This chapter wraps up our content with a focus on some of the more fluid and transient aspects of wireless security.
Up until this point, the guidance and information in the book should persist for several years, with a few slight adjustments and evolutions here and there. Moving forward through this chapter, however, the content is less evergreen by design.
Instead of omitting emerging technologies that prove significant in wireless security, those topics that are more volatile are aggregated here, and presented with the caveat in large, flashing letters that everything you read moving forward is subject to change throughout the life of this book. Consider it a launching point for further investigation to update your knowledge.
This chapter's content is distilled down to two broad topic areas:
This chapter concludes with final thoughts and key takeaways from throughout the book.
With so many connected devices, the explosive growth of IoT, and a cadre of digital transformation initiatives across all industries, just about every trend these days impacts wireless, and therefore security.
We're going to tackle a handful of the most pressing issues and the topics that address the most-asked questions by networking, wireless, and security professionals, including:
Over the last few years, the networking industry has begun its journey toward a converged edge architecture, and that journey is taking most of us to the cloud. Firewalls and gateways, SD-WAN appliances, and switches are being managed alongside Wi-Fi devices—and mostly in the cloud.
The trend is apparent when you look at Aruba Network's Central cloud, Juniper's Mist AI, ExtremeCloud IQ, and Fortinet's FortiLAN Cloud. These enterprise solutions followed suit after products like Meraki paved the way, proving the benefits of the cloud and ease of management in the SMB market.
The converged and converging edge and the move to cloud management brings a few considerations for security architecture and network operations in general, including:
First, as soon as our entire network stack is accessible from the Internet, we have to rethink secure management access. For a refresher, visit Chapter 6, “Hardening the Wireless Infrastructure,” and find the topic of “Addressing Privileged Access.” The first thing I have clients do with cloud-managed platforms is enable 2FA. When the entire Internet becomes your management network, the architecture must change accordingly.
The next seemingly innocent shift is toward API-managed edge networks. With companies like Juniper moving away from SNMP and even CLI in favor of API-based management of APs and switches, tides are turning, and traditional networking tools and processes will likewise shift.
These two trends alone are early warning signs that network architects and administrators will need to retool themselves along with the network.
Lastly, managing devices in and from the cloud does present new security risks. Even if the vendor isn't collecting client traffic, the platform has metadata, user and endpoint location info, personal information including email addresses and usernames, RADIUS shared secrets, entire IP schemas—and all of that is in the cloud. For most organizations, that's okay if the vendor has properly secured their own environment. When you engage with a cloud provider in any way, the organization is effectively extending its trust boundary to include the provider.
Governmental requirements in many countries have driven vendors toward certain security practices and certifications, and the rest of enterprises should follow suit by better vetting vendors and demanding proof of ISO 27001-certified datacenters and SOC-2 compliance at a minimum.
The sudden work-from-anywhere model hit the world without warning in 2020, leaving companies still trying to adjust and address security gaps throughout 2021 and beyond.
In the U.S., several reports show we went from less than 5 percent of employees working from home three days a week or more to over 50 percent in 2021. Gartner reports similar spikes using slightly different criteria in its research. Figure 8.1 shows trending predictions of remote work by country from 2019 through 2025.
From a wireless and security architecture perspective, the impacts on our work have included:
Supporting enterprise products in residential settings is challenging—the IT team has no control over the home user's Internet speed or quality; no visibility into the connectivity and physical location of devices; and APs in the home require power injectors and other accessories, along with cables.
In fact, Microsoft's report “The New Future of Work” (https://www.microsoft.com/en-us/research/project/the-new-future-of-work/
) cites poor Internet performance as the top issue identified by IT professionals when asked about the biggest challenges for employees working from home. And enterprise remote APs or VPNs are only as good as the Internet connection at the remote site.
To add complexity, the use of personal devices for business applications has increased, forcing enterprise IT and help desk teams to support a much larger breadth of devices than before.
Technologically, the first obvious change for many has been the use of remote APs to support subsets of remote workers. Preferred over traditional VPNs by some users, remote APs extend the organization's Wi-Fi (and often, wired) networks to the user's home. Remote APs are described more in Chapter 1, “Introduction to Concepts and Relationships.”
On the other end of the spectrum, work within the organization's traditional campus environments has increased for many professionals as teams take advantage of unoccupied and sparsely populated offices. Backlogged projects are being tackled while structured cabling and IT teams have easy access to workspaces and common areas, with little worry of disrupting employees.
The other side effect of vacant office buildings has been that many enterprises are downsizing, leaving, or remodeling offices to accommodate the new future of work. All of these lead to more workload on the IT and security teams, and there's little to no relief for many while the additional workload coincides with staffing shortages.
“The Great Resignation,” as it's been dubbed, hit critical mass mid-2021, and it hit hardest in the IT sector. While 40 percent of remaining employees surveyed were considering quitting their job, that percentage was a whopping 72 percent for tech employees in a report from TalentLMS (Sources: https://www.microsoft.com/en-us/worklab/work-trend-index
and https://www.talentlms.com/tech-employees-great-resignation-statistics
).
IT and infosec roles were already posting record shortages before the pandemic stay-at-home orders were issued in 2020. The climate of added workloads, lack of social interactions with coworkers, and filling in for missing headcount is taking its toll—on personal well-being as well as enterprise security posture. When you're burning the candle at both ends, some tasks will have to fall off the list; things will get missed, and vulnerabilities will be introduced.
