secure home gateway project
play

SECURE HOME GATEWAY PROJECT ICANN63 BARCELONA OCTOBER 22, 2018 - PowerPoint PPT Presentation

Feb 21, 2024 •446 likes •696 views

SECURE HOME GATEWAY PROJECT ICANN63 BARCELONA OCTOBER 22, 2018 Jacques Latour, CTO, CIRA Labs Canadian Internet Registration Authority Jacques.Latour [@] cira.ca Today's home network and IoT products and solutions lack secure testing and

  1. SECURE HOME GATEWAY PROJECT ICANN63 BARCELONA OCTOBER 22, 2018 Jacques Latour, CTO, CIRA Labs Canadian Internet Registration Authority Jacques.Latour [@] cira.ca

  2. Today's home network and IoT products and solutions lack secure testing and design. Home network require active monitoring to mitigate the risks of attack. home network = home and small business network 2 ICANN63 Barcelona 2018-10-22

  3. The home network of the future must be safe, private, secure and most of all easy to use. The IETF HOMENET WG is making progress at making it easy to use 3 ICANN63 Barcelona 2018-10-22

  4. The Home network must be reachable from the internet seamlessly and securely IPv6 makes connectivity to the home seamless and visible We must make it secure 4 ICANN63 Barcelona 2018-10-22

  5. The home network grows to include personal and wearable IoT , inside and outside the home… 5 ICANN63 Barcelona 2018-10-22

  6. Your home network security both internal and external must be protected by using a simple and user friendly model. Typing passwords is a thing of the past. 6 ICANN63 Barcelona 2018-10-22

  7. How did we get here? Our assessment of the home network and IoT • security posture post MIRAI attack clearly identified a need for additional home security measures to protect the internet from compromised IoT devices and a very strong need for an enhanced open source home security framework. Our work so far has identified a significant gaps in • open source projects to implement an enhanced home security framework We embarked on a journey to identify these gaps • and start development of many open source projects to better the internet  7 ICANN63 Barcelona 2018-10-22

  8. Secure Home Gateway (SHG) Primary Project Goal The primary goal of this project is to develop a secure • home gateway that; – protects the internet from IoT devices attacks and – protects home IoT devices from the internet attacks x x 8 ICANN63 Barcelona 2018-10-22

  9. Scope of Work and Goals We are developing an advanced security framework for • small network (home and small business) gateways based on integrating existing and emerging technologies & standards Goals: • – Develop a functional SHG prototype – Develop a simple management interface to provision complex network – Identify new standards requirements and updates – To enhance small network privacy & security with ‘intent based’ network access controls – To have open source running code & standards – Develop a framework to provision SHG domain names 9 ICANN63 Barcelona 2018-10-22

  10. Why are we working on this? -> Risk mitigation For many internet organizations like CIRA the #1 risk • on the risk register is a large scale (Dyn like) DDoS attack. One of the mitigation mechanisms for this risk is to • prevent ‘ weaponization ’ of IoT devices Tightly controlling access ‘to’ and ‘from’ IoT devices • inside the home or small office network is key to preventing ‘ weaponization ’ and causing harm on the internet. The threat that IoT devices bring is the scale of • attacks . The uncontrolled access of million/billions of IoT devices to and from the internet is the threat we need to mitigate. 10 ICANN63 Barcelona 2018-10-22

  11. Overview of the IoT threat landscape -> Scale and capacity IoT device compromises: • – Used in internet attacks i.e. MIRAI/DYN Attack (DDoS) targeting DNS servers (~1.2 Tbs) IoT traffic generation, reflection and amplification • – IoT device used various attacks (DDoS) NTP, DNS, SNMP and new vectors. – IoT device have the capacity to generate large traffic load – Home and small office network now starting to have gigabit internet access speed, significantly impacting the capacity to create powerful attacks 11 ICANN63 Barcelona 2018-10-22

  12. How can we protect IoT devices? -> Common sense “Don’t even think of connecting an IoT device directly • on the internet” Always place IoT device behind a gateway / firewall • Don’t allow remote access to an IoT device • x x IoT Cloud x Services 12 ICANN63 Barcelona 2018-10-22

  13. How can we protect IoT devices? -> Best practice & new standards Rule #1: Identify IoT devices on your home network • Rule #2: Place a policy around the IoT device that restricts • it to a specific function (default is no access) Rule #3: Monitor for behavioural changes in the device and • quarantine at the first sign of change. Home Security PDAP Appliances PDAP IoT Cloud Services Sensors PDAP Management PDAP: Per Device Access Policy Application 13 ICANN63 Barcelona 2018-10-22

