With the growing number of embedded devices connected to the Internet, cellular networks and other networks via both wired and wireless protocols, hackers have a new target. A virtual closed network (VCN) can provide protection when a truly closed network is not an option.
To create a VCN, the designer needs to define the communications requirements for the device to restrict communication to only what is required and block any communication that is not required.
The defined communications policies need to be encoded as firewall rules, and the firewall needs to be integrated into the embedded device’s communications stack. If the device is running TCP/IP, then the firewall needs to be in the lower layers of the TCP/IP stack. If the device is using cell-phone text messages to communicate, as some vehicle antitheft systems use, the firewall needs to part of the cell-phone communication protocol.
In each case, the firewall filters messages before the device processes them.
The syntax of the firewall rules depends on the type of firewall. The rules define each user group in terms of the group’s Internet Protocol (IP) address as well as define the protocols and ports that are allowed for each group. Once the policies are configured into a set of rules, the firewall can enforce them.
All packets received by the device are passed to the firewall for filtering and compared with the firewall rules. The device drops all packets that do not match the firewall rules. As a result, the device blocks attempts to hack into it before a connection is even established.
Engineers can build a firewall from scratch or purchase a commercial embedded firewall. Some hardware products, such as ZGate from Zilog, include an integrated firewall, providing a low-cost solution.
As a result of the growing acceptance of IPv6 and the Internet of Things, the number of embedded devices is growing rapidly and, in turn, expanding opportunities for hacking and serious Internet attacks. A VCN, enforced by an embedded firewall, provides a critical layer of protection for embedded devices.
Alan Grau is president and co-founder of Icon Labs and architect of the company’s Floodgate Firewall. Before founding Icon Labs, he worked for AT&T Bell Labs and Motorola. Grau has an MS in computer science from Northwestern University.