The to-do lists continue growing, as enterprises are forced to restructure applications to support a remote workforce—often moving servers and services to the cloud, some of which impacts the connectivity and security monitoring of networks.
Contributing to the resignation crisis among all employees, frustration with technology—laptops and remote network connections that don't work—are cited as a top reason people are leaving their jobs. The added friction of increased security requirements such as MFA aren't helping either. Confusion about what to do when technology doesn't work is also a leading problem.
Network services traditionally hosted on-prem are moving to hybrid and cloud models to help reduce user friction and ensure services are available without time-consuming access methods that further irritate users. These moves impact authentication and IAM processes, requiring integrations with APIs and a move toward SAML-based logins.
Along with changes in services and applications, the processes for provisioning infrastructure are changing—often moving toward automated and zero touch provisioning technologies, which may require additional upfront work and reconfiguration of existing network devices. The remote model necessitates modifications in how teams support end users and provision their devices as well.
And it's not just the end users that are remote. The IT teams, network architects, and help desk may also be remote, in whole or part and full time or part time. That means yet more changes to processes and architecture to ensure secure remote privileged access, account validation without in-person processes, and finding better ways to collaborate remotely.
When it comes to supporting and securing remote workers, there are a lot of factors that are simply out of our control.
The most meaningful, and perhaps the most unexpected piece of advice I can offer fellow technologists and security professionals is to take care of yourself—physically, emotionally, mentally—whatever that means, and find ways to stay grounded, remain mindful, and build your own personal resilience.
The demands put on IT and infosec teams was overwhelming before the pandemic, and the speed of change in technology is dizzying without having new major projects thrown at us. Things may have to fall through the cracks, and some ends may be left loose. That, along with a few other tips and tricks for navigating the changing workforce include:
We're going to cover technical elements here, but if you take nothing else away from the topic of bring your own device (BYOD), what I hope sticks with you is the complexity of BYOD from the business and legal perspectives, and that BYOD policies are not something that should be left for IT teams to write or enforce single-handedly.
Also, there's only one hard and fast rule for BYOD: Access to any secured or sensitive resources should only be allowed from a device the organization has some level of visibility into or control over. You'll hear this repeated throughout this part of the book in various ways.
Retaining visibility and/or control can be accomplished in a few ways. The following subtopics will break down the models and best practices, but for context the goal can be reached in several ways, including:
Even though around 60 percent of organizations have a BYOD program, more than half of them don't have or enforce a formal BYOD policy. And, regardless of the organization's official BYOD policy, two out of three employees use their devices at work—even if it's forbidden.
Without a policy for BYOD, organizations and employees are both left to be victims of circumstance.
Aside from the legal considerations, mobile devices continue to be the source of many breaches worldwide. At one point, 68 percent of healthcare data breaches were due to the loss or theft of mobile devices or files, as reported by Bitglass, and that number has continued to grow.
Policies and accompanying security controls can enforce meaningful protection of enterprise data on mobile and personal devices, offering mechanisms to encrypt data, enforce strong passwords and lockout timers, along with emergency remote wipe or GPS tracking to locate lost or stolen devices.
Worldwide, 97 percent of companies were affected by mobile threats, including reports that almost half of organizations (46 percent) reported at least one employee having downloaded malicious applications on a smartphone. It's probably no surprise then that nearly every organization surveyed reported at least one smartphone malware attack. (Source: Checkpoint Mobile Security Report 2021, https://pages.checkpoint.com/mobile-security-report-2021.html
.)
BYOD isn't the only way personal devices are used in the organization. There's yet another alphabet soup describing varying ownership, management, and use relationships, including the following:
Challenges with traditional BYOD are that the organization's IT teams may find they need to support a breadth of device types, operating systems, and generations. App incompatibility, restrictions on MDM permissions, and the general overhead of help desk teams can be troublesome with BYOD.
In CYOD, the organization offers the employee their choice of a selection of supported devices. The ownership model can be corporate-owned or personally owned, but regardless, the organization will only allow and support use of the approved devices for business purposes.
COPE is emerging as a great option for security-conscious organizations that want to allow some workforce flexibility and, most notably, not force employees to carry two devices. COPE models should take advantage of built-in secure containerization or add-on software to separate personal and business data as much as possible.
Like CYOD, the COPE program may include a short list of devices for the employee to choose from, but unlike CYOD, the organization maintains ownership and control of the device, and pays for it.
Table 8.1 captures the various ownership-management models and the relative risk level associated with each.
Further defining BYOD in the organization can be completed now that you're familiar with the options for ownership and management of devices.
Table 8.1: Management and ownership models for devices
MODEL | DEVICE OWNERSHIP | DEVICE MANAGEMENT | USE | RISK LEVEL |
---|---|---|---|---|
BYOD (Unmanaged) | Employee | Employee | Personal + business | High |
BYOD (Managed) | Employee | Employee, with company MDM | Personal + business | Medium-high |
CYOD | Employee or Company | Company | Personal + business | Medium |
COPE | Company | Company, allowing personal use | Business + personal | Medium-Low |
COBO | Company | Company | Business only | Low |
Chapter 5, “Planning and Design for Secure Wireless,” outlined two basic starting points for defining BYOD in the organization:
Our goal at that time was to gather enough information for a general planning table. Now diving deeper into BYOD, the objective is to further refine the definitions to begin drafting appropriate controls for securing BYOD (or one of the other management models). Considerations are summarized in Table 8.2 and include:
Privacy and data protections vary in different parts of the world, as to approved encryption technologies. In addition, some industry segments will have additional restrictions for business conducted (and data transferred) to and from foreign countries.
