SECURITY AND THE INTERNET OF THINGS: EVOLUTION NOT REVOLUTION


16 Feb 2014


SECURITY AND THE INTERNET OF THINGS:
EVOLUTION NOT REVOLUTION
AJ Shipley • Senior Director, Security Solutions • Wind River
| © 2013 Wind River. All Rights Reserved. 1
Wind River At-a-Glance: Heritage, Scale, Leadership, Investment
• 1981: Founded
• 1993: IPO
• 2009: Acquired
• 1,900 Employees
• 42,000 Developers
• 45% Commercial Market Share
• Broadest Portfolio
• 1.6 Billion devices deployed
• $90m annual spend in R&D
• Rich History of M&A
5 Billion: People touched by connectivity
15 Billion: Intelligent Connected Devices by 2015
35 Trillion: Gigabytes of Data by 2020
Source: Intel
Medical, Industrial, Mobile, Network Equipment, Automotive, Aerospace & Defense, Connected Home
Diagram: Private Cloud(s), Gateway, Internet, The Cloud
Network Transformation: The Drive to 31 Billion Devices
Diagram labels: NFV, SDN, Data Center, LAN, WAN, 2G/3G/4G, Communications, Big Data
Brown Field / Green Field; Cost Reductive / Revenue Generative (Data Monetization)
Embedded Security Landscape
Connected devices over time (source: http://newsroom.intel.com/docs/DOC-2297):
• 1990: 313,000
• 2000: 93 Million
• 2010: 5 Billion
• 2020: 31 Billion
Eras: Traditional IT Infrastructure (servers, PCs); Mobility & Consumer Electronics; Critical Infrastructure (embedded & fixed function devices)
Growing threat to critical infrastructure driven by ubiquitous connectivity
Generic Network Topology for Connected Devices
Diagram labels: Private Cloud(s), Gateway, Internet, The Cloud, Big Data, LAN; IT vs. Embedded; Brown Field / Green Field; Cost Reductive / Revenue Generative
25 Years of IT Security at a Glance
Network Security Gateways (1987-1989)
Timeline markers: 1987-1989, 1996-1999, 2000-2003, 2005, 2009
PACKET FILTER
• 5 tuple based filtering
• Performance optimized; less traversal up/down network stack
STATEFUL FIREWALLS
• Filtering based on current state
• Protection against various attacks (SYN flood, etc)
APPLICATION PROXIES
• Deeper visibility into the packet
• Filtering based on specific application protocols
• Limited performance
Source: http://www.cs.unm.edu/~treport/tr/02-12/firewall.pdf
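As an added example (not code from the deck or from Wind River), the first two gateway generations on this slide modelled in Python: a stateless 5-tuple filter, and a stateful firewall that admits inbound packets only for flows it has already tracked and caps half-open connections to a published service. The addresses, rule set, published service and half-open threshold are constructed for illustration.

```python
# Added example (not from the Wind River deck): Python models of the first two
# gateway generations on the slide. A stateless 5-tuple filter, and a stateful
# firewall that admits inbound packets only for flows it has tracked and caps
# half-open connections to a published service. Packets, addresses, rules and
# the threshold are constructed for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


def _match(value, pattern):
    """'*' matches anything; a CIDR pattern matches addresses inside it."""
    if pattern == "*":
        return True
    if isinstance(pattern, str) and "/" in pattern:
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern)
    return value == pattern


# Generation 1: stateless 5-tuple packet filter. To let replies to outbound
# connections back in, the rule set has to admit inbound packets carrying ACK
# to every inside high port; it cannot tell a real reply from an unsolicited one.
STATELESS_RULES = [
    # (src, sport, dst, dport, required TCP flag, action)
    ("10.0.0.0/8", "*", "*", "*", None, "allow"),   # anything originating inside
    ("*", "*", "10.0.0.0/8", "*", "ACK", "allow"),  # "replies" coming back in
]


def packet_filter(pkt, rules=STATELESS_RULES):
    """First matching rule wins; no matching rule means deny."""
    for src, sport, dst, dport, flag, action in rules:
        if (_match(pkt.src, src) and _match(pkt.sport, sport)
                and _match(pkt.dst, dst) and _match(pkt.dport, dport)
                and (flag is None or flag in pkt.flags)):
            return action
    return "deny"


class StatefulFirewall:
    """Generation 2: connection tracking. Inbound packets are admitted only when
    they belong to a flow already in the table, and inbound SYNs to a published
    service are capped per server so a SYN flood cannot fill its backlog."""

    def __init__(self, inside="10.0.0.0/8", published=(("10.0.0.5", 80),), max_half_open=3):
        self.inside = ipaddress.ip_network(inside)
        self.published = set(published)
        self.max_half_open = max_half_open
        self.flows = {}      # flow key -> [state, server-or-None]
        self.half_open = {}  # (server ip, port) -> inbound SYNs not yet completed

    @staticmethod
    def key(pkt):
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return a + b if a < b else b + a  # both directions share one entry

    def inspect(self, pkt):
        outbound = ipaddress.ip_address(pkt.src) in self.inside
        syn, ack = "SYN" in pkt.flags, "ACK" in pkt.flags
        k = self.key(pkt)
        if syn and not ack:                      # new connection attempt
            if outbound:
                self.flows[k] = ["SYN_SENT", None]
                return "allow"
            server = (pkt.dst, pkt.dport)
            if server not in self.published:
                return "deny"                    # nothing published there
            if self.half_open.get(server, 0) >= self.max_half_open:
                return "deny"                    # SYN flood guard
            self.half_open[server] = self.half_open.get(server, 0) + 1
            self.flows[k] = ["SYN_SENT", server]
            return "allow"
        entry = self.flows.get(k)
        if entry is None:
            return "deny"                        # not part of any tracked flow
        if entry[0] == "SYN_SENT" and ack and not syn:   # third handshake packet
            entry[0] = "ESTABLISHED"
            if entry[1] is not None:
                self.half_open[entry[1]] -= 1    # no longer half-open
        return "allow"
```

The contrast the slide draws is visible in the two verdicts for the same unsolicited inbound ACK: the stateless rule set has to allow it to let legitimate replies through, while the stateful firewall denies it because no inside host opened that flow. The half-open cap is the "protection against SYN flood" the slide lists; a real firewall would also age entries out of the table.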

25 Years of IT Security at a Glance
Secure Communication Protocols (1993-1999)
Timeline markers: 1987-1989, 1993-1999, 2000-2003, 2005, 2009
SSL/TLS
• Developed by Netscape
• Flaws in early implementations led to compromised security (SSLv1/2)
• IETF defined TLSv1
IPsec
• Openly published in 1993
• Operates at Layer 3 of the OSI stack
WiFi Alliance
• WiFi Alliance established in 1999
• Operates at Layer 2 of the OSI stack
• Early WEP proved insecure
• 802.11i (WPA/WPA2)
25 Years of IT Security at a Glance
Microsoft Security (2000-2008)
Timeline markers: 1987-1989, 1993-1999, 2000-2008, 2005, 2009
ACTIVE DIRECTORY
• AuthC and AuthZ service for Windows Domain Networks
• First released with Windows 2000 Server
“PATCH TUESDAY”
• MS security hot patch program
• Second Tuesday of every month
• Bandwidth congestion has caused network outages in the past
MS NAP
• MS version of network access control
• Endpoint posture information delivered via embedded NAP agent
• Several competing solutions (UAC, Cisco, etc)
25 Years of IT Security at a Glance
Security Information & Event Management (2005)
Timeline markers: 1987-1989, 1993-1999, 2000-2008, 2005, 2009
Security Event Management
• Real time monitoring
• Correlation
• Notification
• Visibility
Security Information Management
• Long term storage of events
• Analysis of log data
• Reporting of anomalies
Security Information & Event Management
• SIEM term first used by Gartner in 2005
• Combination of SIM and SEM
• Several products on the market as of 2012*
http://mosaicsecurity.com/categories/85-log-management-security-information-and-event-management
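The SIM/SEM split on this slide, as an added example in Python (not code from the deck or from any SIEM vendor): the SIM half stores every parsed event for later analysis and reporting, the SEM half correlates in real time and raises a notification when one source address produces repeated failed logins inside a window. Events are written in ArcSight's Common Event Format (CEF), a choice made here because it is the open format a later slide in this deck names; the log lines, the vendor/product strings and the signature IDs `AUTH-FAIL`/`AUTH-OK` are constructed for the example.

```python
# Added example, not from the deck: a toy SIEM. parse_cef() handles the CEF
# header and extension escaping; FailedLoginCorrelator keeps a long-term store
# (SIM) and runs one real-time correlation rule with notification (SEM).
# All log lines, names and signature IDs below are constructed sample data.
import re
from collections import defaultdict, deque

HEADER_FIELDS = ("version", "vendor", "product", "device_version", "sig_id", "name", "severity")


def parse_cef(line):
    """CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
    In the header, '|' and '\\' are escaped with a backslash; the extension is
    key=value pairs where '=' and '\\' are escaped."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields, buf, i = [], [], 4
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            buf.append(line[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(c); i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    event = dict(zip(HEADER_FIELDS, fields))
    # a value runs until the next " key=" token; unescape \= and \\ afterwards
    event["ext"] = {k: re.sub(r"\\(.)", r"\1", v)
                    for k, v in re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line[i:])}
    return event


class FailedLoginCorrelator:
    """SEM-style rule: notify when `threshold` AUTH-FAIL events from one source
    arrive within `window_ms`. `rt` is CEF receipt time, here in epoch milliseconds."""

    def __init__(self, threshold=3, window_ms=5 * 60 * 1000):
        self.threshold, self.window_ms = threshold, window_ms
        self.recent = defaultdict(deque)  # src -> timestamps of recent failures
        self.store = []                   # SIM half: long-term event store
        self.alerts = []

    def ingest(self, line):
        ev = parse_cef(line)
        self.store.append(ev)
        if ev["sig_id"] != "AUTH-FAIL":
            return None
        src, ts = ev["ext"].get("src", "unknown"), int(ev["ext"]["rt"])
        q = self.recent[src]
        q.append(ts)
        while q and ts - q[0] > self.window_ms:
            q.popleft()                   # drop failures outside the window
        if len(q) >= self.threshold:
            alert = {"src": src, "count": len(q), "first": q[0], "last": ts}
            self.alerts.append(alert)     # notification
            q.clear()                     # one notification per burst
            return alert
        return None

    def report(self):
        """SIM half: analysis of the stored log, events per signature."""
        counts = defaultdict(int)
        for ev in self.store:
            counts[ev["sig_id"]] += 1
        return dict(counts)


# Constructed sample log: three failures from one address inside five minutes.
SAMPLE_LOG = [
    "CEF:0|Example|Gateway|1.0|AUTH-FAIL|Failed login|5|rt=1700000000000 src=198.51.100.23 suser=admin msg=bad password",
    "CEF:0|Example|Gateway|1.0|AUTH-OK|Login|1|rt=1700000005000 src=10.0.0.7 suser=alice",
    "CEF:0|Example|Gateway|1.0|AUTH-FAIL|Failed login|5|rt=1700000060000 src=198.51.100.23 suser=root msg=bad password",
    "CEF:0|Example|Gateway|1.0|AUTH-FAIL|Failed login|5|rt=1700000090000 src=198.51.100.23 suser=admin msg=bad password",
    "CEF:0|Example|Gateway|1.0|AUTH-FAIL|Failed login|5|rt=1700001000000 src=203.0.113.5 suser=admin msg=bad password",
]


def run(lines=SAMPLE_LOG, **kw):
    """Feed the lines through one correlator; returns (alerts, per-signature counts)."""
    c = FailedLoginCorrelator(**kw)
    alerts = [a for a in map(c.ingest, lines) if a]
    return alerts, c.report()
```

The sliding window is what makes this an SEM rule rather than a report: the same three failures spread over an hour produce no notification, while the stored events still show up in the SIM-style per-signature count.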

25 Years of IT Security at a Glance
Next Generation Firewalls (NGFW) (2009 - future)
Timeline markers: 1987-1989, 1993-1999, 2000-2008, 2005, 2009, FUTURE
DEFINITION
“A wire-speed integrated network platform that performs deep inspection of traffic and blocking of attacks.”*
BENEFITS
• Application aware when running over the same port (80/443)
• Optimized, single pass inspection
• Web proxy capability for inspecting encrypted traffic
• Integration with network correlation engines and cloud based analytics
• Real time, dynamic policy decision making and distributed enforcement
*Source: http://www.networkcomputing.com/security/next-generation-firewalls-101/240149730

Constraints of Embedded Devices
• Low Power
• Intermittent Connectivity
• No UI/Headless Devices
• Lack of processing power/memory
Security Evolution: “Trusted & Measured” Boot
IT
1. Windows 8
• MS Signed Drivers
2. Intel PCs
• UEFI/BIOS
• TXT Extensions
• Trusted Platform Modules (TPM)
Internet of Things
1. BOM Costs / HW Disparity
• HW RoT, Sec Engines, OTPs
2. Disparate Boot Loaders
• Trusted GRUB, tboot, RYO
3. System Uptime / Reboots
• Years between verification

Security Evolution: “Access Control”
IT
1. Network Access Control
• Microsoft Active Directory
• 802.1X
• EAPoL
2. Physical Access
• “Why can’t I get in the lab?”
3. Network FW/IPS/IDS
Internet of Things
1. Machine AuthC vs. User AuthC
• EoU vs. EAPoL
2. MAC, RBAC, Least Privilege
• OS Level Reference Monitor
3. HIPS / Host FW
• IoT Protocol Specific
Security Evolution: “Malicious Application Protection”
IT
1. Multi Purpose Computing
• Need to support wide variety of applications
• Poly & Metamorphic malware outpacing AV
2. Mobile / BYOD
• “Sandboxing” of applications
3. User as the Last Line of Defense
Internet of Things
1. Whitelisting, Not Blacklisting
• Purpose built, single function devices
• Deterministic Requirements
• “Separation” instead of sandboxing
• McAfee Embedded & Application Control

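The "whitelisting, not blacklisting" point on the IoT side of this slide, as an added Python example (not code from the deck, from Wind River or from the McAfee product it names): a purpose-built device carries an authenticated manifest of the SHA-256 digests of every executable it may run, and anything absent from the manifest or modified since enrolment is refused. The decision is deterministic and default-deny, which is what makes it fit a single-function device better than an AV engine chasing polymorphic samples. The sample "executables" are constructed byte strings, and the device key is a placeholder standing in for a key provisioned in hardware (the OTP / HW RoT the earlier slide mentions); a real deployment would use an asymmetric signature on the manifest rather than the HMAC used here.

```python
# Added example, not from the deck or from any vendor product: hash-based
# application allowlisting for a purpose-built device. Default deny; the
# allowlist itself is authenticated so it cannot be edited on the device.
# The executables are constructed byte strings and DEVICE_KEY is a placeholder
# for a key held in an OTP / hardware root of trust (assumption).
import hashlib
import hmac
import json

DEVICE_KEY = b"PLACEHOLDER-provisioned-in-OTP"  # assumption for the example


def digest(blob):
    return hashlib.sha256(blob).hexdigest()


def build_manifest(executables, key=DEVICE_KEY):
    """Enrolment: record each approved executable's digest and authenticate the
    list. HMAC stands in here for the signature a real device would verify."""
    entries = {name: digest(blob) for name, blob in executables.items()}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries,
            "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def load_manifest(manifest, key=DEVICE_KEY):
    """Refuse a manifest whose authentication tag does not verify."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        raise ValueError("allowlist manifest failed authentication")
    return manifest["entries"]


class ExecPolicy:
    """Reference-monitor style check consulted before any executable runs."""

    def __init__(self, manifest, key=DEVICE_KEY):
        self.allowed = load_manifest(manifest, key)
        self.events = []  # (name, decision, reason) for the device's event feed

    def may_execute(self, name, blob):
        expected = self.allowed.get(name)
        if expected is None:
            decision, reason = False, "not in allowlist"
        elif not hmac.compare_digest(expected, digest(blob)):
            decision, reason = False, "digest mismatch (modified binary)"
        else:
            decision, reason = True, "allowed"
        self.events.append((name, decision, reason))
        return decision


# Constructed sample: the two programs a single-function gateway is built to run.
APPROVED = {"sensor-reader": b"\x7fELF sensor-reader v1",
            "mqtt-forwarder": b"\x7fELF mqtt-forwarder v1"}
MANIFEST = build_manifest(APPROVED)
```

Every refusal is recorded with its reason so the device can forward it as an event; on a purpose-built device an unexpected execution attempt is itself a high-value signal, because the set of legitimate programs is known in advance.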
Security Evolution: “Software Updates & Security Patches”
IT
1. Non-mission critical
• BSOD fixed by corporate IT
• User intervention to accept/rollback updates
• Bandwidth/latency is not an issue
2. Patch Early / Patch Often
• Frequent reboots
Internet of Things
1. No UX to AuthC / AuthZ
• Images must be signed
2. Security patches cannot impact functional safety
• Bandwidth limitations
• Device reboots
• CPU resources
3. Verification tied to HW RoT
• Limited physical security

Security Evolution: “Attestation” & “Situational Awareness”
IT
1. Security Information & Event Management
• Correlation of Netflow information and user context
2. Cloud based web proxies (towers) for global coverage
• McAfee GTI & Cisco SIO
3. NAC VSA Posture Info
Internet of Things
1. Proprietary or Open Event Format
• Common Event Format
• “Lightweight” Agents
2. Runtime Attestation
• Reboots are rare
• Only Read-Only areas can be measured reliably
3. Pub/Sub - MQTT

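The "Trusted & Measured Boot" slide and the runtime attestation point on this slide share one mechanism, shown here as an added Python example (not code from the deck or from Wind River). Each boot stage is hashed and extended into a PCR-like register before it runs, and a verifier checks the nonce-bound quote, replays the event log, and compares every stage against golden values recorded at provisioning. Because devices reboot rarely, the same verifier later re-measures the running system; only read-only regions are included, since writable areas change legitimately and would produce false mismatches. The stage images, memory regions, nonces and the attestation key are constructed; the HMAC key stands in for a hardware-held signing key, and the extend rule mirrors TPM PCR extend but nothing here talks to real hardware.

```python
# Added example, not from the deck: TPM-style measured boot plus runtime
# re-attestation of read-only regions. Images, regions and nonces are
# constructed; AK is an HMAC placeholder for a key inside a hardware RoT.
import hashlib
import hmac
import json

AK = b"PLACEHOLDER-attestation-key-in-hw-rot"  # assumption for the example


def h(data):
    return hashlib.sha256(data).digest()


def extend(pcr, measurement):
    """PCR extend: new = H(old || measurement). The chain binds both the
    content and the order of every stage into one value."""
    return h(pcr + measurement)


def measured_boot(images):
    """images: ordered (stage, bytes). Returns the final PCR and the event log."""
    pcr, log = bytes(32), []
    for stage, blob in images:
        m = h(blob)                     # measure before the stage runs
        log.append((stage, m.hex()))
        pcr = extend(pcr, m)
    return pcr, log


def quote(pcr, nonce, key=AK):
    """Device side: attest the PCR value, bound to the verifier's fresh nonce."""
    return hmac.new(key, nonce + pcr, hashlib.sha256).hexdigest()


def verify_boot(pcr, log, q, nonce, golden_log, key=AK):
    """Verifier side: fresh valid quote, log replays to the quoted PCR, and
    every stage matches its golden measurement, in order."""
    if not hmac.compare_digest(quote(pcr, nonce, key), q):
        return False, "quote invalid or replayed"
    replay = bytes(32)
    for _, m in log:
        replay = extend(replay, bytes.fromhex(m))
    if replay != pcr:
        return False, "event log does not replay to quoted PCR"
    if len(log) != len(golden_log):
        return False, "unexpected number of boot stages"
    for (stage, m), golden in zip(log, golden_log):
        if (stage, m) != golden:
            return False, f"stage {stage!r} does not match golden measurement"
    return True, "ok"


def runtime_measure(regions):
    """regions: {name: (bytes, read_only)}. Only read-only regions are measured;
    a writable region (log buffer, config) would give a new value every time."""
    return {name: h(data).hex() for name, (data, ro) in regions.items() if ro}


def runtime_attest(regions, nonce, key=AK):
    """Device side: report of read-only measurements plus a nonce-bound quote."""
    report = runtime_measure(regions)
    body = json.dumps(report, sort_keys=True).encode()
    return report, hmac.new(key, nonce + body, hashlib.sha256).hexdigest()


def verify_runtime(report, q, nonce, golden_regions, key=AK):
    body = json.dumps(report, sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, nonce + body, hashlib.sha256).hexdigest(), q):
        return False, "quote invalid or replayed"
    bad = sorted(n for n, m in golden_regions.items() if report.get(n) != m)
    return (not bad), ("ok" if not bad else "modified: " + ", ".join(bad))


# Constructed images and memory map for a small gateway.
GOLDEN_IMAGES = [("rom-bootloader", b"ROM v1"), ("kernel", b"kernel 3.10"), ("rootfs", b"squashfs ro")]
GOLDEN_PCR, GOLDEN_LOG = measured_boot(GOLDEN_IMAGES)
REGIONS = {"kernel-text": (b"kernel 3.10 .text", True),
           "rootfs": (b"squashfs ro", True),
           "log-buffer": (b"boot ok\n", False)}
GOLDEN_REGIONS = runtime_measure(REGIONS)
```

Two properties worth noticing: reordering genuine stages changes the final register even though every individual measurement is in the golden set, and a quote computed for an old nonce fails verification, which is what stops a compromised device from replaying a healthy-looking report.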
Security & Privacy
Intelligence where you need it
Privileged access to data requires a considered approach to security.

Seemingly mundane data, whether or not your television is consuming energy for instance, can be a good indicator of whether or not a home is occupied.

Ensuring such data is secure will be vital to individual security and privacy as IoT is implemented more broadly.

Benefits of Wind River Intelligent Device Platform
Connectivity
• Pre-integrated smart and connected capabilities enable rich network options to save development time and costs.
• Validated and flexible firmware provides an extensive network of connectivity choices, including broad modem support and PAN, LAN, and WAN network access.
Manageability
• Platform customization significantly reduces time-to-product while increasing the productive life of M2M devices.
• Intuitive web-based tool reduces configuration and support costs and allows for anytime provisioning and management of devices.
Security
• Built in gateway security features designed to secure the communication channel, the data and the end device.
• Customizable secure remote management ensures end device integrity via secure boot, provides encrypted communication between device and cloud-based management console, and limits exposure of untrusted applications through device resource management.
Intelligent Device Platform
A complete software development environment used for building machine-to-machine (M2M) applications and devices that communicate with the cloud
• Contains customizable security features, smart and connected capabilities that enable rich network options, and validated and flexible device management software
• Provides a scalable, sustainable, and secure software solution to simplify the development, integration, and deployment of IoT gateways
• Includes pre-validated components built exclusively for M2M applications
• Offers the potential to make data more efficient, cut operational costs, reduce impact on the environment, improve customer satisfaction, and create new revenue streams

Next Generation Secure Internet of Things (IoT) Architecture
Extending the enterprise security footprint to the Embedded Edge!
• Type 1 Virtualization
  o Separation of safety critical workloads
  o Co-located Unified Threat Management
• Real Time Deterministic Behavior
• Seamless instrumenting of legacy applications
• Integration with enterprise IT infrastructure
• Cloud based visibility, control, and analytics
• Small footprint, low power, high security
• IoT optimized reporting, policy enforcement, & data analytics