  14. How do we provision new IoT devices? -> Application of emerging standards The IETF is working on a Manufacturer Usage • Description (MUD) specification to help with IoT device provisioning and automated network access control configuration. – https://datatracker.ietf.org/doc/draft-ietf-opsawg-mud I’m an ACME water sensor - MUD File at: https://acme.corp/mud/ws1.0.json MUD FILE: - I have WIFI & apply the water sensor access policy - I need to upgrade my firmware at https://acme.corp - Configure me at https://myip/setup - Alerts available at https://myip/alerts 14 ICANN63 Barcelona 2018-10-22

  15. Manufacturer Usage Description (MUD) -> A unique device identifier (label) The MUD file content would be available on the • vendor’s web site (model type and firmware version) – https://acme.corp/mud/water-sensor-1.0.json The MUD file URL would be available on the IoT • device as a QR code or as a network parameter It would be nice if the IoT device could advertise • it’s current firmware version and/or current MUD file URL via WIFI or network connection (DPP, DHCP, LLDP…) on order to setup correct security profile 15 ICANN63 Barcelona 2018-10-22

  16. High Level MUD & IoT Device Provisioning Workflow SHG ACME.CORP (1) CIRA SHG MUD MUD Repository MUD Supervisor Repository (2) (3) (2) SHG Send to Get vendor User accepts CIRA MUD file provisioning App instructions MUD Controller (IP Tables) (4) (4) (1) IoT device added to network with (1) specific network access controls Scan MUD Network Access control: QR code & Allow access to ACME.CORP send to MUD Allow to send alerts internally controller MUD QR Code Allow to be configured by app Deny all other internet access ACME.CORP IoT Water Sensor 16 ICANN63 Barcelona 2018-10-22

  17. DEMO https://www.youtube.com/watch?v=LauvEBa4Z4s&feature=youtu.be You guess it! That’s why we need a simple provisioning interface this stuff is complex! 17 ICANN63 Barcelona 2018-10-22

  18. Removing End User Complexity -> Simple user interface The previous slides have outlined the high level • workflow. The actual workflow and automation can be very complex. One key goal of this project is to present the users with • very simple choices to provision and administer a potential complex network. Ideally, the user can only swipe up, down, left and right. • 18 ICANN63 Barcelona 2018-10-22

  19. Quarantine of compromised devices -> Behavioural analysis The policy part of the MUD profile is created to • provide an additional level of protection for the network. This ensures the device will function only as intended and once behavioural changes are noted then the device is logically segregated from the network (quarantine) x Appliances Management The refrigerator is quarantined - Bad lettuce  Application 19 ICANN63 Barcelona 2018-10-22

  20. Secure Remote Access -> Trusted authentication & accessible Removing the complication surrounding enabling • trusted secure remote access to home network is a key goal of this project (not for the initial prototype) Need an internet resolvable domain name for the • SHG to remotely connect. i.e. “myhome.ca” Mobile myhome.ca The prototype will use securehomegateway.ca 3 rd level domains 20 ICANN63 Barcelona 2018-10-22

  21. Simple user interface is key to this project: Swipe UP, DOWN, LEFT and RIGHT Gateway provisioning, device discovery, device provisioning • must be as simple as possible, intuitive for non experienced users, available as framework for default open source app. 21 ICANN63 Barcelona 2018-10-22

  22. We are building a Prototype -> Based on Omnia Turris Gateway Develop a Proof of Concept and prototype • – Using .CZ Omnia Home Gateway & openWRT – IoT device provisioning based on MUD – Home Gateway App (Android/iPhone) – Develop some IoT discoverable devices and MUD profiles Use public GitHub to document the functional • specification and repo for prototype software – Functional specification (Work in progress) – Open source software repository https://github.com/CIRALabs/Secure-IoT-Home-Gateway – 22 ICANN63 Barcelona 2018-10-22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

for STB and Home Gateway How could STB and Home Gateway manufacturers add value to their products

for STB and Home Gateway How could STB and Home Gateway manufacturers add value to their products

Media Network Solutions for STB and Home Gateway How could STB and Home Gateway manufacturers add value to their products and services? Companies aspire to provide services that meet their client`s needs. They try to offer a smart solution to

331 views • 17 slides
Project Things A secure gateway to connect your things to Internet February 2, 2019

Project Things A secure gateway to connect your things to Internet February 2, 2019

Project Things A secure gateway to connect your things to Internet February 2, 2019 <https://fosdem.org/2019/schedule/event/project_things> Speakers Dipesh Monga @ Mozilla Techspeakers Philippe Coval @ Samsung OpenSource 2 The hidden

558 views • 28 slides
A true game-changer of smart home market! Explore the most advanced gateway Home Center 3 is the

A true game-changer of smart home market! Explore the most advanced gateway Home Center 3 is the

A true game-changer of smart home market! Explore the most advanced gateway Home Center 3 is the worlds most advanced smart home gateway enabling intuitive home management. It is a result of our 10 years of experience and numerous comments