Table 8.2: Table of BYOD access planning
FORM FACTOR | OWNERSHIP/MANAGEMENT | ACCESS REQUIREMENTS | ACCESS SOURCE |
---|---|---|---|
|
|
|
|
The following sections will offer guidance through the decision-making processes, but the one combination to always avoid is any unmanaged device accessing anything other than Internet-based resources. And, in organizations beginning a zero-trust strategy, even that access should be metered and controlled in some way.
The most critical input into any BYOD policy will be those of legal considerations. Organizations have a responsibility as stewards of their data, and they have a responsibility to ensure employee privacy is maintained—it's all a delicate balancing act. Legal obligations and options related to BYOD policies vary by region, and even by state within the U.S.
In a tragic 1977 plane crash, two members of the rock band Lynyrd Skynyrd were killed. The survivors and families made a blood oath that no one should ever again perform as “Lynyrd Skynyrd,” and that oath was legally memorialized in a 1988 Consent Order.
What can Lynyrd Skynyrd possibly have to do with BYOD? Well, almost thirty years later, one of the few survivors, drummer Artimus Pyle, began consulting with a production company (Cleopatra Films) for a biopic about the band's 1977 plane crash. Other members from the original blood oath took legal action against Cleopatra Films, and won, blocking production of the movie. One large body of evidence was related to text messages exchanged between Pyle and the main writer (a contractor of Cleopatra Films)—the text messages (evidence in the case) were lost when the writer changed phones.
Shortening the story; the court found Cleopatra Films was guilty of “spoilation of evidence” by not having control over their contractor's text message as critical evidence in the case. The writer wasn't an employee of the film company, nor was he using a company-provided device. But there was also no policy in place outlining expectations of the use of personal devices, or ownership of data (including texts) on that device. The court awarded an adverse inference against Cleopatra Films, saying it was “common sense” the contactor's texts were in Cleopatra's control. There is a happy ending though; in 2018, the judgment was overturned and in 2020 Street Survivors: The True Story of the Lynyrd Skynyrd Plane Crash was finally released.
It's a fun story that brilliantly demonstrates the twisty legal issues organizations must navigate through BYOD policies.
And it's just one example in a long list of BYOD gone bad. In another case, audio manufacturer Klipsch won a case when it moved for e-discovery sanctions against a defendant accused of selling counterfeit product. The appeals court faulted the other company for “failing to have a software usage policy in place requiring its employees to segregate personal and business accounts or to otherwise ensure that professional communications sent through personal accounts could be preserved.” The findings (and lack of policy and enforcement) cost the defendant $5M USD.
These are just a few of the many legal considerations that go into planning a BYOD policy:
Legal considerations don't stop at data protection. In 2021, Coca-Cola was slapped with a $21M USD judgment after one of its truck drivers hit a woman, reportedly distracted while chatting on the phone. Even though the company's policy prescribed the use of a hands-free device while driving, the plaintiff's lawyers convinced the jury that the policy was “vague and ambiguous.”
Just to recap, we don't expect (or want) technologists or architects to be legal professionals. The point of this content is merely to demonstrate how bizarre and complex the laws can be, and the risk posed to an organization by ineffective or insufficient policies or controls.
Even if you stayed at a Holiday Inn Express last night, let the lawyers figure this part out.
Chapter 5 lightly touched on BYOD in the section “Planning Processes and Templates.” In that content, the first exercise was to define what BYOD means in the organization. Picking up where that left off, the steps that follow are to work with executive leadership to define a BYOD policy and specify parameters around who can access what, from what device, when, and how. The technical planning for this was covered also in Chapter 5's “Sample Access Rights Planning Templates.”
With any luck, BYOD policies will stipulate that the organization only allows access to secure resources from devices that are under some form of management by the organization. In that case, depending on the ownership and management model, solutions like MDM products may be in order.
MDM solutions don't stop at personal smartphones—they're the cure for all that ails us when we need control over otherwise unmanaged devices. For our purposes, I'm going to place anything that's remotely MDM into the “MDM” category as described with the following features. MDM products offer one or more of these technical controls:
MDM-type products aren't just for phones; depending on the product and vendor, they may be used on any of the following:
One of the most challenging technical hurdles is that most MDM tools will work on (for example) iOS, Android, and Windows (along with virtual desktops) but the controls available per device OS will vary from one another and will vary over time. And the options and behavior vary depending on the MDM product used and the device's native containerization—for example, an Android device with Samsung Knox has security options beyond a standard Android device. Like so many of our other tools, MDM solutions may be integrated into our existing infrastructure (such as subsets of Microsoft Intune) or installed as a third-party solution.
Choosing an MDM tool is another choice very personal to each organization—the types of devices, operating systems, and the granularity of control varies by product, as does the integration with other tools.
