Enterprise networks are becoming inundated with "smart" things and industrial sensors. But with no antimalware available, and little centralized configuration management, endpoint security is difficult -- if not impossible. Many devices, such as smart meters or the digital video recorders used in surveillance systems, don't connect to enterprise access controls or inventory and patching mechanisms. As a result, it's important to find methods for securing the Internet of things (IoT) and bring your own devices, using network-based controls that can scale and be centrally managed with existing tools.
Policies and technologies to enforce inventory controls are critical for data security and risk management. Most Internet-connected devices can only be managed efficiently via Dynamic Host Configuration Protocol, a network protocol used for automating IP parameters. DHCP can do a lot more than just hand out IP addresses and DNS settings. Its support for additional features is spotty, however. In some cases, firmware updates and configurations can be sent to devices -- DHCP is critical to advertise the location of these files.
DHCP logs and lease files can also provide reasonably good inventories. Restricting DHCP to known devices, or using it to segregate new devices into subnets, is a commonly used technique to enforce inventory control policies. DHCP server configurations should always tie back to an IP address management and inventory control system. Figure 1 shows a small sample of DHCP logs that include the name of the device asking for an address.
DHCPREQUEST for 192.0.2.1 from 00:24:e4:dd:ee:ff (WSD-5CA8) via re1
Figure 1: Devices identifying themselves as part of a DHCP request.
In addition to DHCP logging, devices need DNS for IP address management just like any other computer system using IP. While DNS was developed, in part, to save humans from having to remember IP addresses; for devices, DNS allows manufacturers to retain static host names for APIs that resolve to varying or multiple IP addresses. DNS requests can be used to assist in inventorying devices -- the queries can indicate the type of device and how it is used, as shown in Figure 2.
query: netcom.netatmo.net IN A + (10.5.0.86)
query: api.parse.com IN A + (fd14:5d44:4428:1::35)
query: scalews.withings.net IN A + (10.5.0.86)
Figure 2: DNS queries sent by a weather station, an iPhone and a scale.
Luckily, most devices do not have to accept unsolicited connections from outside the perimeter. But many systems still need to establish outbound connections.
Restricting these connections is tricky, especially if a device wants to connect to cloud services or content delivery networks. It's hard, if not impossible, to establish sensible firewall rules in these cases. With HTTP connections, it may be possible to proxy the connections and inspect the data that's sent and received, in an attempt to eliminate data leaks and detect malicious code retrieved by the device.
Often overlooked as a sensor, the Network Time Protocol (NTP) is still used by many devices to synchronize computer clock times on packet-based networks. In some cases, devices use a pre-set NTP server, which may indicate which device is sending the NTP request. Some systems may attempt to connect to a NTP server assigned via DHCP.
Most security teams have access to these types of network-based controls. To develop better security processes for the Internet of things, all it takes is use of these existing tools to start looking for potential events associated with devices, and enforcement of inventory control policies.
When it comes to securing the Internet of things, will history repeat itself?