-home-gateway
https://github.com/CIRALabs
Don’t forget to share your feedback and input!
Questions?
34
• Our assessment of the home network and IoT security
posture post MIRAI attack clearly identified a need for
additional home security measures to protect the
internet from compromised IoT devices and a very strong
need for an enhanced open source home security
framework.
• Our work so far has identified significant gaps in open
source projects to implement an enhanced home security
framework
• We embarked on a journey to identify these gaps and
start development of many open source projects to
better the internet
35
Why are we working on this?
-> Risk mitigation
• For many internet organizations like CIRA the #1 risk on the
risk register is a large scale (Dyn like) DDoS attack.
• One of the mitigation mechanisms for this risk is to prevent
‘weaponization’ of IoT devices
• Tightly controlling access ‘to’ and ‘from’ IoT devices inside the
home or small office network is key to preventing
‘weaponization’ and causing harm on the internet.
• The threat that IoT devices bring is the scale of attacks.
The uncontrolled access of million/billions of IoT devices to
and from the internet is the threat we need to mitigate.
36
CIRA Labs - Secure Home Gateway - 2018-09
Overview of the IoT threat landscape
-> Scale and capacity
• IoT device compromises:
– Used in internet attacks, i.e. the MIRAI/DYN attack (DDoS)
targeting DNS servers (~1.2 Tbps)
• IoT traffic generation, reflection and amplification
– IoT devices are used in various (DDoS) attacks: NTP, DNS, SNMP
and new vectors.
– IoT devices have the capacity to generate large traffic loads
– Home and small office networks are now starting to have
gigabit internet access speeds, significantly increasing the
capacity to create powerful attacks
37
High Level Architecture (very ;-)
OpenWrt
Home Gateway
Home Network
CIRA SHG Registry
Internal DNS/DNSSEC
External IPSEC
D-Zone firewall
3rdlevel.securehomegateway.ca
Home Gateway
Provisioning
3rd Level .CA
home domain
Primary DNS
D-Zone
IoT Cloud
Services
&
D-Zone Firewall
Secure
Remote
Home
Network
Access
Wifi MiFi
Zigbee
NFC RFID
38
We are building a Prototype
-> Based on Omnia Turris Gateway
• Develop a Proof of Concept and prototype
– Using .CZ Omnia Home Gateway & openWRT
– IoT device provisioning based on MUD
– Home Gateway App (Android/iPhone)
– Develop some IoT discoverable devices and MUD profiles
• Use public GitHub to document the functional specification and
repo for prototype software
– Functional specification (Work in progress)
– Open source software repository
– https://github.com/CIRALabs/Secure-IoT-Home-Gateway
39
Specifications we are currently leveraging
Specifications we are leveraging:
• https://datatracker.ietf.org/doc/draft-ietf-opsawg-mud/
• https://datatracker.ietf.org/doc/draft-ietf-netmod-acl-model
• RFC 7368
• RFC 8375
• https://datatracker.ietf.org/doc/draft-ietf-homenet-simple-naming
• https://datatracker.ietf.org/doc/draft-ietf-homenet-front-end-naming-delegation
• RFC 4033,4034,4035 (DNSSEC)
• https://datatracker.ietf.org/doc/rfc5011/
• RFC 4795
Specifications we are planning/considering:
• RFC4301, RFC7296 (IPsec. Considering OpenVPN too)
• RFC8366, https://datatracker.ietf.org/doc/draft-ietf-anima-bootstrapping-keyinfra/
• https://datatracker.ietf.org/doc/draft-cheshire-dnssd-roadmap/
• https://datatracker.ietf.org/doc/draft-ietf-dnssd-hybrid/
• https://datatracker.ietf.org/doc/draft-ietf-dnssd-mdns-relay/
Specifications we are writing:
• draft-richardson-anima-smarkaklink-00
• draft-richardson-opsawg-securehomegateway-mud-01
• draft-richardson-shg-mud-quarantined-access-00
40

Weitere ähnliche Inhalte

Ähnlich wie CIRA Labs - Secure Home Gateway Project 2019-03.pptx

IoT DDoS Attacks: the stakes have changed
IoT DDoS Attacks: the stakes have changed IoT DDoS Attacks: the stakes have changed
IoT DDoS Attacks: the stakes have changed Great Bay Software
 
NXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdf
NXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdfNXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdf
NXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdfssuser57b3e5
 
Implementing an improved security for collin’s database and telecommuters
Implementing an improved security for collin’s database and telecommutersImplementing an improved security for collin’s database and telecommuters
Implementing an improved security for collin’s database and telecommutersRishabh Gupta
 
Compliance made easy. Pass your audits stress-free.
Compliance made easy. Pass your audits stress-free.Compliance made easy. Pass your audits stress-free.
Compliance made easy. Pass your audits stress-free.AlgoSec
 
WHITE PAPER▶ Insecurity in the Internet of Things
WHITE PAPER▶ Insecurity in the Internet of ThingsWHITE PAPER▶ Insecurity in the Internet of Things
WHITE PAPER▶ Insecurity in the Internet of ThingsSymantec
 
Remotely Scanning Organization’s Internal Network
Remotely Scanning Organization’s Internal NetworkRemotely Scanning Organization’s Internal Network
Remotely Scanning Organization’s Internal Networkijtsrd
 
Security from the Start: Optimizing Your Acquia Experience with Acquia Cloud...
 Security from the Start: Optimizing Your Acquia Experience with Acquia Cloud... Security from the Start: Optimizing Your Acquia Experience with Acquia Cloud...
Security from the Start: Optimizing Your Acquia Experience with Acquia Cloud...Rachel Wandishin
 
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...IJCSIS Research Publications
 
IIoT Endpoint Security – The Model in Practice
IIoT Endpoint Security – The Model in PracticeIIoT Endpoint Security – The Model in Practice
IIoT Endpoint Security – The Model in Practiceteam-WIBU
 
[CLASS 2014] Palestra Técnica - Michael Firstenberg
[CLASS 2014] Palestra Técnica - Michael Firstenberg[CLASS 2014] Palestra Técnica - Michael Firstenberg
[CLASS 2014] Palestra Técnica - Michael FirstenbergTI Safe
 
Rapid industrial grade IoT prototyping with sierra wireless
Rapid industrial grade IoT prototyping with sierra wirelessRapid industrial grade IoT prototyping with sierra wireless
Rapid industrial grade IoT prototyping with sierra wirelesssierradeveloper
 
Privacy and security in IoT
Privacy and security in IoTPrivacy and security in IoT
Privacy and security in IoTVasco Veloso
 
Sierra Wireless Developer Day 2013 - 08 - Open AT
Sierra Wireless Developer Day 2013 - 08 - Open ATSierra Wireless Developer Day 2013 - 08 - Open AT
Sierra Wireless Developer Day 2013 - 08 - Open ATThibault Cantegrel
 
Disruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDisruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDebra Baker, CISSP CSSP
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself Alert Logic
 
IoT Vulnerability Analysis and IOT In security Controls
IoT Vulnerability Analysis and IOT In security ControlsIoT Vulnerability Analysis and IOT In security Controls
IoT Vulnerability Analysis and IOT In security ControlsJay Nagar
 

Ähnlich wie CIRA Labs - Secure Home Gateway Project 2019-03.pptx (20)

IoT DDoS Attacks: the stakes have changed
IoT DDoS Attacks: the stakes have changed IoT DDoS Attacks: the stakes have changed
IoT DDoS Attacks: the stakes have changed
 
NXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdf
NXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdfNXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdf
NXP'S-PORTFOLIO-FOR-ADDRESSING-IOT-SECURITY.pdf
 
Implementing an improved security for collin’s database and telecommuters
Implementing an improved security for collin’s database and telecommutersImplementing an improved security for collin’s database and telecommuters
Implementing an improved security for collin’s database and telecommuters
 
Compliance made easy. Pass your audits stress-free.
Compliance made easy. Pass your audits stress-free.Compliance made easy. Pass your audits stress-free.
Compliance made easy. Pass your audits stress-free.
 
WHITE PAPER▶ Insecurity in the Internet of Things
WHITE PAPER▶ Insecurity in the Internet of ThingsWHITE PAPER▶ Insecurity in the Internet of Things
WHITE PAPER▶ Insecurity in the Internet of Things
 
Remotely Scanning Organization’s Internal Network
Remotely Scanning Organization’s Internal NetworkRemotely Scanning Organization’s Internal Network
Remotely Scanning Organization’s Internal Network
 
Security from the Start: Optimizing Your Acquia Experience with Acquia Cloud...
 Security from the Start: Optimizing Your Acquia Experience with Acquia Cloud... Security from the Start: Optimizing Your Acquia Experience with Acquia Cloud...
Security from the Start: Optimizing Your Acquia Experience with Acquia Cloud...
 
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...
The Sharp Increase in Unmasking of Obtrusion into Internet of Things (IoT) IP...
 
IIoT Endpoint Security – The Model in Practice
IIoT Endpoint Security – The Model in PracticeIIoT Endpoint Security – The Model in Practice
IIoT Endpoint Security – The Model in Practice
 
[CLASS 2014] Palestra Técnica - Michael Firstenberg
[CLASS 2014] Palestra Técnica - Michael Firstenberg[CLASS 2014] Palestra Técnica - Michael Firstenberg
[CLASS 2014] Palestra Técnica - Michael Firstenberg
 
Rapid industrial grade IoT prototyping with sierra wireless
Rapid industrial grade IoT prototyping with sierra wirelessRapid industrial grade IoT prototyping with sierra wireless
Rapid industrial grade IoT prototyping with sierra wireless
 
IIoT Endpoint Security
IIoT Endpoint Security IIoT Endpoint Security
IIoT Endpoint Security
 
Privacy and security in IoT
Privacy and security in IoTPrivacy and security in IoT
Privacy and security in IoT
 
DDS Secure Intro
DDS Secure IntroDDS Secure Intro
DDS Secure Intro
 
Sierra Wireless Developer Day 2013 - 08 - Open AT
Sierra Wireless Developer Day 2013 - 08 - Open ATSierra Wireless Developer Day 2013 - 08 - Open AT
Sierra Wireless Developer Day 2013 - 08 - Open AT
 
Day4
Day4Day4
Day4
 
Disruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDisruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptx
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself
 
IoT Security
IoT SecurityIoT Security
IoT Security
 
IoT Vulnerability Analysis and IOT In security Controls
IoT Vulnerability Analysis and IOT In security ControlsIoT Vulnerability Analysis and IOT In security Controls
IoT Vulnerability Analysis and IOT In security Controls
 

Mehr von ssuserfb92ae

Mehr von ssuserfb92ae (9)

SoftwareSecurity.ppt
SoftwareSecurity.pptSoftwareSecurity.ppt
SoftwareSecurity.ppt
 
11_interface.ppt
11_interface.ppt11_interface.ppt
11_interface.ppt
 
Data Annotation_Cars.pptx
Data Annotation_Cars.pptxData Annotation_Cars.pptx
Data Annotation_Cars.pptx
 
TRUSTSeminar.ppt
TRUSTSeminar.pptTRUSTSeminar.ppt
TRUSTSeminar.ppt
 
ch13.ppt
ch13.pptch13.ppt
ch13.ppt
 
MicrocontrollersIII.ppt
MicrocontrollersIII.pptMicrocontrollersIII.ppt
MicrocontrollersIII.ppt
 
36_Cryptography.pdf
36_Cryptography.pdf36_Cryptography.pdf
36_Cryptography.pdf
 
2011_esc.pdf
2011_esc.pdf2011_esc.pdf
2011_esc.pdf
 
1_Introduction.pdf
1_Introduction.pdf1_Introduction.pdf
1_Introduction.pdf
 

Kürzlich hochgeladen

5S - House keeping (Seiri, Seiton, Seiso, Seiketsu, Shitsuke)
5S - House keeping (Seiri, Seiton, Seiso, Seiketsu, Shitsuke)5S - House keeping (Seiri, Seiton, Seiso, Seiketsu, Shitsuke)
5S - House keeping (Seiri, Seiton, Seiso, Seiketsu, Shitsuke)861c7ca49a02
 
Call Girls In Munirka>༒9599632723 Incall_OutCall Available
Call Girls In Munirka>༒9599632723 Incall_OutCall AvailableCall Girls In Munirka>༒9599632723 Incall_OutCall Available
Call Girls In Munirka>༒9599632723 Incall_OutCall AvailableCall Girls in Delhi
 
美国IUB学位证,印第安纳大学伯明顿分校毕业证书1:1制作
美国IUB学位证,印第安纳大学伯明顿分校毕业证书1:1制作美国IUB学位证,印第安纳大学伯明顿分校毕业证书1:1制作
美国IUB学位证,印第安纳大学伯明顿分校毕业证书1:1制作ss846v0c
 
existing product research b2 Sunderland Culture
existing product research b2 Sunderland Cultureexisting product research b2 Sunderland Culture
existing product research b2 Sunderland CultureChloeMeadows1
 
毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...
毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...
毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...ttt fff
 
Dubai Call Girls O525547819 Spring Break Fast Call Girls Dubai
Dubai Call Girls O525547819 Spring Break Fast Call Girls DubaiDubai Call Girls O525547819 Spring Break Fast Call Girls Dubai
Dubai Call Girls O525547819 Spring Break Fast Call Girls Dubaikojalkojal131
 
Vip Udupi Call Girls 7001305949 WhatsApp Number 24x7 Best Services
Vip Udupi Call Girls 7001305949 WhatsApp Number 24x7 Best ServicesVip Udupi Call Girls 7001305949 WhatsApp Number 24x7 Best Services
Vip Udupi Call Girls 7001305949 WhatsApp Number 24x7 Best Servicesnajka9823
 
专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degreeyuu sss
 
RBS学位证,鹿特丹商学院毕业证书1:1制作
RBS学位证,鹿特丹商学院毕业证书1:1制作RBS学位证,鹿特丹商学院毕业证书1:1制作
RBS学位证,鹿特丹商学院毕业证书1:1制作f3774p8b
 
办理(CSU毕业证书)澳洲查理斯特大学毕业证成绩单原版一比一
办理(CSU毕业证书)澳洲查理斯特大学毕业证成绩单原版一比一办理(CSU毕业证书)澳洲查理斯特大学毕业证成绩单原版一比一
办理(CSU毕业证书)澳洲查理斯特大学毕业证成绩单原版一比一diploma 1
 
NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...Amil Baba Dawood bangali
 
澳洲Deakin学位证,迪肯大学毕业证书1:1制作
澳洲Deakin学位证,迪肯大学毕业证书1:1制作澳洲Deakin学位证,迪肯大学毕业证书1:1制作
澳洲Deakin学位证,迪肯大学毕业证书1:1制作rpb5qxou
 
专业一比一美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
专业一比一美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree专业一比一美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
专业一比一美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degreeyuu sss
 
1:1原版定制美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实留信入库#永久存档#真实可查#diploma#degree
1:1原版定制美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实留信入库#永久存档#真实可查#diploma#degree1:1原版定制美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实留信入库#永久存档#真实可查#diploma#degree
1:1原版定制美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实留信入库#永久存档#真实可查#diploma#degreeyuu sss
 
Erfurt FH学位证,埃尔福特应用技术大学毕业证书1:1制作
Erfurt FH学位证,埃尔福特应用技术大学毕业证书1:1制作Erfurt FH学位证,埃尔福特应用技术大学毕业证书1:1制作
Erfurt FH学位证,埃尔福特应用技术大学毕业证书1:1制作f3774p8b
 
NO1 Certified Black Magic Specialist Expert In Bahawalpur, Sargodha, Sialkot,...
NO1 Certified Black Magic Specialist Expert In Bahawalpur, Sargodha, Sialkot,...NO1 Certified Black Magic Specialist Expert In Bahawalpur, Sargodha, Sialkot,...
NO1 Certified Black Magic Specialist Expert In Bahawalpur, Sargodha, Sialkot,...Amil Baba Dawood bangali
 
Uae-NO1 Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi Addres...
Uae-NO1 Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi Addres...Uae-NO1 Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi Addres...
Uae-NO1 Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi Addres...Amil baba
 
Computer Organization and Architecture 10th - William Stallings, Ch01.pdf
Computer Organization and Architecture 10th - William Stallings, Ch01.pdfComputer Organization and Architecture 10th - William Stallings, Ch01.pdf
Computer Organization and Architecture 10th - William Stallings, Ch01.pdfShahdAbdElsamea2
 
NO1 Certified Vashikaran Specialist in Uk Black Magic Specialist in Uk Black ...
NO1 Certified Vashikaran Specialist in Uk Black Magic Specialist in Uk Black ...NO1 Certified Vashikaran Specialist in Uk Black Magic Specialist in Uk Black ...
NO1 Certified Vashikaran Specialist in Uk Black Magic Specialist in Uk Black ...Amil baba
 

Kürzlich hochgeladen (20)

5S - House keeping (Seiri, Seiton, Seiso, Seiketsu, Shitsuke)
5S - House keeping (Seiri, Seiton, Seiso, Seiketsu, Shitsuke)5S - House keeping (Seiri, Seiton, Seiso, Seiketsu, Shitsuke)
5S - House keeping (Seiri, Seiton, Seiso, Seiketsu, Shitsuke)
 
Call Girls In Munirka>༒9599632723 Incall_OutCall Available
Call Girls In Munirka>༒9599632723 Incall_OutCall AvailableCall Girls In Munirka>༒9599632723 Incall_OutCall Available
Call Girls In Munirka>༒9599632723 Incall_OutCall Available
 
young call girls in Gtb Nagar,🔝 9953056974 🔝 escort Service
young call girls in Gtb Nagar,🔝 9953056974 🔝 escort Serviceyoung call girls in Gtb Nagar,🔝 9953056974 🔝 escort Service
young call girls in Gtb Nagar,🔝 9953056974 🔝 escort Service
 
美国IUB学位证,印第安纳大学伯明顿分校毕业证书1:1制作
美国IUB学位证,印第安纳大学伯明顿分校毕业证书1:1制作美国IUB学位证,印第安纳大学伯明顿分校毕业证书1:1制作
美国IUB学位证,印第安纳大学伯明顿分校毕业证书1:1制作
 
existing product research b2 Sunderland Culture
existing product research b2 Sunderland Cultureexisting product research b2 Sunderland Culture
existing product research b2 Sunderland Culture
 
毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...
毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...
毕业文凭制作#回国入职#diploma#degree美国威斯康星大学麦迪逊分校毕业证成绩单pdf电子版制作修改#毕业文凭制作#回国入职#diploma#d...
 
Dubai Call Girls O525547819 Spring Break Fast Call Girls Dubai
Dubai Call Girls O525547819 Spring Break Fast Call Girls DubaiDubai Call Girls O525547819 Spring Break Fast Call Girls Dubai
Dubai Call Girls O525547819 Spring Break Fast Call Girls Dubai
 
Vip Udupi Call Girls 7001305949 WhatsApp Number 24x7 Best Services
Vip Udupi Call Girls 7001305949 WhatsApp Number 24x7 Best ServicesVip Udupi Call Girls 7001305949 WhatsApp Number 24x7 Best Services
Vip Udupi Call Girls 7001305949 WhatsApp Number 24x7 Best Services
 
专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
专业一比一美国旧金山艺术学院毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
 
RBS学位证,鹿特丹商学院毕业证书1:1制作
RBS学位证,鹿特丹商学院毕业证书1:1制作RBS学位证,鹿特丹商学院毕业证书1:1制作
RBS学位证,鹿特丹商学院毕业证书1:1制作
 
办理(CSU毕业证书)澳洲查理斯特大学毕业证成绩单原版一比一
办理(CSU毕业证书)澳洲查理斯特大学毕业证成绩单原版一比一办理(CSU毕业证书)澳洲查理斯特大学毕业证成绩单原版一比一
办理(CSU毕业证书)澳洲查理斯特大学毕业证成绩单原版一比一
 
NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uk England Northern ...
 
澳洲Deakin学位证,迪肯大学毕业证书1:1制作
澳洲Deakin学位证,迪肯大学毕业证书1:1制作澳洲Deakin学位证,迪肯大学毕业证书1:1制作
澳洲Deakin学位证,迪肯大学毕业证书1:1制作
 
专业一比一美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
专业一比一美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree专业一比一美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
专业一比一美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实工艺展示#真实防伪#diploma#degree
 
1:1原版定制美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实留信入库#永久存档#真实可查#diploma#degree
1:1原版定制美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实留信入库#永久存档#真实可查#diploma#degree1:1原版定制美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实留信入库#永久存档#真实可查#diploma#degree
1:1原版定制美国加州州立大学东湾分校毕业证成绩单pdf电子版制作修改#真实留信入库#永久存档#真实可查#diploma#degree
 
Erfurt FH学位证,埃尔福特应用技术大学毕业证书1:1制作
Erfurt FH学位证,埃尔福特应用技术大学毕业证书1:1制作Erfurt FH学位证,埃尔福特应用技术大学毕业证书1:1制作
Erfurt FH学位证,埃尔福特应用技术大学毕业证书1:1制作
 
NO1 Certified Black Magic Specialist Expert In Bahawalpur, Sargodha, Sialkot,...
NO1 Certified Black Magic Specialist Expert In Bahawalpur, Sargodha, Sialkot,...NO1 Certified Black Magic Specialist Expert In Bahawalpur, Sargodha, Sialkot,...
NO1 Certified Black Magic Specialist Expert In Bahawalpur, Sargodha, Sialkot,...
 
Uae-NO1 Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi Addres...
Uae-NO1 Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi Addres...Uae-NO1 Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi Addres...
Uae-NO1 Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi Addres...
 
Computer Organization and Architecture 10th - William Stallings, Ch01.pdf
Computer Organization and Architecture 10th - William Stallings, Ch01.pdfComputer Organization and Architecture 10th - William Stallings, Ch01.pdf
Computer Organization and Architecture 10th - William Stallings, Ch01.pdf
 
NO1 Certified Vashikaran Specialist in Uk Black Magic Specialist in Uk Black ...
NO1 Certified Vashikaran Specialist in Uk Black Magic Specialist in Uk Black ...NO1 Certified Vashikaran Specialist in Uk Black Magic Specialist in Uk Black ...
NO1 Certified Vashikaran Specialist in Uk Black Magic Specialist in Uk Black ...
 

CIRA Labs - Secure Home Gateway Project 2019-03.pptx

  • 1. 1 SECURE HOME GATEWAY PROJECT CIRA Labs Secure Home Gateway Project Update Jacques Latour March 2019
  • 2. Project Evolution – From Idea in late 2016 2 Need security access controls Need a new framework to prevent lightbulbs from killing the internet! Has to be easy to use In the home Gateway x x ? MIRAI Dyn Attack October 2016
  • 3. No Standard Home Network Security Framework The many problems of today’s Home Gateway 3 No standard onboarding process No outbound traffic security controls Not globally reachable (no domain name) No unique WIFI keys per home device No device quarantining processes No visibility on network activities Home Gateway
  • 4. IoT Device Security Landscape 4 Many are Vulnerable Software is out of date Time to market - Not to build correctly Contribute to DDoS attacks Cloud architecture dependencies Compromise your network Steal private information Record video and voice Steal WIFI credentials Distribute malware Send spam Some are Unsupported Many standards being developed Full access to the ENTIRE Internet • Lack of secure testing and design Require active monitoring
  • 5. IoT vendors are creating dependency on cloud architecture 5 At home IoT Cloud Services On the road Direct is better Personal information is of great value to vendors IPv6 with CIRA delegated names for the home makes this possible
  • 6. We put a team together to work on the idea 6 CIRA Labs Sandelman Software TwelveDot Viagénie TELUS / Algonquin College SIDN Labs Canadian Multistakeholder Process: Enhancing IoT security iotsecurity2018.ca Secure Home Gateway Project
  • 7. Project Evolution – To a Secure Home Gateway (SHG) Prototype 7 MUD Server Repository / Curation Secure Home Gateway openWRT Turris Omnia CZNIC SHG MUD Controller Supervisor SHG App “Ease of Use” SIDN (.NL) SPIN prpl Foundation (prplWrt) Mozilla IoT - Web Thing API SHG Security Access Controls CIRA DNS & SHG Provisioning Standards Development IETF, CSA/UL, ISO/IEC Enhanced WIFI security In progress: DOTS, DNSSEC, Domain aware NFtable Secure Home Gateway Framework Running Code Proposed Standards
  • 8. 8 Let’s look at the solution we have so far
  • 9. 9 x x Secure Home Gateway (SHG) Goals Protect the internet from IoT devices attacks Protect IoT devices from the internet attacks
  • 10. Current state of Home Gateways 10 Users don’t know who to contact when there is a security issue either with their devices or network. Devices and current home gateways are not secure by default Users typically lack the technical know-how to configure the devices. These technologies and their configurations are typically technically complex which results in many using default configurations or users making mistakes when configuring them.
  • 11. Scope of work 11 Develop functional prototype Open source code Simple management interface Framework to provision SHG domain names New standards requirements Enhance small network privacy & security
  • 12. Best practices – Apply enterprise security framework to home networks 12 Home Security PDAP Appliances PDAP Sensors PDAP Management Application IoT Cloud Services PDAP: Per Device Access Policy Scale Enterprise solutions to fit the home network
  • 13. New standards – MUD - Manufacturer Usage Description – RFC8520 13 I’m an ACME water sensor - MUD File at: https://acme.corp/mud/ws1.0.json MUD FILE: - I have WIFI & apply the water sensor access policy - I need to upgrade my firmware at https://acme.corp - Configure me at https://myip/setup - Alerts available at https://myip/alerts It would be nice if the IoT device could advertise it’s current firmware version and/or current MUD file URL via WIFI or network connection (DPP, DHCP, LLDP…) on order to setup correct security profile
  • 14. MUD Controller workflow. (1) Scan the device’s MUD QR code with the SHG App and send the MUD URL to the MUD Controller (DHCP in future). (2) The controller sends the URL to the CIRA SHG MUD Repository, which gets the vendor MUD file from the ACME.CORP MUD Repository. (3) The user accepts the provisioning instructions. (4) The IoT device (ACME.CORP IoT Water Sensor) is added to the network with specific network access controls, enforced by the MUD Supervisor as IP Tables rules: allow access to ACME.CORP; allow sending alerts internally; allow configuration by the app; deny all other internet access.
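As an added illustration of slides 13 and 14 (this is not code from the CIRA SHG project), the following Python takes a constructed RFC 8520-shaped MUD file for the ACME water sensor and turns it into the Per Device Access Policy the MUD Supervisor would install as iptables rules: HTTPS to acme.corp, local-network traffic out (alerts) and in (configuration by the app), and a default drop for everything else. The device address, LAN prefix, chain names and the DNS answers are assumptions made for the example.

```python
"""Added example, not code from the CIRA Secure Home Gateway project:
translate an RFC 8520-shaped MUD file into the per-device iptables rules a
MUD supervisor would install. Device address, LAN prefix, chain names and
DNS answers are assumptions; the MUD file is constructed for the example."""
import json
from typing import Dict, List, Union

DEVICE_IP = "192.168.1.50"        # assumed LAN address of the water sensor
LAN_CIDR = "192.168.1.0/24"       # assumed home LAN prefix

# Constructed resolver answers. MUD ACLs name peers (ietf-acldns:dst-dnsname),
# not addresses, so the controller has to resolve them (ideally with the same
# resolver the device uses) and refresh the rules when the answers change.
DNS_ANSWERS: Dict[str, List[str]] = {"acme.corp": ["203.0.113.10"]}

# Constructed MUD file for the slides' ACME water sensor, in the RFC 8520 shape:
# an "ietf-mud:mud" container pointing at ACLs in "ietf-access-control-list:acls".
MUD_DOC = {
    "ietf-mud:mud": {
        "mud-version": 1,
        "mud-url": "https://acme.corp/mud/ws1.0.json",
        "last-update": "2019-03-01T00:00:00+00:00",
        "cache-validity": 48,
        "is-supported": True,
        "systeminfo": "ACME water sensor",
        "from-device-policy": {"access-lists": {"access-list": [{"name": "ws-from"}]}},
        "to-device-policy": {"access-lists": {"access-list": [{"name": "ws-to"}]}},
    },
    "ietf-access-control-list:acls": {"acl": [
        {"name": "ws-from", "type": "ipv4-acl-type", "aces": {"ace": [
            # "Allow access to ACME.CORP": HTTPS to the vendor cloud only
            {"name": "cloud", "matches": {
                "ipv4": {"ietf-acldns:dst-dnsname": "acme.corp", "protocol": 6},
                "tcp": {"destination-port": {"operator": "eq", "port": 443}}},
             "actions": {"forwarding": "accept"}},
            # "Allow to send alerts internally": anything on the local network
            {"name": "alerts", "matches": {"ietf-mud:mud": {"local-networks": [None]}},
             "actions": {"forwarding": "accept"}},
        ]}},
        {"name": "ws-to", "type": "ipv4-acl-type", "aces": {"ace": [
            # "Allow to be configured by app": inbound from the local network
            {"name": "app", "matches": {"ietf-mud:mud": {"local-networks": [None]}},
             "actions": {"forwarding": "accept"}},
        ]}},
    ]},
}
MUD_FILE = json.dumps(MUD_DOC)    # what the controller would fetch over HTTPS


def _ace_rules(ace: dict, direction: str, device_ip: str, chain: str) -> List[str]:
    """Render one access-control entry as iptables rules.

    direction is "from" (device -> peer, from-device-policy) or "to"
    (peer -> device, to-device-policy). Unsupported matches raise rather than
    silently widen the policy: the default for this device is no access."""
    m = ace["matches"]
    action = "ACCEPT" if ace["actions"]["forwarding"] == "accept" else "DROP"
    if "local-networks" in m.get("ietf-mud:mud", {}):
        peers = [LAN_CIDR]
    elif "ipv4" in m:
        key = "ietf-acldns:dst-dnsname" if direction == "from" else "ietf-acldns:src-dnsname"
        peers = DNS_ANSWERS[m["ipv4"][key]]
    else:
        raise ValueError(f"unsupported match in ACE {ace['name']}")
    proto = ""
    if "tcp" in m:
        proto = " -p tcp"
        port = m["tcp"].get("destination-port" if direction == "from" else "source-port")
        if port is not None:
            proto += f" --{'dport' if direction == 'from' else 'sport'} {port['port']}"
    rules = []
    for peer in peers:
        src, dst = (device_ip, peer) if direction == "from" else (peer, device_ip)
        rules.append(f"iptables -A {chain} -s {src} -d {dst}{proto} -j {action}")
    return rules


def mud_to_iptables(mud: Union[str, dict], device_ip: str, tag: str = "WS") -> List[str]:
    """Build the Per Device Access Policy for one device from its MUD file."""
    doc = json.loads(mud) if isinstance(mud, str) else mud
    policies = doc["ietf-mud:mud"]
    acls = {a["name"]: a for a in doc["ietf-access-control-list:acls"]["acl"]}
    out_chain, in_chain = f"SHG_{tag}_OUT", f"SHG_{tag}_IN"   # assumed chain naming
    rules = [f"iptables -N {out_chain}", f"iptables -N {in_chain}",
             # replies to connections the policy allowed in the other direction
             f"iptables -A {out_chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
             f"iptables -A {in_chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for direction, policy, chain in (("from", "from-device-policy", out_chain),
                                     ("to", "to-device-policy", in_chain)):
        for ref in policies[policy]["access-lists"]["access-list"]:
            for ace in acls[ref["name"]]["aces"]["ace"]:
                rules += _ace_rules(ace, direction, device_ip, chain)
    # "Deny all other internet access": default drop in both directions
    rules += [f"iptables -A {out_chain} -s {device_ip} -j DROP",
              f"iptables -A {in_chain} -d {device_ip} -j DROP",
              # hook the per-device chains into the forwarding path
              f"iptables -A FORWARD -s {device_ip} -j {out_chain}",
              f"iptables -A FORWARD -d {device_ip} -j {in_chain}"]
    return rules


if __name__ == "__main__":
    print("\n".join(mud_to_iptables(MUD_FILE, DEVICE_IP)))
```

Two things a real controller has to do that this sketch skips: verify the MUD file before trusting it (RFC 8520 points at a detached signature via the mud-signature leaf, and the file should be fetched over HTTPS from the vendor’s URL), and keep the address-to-name mapping current, since the ACLs name hosts and the resolved addresses change; the “domain-aware nftables” work item on slide 7 is aimed at that second problem.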
  • 15. Work in progress architecture 15
  • 16. That’s why we need a simple provisioning interface – this stuff is complex!! 16
  • 17. Removing end-user complexity 17 A simple user interface
  • 18. Quarantine of compromised devices -> Behavioural analysis • A standard process to quarantine and restore IoT devices: https://datatracker.ietf.org/doc/draft-richardson-shg-un-quarantine • Manufacturer Usage Description for quarantined access to firmware: https://datatracker.ietf.org/doc/draft-richardson-shg-mud-quarantined-access/ (Diagram: Appliances, Management Application; “The refrigerator is quarantined – bad lettuce”.)
  • 19. Secure remote access: Trusted authentication & accessible. A mobile client connects to a name such as n3CE618.router.securehomegateway.ca. The prototype will use 3rd- or 4th-level domains under securehomegateway.ca (see Step 1).
  • 21. Step 1 – bundle with a DNSSEC signed 3rd or 4th level .CA domain, plus a QR code to activate provisioning and the domain. 3rd level domain: domain.securehomegateway.ca. 4th level domain: domain.router.securehomegateway.ca.
  • 22. Step 2 – Secure Home Gateway setup via the SHG application. https://datatracker.ietf.org/doc/draft-richardson-anima-smarkaklink/ (“BRSKI enrollment with disconnected Registrars – smarkaklink”): “This document details the mechanism used for initial enrollment using a smartphone of a BRSKI Registrar system. …where the registrar device is new out of the box and is the intended gateway to the Internet (such as a home gateway), but has not yet been configured…”
  • 23. Step 3 – External DNS/DNSSEC Provisioning. Components: SHG external domain provisioning & primary DNS (at CIRA); external DNS view; hidden primary; internal DNS view; secondary DNS (D-Zone); SHG external IP address.
  • 24. Step 4 – Automated Wi-Fi setup: scan the MUD profile; push Wi-Fi credentials; assign the device access policy.
  • 25. Simple user interface is key to this project 25 Swipe UP, DOWN, LEFT and RIGHT
  • 27. IoT service / action type – Generic IoT home controller 27
  • 28. Adding remote VPN access to trusted mobiles and computers. (1) The mobile discovers services. (2) Grant permission and credentials to the mobile for remote home access.
  • 29. 29 Should the inside of your car be part of your home network as well?
  • 30. Adding your car. (1) The car discovers services: control car features, view car alerts, view car status/location. (2) Assign roles.
  • 31. There are many more IoT scenarios to be assessed! 31
  • 32. This slide deck is a vision: it’s what we’ll be seeing in five years.
  • 33. Want more info? Visit the CIRA Labs page as well as GitHub: https://cira.ca/cira-secure-home-gateway https://github.com/CIRALabs Don’t forget to share your feedback and input!
  • 35. • Our assessment of the home network and IoT security posture after the MIRAI attack clearly identified a need for additional home security measures to protect the internet from compromised IoT devices, and a very strong need for an enhanced open source home security framework. • Our work so far has identified significant gaps in the open source projects needed to implement an enhanced home security framework. • We embarked on a journey to identify these gaps and start development of several open source projects to better the internet.
  • 36. Why are we working on this? -> Risk mitigation • For many internet organizations like CIRA the #1 risk on the risk register is a large scale (Dyn like) DDoS attack. • One of the mitigation mechanisms for this risk is to prevent ‘weaponization’ of IoT devices • Tightly controlling access ‘to’ and ‘from’ IoT devices inside the home or small office network is key to preventing ‘weaponization’ and causing harm on the internet. • The threat that IoT devices bring is the scale of attacks. The uncontrolled access of million/billions of IoT devices to and from the internet is the threat we need to mitigate. 36 CIRA Labs - Secure Home Gateway - 2018-09
  • 37. Overview of the IoT threat landscape -> Scale and capacity • IoT device compromises: – Used in internet attacks, i.e. the MIRAI/DYN attack (DDoS) targeting DNS servers (~1.2 Tbps) • IoT traffic generation, reflection and amplification – IoT devices used in various (DDoS) attacks: NTP, DNS and SNMP reflection, plus new vectors – IoT devices have the capacity to generate large traffic loads – Home and small office networks are now starting to get gigabit internet access speeds, significantly increasing the capacity to create powerful attacks
  • 38. High Level Architecture (very ;-). OpenWrt home gateway with the home network (Wifi, MiFi, Zigbee, NFC, RFID), internal DNS/DNSSEC, firewall, and secure remote home network access over IPSEC. CIRA SHG Registry: home gateway provisioning, 3rd level .CA home domain (3rdlevel.securehomegateway.ca), primary DNS, D-Zone (external DNS). IoT cloud services & D-Zone Firewall.
  • 39. We are building a Prototype -> Based on the Turris Omnia gateway • Develop a Proof of Concept and prototype – Using the .CZ Turris Omnia home gateway & openWRT – IoT device provisioning based on MUD – Home Gateway App (Android/iPhone) – Develop some IoT discoverable devices and MUD profiles • Use public GitHub to document the functional specification and host the prototype software – Functional specification (work in progress) – Open source software repository – https://github.com/CIRALabs/Secure-IoT-Home-Gateway
  • 40. Specifications we are currently leveraging
  Specifications we are leveraging: • https://datatracker.ietf.org/doc/draft-ietf-opsawg-mud/ (now RFC 8520) • https://datatracker.ietf.org/doc/draft-ietf-netmod-acl-model (now RFC 8519) • RFC 7368 • RFC 8375 • https://datatracker.ietf.org/doc/draft-ietf-homenet-simple-naming • https://datatracker.ietf.org/doc/draft-ietf-homenet-front-end-naming-delegation • RFC 4033, 4034, 4035 (DNSSEC) • https://datatracker.ietf.org/doc/rfc5011/ • RFC 4795
  Specifications we are planning/considering: • RFC 4301, RFC 7296 (IPsec; considering OpenVPN too) • RFC 8366, https://datatracker.ietf.org/doc/draft-ietf-anima-bootstrapping-keyinfra/ • https://datatracker.ietf.org/doc/draft-cheshire-dnssd-roadmap/ • https://datatracker.ietf.org/doc/draft-ietf-dnssd-hybrid/ • https://datatracker.ietf.org/doc/draft-ietf-dnssd-mdns-relay/
  Specifications we are writing: • draft-richardson-anima-smarkaklink-00 • draft-richardson-opsawg-securehomegateway-mud-01 • draft-richardson-shg-mud-quarantined-access-00

Editor’s notes (speaker notes)

  1. Consider starting with a story of your vision – how did this come to be?
  2. The primary goal of this project is to develop a secure home gateway that protects the internet from IoT device attacks and protects home IoT devices from internet attacks.
  3. We are developing an advanced security framework for small network (home and small business) gateways based on integrating existing and emerging technologies & standards. Goals: develop a functional SHG prototype; develop a simple management interface to provision a complex network; identify new standards requirements and updates; enhance small network privacy & security with ‘intent based’ network access controls; have open source running code & standards; develop a framework to provision SHG domain names.
  4. -> best practices and new standards (note to Jacques – please explain Per Device Access Policy (PDAP) for those who may not understand what it means). Rule #1: Identify IoT devices on your home network. Rule #2: Place a policy around the IoT device that restricts it to a specific function (default is no access). Rule #3: Monitor for behavioural changes in the device and quarantine at the first sign of change.
  5. High Level MUD & IoT Device Provisioning Workflow
  6. Simple user interface. The previous slides have outlined the high level workflow. The actual workflow and automation can be very complex. One key goal of this project is to present the users with very simple choices to provision and administer a potentially complex network. Ideally, the user can only swipe up, down, left and right.
  7. Removing the complication surrounding enabling trusted secure remote access to the home network is a key goal of this project (not for the initial prototype). This needs an internet-resolvable domain name for the SHG to be reached remotely, e.g. “myhome.ca”.
  8. The focus is on automation
  9. When you buy a CIRA secure home gateway, it comes bundled with a DNSSEC signed 3rd level .CA domain.
  10. Follow the configuration instructions: install & open the CIRA SHG App; power on the SHG; scan the SHG QR code for initial setup; system-assigned 3rd level domain name; set up split-view internal/external DNS for the SHG domain; home gateway ready for configuration.
  11. Automated DNS backend provisioning @ CIRA. CIRA creates the 3rd level .CA SHG domain with DNSSEC. SHG and CIRA sync on external view propagation; the internal SHG DS record is synced into the external DNS view (full chain of trust internally and externally on the SHG domain). Need synchronisation between the external SHG DNS record and the SHG external IP address.
  12. Current focus is on automated Wi-Fi setup – that’s challenging! Set up secure home network infrastructure. Using your SHG App, scan the QR code of each new device to: discover the MUD profile; transfer the unique WIFI credentials (per MAC address); assign the appropriate Device Access Policy.
  13. Gateway provisioning, device discovery and device provisioning must be as simple as possible, intuitive for inexperienced users, and available as a framework for a default open source app.
  14. Next slides include things we identified for potential future work or functionality Includes ideas, comments & feedback
  15. Status: up/down, on/off, ok/bad, status variable. Audio/Video: camera, video feed. Media: audio/video media feed, TV, music. Storage: data storage, NAS (pictures, files, data). Alerts: up/down, on/off, ok/bad, “Water detected”. Control: turn up/down, on/off, change device value. Cloud Service: IoT vendor, Google, MS, DropBox. VPN (VPN inside vpn.myhouse.ca): remote house access. Quarantine: new MUD profile available. Other sensor/actuator functions?
  16. Adding your Car to remotely access your home network
  17. List of IoT scenarios to be assessed Example of pushing WIFI to the device Show that the fridge is exposing service No web interface on IoT device Focus on cloud / vendor, show they integrate into this solution, can be multi vendor multi cloud provides IoT Classification: based on device type, air play could see all camera in the house, the TV could see all camera (security controls) Door bell sends to audio device, you car Fire alert send to audio receiving device SmartGRID company allow access to home gateway allow SmartGRID to access hot water tank allow SmartGRID to adjust thermostats
  18. Is work in progress, presented as a story Story how a home gateway can be user and IoT friendly Is meant to define a security framework and associated standards IETF, ISO/IEC, others.. Is tuned around implementation at .CA / CIRA, but not specific just for CIRA Is to solicit feedback Is another layer of defence (in depth) to protect the internet against nasty (IoT) devices
  19. For an informational version of this deck that includes: High level architecture graphic More details on the proof of concept and prototype Specifications we are currently leveraging