At this point, I hope you're appropriately apprehensive of creating BYOD policies. It is also my hope you're able to motivate the organization to create or update BYOD policies if needed, but in the absence of that, there are a few best practices around BYOD that are generally safe for most environments.
Also, since the recommendations are dependent on the BYOD model (Internet-only access versus internal access), that's how they're organized All of these factors should be evaluated when considering an MDM platform.
In Chapter 5 it was noted that planning for Internet-only BYOD is fairly straightforward. The one request that makes it more complicated than standard guest portals is that many organizations want their employees to be able to use the Internet-only connection without the friction and frustration of a daily captive portal experience.
This is a completely legitimate desire—however, to meet this objective, decision-makers will often instruct wireless architects to allow personal devices on the secured network—either by allowing users to join 802.1X-secured networks with their domain usernames and passwords, or by having personal devices on an internal passphrase-secured network (WPA2- or WPA3-Personal). Neither of these are advised because they introduce several security risks.
Instead, for personal devices requiring Internet-only access, with the goal of not repeating a daily captive portal, one of these methods should be used. These are presented in order of most to least secure, but all are valid options.
With some products, the users can manage their list of approved personal devices, and a maximum number of devices per user can be specified. These features are most often available with a NAC product, but some Wi-Fi products are adding built-in support for this as well.
Notably, this option links the otherwise unknown personal device to a known user, but it does so safely, without exposing the user credential on the unmanaged device.
This can be accomplished with separate SSIDs, or through dynamic VLANs (or roles, policies, etc.). If at all possible, use WPA3-Personal for this purpose—remember that WPA3-Personal networks are far superior in security to legacy WPA2-Personal networks.
Circling back to the opening paragraph—the one hard-and-fast rule for secure BYOD is that access to any secured or sensitive resources should only be allowed from a device the organization has some level of visibility into or control over.
From a technical perspective, I'd encourage you to advocate for this model and/or to start with this access until better direction is offered by the organization.
Organizations should not allow personal devices on secure production Wi-Fi networks unless all of the following criteria are met:
In addition to the preceding requirements, there are a few additional recommended items that would offer additional security:
The reasons for the recommendations here are covered throughout the book, and especially in Chapter 3, “Understanding Authentication and Authorization,” and Chapter 6.
Zero trust is one of today's (and tomorrow's) super-hyped topics and while I'm certainly not here to toss buzzwords around, zero trust is a timely and relevant topic for network and security architects. I don't plan to go deeply into the topic, but I work a lot in this space and feel there's value in clearing up a few misconceptions and points of confusion related to network security and zero trust.
Think of zero trust as a mindset, and not a product set. It's just like saying “layered defense.” While the models and frameworks floating around seem to indicate zero trust is an all-or-nothing, super-granular architecture, the reality is that applying one-to-one access rules for every endpoint and user, to and from every service, server, and resource is impossible with current tools. It's neither practical nor desirable at this stage.
With today's zero trust strategies, the goal is to incrementally remove inherent trust and apply specific, context-based access rights. Moving away from traditional remote access VPN solutions is a perfect example of removing inherent trust—many VPN implementations today are an “all or nothing” access model; a remote user is either allowed on the network, or not. Believe it or not, relatively few VPN deployments apply granular access policies; instead, it's just as though the user were inside the office with the normal layer 2/3 access that accompanies it.
Instead, a zero trust strategy would direct us toward evaluating both the endpoint device and the user—perhaps performing a security posture scan and ensuring the user is requesting access from an approved region—and then the user is granted only the access needed, such as the ability to connect to a subset of servers or services in the organization.
Similarly, zero trust strategies will begin to inform stricter control for management access of systems, adding contextual information and enforcing greater security such as two-factor authentication (2FA). Zero trust isn't some imaginary mystical creature—it's really just the next evolution of network access control (NAC); one that incorporates cloud-routed technologies and Internet-based resources instead of (or in addition to) traditional on-prem models.
Moving toward a zero trust architecture is incremental and organizations will start identifying use cases and subsets of data or resources that are flagged as more sensitive than others, and that's where zero trust begins.
Further proving the point that zero trust is just the next evolution of NAC, the terminology from the formal zero trust frameworks (such as NIST's) uses the same language from NAC and authentication models, such as:
For example, a condition could be that the subject is making the access request from within a list of allowed geographies. The condition might also stipulate that the subject device has been scanned for security posture and passed. Or certain variables may be factored and require the user to elevate their privilege using 2FA to gain access to a secured resource.
Figure 8.2 shows a simplified diagram of a zero trust ecosystem with the labels for PDP, PEP, subject, and target. In the figure, a central policy engine is making decisions about access to the on-prem resources (in an enclave model) and to cloud-hosted resources, which may be granular per-service policies or also a group of resources. Although depicted with a user/device as subject, in zero trust models the subject could be a server or microservice.
Common features of products that support a zero trust strategy may focus on one or more of the following attributes:
I group the product sets into two main categories—cloud-routed and direct-routed. Currently, most direct-routed solutions are designed for on-prem use cases but that will evolve over time. The details of these are covered next.
At time of writing, these products are rarely converged, meaning there are virtually no products that are designed to (efficiently) enforce access control over the Internet and on-prem.
