F5 Network Security for IoT


OVERVIEW

Introduction

As networked communications continue to expand and grow in complexity, the network has increasingly moved to include more forms of communication. This has ushered in the era of the Internet of Things (IoT). No longer dependent upon person-to-person interaction, communications are made directly between simple devices, or between simple devices and complex systems. These connections between millions of IoT devices create demand for new services, unlocking new business opportunities to improve efficiency and quality of service. IoT technology is expected to spread exponentially across many industries, with growth estimated to surpass 20 billion connected devices by 2021. [1]

Within the Internet of Things, Communication Service Providers play an important role. This role can vary widely: from a focus on offering IoT-centric connectivity, such as LoRa (long range) and LTE-M (Long Term Evolution (4G), category M1), to more advanced IoT services, including hosting IoT applications and offering IoT security services.

For those Service Providers working within the IoT domain, the massive volume of newly connected Things introduces new challenges for security. While humans were historically considered the weakest link for security, IoT devices are providing stiff competition! IoT devices are now the number one attack target on the internet. [2] Without adequate safeguards, these connected devices are easily compromised for nefarious purposes. The Mirai botnet is a great example; at its peak, Mirai had more than a half billion compromised IoT devices, allowing the execution of attacks at an unprecedented scale.

Whether consumer or industrial IoT, security is perhaps the biggest challenge and barrier to more rapid global adoption. While security repercussions can be just costly lessons learned in the consumer IoT sector, the safety and legal implications can be colossal for industrial IoT. Hence, the critical requirements of safety, security, reliability, scalability, latency, performance, visibility, and adaptability become mandatory. F5 Networks can play a key role in the Service Provider network architecture, helping to enable advanced, IoT-specific security services.

[1] Gartner 2017: https://www.gartner.com/en/newsroom/press-releases/2017-02-07-gartner-says-8-billionconnected-things-will-be-in-use-in-2017-up-31-percent-from-2016
[2] F5 Labs 2018, The Hunt for IoT: Multi-Purpose Attack Thingbots Threaten Internet Stability and Human Life. https://www.f5.com/labs/articles/threat-intelligence/the-hunt-for-iot--multi-purpose-attack-thingbots-threaten-intern

F5 IoT security overview

Interconnected networks of IoT devices include multiple points of vulnerability, each of which requires its own security solution. Most IoT security solutions focus on providing security within the device itself. Data centers create an additional point of vulnerability. Virtually all IoT devices communicate with applications via centralized or distributed data centers, creating a well-recognized need to protect these servers against attacks and data breaches. Additionally, F5 recognizes the need to provide network-centric security, allowing end-to-end protection of interconnected networks of IoT devices. Limitations on computing power and the low frequency of software updates mean that security on the end device is often limited. A network-based solution can address some of these limitations, as well as mitigate additional threats which target the IoT network infrastructure. Network-centric security is, therefore, a critical addition to the IoT ecosystem.

For many years F5 technology has provided cost-effective advanced services by means of deployment within Service Provider infrastructures. The same technology can be used by Service Providers to offer advanced security services for IoT-centric use cases, such as traffic management, RAN-level security, and DDoS protection for cellular IoT.

The F5 IoT Firewall is a key element of any effective IoT security solution, and, perhaps, the most important IoT security service that F5 can provide. The IoT Firewall is a user-plane firewall, deployed in the Service Provider's core network, that features key differences from traditional network firewalls to allow better efficacy when deployed within the IoT domain. The IoT Firewall provides device-aware, application-centric firewall policies. This allows Service Providers to offer IoT security services without the need to host the IoT application in their data centers, or to directly manage the IoT application.

The primary security threats mitigated by the IoT Firewall are:

- Network threats: The F5 IoT Firewall prevents DDoS (Distributed Denial of Service) and application-layer attacks which may disrupt the integrity and availability of the Service Provider's network.
- Device threats: The IoT Firewall ensures that devices only connect to safe locations and prevents devices from connecting to unknown services. This reduces the chances of devices being compromised through malware and blocks malicious ThingBot C&C (command and control) communication, stopping devices from being exploited remotely.
- Service abuse: This capability prevents IoT devices from being used in unexpected ways, which can result in revenue leakage for the Service Provider or the application owner (for example, stopping a connected-car SIM from being used in another device to stream Netflix).

F5 IoT Firewall

The relationship between a Service Provider and their IoT customers can take a variety of forms. In some cases, the Service Provider may act as a simple pipe provider offering managed connectivity to IoT customers who choose to keep their IoT application in their own data centers (or in a public cloud). One strategic alternative to this model is for Service Providers to offer their IoT customers an enhanced network-centric security service that can be customized on demand directly by the customer and/or application owner.

[Figure 1: Typical Service Provider and Enterprise (customer) roles. Diagram labels: an Enterprise administrator (manages policy for a group of IoT devices, manages firewall rules, manages devices, i.e. an IMSI range) uses a Web Portal created by the Service Provider, which has real-time access to the Policy Database using APIs. The Policy Database may be a 3GPP PCRF (Policy Control Resource Function), a oneM2M AE (Application Entity) or other databases, reached over 3GPP Gx (Diameter) or, for other systems, a REST API or SSH. On the data path, the IoT Device connects through the Gateway (which owns the mapping of device identifier to IP address and signals it to other systems) to the IoT Firewall (which learns the device-id to IP address mapping and applies policy based on device-id) and on to the Internet.]

The diagram above details Service Provider and Enterprise (customer) roles. These roles are typically very well defined. In particular:

- The Service Provider provides the infrastructure, based on access termination (for example, a PGW), the IoT network Firewall, the Policy Control System, and, most importantly, an enterprise-facing Front-End Portal or REST API interface.
- The Net/SecOps team on the customer side uses this portal or API to define security policies that interact with the Gateway Service offered by the Service Provider.

One of the biggest challenges for Service Providers is finding cost-effective ways to deliver these services. Without the right technology, it is challenging to tailor services for all customers requiring customized, IoT-centric implementations. Many providers choose to address this challenge by deploying a per-customer chain with a dedicated gateway node (for example, an LTE P-GW) or a dedicated access point name (APN), a dedicated firewall instance, and a dedicated policy provisioning system. This approach is expensive and inflexible, and, therefore, not suited to supporting a mass roll-out of inexpensive IoT services. The F5 IoT Firewall provides a flexible approach using a single instance that can be cost-effectively shared between different IoT customers. The single instance provides granular policy provisions for each customer and significantly simplifies deployment, lowering operational costs.

[Figure 2: The IoT Firewall data plane serves as the enforcer of the security policy implemented by the customer, allowing the passage of explicitly permitted traffic and blocking all other traffic. Diagram labels: Service Provider IoT service (Policy Web Portal, RADIUS, DNS); Packet Core (IoT PGW, Control Plane); F5 IoT Firewall; Customer 1, Customer 2 and Customer 3 (the last with a Compromised Device); Public Service (Public App 1, Public App 2); Private Service (Customer App 1, Customer App 2); Internet (Website, Malware C&C). Customer 3 is passing infected traffic from an infected device. Green lines represent traffic that is allowed to pass, while the red line represents traffic that is blocked.]

To achieve the required performance and scale, the F5 IoT Firewall efficiently provisions device-aware policies for millions of different devices using a common F5 appliance. This appliance may be physical or virtualized, which makes it particularly suited for Cloud/NFV deployments, as well as distributed architectures such as MEC (Multi-access Edge Computing). This enables the Service Provider to:

- Support thousands of IoT customers, each with different security policy implementations
- Scale to millions of devices, increasing cost-effectiveness and business capacity

How it works

Positive security model

The F5 IoT Firewall security solution is based on a positive security concept. When an IoT service is provided by the Service Provider, only a pre-determined set of application servers can be contacted by the IoT devices connected to the SP network. All other traffic will be blocked, unless explicitly permitted by the IoT customer using the Web Portal or the REST API interface exposed by the Service Provider towards the customer.

The IoT customer can define security policies in two possible ways:

- Defining a list of destination IP addresses or IP networks, destination ports, and destination protocols (UDP/TCP/other) which are permitted
- Defining a list of host names or domain names which are permitted

Functional components

In order to ensure the right policies are provisioned and implemented, the F5 IoT Firewall solution leverages two fundamental elements, both of which are needed to deliver the service:

- IoT Firewall data plane: The IoT Firewall data plane functions as the security policy enforcer, forwarding explicitly permitted traffic and blocking other traffic. Any traffic that is not explicitly permitted by a policy for the specific IoT customer will be dropped by the IoT Firewall data plane, as shown in Figure 2.
- IoT Firewall control plane: The control plane contains the security policies that will be applied to IoT devices when those devices are connected to the internet. These policies are defined on a per-customer basis. The control plane exposes an interface (typically XML, but any language can be used) which is accessed by the service portal. The service portal is typically developed and customized by the Service Provider.

The IoT Firewall control plane typically contains two types of information:

- A table listing IoT devices and the corresponding IoT customer. This table may contain a very large number of devices. These device-to-IoT-vendor mappings may take several forms, including:
  - A list of MSISDNs or IMSIs of devices
  - An IMSI range mapped to an IoT vendor
  - A device connected to a specific APN belonging to a specific IoT service
  - Any distinctive element of the device which can be used to identify that device when it connects to the network
- A table listing IoT customers' customized security policies, so that the IoT Firewall control plane can provision the correct policies to the data plane.

Table 1: Example of a table containing IoT customer policies

  IoT Customer 1 | Permit 192.168.5.0/24, Permit *.example.com
  IoT Customer 2 | Permit 10.100.0.0/23, Permit *.examplecar.com, www.carupgrade.com
  IoT Customer n | Permit *.lightbulbupgradecustom.com

Workflow

As described in the previous sections, the two elements (Control Plane and Data Plane/Enforcer) represent the key components of the solution. Working together, they provide the flexibility to allow customization on a per-customer level, while eliminating the need for customer-specific appliances, thereby reducing operational costs.

When a new IoT customer is acquired by a Service Provider, all policy and provisioning information, as well as the IoT device-to-customer mapping, is filed and stored in the Control Plane. This information may need to be updated over time as policies become more or less restrictive, as IoT devices are added to or removed from the network, or as a result of changes to the application.

A typical workflow might proceed as follows:

1. When a new IoT device connects to the network, the Edge Device where the connection is terminated (which can be a vPGW in the case of a traditional mobile network) sends out an accounting message. This message is intercepted by the IoT Firewall Control Plane, as shown in Figure 3. This message is typically a RADIUS message, but, theoretically, any protocol can be used.
2. The control plane extracts subscriber information from that message, including the IP address. Next, the control plane runs a lookup on the local information database to retrieve the IoT customer information and the corresponding policies.
3. The IoT Firewall control plane sends the security policy to the IoT Firewall data plane. IoT devices are then provisioned by the IoT Firewall Data Plane as appropriate. The IoT Firewall data plane now has all the information needed to apply the right policies to the IoT device according to the definitions provided by the IoT Firewall control plane.

[Figure 3: Typical workflow through the F5 IoT Firewall, including passage of information between the Control Plane and the Data Plane. Diagram labels: the IoT device connects via the Packet Core (IoT PGW) to the F5 IoT Firewall, with three numbered steps: (1) IoT device connected; (2) lookups "IoT device: IoT customer 1" and "IoT customer: IoT Policy List 1"; (3) IoT device info provisioned and IoT policy provisioned. Device entry: IoT device x, IP address 10.0.123.234, Reference Policy: Policy 1, Traffic statistics (exportable), Other info (if needed). Policy 1: Permit IP 192.0.2.4; Permit net 203.0.113.0/24; Permit domain example.com.]
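The positive security model and the accounting-driven workflow above, as an added toy model that is not F5's code: the accounting message is represented as a dict of RADIUS-style attribute names (Framed-IP-Address, Acct-Status-Type and the 3GPP-IMSI vendor attribute), the permit lists reuse the values from Table 1 and Figure 3, the IMSI range and device IPs are constructed, and domain permits assume the enforcer can see the destination host name (e.g. TLS SNI or HTTP Host), which the page does not specify.

```python
"""Toy model of the positive security model and accounting-driven workflow
described above. Constructed example, not F5 code."""
import ipaddress

# Per-customer permit lists (values taken from Table 1 and Figure 3).
# IP permit: ("ip", network, dst_port or None, proto or None); None = any.
# Domain permit: ("domain", pattern); "*.x" matches any subdomain of x.
CUSTOMER_POLICIES = {
    "customer1": [("ip", "192.168.5.0/24", None, None), ("domain", "*.example.com")],
    "customer2": [("ip", "203.0.113.0/24", 443, "tcp"), ("ip", "192.0.2.4", None, None),
                  ("domain", "example.com")],
}
# Device-to-customer table: exact IMSIs plus an IMSI range (constructed values).
DEVICE_TABLE = {"001010123456789": "customer1"}
IMSI_RANGES = [("001019000000000", "001019999999999", "customer2")]
SESSIONS = {}  # learned from accounting messages: device IP -> customer

def customer_for_imsi(imsi):
    """Resolve a device identifier to its IoT customer, or None if unknown."""
    if imsi in DEVICE_TABLE:
        return DEVICE_TABLE[imsi]
    for lo, hi, cust in IMSI_RANGES:
        if lo <= imsi <= hi:  # fixed-width digit strings: string order == numeric order
            return cust
    return None

def handle_accounting(msg):
    """Control plane: bind the device IP from an accounting message to its customer.
    Returns the customer, or None on session stop or for a device that is not onboarded."""
    ip = msg["Framed-IP-Address"]
    if msg["Acct-Status-Type"] == "Stop":
        SESSIONS.pop(ip, None)  # the IP may be reassigned: forget the binding
        return None
    cust = customer_for_imsi(msg["3GPP-IMSI"])
    if cust is not None:
        SESSIONS[ip] = cust  # this binding is what gets provisioned to the data plane
    return cust

def domain_matches(pattern, host):
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # suffix keeps the dot, so "evilexample.com" fails
    return host == pattern

def permitted(policy, flow):
    """Evaluate one flow against a customer's permit list; unmatched means deny."""
    dst = ipaddress.ip_address(flow["dst_ip"])
    for rule in policy:
        if rule[0] == "domain":
            if flow.get("host") and domain_matches(rule[1], flow["host"]):
                return True
        else:
            _, net, port, proto = rule
            if (dst in ipaddress.ip_network(net) and port in (None, flow["dst_port"])
                    and proto in (None, flow["proto"])):
                return True
    return False

def data_plane(flow):
    """Enforcer: 'permit' or 'drop' for a flow keyed by the device's source IP."""
    cust = SESSIONS.get(flow["src_ip"])
    if cust is None:
        return "drop"  # no provisioned device entry, so no policy applies
    return "permit" if permitted(CUSTOMER_POLICIES[cust], flow) else "drop"

if __name__ == "__main__":
    handle_accounting({"Acct-Status-Type": "Start", "3GPP-IMSI": "001010123456789",
                       "Framed-IP-Address": "10.0.123.234"})
    print(data_plane({"src_ip": "10.0.123.234", "dst_ip": "192.168.5.7",
                      "dst_port": 8883, "proto": "tcp"}))  # permit
```

A flow from an IP with no session binding is dropped even if its destination appears in some customer's list, which is what makes the model device-aware rather than a plain destination allow-list.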

Conclusions

The F5 IoT Firewall is a critical component in any IoT network. It provides integrated, network-based security and traffic management capabilities, in combination with IoT device awareness. The IoT Firewall creates the ideal platform to provision new IoT security services, enabling Service Providers to cost-effectively introduce sophisticated IoT solutions within the existing infrastructure.

The rise of the era of the Internet of Things creates many opportunities; in order to take advantage of these opportunities, Service Providers must address the security risks created by network-based, device-to-device communications. F5's IoT Firewall allows Service Providers to ensure the security and resilience of their network, allowing them to provide ongoing, high-quality service in the face of new threats. By moving beyond basic connectivity services, Service Providers are also able to reduce operational costs and identify new opportunities to monetize new services demanded by IoT customers.

Learn more about F5 solutions for Service Providers at f5.com/solutions/service-providers.

2019 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. DC0219 OV-SP-306118756