National Cybersecurity Center of Excellence Mitigating IoT-Based - - PowerPoint PPT Presentation
National Cybersecurity Center of Excellence
Mitigating IoT-Based DDoS
Build 1 Demonstration Presentation
April 10, 2019
2 nccoe.nist.gov National Cybersecurity Center of Excellence
Challenge
- There will be 20.4 billion connected IoT devices by 2020 (per Gartner)
- As IoT devices become more common in homes and businesses, security concerns are also increasing
- IoT devices represent one of the largest attack surfaces
  - Some have minimal security, are unprotected or are difficult to secure
- DDoS attacks increased by 28% in 2017 (per Akamai)
- Recently IoT devices have been exploited to launch DDoS attacks (e.g. Mirai)
Typical Home/Small Business Network (Without MUD)
[Diagram: Home/Small Business, Internet, Attacker, Manufacturer Server]
Typical Home/Small Business Network (With MUD)
[Diagram: Home/Small Business, Internet, Attacker, Manufacturer Server]
Architecture Overview
Logical Architecture
[Diagram: logical architecture]
Components: Devices, Router or Switch, Home or Small Business Network, FreeRadius, MUD Manager, MUD File Server, Update Server
Flows (One Device):
- (1) MUD URL in DHCP transaction
- (2a) MUD URL
- (2b) MUD URL
- (3a) HTTPS get URL (MUD file)
- (3b) MUD file
- (4a) HTTPS get URL (Signature file)
- (4b) Signature file
- (5a) Device traffic filters
- (5b) Device traffic filters
- (6) IP Address
- Update Protocol
Demonstration
Step 1: Connect Device
[Diagram: Devices, Router or Switch, Home or Small Business Network; flow (1) MUD URL in DHCP transaction]
- 1. No session on interface (Router or Switch)
- 2. Connect MUD-enabled IoT Device (Devices)
- 3. Interface state changed to up (Router or Switch)
Step 2a/2b: Send MUD URL to MUD Manager
[Diagram: MUD Manager, FreeRadius, Devices, Router or Switch, Home or Small Business Network; flows (1) MUD URL in DHCP transaction, (2a) MUD URL, (2b) MUD URL]
- 1. FreeRadius service receives and passes MUD URL (FreeRadius)
Step 2b: Send MUD URL to MUD Manager
- 2. MUD Manager receives MUD-enabled IoT Device information from FreeRadius Service (MUD Manager)
Step 3/4: Get MUD and Signature File
[Diagram: logical architecture with MUD File Server; flows (1), (2a), (2b), (3a) HTTPS get URL (MUD file), (3b) MUD file, (4a) HTTPS get URL (Signature file), (4b) Signature file]
Step 3/4: Send MUD URL to MUD Manager
- 1. MUD Manager receives message (MUD Manager)
- 2. Get MUD and Signature file (MUD Manager)
- 3. Verify MUD file (MUD Manager)
Step 5a: Send Device Traffic Filters
[Diagram: logical architecture; flows (1) through (4b) plus (5a) Device traffic filters]
- 1. MUD File parsed and translated to ACL (rules) (MUD Manager)
- 2. MUD Manager sends ACL (MUD Manager)
- 3. FreeRadius receives ACL from MUD Manager (FreeRadius)
Step 5b: Send Device Traffic Filters
[Diagram: logical architecture; flows (1) through (5a) plus (5b) Device traffic filters]
- 1. FreeRadius sends ACL to switch (FreeRadius)
- 2. ACL received and configurations applied (Router or Switch)
Step 6: IP Address Assigned
[Diagram: logical architecture; flows (1) through (5b) plus (6) IP Address]
- 1. IoT Device receives IP address (Devices)
Step 6: IP address assigned
- 1. Show access-session (Router or Switch)
- 2. Show access-lists (Router or Switch)
Step 7: Test communication
[Diagram: logical architecture; flows (1) through (6) plus Update Server and Update Protocol]
- 1. Test browsing to “Update Server” (Devices)
- 2. Test browsing to unapproved server (Devices)
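
The translation in Step 5a and the allow/deny test in Step 7, as an added Python example that is not part of the original presentation or the NCCoE build. The MUD file follows the RFC 8520 JSON layout, trimmed to the fields read here; its ACL names, hostnames, addresses and the `RESOLVED` DNS table are constructed, and `mud_to_rules` and `allowed` are hypothetical helper names.

```python
import ipaddress
import json

# Constructed MUD file in the RFC 8520 layout; every name and host is a placeholder.
MUD_JSON = """
{"ietf-mud:mud": {
   "mud-url": "https://mudfiles.example.com/sensor.json",
   "from-device-policy": {"access-lists": {"access-list": [{"name": "from-dev-v4"}]}}},
 "ietf-access-control-list:acls": {"acl": [{
   "name": "from-dev-v4", "type": "ipv4-acl-type",
   "aces": {"ace": [{
     "name": "update-https", "actions": {"forwarding": "accept"},
     "matches": {
       "ipv4": {"ietf-acldns:dst-dnsname": "update.example.com", "protocol": 6},
       "tcp": {"destination-port": {"operator": "eq", "port": 443}}}}]}}]}}
"""
# Constructed DNS answers standing in for the MUD manager's resolver (assumption).
RESOLVED = {"update.example.com": ["192.0.2.10"]}

def mud_to_rules(mud_text, resolved):
    """Translate a MUD file's from-device ACLs into ordered rules ending in deny-all."""
    doc = json.loads(mud_text)
    policy = doc["ietf-mud:mud"]["from-device-policy"]["access-lists"]["access-list"]
    wanted = {entry["name"] for entry in policy}
    rules = []
    for acl in doc["ietf-access-control-list:acls"]["acl"]:
        if acl["name"] not in wanted:
            continue  # ACL is not referenced by the device policy
        for ace in acl["aces"]["ace"]:
            m = ace["matches"]
            l4 = m.get("tcp") or m.get("udp") or {}
            port = l4.get("destination-port", {}).get("port")
            permit = ace["actions"]["forwarding"] == "accept"
            host = m["ipv4"].get("ietf-acldns:dst-dnsname")
            # A name that does not resolve yields no rule, so its traffic stays denied.
            for ip in resolved.get(host, []):
                rules.append((permit, m["ipv4"].get("protocol"), ip, port))
    rules.append((False, None, None, None))  # implicit deny for everything else
    return rules

def allowed(rules, proto, dst_ip, dst_port):
    """First-match evaluation, the way a switch applies a per-device ACL."""
    dst = ipaddress.ip_address(dst_ip)
    for permit, r_proto, r_ip, r_port in rules:
        if r_proto not in (None, proto) or r_port not in (None, dst_port):
            continue
        if r_ip is None or ipaddress.ip_address(r_ip) == dst:
            return permit
    return False
```

With these constructed values, TCP/443 to 192.0.2.10 (the update server) is permitted and the same request to any other address falls through to the final deny rule.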
Next Steps
[Diagram: logical architecture with Threat Signaling and Threat Signaling Server (w/ Intel Provided data) added]