Segueing to the next topic, Figure 8.3 offers a simplified view of cloud-routed versus direct-routed models common in today's zero trust products. With cloud-routed solutions, not only is the policy engine typically in the cloud, but the cloud is also in the data path, and essentially “stitches” together access between two resources. Conversely, direct-routed models enforce connections directly between the user and the PEP, which may be a switch, firewall, or any of the aforementioned devices.
This model is simplified in that it's possible to use cloud-routed products even for localized on-prem campus deployments, and it's also possible to use direct-routed products for resources that are remote or cloud hosted.
Cloud-routed and cloud native products are primarily focused on securing access to and from users that are not co-located with the resource because the data path involves the Internet. For example, if a user is working from home and accessing a resource on-prem or in the cloud, a cloud-routed product is well suited for the model.
Conversely, if the user is co-located on-prem with the resources, routing traffic out to and back from the Internet is not ideal. Depending on the network, data, and implementation, this hairpin routing out and back in from the Internet may be acceptable, but it's not how these products were envisioned.
These classifications of products, their features, and vendors change almost daily. These are all highly volatile markets, but for context, today's most common cloud-routed products include the following solutions:
ZTNA is an actual product and is not to be confused with zero trust as a strategy or architecture. Someone out there just wanted to further complicate and confuse us all with that name. SASE offerings are most often a ZTNA solution with additional services. The lines between the products listed here are blurry, at best.
The types of products designed to support zero trust strategies within a campus environment include:
There are some crossover products and features between cloud-routed and on-prem products. There's also some re-use of language such as “microsegmentation,” however that word means two different things. Originally a datacenter concept for controlling authorization between servers, services, and microservices—the term microsegmentation was then borrowed by the network security vendors to describe more granular access controls from their products.
The result is that a microsegmentation product for datacenter and cloud applications is not the same as a microsegmentation product for network security on-prem. They're completely different technologies, operate with different enforcement mechanisms (covered next), and therefore have no overlap nor any relationship to one another.
Diving into the enforcement mechanisms for zero trust products could be its own book, so I'll try to distill this down to a few salient points.
Software-based PEPs use agents on the requestor (subject) and/or the resource being accessed (target), and will most often use one or more of the following enforcement mechanisms to enforce an access policy:
The level of enforcement granularity may include one or more of the following, and the access policy may be unidirectional or bidirectional, meaning it may be initiated from the requestor (aka the subject), the resource (aka the target), or either. Some cloud-routed solutions offer limited granularity and may only be built to establish connections unidirectionally.
Although software-based PEPs are viable on campus infrastructures with on-prem resources, they're more often used for access enforcement to and from Internet-based resources.
For this reason, most current products that are controlling access with campus environments are using on-prem products and the appliance-based PEPs described next.
Appliance-based PEPs may be physical hardware or virtual appliances and include many of our traditional networking technologies such as firewalls, switches, routers, SD-WAN gateway, Wi-Fi controller or AP, or a purpose-built vendor device.
Just as with other access control technologies, the enforcement mechanisms in appliances most often include:
The granularity of appliance-based PEP enforcement varies slightly from software PEPs, and includes the following:
Most of the appliance enforcement mechanisms will look familiar—they were covered as filtering and segmentation methods in Chapter 2, “Understanding Technical Elements.”
The purpose of this content is to demonstrate that zero trust is not a mythical beast—it's built on principles (and even products) familiar to network and security architects. There's a lot of confusion in the market due to poor communication from vendors as to how their products work—specifically what enforcement mechanisms they're using, what level of granularity can be applied, and in which directions.
For now, the cloud-routed products are most appropriate for applying granular controls to and from users and resources that are not co-located. By inference then, for most readers of this book, you're interested in the on-prem infrastructure solutions for zero trust and the appliance-based PEPs. There will likely come a time in the future that the two may converge, but the overlap is so minimal currently it's negligible.
As it relates to this book's contents, zero trust initiatives may impact wireless architecture and security in one or more of the following ways:
Managing the Internet of Things (IoT) is certainly a pain point for network architects everywhere, and it's a force to be reckoned with. The following section, “Enterprise IoT Technologies and Non-802.11 Wireless,” takes a deeper look at the models and wireless technologies prevalent in enterprise IoT, including (and especially) non-802.11-based wireless.
First, I want to present a high-level view of IoT models to serve as context because the term “IoT” tends to get thrown around, describing anything from a network printer to a structural strain gauge sensor the size of your pinky finger.
IoT models are based on connectivity, topology, and whether the protocol is natively locally routed, translated to IP, or routed to IP. These different models are grouped in the following way:
Figure 8.4 shows the three models side-by-side. LAN-based IoT models use standard IPv4 and/or IPv6 at the edge for LAN connectivity. Protocol-translated IoT has no IP protocol at the edge (instead uses Bluetooth, BLE, Zigbee, etc.) and requires a protocol gateway to translate the non-IP data to IP-based data to be then routed through networks to the Internet. Protocol-routed IoT seems similar to protocol-translated at first glance, with the important differentiator being the use of an adapted IPv6 protocol at the edge devices, which is then converted and routed.
LAN-based IoT devices can be considered non-traditional endpoints that are connected to standard networks, wired, or Wi-Fi (802.11 WLAN). While it's common to throw non-traditional endpoints into the IoT bucket, strictly speaking (in the IoT communities) these don't quite qualify for an IoT designation.