190 views • 17 slides
The Southern Gateway The Southern Gateway Metropolitan Memphis A vital gateway for moving

The Southern Gateway The Southern Gateway Metropolitan Memphis A vital gateway for moving

The Southern Gateway The Southern Gateway Metropolitan Memphis A vital gateway for moving people and freight Home to critical transportation infrastructure Railroads, Airport, Inland Port, Interstates Four Mississippi River Bridge

405 views • 19 slides
Campus Gateway Project Spring 2017 Planning Studio May 10th, 2017 Identified Potential Gateway

Campus Gateway Project Spring 2017 Planning Studio May 10th, 2017 Identified Potential Gateway

Campus Gateway Project Spring 2017 Planning Studio May 10th, 2017 Identified Potential Gateway Sites Impact Threshold Likelihood of remaining a gateway VCU Campus IDENTITY Gateway Project Implement gateway elements that expand the

725 views • 44 slides
The Residential Gateway Agenda What is a Residential gateway (RG)? Phased deployment of

The Residential Gateway Agenda What is a Residential gateway (RG)? Phased deployment of

The Residential Gateway Agenda What is a Residential gateway (RG)? Phased deployment of RGs Types of RGs and their evolution Middleware Summary Home Networking - Four Aspects Distribution of information (audio, video, data)

549 views • 52 slides
Home Gateway Initiative Vision A Service Providers perspective Roger Clark BT Group CTO

Home Gateway Initiative Vision A Service Providers perspective Roger Clark BT Group CTO

Home Gateway Initiative Vision A Service Providers perspective Roger Clark BT Group CTO January 2006 Drivers for home networking WiFi enablement of the home More than one PC in use Music and Video going on line Future two way

162 views • 15 slides
LinuxCon Tokyo, Japan 2016 Secure IoT Gateway Jim Gallagher Senior Technical Marketing Lead,

LinuxCon Tokyo, Japan 2016 Secure IoT Gateway Jim Gallagher Senior Technical Marketing Lead,

LinuxCon Tokyo, Japan 2016 Secure IoT Gateway Jim Gallagher Senior Technical Marketing Lead, MontaVista Software Setting the Stage This presentation will Applications focus on developing Secure Gateways (Edge Computing &

520 views • 23 slides
Secure Gateway 3.0 for Presentation Server Troubleshooters Guide Author Jay Tomlin Department

Secure Gateway 3.0 for Presentation Server Troubleshooters Guide Author Jay Tomlin Department

Secure Gateway 3.0 for Presentation Server Troubleshooters Guide Author Jay Tomlin Department Technical Support Revision 2.0 Distribution Public Table of Contents About this document

1.11k views • 34 slides
Secure Border Gateway Protocol (S-BGP): Real World Performance & Deployment Issues Stephen

Secure Border Gateway Protocol (S-BGP): Real World Performance & Deployment Issues Stephen

Secure Border Gateway Protocol (S-BGP): Real World Performance & Deployment Issues Stephen Kent, Charles Lynn, Joanne Mikkelson, and Karen Seo BBN Technologies A Part of Outline BGP Model BGP security concerns & requirements

528 views • 20 slides
Being Visible on ICN Gateway 4 February 2020 Agenda Today 1. Learn about ICN Gateway the

Being Visible on ICN Gateway 4 February 2020 Agenda Today 1. Learn about ICN Gateway the

Being Visible on ICN Gateway 4 February 2020 Agenda Today 1. Learn about ICN Gateway the portal for Inland Rail expressions of interest (EOI) and a wide range of other project opportunities in NSW 2. Understand the EOI process and how to

461 views • 28 slides
Gateway A SHORT INTRODUCTION A brief overview on the Dog gateway, starting from the design

Gateway A SHORT INTRODUCTION A brief overview on the Dog gateway, starting from the design

T he Dog Gateway A SHORT INTRODUCTION A brief overview on the Dog gateway, starting from the design principles and going deep into the gateway architecture and modules, with some application sample http://dog-gateway.github.io/ WIRELESS

576 views • 30 slides
The Reliable Bridge Q-Gate is a cost-efgective and very powerful Ethernet gateway which provides a

The Reliable Bridge Q-Gate is a cost-efgective and very powerful Ethernet gateway which provides a

The Reliable Bridge Q-Gate is a cost-efgective and very powerful Ethernet gateway which provides a fast and reliable connection between your home/offjce and your mobile phone, tablet or computer . 3 How It Works Q-Plug HOME MANAGER Your Device

381 views • 8 slides
API Gateway API Gateway Gateway ESB At present tooling for API

API Gateway API Gateway Gateway ESB At present tooling for API

API Gateway API Gateway Gateway ESB At present tooling for API gateways is achingly immature and so while defining applications with API gateways is possible its most definitely not for the

