Upload
others
View
4
Download
0
Embed Size (px)
Citation preview
,
Faculty of computer science
Transparent Microsegmentation in Smart Home IoTNetworks
Amr Osman1 Armin Wasicek2 Stefan Köpsell1 Thorsten Strufe1
1Chair of Privacy and Data SecurityTU Dresden
�[email protected] Inc.
HotEdge’20
Introduction Problem Microsegmentation Evaluation Conclusion
Outline
1 Introduction
2 ProblemRequirementsExisting solutions
3 MicrosegmentationSystem designTransparent microsegmentation
4 Evaluation
5 Conclusion
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 1 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
1 Introduction
2 ProblemRequirementsExisting solutions
3 MicrosegmentationSystem designTransparent microsegmentation
4 Evaluation
5 Conclusion
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 2 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
Smart home IoT networks
[1]HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 3 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
1 Introduction
2 ProblemRequirementsExisting solutions
3 MicrosegmentationSystem designTransparent microsegmentation
4 Evaluation
5 Conclusion
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 4 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
Problem statement
Communication setting:
• Mixed wired + wireless connectivity
• TCP/IP Protocol suite
• Ethernet as a L2 protocol (802.11 MACaddresses)
Threat model:
• Internal attacker
• Active
• Laterally moving
• Seeks: Reconnaissance, Data ex�itration,Unauthorized access, DoS, .. etc)
Internet
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 5 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
Problem statement
Communication setting:
• Mixed wired + wireless connectivity
• TCP/IP Protocol suite
• Ethernet as a L2 protocol (802.11 MACaddresses)
Threat model:
• Internal attacker
• Active
• Laterally moving
• Seeks: Reconnaissance, Data ex�itration,Unauthorized access, DoS, .. etc)
Internet
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 5 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
1 Introduction
2 ProblemRequirementsExisting solutions
3 MicrosegmentationSystem designTransparent microsegmentation
4 Evaluation
5 Conclusion
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 6 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
Requirements
• Isolation: controlling communication between devices within each microsegment, between microsegments,and external endpoints in the cloud or internet.
• Scalability: sustaining a large number of microsegments, IoT devices and home networks.
• Edge-readiness: virtual network functions in the edge cloud must seamlessly augment the home network.
• Automatic segment allocation: newly connected devices should be automatically recognized, identi�edand appropriately put into a microsegment.
• Adaptability: dynamically changing the current set of microsegments con�guration at runtime as newdevices are added to the smart home.
• 0-conf: require no manual con�gurations for the residential gateway and the IoT end devices.
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 7 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
Requirements
• Isolation: controlling communication between devices within each microsegment, between microsegments,and external endpoints in the cloud or internet.
• Scalability: sustaining a large number of microsegments, IoT devices and home networks.
• Edge-readiness: virtual network functions in the edge cloud must seamlessly augment the home network.
• Automatic segment allocation: newly connected devices should be automatically recognized, identi�edand appropriately put into a microsegment.
• Adaptability: dynamically changing the current set of microsegments con�guration at runtime as newdevices are added to the smart home.
• 0-conf: require no manual con�gurations for the residential gateway and the IoT end devices.
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 7 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
Requirements
• Isolation: controlling communication between devices within each microsegment, between microsegments,and external endpoints in the cloud or internet.
• Scalability: sustaining a large number of microsegments, IoT devices and home networks.
• Edge-readiness: virtual network functions in the edge cloud must seamlessly augment the home network.
• Automatic segment allocation: newly connected devices should be automatically recognized, identi�edand appropriately put into a microsegment.
• Adaptability: dynamically changing the current set of microsegments con�guration at runtime as newdevices are added to the smart home.
• 0-conf: require no manual con�gurations for the residential gateway and the IoT end devices.
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 7 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
Requirements
• Isolation: controlling communication between devices within each microsegment, between microsegments,and external endpoints in the cloud or internet.
• Scalability: sustaining a large number of microsegments, IoT devices and home networks.
• Edge-readiness: virtual network functions in the edge cloud must seamlessly augment the home network.
• Automatic segment allocation: newly connected devices should be automatically recognized, identi�edand appropriately put into a microsegment.
• Adaptability: dynamically changing the current set of microsegments con�guration at runtime as newdevices are added to the smart home.