However, since it's so commonly addressed along with IoT in networking, I'm including it as a model. It's certainly valid in that non-traditional endpoints take a bit more time and attention to identify and secure on any network.
Non-traditional endpoints on the LAN may include:
These endpoints have locally routed IP addresses (IPv4 or IPv6) and connectivity and data paths the same as other traditional LAN- or WLAN-connected devices such as laptops.
The list here is provided only as an example; many IoT device manufacturers offer multiple connection models. For example, many kinds of sensors could be Wi-Fi connected but may also support deployment on RF in the sub 1 GHz range, and/or via direct cellular connection.
Also, remember that just because an endpoint is network connected doesn't mean it's Internet connected. Many devices described as LAN-based IoT are just local network-connected endpoints, not IoT.
Protocol-translated IoT devices aren't IP-addressed at the edge. Instead, there's a non-IP-based protocol in use along with a protocol gateway or protocol translator.
For context, common protocol-translated IoT technologies include Bluetooth and BLE and Zigbee. This IoT model isn't just for localized and personal LANs, though—it's also common in private WAN technologies (such as Sigfox and LoRaWAN) as well as some industrial automation technologies like WirelessHART. These other non-802.11-based IoT technologies are covered next in “Enterprise IoT Technologies and Non-802.11 Wireless.”
In these models, the edge endpoints (which may or may not be in a mesh topology) communicate to a protocol gateway, which converts the data to IP for forwarding and routing to the LAN or Internet.
What's not included in protocol translated IoT are protocol-routed technologies such as Thread and others based on 6loWPAN.
These use IP addressing at the edge similar to LAN-based IoT but are not based on common Wi-Fi connectivity and may use an IP adaptation layer. This is explained more in depth in this chapter's next section.
Other protocol-routed IoT technologies include cellular IoT and private cellular.
For some technologies, an adaptation layer is used to compress (for example) IPv6 to a format that can be transferred over wireless technologies with tiny frame sizes such as 802.15.4 (the layer 1/2 RF standard that Zigbee and Thread use). This is exactly what 6loWPAN offers.
A book on enterprise wireless wouldn't be complete without all the latest non-802.11 technologies. Those presented here are in varying states of flux and evolution, and so I've chosen to organize this in a non-traditional way and hit the highlights.
Security considerations covered here, instead of being protocol-specific (which change regularly) focus on less mutable characteristics such as the physical layer, topologies, connectivity models, and coverage areas. As these technologies grow over time, the guidance here should persist even through significant flux.
First is a high-level introduction of the various technologies to get familiar with the context, followed by characteristics that factor into connectivity and security architectures:
Among the countless connectivity and security considerations, IoT devices collectively are heavily influenced by a few IoT-specific characteristics, including the following features.
For the rest of the world's IoT devices, power is a precious commodity, and connectivity protocols for IoT are modified to preserve battery life. This means less frequent transmissions, shorter transmissions, antennas that use less power. and at times an inability to communicate with the IoT device between scheduled transmissions.
There are a multitude IoT protocols, many of which are used primarily for home automation and hobbyist projects. The technologies here are of a scope limited to those appropriate for use in an enterprise environment. Other technologies and protocols not specified here follow similar models to the smart building and home automation suite.
We're going to take a brief tour of the following classes of IoT technologies:
You can see the mapping of IoT technologies to edge IP protocol, connectivity model, coverage, physical layer, and whether it's mesh or not in Figure 8.6. Lighter connectivity lines indicate partial or limited applicability.
LAN-based IoT are the pseudo-IoT devices that don't quite earn the “IoT” title but are nevertheless connected devices we're forced to deal with and secure.
A large portion of this book has been dedicated to 802.11-based Wi-Fi security, and I'm not going to repeat all of those concepts here. There are, however, some unique considerations when dealing with the non-traditional endpoints on Wi-Fi networks, and those considerations are addressed here.
Securing LAN-based IoT includes the following challenges and considerations.
Most often, we have three ways to identify an endpoint on the LAN: it was manually provisioned, and the MAC address and other identifiers were documented; it has a logged-on user that identifies the device; or it has a device certificate that identifies the device.
In the absence of one of those three more deterministic methods, processes for identifying a device is more of a guess. Profiling methods (common in NAC, UEBA, and Wi-Fi products) gain some context by looking at the NIC OUI to determine the manufacturer and by watching aspects of traffic passing through such as DHCP requests. Other profiling methods may layer additional criteria such as mapping open ports or parsing an HTTP header. In total there are about twenty common active profiling mechanisms.
Newer profiling methods incorporate data from watching mirrored traffic on the network to get even more context about the endpoint and what it's doing on the network. Each of these methods offers an increasing level of confidence about the identity of the device, but none guarantee 100 percent accuracy.
When it comes to device identify with non-traditional endpoints, this is by far the most time-consuming task in any project (including and especially NAC projects).
Device authentication becomes another challenge with many LAN-based IoT devices. Even though connected with familiar Wi-Fi technology, the endpoint may not support authentication (remembering that passphrases aren't considered true authentication).
Most of the more standard network devices including printers and VoIP phones do support 802.1X, and therefore can be authenticated with either a device certificate or device domain credentials. Other endpoints support no authentication but could use MAC Authentication Bypass (MAB, which again isn't really authentication in the infosec sense.)
