Recent cyber attacks using Internet of Things (IoT) devices have highlighted the value of SDN/NFV in fighting cyber crime.
IoT devices have been leveraged in at least two large distributed denial-of-service (DDoS) attacks in the last couple of months, commonly referred to as the Marai botnet. Boiled down to basics, software is used to scan specific ports, looking for a way to get to the SSH or Telnet command on a device. There are user names and passwords hardcoded on a device used to access these systems. The device can be used as a control bot to launch an attack.
The much talked-about network functions virtualization (NFV) and software defined networking (SDN) could play a vital role in solving security issues as the industry moves forward, wrote Steve Goeringer, principal security architect, CableLabs, in a recent blog post.
The IoT devices exist as part of a device chain in an ecosystem that delivers feature rich and dramatic services to users, so the security solution needs to be holistic, Goeringer explained to BTR. "With NFV and SDN, we can use an open distributed architecture that leverages these new virtualization technologies to provide more dynamic, flexible security solutions that are easier to patch and upgrade."
NFV and SDN offer standardized features, processes and protocols so that security tools can be deployed more quickly and applications can be patched more easily. NFV introduces DevOps best practices for testing software patches and updates, while SDN enables physical and virtual routers and network appliances to be updated programmatically, Goeringer said.
In general, CableLabs is working on three different goals in securing IoT devices: protect privacy, enable trust in technology, and protect network infrastructure, wrote Brian Scriber, CableLabs' principal architect, security, in a recent blog.
Privacy is an ongoing concern, particularly as consumers are wearing more devices. However, operators do need to be able to trace attacks to the maliciously used device. Scriber suggests that devices need an "immutable, attestable, and unique identifier" to enable this. Confidentiality should be protected with encryption. Problem is that some IoT devices do not have the processing power traditionally needed for PKI. However, Elliptical Curve Cryptography requires smaller keys, Scriber said.
Network protection against attacks like the one described above requires security in all IoT devices down to the lightbulb and thermostat. Both have computational power, a processor, storage, memory, an operating system, etc., and use credentials the homeowner has provided to operate on the local network. While a PC uses antivirus software and is frequently scanned, this does not happen on an IoT device like a lightbulb.
"What we are trying to do in CableLabs and the consortiums, is to help drive security into these smallest and most constrained devices, which are legitimate targets," Scriber said.
One of the consortiums he was speaking about is the Open Connectivity Foundation, comprising more than 250 manufacturing companies, network operators, device aggregators, chip manufacturers, and others. Work is being done on many different security angles, including device communication, cryptography, onboarding and offboarding, and how control to these devices is accessed.
"That is how we are defining an infrastructure for IoT: (Looking for a mechanism) that can be used for very small devices on up. When we talk about devices too small or constrained to do this, we limit their capabilities on the network," Scriber said. The smallest of devices also might have a trusted partner that goes with it for network operations.
In the meantime, vendors are working on fixes like making sure products are not shipped with support maintenance portals open and ensuring the same default passwords and user names are not used on every device of the same type that is shipped, for example.
All of these things come together to enhance CableLabs third point - the need to form trust. If an individual reads about an attack on personal security cameras, he or she will be less likely to purchase and subscribe to a service. "The overall goal is to improve experiences for consumers both in future devices and to limit not only how many devices are compromised, but also limit the scope and impact of any individual vulnerability through leveraging multiple layers of defense," Scriber said.