• 0-conf: require no manual con�gurations for the residential gateway and the IoT end devices.
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 7 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
Requirements
• Isolation: controlling communication between devices within each microsegment, between microsegments,and external endpoints in the cloud or internet.
• Scalability: sustaining a large number of microsegments, IoT devices and home networks.
• Edge-readiness: virtual network functions in the edge cloud must seamlessly augment the home network.
• Automatic segment allocation: newly connected devices should be automatically recognized, identi�edand appropriately put into a microsegment.
• Adaptability: dynamically changing the current set of microsegments con�guration at runtime as newdevices are added to the smart home.
• 0-conf: require no manual con�gurations for the residential gateway and the IoT end devices.
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 7 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
Requirements
• Isolation: controlling communication between devices within each microsegment, between microsegments,and external endpoints in the cloud or internet.
• Scalability: sustaining a large number of microsegments, IoT devices and home networks.
• Edge-readiness: virtual network functions in the edge cloud must seamlessly augment the home network.
• Automatic segment allocation: newly connected devices should be automatically recognized, identi�edand appropriately put into a microsegment.
• Adaptability: dynamically changing the current set of microsegments con�guration at runtime as newdevices are added to the smart home.
• 0-conf: require no manual con�gurations for the residential gateway and the IoT end devices.
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 7 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
Requirements
• Isolation: controlling communication between devices within each microsegment, between microsegments,and external endpoints in the cloud or internet.
• Scalability: sustaining a large number of microsegments, IoT devices and home networks.
• Edge-readiness: virtual network functions in the edge cloud must seamlessly augment the home network.
• Automatic segment allocation: newly connected devices should be automatically recognized, identi�edand appropriately put into a microsegment.
• Adaptability: dynamically changing the current set of microsegments con�guration at runtime as newdevices are added to the smart home.
• 0-conf: require no manual con�gurations for the residential gateway and the IoT end devices.
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 7 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
1 Introduction
2 ProblemRequirementsExisting solutions
3 MicrosegmentationSystem designTransparent microsegmentation
4 Evaluation
5 Conclusion
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 8 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
Existing solutionsCategories: Firewalls, VLANs, Overlays, Multiple APs, NAC-Servers, IP Subnets
Solution Isolation Scalability Edge-ready? Auto-alloc. Adaptability 0-conf
Firewall Can No No No Can No
VLAN Yes 4096 No No Can No
VxLAN Yes 224 No No Can No
Multi-AP Yes ~10 No No No No
RADIUS Can No No No Yes No
Subnetsv4 Can ~230 − 2 No No No No
MUD Can No No Yes Can No
Ours Yes 264 Yes Yes Yes Yes
Notes:• VLANs are not well-suited for WLANs• All existing solutions require complex manual con�guration on the residential gateway, prior knowledge
about the topology and are not transparent to the end user• Some of the existing solutions require complex con�gurations for the IoT end devices and the infrastructure
(e.g. RADIUS, Multi-AP, MUD)
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 9 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
Existing solutionsCategories: Firewalls, VLANs, Overlays, Multiple APs, NAC-Servers, IP Subnets
Solution Isolation Scalability Edge-ready? Auto-alloc. Adaptability 0-conf
Firewall Can No No No Can No
VLAN Yes 4096 No No Can No
VxLAN Yes 224 No No Can No
Multi-AP Yes ~10 No No No No
RADIUS Can No No No Yes No
Subnetsv4 Can ~230 − 2 No No No No
MUD Can No No Yes Can No
Ours Yes 264 Yes Yes Yes Yes
Notes:• VLANs are not well-suited for WLANs• All existing solutions require complex manual con�guration on the residential gateway, prior knowledge
about the topology and are not transparent to the end user• Some of the existing solutions require complex con�gurations for the IoT end devices and the infrastructure
(e.g. RADIUS, Multi-AP, MUD)
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 9 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
1 Introduction
2 ProblemRequirementsExisting solutions
3 MicrosegmentationSystem designTransparent microsegmentation
4 Evaluation
5 Conclusion
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 10 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
MicrosegmentationTwo edge cloud VNFs are implemented: Network Inventory & Microsegmenter
• Network Inventory: Automatically �ngerprints, scans and classi�es devices based on functionality andsecurity vulnerabilities
• Microsegmenter: Allocates devices to microsegments based on Network Inventory results