Maintaining basic security hygiene with software updates and security patches is also challenging with many IoT devices (LAN-based and otherwise). It seems in many environments even printers and other readily accessible devices don't receive regular patches.
IoT endpoints without standard interfaces are even more cumbersome to update, often requiring additional management platforms.
In a perfect world, each grouping of IoT devices would have granular access policies restricting traffic to and from only the requisite resources. In practice, many organizations have a single IoT-designated passphrase-secured network and throw everything there together, with little to no additional segmentation.
Wi-Fi, NAC, and authentication server products all support varying approaches to label and further segment IoT devices. Some offer integrations with external devices such as firewalls (which model traffic and apply labels to the endpoints); others rely on authentication policies with basic dynamic VLAN assignments.
Even when properly segmented, many IoT devices don't have robust support for secure Wi-Fi connectivity, making them vulnerable to over-the-air attacks. For example, Figure 8.7 shows a table from current product documentation for a vendor's industrial environmental monitoring systems. The wireless products referenced include sensors for temperature, pressure, humidity, sound, and cryogenic systems, among others, and are marketed to customers in healthcare, pharmaceutical, and food safety.
In the network requirements, the table shows only WPA2-Personal is supported, and communication is by default HTTP over port 80. The port is not editable by the customer. This vendor also claims their system can “effectively reduce the potential for any type of network attack to zero” which is, of course, misleading.
I'm a big fan of IEEE and standards, so I'm going to lead off with this. The Bluetooth specifications are no longer based on IEEE standards. Originally, they were part of IEEE 802.15.1 Working Group, but later spun off to the Bluetooth Special Interest Group (SIG, at www.bluetooth.com
).
In addition, the bulk of Bluetooth devices have been created for personal and residential use—not commercial applications. The use cases have been changing in recent years with the growth of IoT in the enterprise, but there's a lot of legacy technology and the goal of most Bluetooth products is to simplify connectivity, reduce user friction, and reduce support calls.
As you'll see throughout the overview of Bluetooth and BLE, the default mode of operation is the least secure. To make these products appropriate for commercial use requires the product manufacturers to select secure implementations, incorporate those modules into the product, and to regulate allowing backward compatibility that may lead to less secure operating modes.
Classic Bluetooth and Bluetooth Low Energy (BLE) have been fixtures within most enterprise environments for some time. Classic Bluetooth has been well-suited for wireless accessories that require constant data transmission, such as wireless headsets and speakers.
But all that constant connection puts a drain on batteries, and battery life is of particular concern when it comes to IoT devices. The low energy (LE) specification of Bluetooth came along to help alleviate issues related to battery life and offer an alternate model with less power consumption (as well as some additional features).
Whereas Classic Bluetooth is still primarily used for connecting wireless peripherals, BLE expands on that connectivity and supports additional use cases including indoor location services. Just a few of the BLE applications include:
Bluetooth up through version 5.3 also supports a mechanism to switch to Wi-Fi-based connections. A museum with BLE-enabled points of interest and a mobile app may make use of this; the museum visitors can move throughout the museum and receive exhibit-specific information based on their location. The app might then push a document or video down to the app and could use Wi-Fi for that transfer to make use of higher bandwidths than what's available through Bluetooth (a feature referred to as alternative MAC/PHY, or AMP).
Devices may support both classic Bluetooth and BLE operations simultaneously. Due to the differing battery requirements and use cases, whereas Bluetooth is always connection-based, BLE can be connection-less, meaning devices can interact with one another through listening to beacons instead of formally connecting through pairing.
From a layer 1 perspective, both Bluetooth and BLE use the industrial, scientific, and medical (ISM) portion of the 2.4 GHz spectrum (also used by 802.11 Wi-Fi), but Bluetooth and BLE both use different spectrum hopping methods and channel selection algorithms to avoid interference with other devices in the same airspace, including Wi-Fi.
Considering network topology and connectivity, Bluetooth does not use IP addressing. Instead, it relies on 48-bit addresses (like a MAC address), the first half of which specify the organizationally unique identifier (OUI), just as in Wi-Fi devices.
Bluetooth creates small piconets (up to 8 devices due to 3-bit addressing) and multiple piconets can then connect to form what's called a scatternet. On the other hand, BLE uses 24-bit device addressing and could (theoretically) support piconets with millions of devices—although in practice they're much smaller—but this speaks to the expanded use cases of mesh IoT devices such as many sensors.
Bluetooth and BLE both use similar provisioning processes, which include:
By far, the least secure mechanism is Just Works, yet it's the default mode of operation in Bluetooth devices. Other modes can be susceptible to eavesdropping and man-in-the-middle attacks, depending on the version and implementation. For more on why Just Works doesn't work, read the IEEE whitepaper on BLE Just Works security vulnerabilities, “Bluetooth Low Energy Makes ‘Just Works' Not Work,” at https://ieeexplore.ieee.org/document/9108931
.
BLE got a major bump in provisioning security with the BLE Secure Connections, introduced in version 4.2. With that, the devices use Elliptic Curve Diffie-Hellman (ECDH) key exchange, similar to many Wi-Fi operations. This addressed the problem of possible eavesdropping and man-in-the-middle attacks during the pairing process. The idea in legacy implementations was that the connection was only vulnerable during the pairing process, but the reality was that it introduced too great a risk for many of today's commercial and medical BLE applications.
