Transparent Microsegmentation in Smart Home IoT Networks (PowerPoint PPT presentation)


SLIDE 1

Faculty of Computer Science

Transparent Microsegmentation in Smart Home IoT Networks

Amr Osman (1), Armin Wasicek (2), Stefan Köpsell (1), Thorsten Strufe (1)

(1) Chair of Privacy and Data Security, TU Dresden, firstname.lastname@tu-dresden.de

(2) Avast Inc.

HotEdge’20

SLIDE 2

Introduction Problem Microsegmentation Evaluation Conclusion

Outline

1 Introduction
2 Problem
    Requirements
    Existing solutions
3 Microsegmentation
    System design
    Transparent microsegmentation
4 Evaluation
5 Conclusion

HotEdge’20 Transparent Microsegmentation in Smart Home IoT Networks slide 1 of 27


SLIDE 4

Smart home IoT networks

(Figure: an example smart home IoT network, from [1])



SLIDE 6

Problem statement

Communication setting:

  • Mixed wired + wireless connectivity
  • TCP/IP protocol suite
  • Ethernet as the L2 protocol (802.11 MAC addresses)

Threat model:

  • Internal attacker
  • Active
  • Laterally moving
  • Seeks: reconnaissance, data exfiltration, unauthorized access, DoS, etc.

(Figure: smart home network with a gateway to the Internet)


SLIDE 9

Requirements

  • Isolation: controlling communication between devices within each microsegment, between microsegments, and with external endpoints in the cloud or internet.
  • Scalability: sustaining a large number of microsegments, IoT devices and home networks.
  • Edge-readiness: virtual network functions in the edge cloud must seamlessly augment the home network.
  • Automatic segment allocation: newly connected devices should be automatically recognized, identified and put into the appropriate microsegment.
  • Adaptability: dynamically changing the current microsegment configuration at runtime as new devices are added to the smart home.
  • 0-conf: require no manual configuration of the residential gateway or the IoT end devices.


SLIDE 17

Existing solutions

Categories: Firewalls, VLANs, Overlays, Multiple APs, NAC servers, IP subnets

Solution     Isolation  Scalability  Edge-ready?  Auto-alloc.  Adaptability  0-conf
Firewall     Can        No           No           No           Can           No
VLAN         Yes        4096         No           No           Can           No
VxLAN        Yes        2^24         No           No           Can           No
Multi-AP     Yes        ~10          No           No           No            No
RADIUS       Can        No           No           No           Yes           No
Subnets v4   Can        ~2^30 − 2    No           No           No            No
MUD          Can        No           No           Yes          Can           No
Ours         Yes        2^64         Yes          Yes          Yes           Yes

Notes:

  • VLANs are not well suited for WLANs
  • All existing solutions require complex manual configuration on the residential gateway and prior knowledge about the topology, and are not transparent to the end user
  • Some of the existing solutions also require complex configuration of the IoT end devices and the infrastructure (e.g. RADIUS, Multi-AP, MUD)


SLIDE 20

Microsegmentation

Two edge cloud VNFs are implemented: Network Inventory and Microsegmenter

  • Network Inventory: automatically fingerprints, scans and classifies devices based on functionality and security vulnerabilities
  • Microsegmenter: allocates devices to microsegments based on the Network Inventory results

Strategy: classify and isolate devices based on functionality, i.e. printers, mobile devices, laptops/PCs, cameras, etc.

(Figure: the Network Inventory and Microsegmenter components)


SLIDE 22

System design

(Figure: system design. The Smart Home Network holds the microsegments and a virtual IoT device vIoT1, and is connected to the Edge Cloud over an L2/Secure VPN and to the Internet. The Virtual Private Edge Cloud hosts the Network Inventory Instance, an MQTT broker, IoT Analytics and an IoT honeypot; the Edge Cloud hosts the Network Inventory and the Microsegmenter. Control traffic runs over REST/HTTPS to the Network Inventory and the Microsegmenter and over OpenFlow/SSL from the Microsegmenter.)


SLIDE 24

Transparent microsegmentation

Automatic microsegment allocation (sequence diagram; participants: SHG, Microsegmenter, Network Inventory, Network Inventory Instance, New IoT Device):

  1. New IoT Device → SHG: connect
  2. SHG → Microsegmenter: new device (HTTP 200 OK)
  3. Microsegmenter → Network Inventory: new device (HTTP 200 OK)
  4. Network Inventory → Network Inventory Instance: scan new device; Network Inventory Instance → Network Inventory: scan results
  5. Network Inventory → Microsegmenter: updated net. inventory
  6. Microsegmenter → SHG: assign device to segment (HTTP 200 OK, ACK)

SLIDE 25

Transparent microsegmentation

(Figure: the system design diagram of slide 22, showing the automatic microsegment allocation across the Smart Home Network, the L2/Secure VPN and the edge cloud components)

Automatic microsegment allocation

SLIDE 26

Transparent microsegmentation

(Figure: network flow isolation between and within microsegments, with the Internet as the external endpoint)

Network flow isolation, inter- and intra-segment


SLIDE 28

Evaluation

  • Used 3 different smart home network topologies with more than 28 different IoT devices from different vendors [1, 2, 3].
  • Used well-known packet traces and IoT network vulnerability metrics from past literature.
  • Measured: scalability, effectiveness, impact on functionality
  • Case study: Mirai-infected webcam (65.85% attack surface reduction)


SLIDE 33

Scalability

Number of ...          Count
Smart homes            2^64
Segments per home      2^64
Devices per segment    2^48 − 2
OF rules required      s[n(n + 1) − 2] + 8

Where:

  • s is the total number of segments
  • n is the number of devices in a microsegment
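The allocation exchange of slide 24 and the rule-count formula above, worked through as an added example that is not the authors' code: a hypothetical Network Inventory fingerprint (classify) and a hypothetical Microsegmenter (one segment per functional class; intra-segment and internet flows allowed, inter-segment flows denied) process five constructed devices, and of_rules_required evaluates the slide's s[n(n + 1) − 2] + 8. The fingerprint rules, the policy and the device records are assumptions; the slides do not show how the paper's Network Inventory fingerprints devices.

```python
"""Automatic microsegment allocation by functional class (added example).

Models the slide 24 exchange: a new device connects, the Network Inventory
scans it, and the Microsegmenter assigns it to a segment and derives the flow
policy. Devices, fingerprint rules and policy are constructed illustrations.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set


@dataclass(frozen=True)
class Device:
    mac: str
    vendor: str                  # from the OUI / DHCP vendor class (constructed)
    open_ports: FrozenSet[int]   # from the Network Inventory scan (constructed)


# Hypothetical fingerprint rules: slide 20 groups devices as printers, mobile
# devices, laptops/PCs and cameras; the paper's own rules are not shown.
def classify(dev: Device) -> str:
    if dev.vendor in {"samsung-mobile", "apple-ios"}:
        return "mobile"
    if dev.open_ports & {554, 8554}:        # RTSP streaming -> camera
        return "camera"
    if dev.open_ports & {631, 9100}:        # IPP / JetDirect -> printer
        return "printer"
    if dev.open_ports & {22, 445, 3389}:    # SSH / SMB / RDP -> laptop or PC
        return "pc"
    return "unclassified"                   # isolated in its own segment


INTERNET = "internet"


class Microsegmenter:
    """One segment per functional class. Assumed policy: intra-segment traffic
    and internet egress are allowed, every inter-segment flow is denied."""

    def __init__(self) -> None:
        self.segment_of: Dict[str, str] = {}      # mac -> segment id
        self.members: Dict[str, Set[str]] = {}    # segment id -> macs

    def on_new_device(self, dev: Device) -> str:
        """The 'assign device to segment' step of the slide 24 exchange."""
        segment = "seg-" + classify(dev)
        self.segment_of[dev.mac] = segment
        self.members.setdefault(segment, set()).add(dev.mac)
        return segment

    def allowed(self, src_mac: str, dst: str) -> bool:
        """Flow decision for src -> dst, where dst is a MAC or INTERNET."""
        if src_mac not in self.segment_of:
            return False                          # unknown source: default deny
        if dst == INTERNET:
            return True
        return self.segment_of.get(dst) == self.segment_of[src_mac]


def of_rules_required(s: int, n: int) -> int:
    """OpenFlow rules for s segments of n devices each (the slide 33 formula)."""
    return s * (n * (n + 1) - 2) + 8


# Constructed inventory of five devices (MACs and ports are made up).
DEVICES = [
    Device("aa:00:00:00:00:01", "belkin", frozenset({80, 554})),
    Device("aa:00:00:00:00:02", "samsung", frozenset({8554})),
    Device("aa:00:00:00:00:03", "hp", frozenset({631, 9100})),
    Device("aa:00:00:00:00:04", "samsung-mobile", frozenset()),
    Device("aa:00:00:00:00:05", "lenovo", frozenset({22, 445})),
]


def build_segmenter() -> Microsegmenter:
    """Replay the connect -> scan -> assign exchange for every constructed device."""
    ms = Microsegmenter()
    for dev in DEVICES:
        ms.on_new_device(dev)
    return ms


if __name__ == "__main__":
    ms = build_segmenter()
    for seg, macs in sorted(ms.members.items()):
        print(seg, sorted(macs))
    print("camera -> camera:", ms.allowed("aa:00:00:00:00:01", "aa:00:00:00:00:02"))
    print("camera -> printer:", ms.allowed("aa:00:00:00:00:01", "aa:00:00:00:00:03"))
    print("OF rules, 4 segments of 2:", of_rules_required(4, 2))
```

With the five constructed devices the two cameras share a segment, so camera-to-camera traffic passes while camera-to-printer is denied; four segments of two devices each would need 24 rules by the slide's formula, and a single one-device segment still costs the constant 8.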


SLIDE 34

Effectiveness

(Figure (a): exploitability score, y-axis 0.70 to 0.90, for: without segmentation, segment HP Inkjet, segment Ring, segment Google Home, full isolation. Figure (b): network exposure, y-axis 0.00 to 0.50, for: without segmentation, Chinese Webcam, Amazon Echo, Belkin WeMo Switch, full isolation.)

19% and 43% reduction in exploitability score [2] and network exposure [3], respectively.

SLIDE 35

Case study: Mirai

(Figure: ratio of devices infected, y-axis 0.0 to 1.2, for: baseline, Belkin Camera, HP Envy Printer, Amazon Echo, full)

65.85% attack surface reduction against an infected Belkin Camera

SLIDE 36

Transparency

From                  To
HP Envy Printer       Laptop
Samsung Smart Cam     Belkin Motion Sensor
Samsung Smart Cam     Samsung Galaxy Tab
Belkin Motion Sensor  Samsung Smart Cam
Insteon Camera        Samsung Galaxy Tab
Samsung Galaxy Tab    Samsung Smart Cam

Only 2.16% of the network flows were blocked due to functional microsegmentation. We also identified some flows in the dataset that are likely malicious:

  • HP Envy Printer → Laptop
  • Insteon Camera → Samsung Galaxy Tab
  • Belkin Motion Sensor ↔ Samsung Smart Cam (?)
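The two evaluation quantities of slides 35 and 36, as an added example that is not the paper's code or data: on a constructed seven-device home, spread computes the devices a worm can reach from an infected camera under a flat LAN versus an assumed functional policy (intra-segment and internet flows only), attack_surface_reduction turns that into a reduction ratio, and blocked_ratio measures how many constructed benign flows the same policy blocks. Topology, flows and policy functions are assumptions.

```python
"""Blast-radius and transparency metrics for a segmentation policy (added example).

Estimates, on a constructed topology, the "ratio of devices infected" of
slide 35 and the blocked-flow share of slide 36 for a given flow policy.
"""
from typing import Callable, List, Set, Tuple

Policy = Callable[[str, str], bool]
INTERNET = "internet"

# Constructed topology (not one of the paper's three): device -> functional segment.
SEGMENT_OF = {
    "belkin-cam": "camera",
    "samsung-cam": "camera",
    "hp-printer": "printer",
    "galaxy-tab": "mobile",
    "laptop": "pc",
    "echo": "assistant",
    "wemo-plug": "plug",
}


def baseline_policy(src: str, dst: str) -> bool:
    """Flat home LAN without segmentation: everything may talk to everything."""
    return True


def segmented_policy(src: str, dst: str) -> bool:
    """Assumed functional microsegmentation: intra-segment flows and internet
    egress are allowed, every inter-segment flow is denied."""
    if dst == INTERNET:
        return True
    return SEGMENT_OF[src] == SEGMENT_OF[dst]


def spread(seed: str, policy: Policy) -> Set[str]:
    """Devices a worm starting at `seed` can reach, in the simplest model:
    a compromised device compromises every device the policy lets it talk to."""
    infected = {seed}
    frontier = [seed]
    while frontier:
        src = frontier.pop()
        for dst in SEGMENT_OF:
            if dst not in infected and policy(src, dst):
                infected.add(dst)
                frontier.append(dst)
    return infected


def infected_ratio(seed: str, policy: Policy) -> float:
    """Share of all devices reached from `seed` (slide 35's y-axis)."""
    return len(spread(seed, policy)) / len(SEGMENT_OF)


def attack_surface_reduction(seed: str, policy: Policy) -> float:
    """1 - (infected ratio under `policy`) / (infected ratio on the flat LAN)."""
    return 1.0 - infected_ratio(seed, policy) / infected_ratio(seed, baseline_policy)


# Constructed benign flows as a capture would show them: (source, destination).
BENIGN_FLOWS: List[Tuple[str, str]] = [
    ("galaxy-tab", "belkin-cam"),     # phone app viewing the camera
    ("laptop", "hp-printer"),         # print job
    ("belkin-cam", INTERNET),
    ("samsung-cam", INTERNET),
    ("galaxy-tab", INTERNET),
    ("laptop", INTERNET),
    ("echo", INTERNET),
    ("wemo-plug", INTERNET),
]


def blocked_flows(flows: List[Tuple[str, str]], policy: Policy) -> List[Tuple[str, str]]:
    """The otherwise-accepted flows the policy would drop (slide 36's table)."""
    return [f for f in flows if not policy(*f)]


def blocked_ratio(flows: List[Tuple[str, str]], policy: Policy) -> float:
    return len(blocked_flows(flows, policy)) / len(flows)


if __name__ == "__main__":
    seed = "belkin-cam"
    print("infected, flat LAN:  ", sorted(spread(seed, baseline_policy)))
    print("infected, segmented: ", sorted(spread(seed, segmented_policy)))
    print(f"attack surface reduction: {attack_surface_reduction(seed, segmented_policy):.2%}")
    print(f"benign flows blocked:     {blocked_ratio(BENIGN_FLOWS, segmented_policy):.2%}")
    print("blocked:", blocked_flows(BENIGN_FLOWS, segmented_policy))
```

On this constructed topology the camera segment confines the infection to the two cameras (2 of 7 devices, a 71.43% reduction against the flat LAN) while the same policy drops the phone-to-camera and laptop-to-printer flows (2 of 8 benign flows); the paper's 65.85% and 2.16% are its own measurements on real traces. Inspecting blocked_flows, as slide 36 does, shows which legitimate cross-segment flows a functional policy sacrifices and which blocked flows look suspicious instead.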


SLIDE 38

Conclusion

  • Introduced a novel edge cloud architecture to secure smart home IoT networks against an internal adversary via microsegmentation.
  • Implemented one transparent microsegmentation strategy according to functional groups.
  • Evaluated our approach on 3 different topologies using different network exploitability metrics.
  • In the best case, we achieved a 65.85% attack surface reduction against a Mirai-infected webcam at the cost of blocking 2.16% of the otherwise-accepted flows in the network.


SLIDE 43

References

  [1] A. Sivanathan, H. H. Gharakheili, F. Loi, A. Radford, C. Wijenayake, A. Vishwanath, and V. Sivaraman, “Classifying IoT devices in smart environments using network traffic characteristics,” IEEE Trans. Mobile Comput., vol. 18, no. 8, 2019.
  [2] J. Payne, K. Budhraja, and A. Kundu, “How secure is your IoT network?” in IEEE ICIOT, Jul. 2019.
  [3] O. Alrawi, C. Lever, M. Antonakakis, and F. Monrose, “SoK: Security evaluation of home-based IoT deployments,” in IEEE S&P, 2019.

SLIDE 44

Thanks!