Strategy: Classify and isolate devices based on functionalities, i.e. Printers, Mobile Devices, Laptop/PCs, Cameras,... etc)
Network InventoryMicrosegmenter
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 11 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
1 Introduction
2 ProblemRequirementsExisting solutions
3 MicrosegmentationSystem designTransparent microsegmentation
4 Evaluation
5 Conclusion
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 12 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
System design
vIoT1
MQTT broker
IoT Analytics
IoT honeypot
REST/HTTPS
Microsegmenter
OFlow/SSL
Network InventoryInstance
L2/SecureVPN
REST/HTTPS
Network Inventory
Virtual Private Edge CloudSmart Home NetworkEdge Cloud
Control traffic
Internet
Microsegment
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 13 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
1 Introduction
2 ProblemRequirementsExisting solutions
3 MicrosegmentationSystem designTransparent microsegmentation
4 Evaluation
5 Conclusion
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 14 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
Transparent microsegmentation
SHG Micro-segmenter
Networkinventory
NetworkInventoryInstance
NewIoTDevice
connectnew device
HTTP 200 OKnew device
HTTP 200 OK
scan results
scan new device
updated net. inventory
assign device to segment
HTTP 200 OK
ACK
Automatic microsegment allocation
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 15 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
Transparent microsegmentation
vIoT1
MQTT broker
IoT Analytics
IoT honeypot
Microsegmenter
Network InventoryInstance
L2/SecureVPN
Network Inventory
Virtual Private Edge CloudSmart Home Network
Edge Cloud
Control traffic
Internet
Microsegment
Automatic microsegment allocation
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 16 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
Transparent microsegmentation
Internet
Network �ows isolation inter- and intra- segments
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 17 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
1 Introduction
2 ProblemRequirementsExisting solutions
3 MicrosegmentationSystem designTransparent microsegmentation
4 Evaluation
5 Conclusion
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 18 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
Evaluation
• Used 3 di�erent smart home network topologies with more than 28 di�erent IoT devices from di�erentvendors [1, 2, 3].
• Used well-known packet traces and IoT network vulnerability metrics from past literature.
• Measured: Scalability, E�ectiveness, Impact on functionality
• Case study: Mirai infected webcam (65.85% attack surface reduction)
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 19 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
Evaluation
• Used 3 di�erent smart home network topologies with more than 28 di�erent IoT devices from di�erentvendors [1, 2, 3].
• Used well-known packet traces and IoT network vulnerability metrics from past literature.
• Measured: Scalability, E�ectiveness, Impact on functionality
• Case study: Mirai infected webcam (65.85% attack surface reduction)
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 19 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
Evaluation
• Used 3 di�erent smart home network topologies with more than 28 di�erent IoT devices from di�erentvendors [1, 2, 3].
• Used well-known packet traces and IoT network vulnerability metrics from past literature.
• Measured: Scalability, E�ectiveness, Impact on functionality
• Case study: Mirai infected webcam (65.85% attack surface reduction)
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 19 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
Evaluation
• Used 3 di�erent smart home network topologies with more than 28 di�erent IoT devices from di�erentvendors [1, 2, 3].
• Used well-known packet traces and IoT network vulnerability metrics from past literature.
• Measured: Scalability, E�ectiveness, Impact on functionality
• Case study: Mirai infected webcam (65.85% attack surface reduction)
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 19 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
Evaluation
• Used 3 di�erent smart home network topologies with more than 28 di�erent IoT devices from di�erentvendors [1, 2, 3].
• Used well-known packet traces and IoT network vulnerability metrics from past literature.
• Measured: Scalability, E�ectiveness, Impact on functionality
• Case study: Mirai infected webcam (65.85% attack surface reduction)
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 19 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
Scalability
Number of... Count
Smart homes 264
Segments per home 264
Devices per segment 248 − 2OF rules required s[n(n+ 1)− 2] + 8
Where:
• s is the total number of segments
• n is the number of devices in a microsegment
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 20 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
E�ectiveness
Without segmentation
Segment HP Inkjet
Segment Ring
Segment Google Home
Full isolation0.70
0.80
0.90(a)
Exploitability score
Without segmentation
Chinese Webcam
Amazon Echo
Belkin WeMo Switch
Full isolation0.00
0.25
0.50(b)
Network exposure
19% and 43% reduction in exploitability score[2] and network exposure[3].
