Securing Internet-Enabled Devices
Imagine your supervisor calls you to his office. You are informed that the supervisor has just received a call from the head of the supermarket chain you outfitted with the very latest supermarket electronics all joined by a network. Apparently, one of the store managers, on opening the store this morning walked into a blast of hot air and the smell of rotting food.
On investigation, you discover that the freezers were turned off at 2 a.m. and the heat was turned on full blast at 2:30 a.m. The security cameras show that nobody was in the store or had even been near the store at that time.
Congratulations. Your customer has been hacked. Now they want to know how to keep it from happening again.
If you did not design security into the system from the start, you may find it hard to put in after the fact. Your network topology, the firmware you used, and the systems you have chosen may all be working against you. You may need to ask the supermarket staff to change the way they work in ways that they find awkward and inconvenient.
None of this would be happening if you had designed security in from the start.
Now, before you begin the design for an Internet connected system, is the time to learn about the importance of network security and how to reduce the risk of attack. You should also consider involving a security expert in your design and review process.
An increasing number of manufacturers are heading towards Internet-enabled appliances and devices. The reasons for doing this are many and include lower cost of manufacture, lower cost of service (by remote access), and coordinated management with other devices. In the example of the supermarket chain, that is monitoring the health of all of its refrigerator units and controlling energy usage over the Internet.
There are active projects to make the products in a supermarket Internet-aware. The MIT Auto-ID center is working on a system to replace the UPC barcode on products with a code that contains reference to Internet-resident information. These barcodes will help the store manager to manage inventory and target marketing to consumers.
In addition, these bar codes can provide a great deal of information to both the retailer and the consumer. Imagine waving a package of chicken in front of a home refrigerator and having a series of recipes from the manufacturer's Web site appear on the screen in front of you. This means that the store, appliance manufacturer, as well as the product vendor must be Web-enabled.
The future is Internet-enabled and with great promises come risks. It is important to understand those risks and manage them using network security techniques.
Depending on whose numbers you use, somewhere between 45 and 55 percent of all attacks come from people inside the organization. Internal attacks are generally not sophisticated; they usually boil down to exploitation of bad practices, such as sharing of passwords, or use of publicly known passwords. This means it is important to think about good internal network security, so that most internal attacks can only affect small areas of the network, or a limited number of devices. It is important to design security to make it easy to follow good practices.
This leaves the other 55 to 45 percent of all attacks in the hands of much more sophisticated attackers. For the most part, the challenge is keeping the more sophisticated attacker off your network in the first place. Pay attention to and secure all entry points to the network. This means paying attention to physical security on the local network hardware as well as electronic entry points such as other network connections and the firewall.
The case of a competitor's agent is probably more the stuff of tabloid newspapers than reality, but not enough so that you can ignore the possibility. When dealing with a professional attacker, the main goal is to discourage them from attacking, instead forcing them to try a different and, one hopes, more visible route. The tools available are VPNs, encryption, firewalls, and strong authentication. These are sufficient to discourage the professional attacker.
When discouraged, an attacker will most likely turn to social engineering to gain information and a foothold on the network. Social engineering is a polite term for fooling someone inside the organization to reveal information about the network. It can be as simple as a phone call claiming to be the vendor trying to repair the system, but unable to access the system. "The password I have is 'Magic beans', is that the right one?" All too often, a person inside the organization reveals the real password without a second thought. Cultural consciousness of security is also important when protecting a system.
There are a number of Web sites with information to assist network designers. Some are commercial but most are sites where the information is given freely by the network community. Click here for a brief overview of some of these resources, complete with links.
Security helps defend against attackers by providing a series of obstacles between the attacker and their goal. Various defenses will work in most situations to protect against attacks. These defense mechanisms keep the attacker from doing harm by keeping the attacker off the network, protecting network traffic from being read, and by preventing the attacker from masquerading as an authorized user.
Keeping an attacker off your network is quite important. If an attacker cannot get on the network, they cannot do anything. If an attacker does get on the network, tools such as end-to-end encryption can keep them from being able to read the network traffic. In addition, there are tools that allow only authorized users access to services on the network.
When security measures are put in place, they make it more difficult to intrude on a network. The better the security measures, the more expert an intruder needs to be. Make the measures tough enough and intruders will try to attack a different part of the system to get around the security measures.
Put a simple padlock and hasp on a door and anyone with a crowbar can get in. Put a dead bolt lock on the door and anyone with a battering ram can break down the door. Put in a metal reinforced door with multiple dead bolt locks and it is time to start looking at the windows for an easier way in.
However, all the security measures in the world do absolutely no good if somebody leaves the door open or unlocked.
In considering the consequences of an attack, you need to look at the value of what you are protecting: are you protecting diamonds or rhinestones? If you are protecting a big vault of gem-quality diamonds, you want to apply strong security measures. If you are protecting a little box of rhinestones, then security measures do not need to be as strict.
You, as a device manufacturer, need to think through the consequences of an attack. For example, a supermarket's vendor price list (what it pays for its produce) might not seem too valuable on first consideration. Nevertheless, a competing supermarket that has access to that price list month after month knows exactly how to manipulate prices to put your customer out of business.
A secure network generally has several different levels of security, described as red, orange, and green. A red network is exposed entirely to the Internet, an orange network accesses the Internet only by means of a firewall with carefully designed access rules, and a green network has access only to the orange network, again only by means of a firewall with carefully designed access rules.
Figure 1: Only devices that require access from the Internet, such as a mail server, should be on the orange network. All other devices should be on the green network or on a separate, unconnected network with no Internet exposure at all.
When joining networks, it is important to remember that the network with the weakest security sets the security standard for the entire network. If employees at their home offices need access to the green network, this connection is frequently made using a virtual private network (VPN). Therefore, if the home office has poor or no security, it reduces the security of your green network.
Never think that a device or system is safe and secure from attack just because it is behind a firewall. Firewall rules can be badly written. A firewall may be using an old version of software that has well-known security holes. Adding a VPN to an insecure system can put your Internet devices at an orange or red level. A classic security mistake is to use a VPN to connect a secure network to an unprotected telecommuters' home system that is completely exposed to the Internet.
You should decide the level of security or hardening that a device or system needs based on the value of the data on it and the consequences of a successful attack, and not on your assumptions about the level of security on the surrounding network.
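The zoning and weakest-link rules above can be checked mechanically before a design ships. The following Python is an added example (not from the article or from any product it mentions): device names, zones and joins are constructed, and a "join" means any connection between two devices that is not mediated by a firewall with its own access rules.

```python
# Added example (not from the article): check device placement against the
# red/orange/green zoning rule and the "weakest link" rule for joined networks.
from collections import defaultdict

ZONES = ["red", "orange", "green"]   # list index = security rank (higher is safer)
RANK = {z: i for i, z in enumerate(ZONES)}

def effective_zones(devices, joins):
    """Zone each device really has after unfiltered joins (same LAN segment, or a
    VPN with no firewall at the far end): a joined group inherits its weakest zone."""
    parent = {d: d for d in devices}

    def find(x):                     # union-find with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in joins:
        parent[find(a)] = find(b)
    weakest = defaultdict(lambda: len(ZONES) - 1)
    for d, zone in devices.items():
        weakest[find(d)] = min(weakest[find(d)], RANK[zone])
    return {d: ZONES[weakest[find(d)]] for d in devices}

def placement_violations(devices, joins, needs_internet):
    """Devices needing Internet access belong on orange, all others on green;
    return (device, effective zone, required zone) for every weaker placement."""
    problems = []
    for d, zone in effective_zones(devices, joins).items():
        required = "orange" if d in needs_internet else "green"
        if RANK[zone] < RANK[required]:
            problems.append((d, zone, required))
    return sorted(problems)

# Constructed sample: the article's supermarket plus a telecommuter's home PC.
DEVICES = {
    "mail-server": "orange",
    "freezer-controller": "green",
    "accounting-pc": "green",
    "vpn-gateway": "green",
    "home-office-pc": "red",         # home LAN sits directly on the Internet
}
JOINS = [
    ("freezer-controller", "vpn-gateway"),  # same green LAN segment
    ("accounting-pc", "vpn-gateway"),
    ("vpn-gateway", "home-office-pc"),      # VPN with no firewall at the home end
]
NEEDS_INTERNET = {"mail-server"}
```

With the sample data, every device on the green segment is reported as effectively red because of the single unfiltered VPN join; removing that join leaves only the home PC flagged.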
You've considered the various items in your system, their value, and the consequences if they are attacked: corrupted, fooled with, modified, stolen, or spied on. You know you do not want the settings on the refrigerators changed, you know you want to protect the computer with the accounting data, and so forth.
Figure 2: Network protocol layers showing position of the encryption layer (SSL/TLS).
The SSL/TLS protocols provide for the negotiation of a secure session between an arbitrary Web client and Web server by using public key techniques and digital certificates. Digital certificates associated with a server can be used by the client to verify or authenticate the server's identity.
The negotiation for the secure session begins by negotiating a certificate exchange and cipher suite between the server and the client. A cipher suite is a combination of a key exchange protocol, a bulk encryption algorithm and key size, and a hash algorithm that is used to ensure data integrity. While many different cipher suites can be negotiated, the most widely used suite by standard Web browsers is a suite that uses the RSA Key Exchange and RC4 algorithms.
During the negotiation process, asymmetric encryption is used and a session-specific symmetric key is created and exchanged between the server and the client. Once the negotiations are complete, symmetric encryption (which is faster) is used for the rest of the session. Within a single secure SSL/TLS session, multiple Web pages, forms, and other data can be transmitted so that the negotiation overhead is encountered only once at the beginning of a secure transaction.
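As an added example (not from the article or from Allegro's products), the following Python splits standard cipher-suite names into the three components just described, key exchange, bulk cipher with key size, and hash, and then applies a minimum policy to each. The sample suite names are constructed, the policy thresholds are this example's own, and the RC4 prohibition (RFC 7465) is the one fact drawn from outside the article.

```python
# Added example (not from the article): split IANA cipher-suite names into the
# key exchange, bulk cipher + key size and hash the article describes, then
# apply a minimum policy. RFC 7465 (RC4 prohibition) is the one external fact.
import re

# TLS_<key exchange>_WITH_<bulk cipher[_keysize][_mode]>_<hash or PRF>
SUITE_RE = re.compile(r"^TLS_(?P<kex>.+?)_WITH_(?P<rest>.+)$")
HASHES = {"MD5", "SHA", "SHA256", "SHA384"}

def parse_suite(name):
    """Return {'kex', 'cipher', 'key_bits', 'hash'} for a cipher-suite name."""
    m = SUITE_RE.match(name)
    if not m or m["rest"].split("_")[-1] not in HASHES:
        raise ValueError(f"unrecognised suite name: {name}")
    *cipher, hash_alg = m["rest"].split("_")
    # Key size is the numeric token (AES_128_CBC, RC4_40); 3DES carries none in
    # its name, so use its 112-bit effective strength; NULL means no encryption.
    bits = next((int(p) for p in cipher if p.isdigit()), None)
    if cipher[0] == "3DES":
        bits = 112
    elif cipher[0] == "NULL":
        bits = 0
    return {"kex": m["kex"], "cipher": "_".join(cipher), "key_bits": bits,
            "hash": hash_alg}

def policy_findings(name):
    """Policy: forward-secret key exchange, >=128-bit cipher, no RC4/NULL/export,
    no MD5. Returns the list of violations; empty means the suite passes."""
    s, found = parse_suite(name), []
    if "EXPORT" in s["kex"]:
        found.append("export-grade key exchange")
    if "DHE" not in s["kex"]:               # DHE_* and ECDHE_* give forward secrecy
        found.append("no forward secrecy: " + s["kex"])
    if s["cipher"].startswith("RC4"):
        found.append("RC4 is prohibited in TLS (RFC 7465)")
    elif s["key_bits"] is not None and s["key_bits"] < 128:
        found.append(f"weak cipher: {s['key_bits']}-bit {s['cipher']}")
    if s["hash"] == "MD5":
        found.append("MD5 integrity")
    return found

# Constructed sample: the browser default named in the article and three others.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
```

For AEAD suites such as the GCM example, the trailing token names the handshake PRF rather than a separate integrity MAC; the parser reports it in the same `hash` field.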
Allegro Software Development also provides a Web client version based on its embedded RomWebClient product. The RomWebClient Secure product includes SSL/TLS protocol and certificate capabilities so a secure HTTP-client session can be conducted with any standard Web server.
Too often security is an afterthought or thought of as an impediment to product development. As a result, security is tacked on at the end without sufficient thought to usability, utility, and functionality. By planning upfront to build a secure system, you will spend less money for more results. If you do not have in-house security experts, it is far better to bring in outside security experts early in the design process, than to wait and bring them in after disaster has struck.
Eric Johansson has over 20 years of high-level system and software design experience with particular emphasis on Internet system and security design. For the past five years, Eric has headed Internet Guide Services, specializing in the design, configuration, and remediation of complex Internet-based systems. Among others, his clients have included EG&G, BBN, AllMedia Solutions, ZipLink, and Harvard Pilgrim Health Care. Prior to founding Internet Guide Service, Eric held senior-level engineering positions with Polaroid, Wang Laboratories, Ziff-Davis, and Computervision.
Edward Steinfeld has more than 25 years experience in real-time and embedded computing. He began as a programmer writing code and designing hardware to test hybrid circuit boards for Picker X-ray. He has marketed embedded and real-time products to OEMs and resellers for Digital Equipment, VenturCom, and Phar Lap Software. His international experience includes a stint in Hong Kong as a Far East Channels Manager and responsibility for international OEM sales in Europe and the Pacific Rim. Ed is now providing market research, business planning, and marketing services to the embedded computing industry.