416 views • 22 slides
R T L INVESTING IN THE GATEWAY TO THE CONSUMER I N D E X WHY RTL INDEX? GATEWAY TO THE

R T L INVESTING IN THE GATEWAY TO THE CONSUMER I N D E X WHY RTL INDEX? GATEWAY TO THE

R T L INVESTING IN THE GATEWAY TO THE CONSUMER I N D E X WHY RTL INDEX? GATEWAY TO THE CONSUMER The storefront is the gateway to the consumer with commercial real estate serving as an ideal medium for connecting with established shoppers and

447 views • 18 slides
Challenges in Access Right Assignment for Secure Home Networks

Challenges in Access Right Assignment for Secure Home Networks

Challenges in Access Right Assignment for Secure Home Networks Tiffany Hyun-Jin Kim, Lujo Bauer, James Newsome, Adrian Perrig (CMU) Jesse Walker

484 views • 17 slides
The Future of the In-Car Experience Abdelrahman Mahmoud Product Manager Ashutosh Sanan

The Future of the In-Car Experience Abdelrahman Mahmoud Product Manager Ashutosh Sanan

The Future of the In-Car Experience Abdelrahman Mahmoud Product Manager Ashutosh Sanan Computer Vision Scientist @affectiva Affectiva Emotion AI Emotion recognition from face and voice powers several industries Social Robots Mood

292 views • 25 slides
PREVENTION OF LOW BACK PAIN : Back Education for Workplace and Home PRESENTED AT BODIJA-ASHI

PREVENTION OF LOW BACK PAIN : Back Education for Workplace and Home PRESENTED AT BODIJA-ASHI

PREVENTION OF LOW BACK PAIN : Back Education for Workplace and Home PRESENTED AT BODIJA-ASHI BAPTIST CHURCH, IBADAN MARCH 10, 2013 Ibidunni Alonge Olumide Dada WHY LOW BACK PAIN? 2 Knee Back Neck WHAT IS LOW BACK PAIN? 3 Low back

1.56k views • 61 slides
ACTIVE Studio ABOUT US The Active Studio, located at the center of our resort, was a need due to

ACTIVE Studio ABOUT US The Active Studio, located at the center of our resort, was a need due to

ACTIVE Studio ABOUT US The Active Studio, located at the center of our resort, was a need due to the growing demand and continuous success of our fitness activities. This way, a wide range of activities will be available to our guests, meeting

188 views • 18 slides
NIST Special Publication 800-137 Information Security Continuous Monitoring for Federal

NIST Special Publication 800-137 Information Security Continuous Monitoring for Federal

NIST Special Publication 800-137 Information Security Continuous Monitoring for Federal Information Systems and Organizations FISSEA 27 th Annual Conference Partners in Performance: Shaping the Future of Cybersecurity Awareness, Education, and

353 views • 31 slides
IIS - PROJECT 3 Group 8 Qian Sun Louis Janse van Rensburg Abdulghani Zubeir Previous

IIS - PROJECT 3 Group 8 Qian Sun Louis Janse van Rensburg Abdulghani Zubeir Previous

IIS - PROJECT 3 Group 8 Qian Sun Louis Janse van Rensburg Abdulghani Zubeir Previous Literature Virtual vs Physical Embodiment Costa et al. (2016) found Users are more attentive to physically embodied emotional storytelling (Robot with

438 views • 21 slides
Bienvenue Welcome Sandy Poir, CFA Responsable Services aux candidats CFA Montral Sameer

Bienvenue Welcome Sandy Poir, CFA Responsable Services aux candidats CFA Montral Sameer

Bienvenue Welcome Sandy Poir, CFA Responsable Services aux candidats CFA Montral Sameer Somal, CFA Chief Financial Officer Blue Ocean Global Technology Bobby Henebry, CFA Founder and CEO Henebry Blockchain & Cryptocurrency

1.19k views • 62 slides
The leader The leader in Active in Active Sit Sitting ting Kore Wobble Chairs KORE is

The leader The leader in Active in Active Sit Sitting ting Kore Wobble Chairs KORE is

The leader The leader in Active in Active Sit Sitting ting Kore Wobble Chairs KORE is the leading innovator in ACTIVE SITTING which enables and increases SECONDARY FOCUS. Improve attention and promote better thinking and learning!

339 views • 10 slides
Advanced Presentation Skills One Day Workshop Why Attend? Having attended the two-day

Advanced Presentation Skills One Day Workshop Why Attend? Having attended the two-day

Advanced Presentation Skills One Day Workshop Why Attend? Having attended the two-day Presentation Skills workshop, this day will take your skills to another level. It is an opportunity for you to refresh and consolidate your learning as well

461 views • 17 slides

More recommend