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 21 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
Case study: Mirai
Baseline
Belkin Camera
HP Envy Printer
Amazon Echo Full0.0
0.2
0.4
0.6
0.8
1.0
1.2Ratio of devices infected
65.85% attack surface reduction against an infected Belkin Camera
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 22 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
Transparency
From To
HP Envy Printer LaptopSamsung Smart Cam Belkin Motion SensorSamsung Smart Cam Samsung Galaxy TabBelkin Motion Sensor Samsung Smart Cam
Insteon Camera Samsung Galaxy TabSamsung Galaxy Tab Samsung Smart Cam
Only 2.16% of the network �ows were blocked due to functional microsegmentation
We also identi�ed some �ows in dataset that are likely malicious:
• HP Envy Printer→ Laptop
• Insteon Camera→ Samsung Galaxy Tab
• Belkin Motion Sensor↔ Samsung Smart Cam (?)
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 23 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
1 Introduction
2 ProblemRequirementsExisting solutions
3 MicrosegmentationSystem designTransparent microsegmentation
4 Evaluation
5 Conclusion
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 24 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
Conclusion
• Introduced a novel edge cloud architecture to secure smarthome IoT networks against an internaladversary via microsegmentation.
• Implemented one transparent microsegmentation strategy according to functional groups.
• Evaluated our approach on 3 di�erent topologies using di�erent network exploitability metrics.
• In the best case, we acheived a 65.85% attack surface reduction against a Mirai-infected webcamat the cost of blocking 2.16% of the otherwise-accepted �ows in the network.
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 25 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
Conclusion
• Introduced a novel edge cloud architecture to secure smarthome IoT networks against an internaladversary via microsegmentation.
• Implemented one transparent microsegmentation strategy according to functional groups.
• Evaluated our approach on 3 di�erent topologies using di�erent network exploitability metrics.
• In the best case, we acheived a 65.85% attack surface reduction against a Mirai-infected webcamat the cost of blocking 2.16% of the otherwise-accepted �ows in the network.
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 25 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
Conclusion
• Introduced a novel edge cloud architecture to secure smarthome IoT networks against an internaladversary via microsegmentation.
• Implemented one transparent microsegmentation strategy according to functional groups.
• Evaluated our approach on 3 di�erent topologies using di�erent network exploitability metrics.
• In the best case, we acheived a 65.85% attack surface reduction against a Mirai-infected webcamat the cost of blocking 2.16% of the otherwise-accepted �ows in the network.
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 25 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
Conclusion
• Introduced a novel edge cloud architecture to secure smarthome IoT networks against an internaladversary via microsegmentation.
• Implemented one transparent microsegmentation strategy according to functional groups.
• Evaluated our approach on 3 di�erent topologies using di�erent network exploitability metrics.
• In the best case, we acheived a 65.85% attack surface reduction against a Mirai-infected webcamat the cost of blocking 2.16% of the otherwise-accepted �ows in the network.
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 25 of 27
Introduction Problem Microsegmentation Evaluation Conclusion
Conclusion
• Introduced a novel edge cloud architecture to secure smarthome IoT networks against an internaladversary via microsegmentation.
• Implemented one transparent microsegmentation strategy according to functional groups.
• Evaluated our approach on 3 di�erent topologies using di�erent network exploitability metrics.
• In the best case, we acheived a 65.85% attack surface reduction against a Mirai-infected webcamat the cost of blocking 2.16% of the otherwise-accepted �ows in the network.
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 25 of 27
References
References I
A. Sivanathan, H. H. Gharakheili, F. Loi, A. Radford, C. Wijenayake, A. Vishwanath, and V. Sivaraman, “Classifying IoT devices in smart
environments using network tra�c characteristics,” IEEE Trans. Mobile Comput., vol. 18, no. 8, 2019.
J. Payne, K. Budhraja, and A. Kundu, “How secure is your IoT network?” in IEEE ICIOT, jul 2019.
O. Alrawi, C. Lever, M. Antonakakis, and F. Monrose, “SoK: Security evaluation of home-based IoT deployments,” in IEEE S&P, 2019.
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 26 of 27
. . . . . . . . . . . . . . . . Thanks! . . . . . . . . . . . . . . . .
HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 27 of 27