An important note is that BLE 4.2 devices are compatible with older 4.0 and 4.1 versions, however the BLE Secure Connections operation is not—meaning if a more capable BLE 4.2 device is paired with a legacy device, it will not benefit from the increased security.
Speaking of encryption, the following modes are supported and in all cases AES-CCM mode is used after the devices are paired (through the secure ECDH or other mechanisms):
An Internet search will yield countless results for Bluetooth vulnerabilities. Here are a few that made recent headlines.
The result? Everything from nagging denial-of-service attacks to full code execution on the Bluetooth-connected endpoints. Many of the devices tested included boards used in commercial products and industrial automation and monitoring, in addition to LED light controls and gaming systems.
Other devices impacted by the vulnerabilities include smartphones, tablets, and laptops, as Intel, Qualcomm, and others used affected chips. The attacks were executed with equipment totaling less than $20 USD.
The same researchers also released SweynTooth in 2020, discovering 17 new vulnerabilities. In those attacks, researchers were able to trigger crashes, buffer overflows, device locks, and even completely bypass security on BLE devices. These attacks, like BrakTooth, were tested on several chips including those used in smart locks, Fitbits, TSA-compliant luggage locks, smart plugs, and other smart home products. They were also found to be successful against other wearables and medical devices including a blood glucose meter and a Bluetooth-enabled pacemaker shown in Figure 8.8.
The group's research including BrakTooth and SweynTooth can be found at https://asset-group.github.io/
.
You can read a recap of the research and accompanying video “Xiaomi Electric Scooters Vulnerable to Life-Threatening Remote Hacks” at https://thehackernews.com/2019/02/xiaomi-electric-scooter-hack.html
.
Bluetooth and BLE attacks could go on for pages. My only reason for including these few examples is to demonstrate three points. First, even the newer versions of the BLE products are susceptible to attacks, and those attacks are non-trivial and can be life threatening in certain products. Second, the vulnerabilities are being disclosed almost daily. This proves the point that any specific guidance for Bluetooth and BLE specifically will be out of date quickly. Last, but not least, these attacks have been successful on popular wearables and smartphones (including Apple and Android), which further calls into question the use of peer-enabled protocols in a secure enterprise environment (a soapbox topic in Chapter 6).
I'm not suggesting organizations impose a moratorium on consumer devices, but they should be carefully considered, and the enterprise environment should be secured from these devices as best they can.
Aside from the ever-pervasive Bluetooth and BLE products, smart building and home automation products have evolved to use technologies based on the 802.15.4 physical layer such as 6loWPAN, Thread, and Zigbee—all of which differ from Bluetooth not only in the physical connectivity standard but also in coverage models.
Zigbee is the outlier here, being a non-IP-based protocol. Although a step up from Bluetooth, Zigbee has not gained the traction in large-scale deployments due to limitations of its mesh architecture and lack of IP stack. Because Zigbee (along with Bluetooth) doesn't use edge IP addressing, a translator is required to convert Zigbee protocol into IP protocol for forwarding or routing to and from IP-based networks.
Despite a few alliance agreements here and there, Zigbee has been fizzling out in recent years, replaced by newer, faster, and more scalable stacks like those based on 6loWPAN. Zigbee has been rebranded as part of the Connectivity Standards Alliance (www.csa-iot.org
), along with Matter and other technologies.
Thread is one such communication stack based on 6loWPAN and therefore IPv6. All of these (Thread, 6loWPAN, and Zigbee) work on top of the 802.15.4 physical layer, which specifies tiny packet sizes of 127 bytes. The challenge is, IPv6 frames are about ten times that size at 1280 bytes. I'm about to switch from bytes to bits; one byte is eight bits. Also contributing to the length crisis, IPv6 addresses are long at 128-bits (for context, an IPv4 address is 32-bits).
6loWPAN is simply an adaptation layer that allows sending IPv6 over 802.15.4; it does this by compressing the IPv6 address and headers and handling fragmentation. Figure 8.9 offers a visual of the difference in ratios of IPv4 to IPv6 addressing and of the frame sizes of 802.15.4 versus IPv6. Effectively, 6loWPAN's task is to shrink IPv6 to about one-tenth its original size, in order to transfer it over 802.15.4.
Figure 8.10 shows the Thread communication stack and the placement of 6loWPAN as the adaptation between layers 2 and 3 of the traditional OSI stack. Layers 1 and 2 of Thread (and 6loWPAN) use 802.15.4. Unlike Zigbee, Thread stops short of the application layer, allowing for extensible uses
The result of this stack and the IPv6 compression is that Thread (like many of its IoT cousins) requires a Thread-capable router to convert the local (compressed IPv6) addresses to something routable with full addressing.
I mention this because the language on the Thread Group site and documentation can be a little misleading and confusing, as it repeatedly notes there's “no need for a proprietary hub, gateway, or translator.” That's true but it (and any 6loWPAN communication) does require a border router to convert the addressing and shortened headers.
The best way I've heard it described is like network address translation (NAT). If you contrast the private IP address space with publicly routable IP address spaces, the private address (such as 192.168.1.12) wouldn't be able to communicate directly with 4.2.2.2. Instead, it would go through a router or firewall that would convert the source and destination addresses so the publicly routed data can find its way back to the private IP address.
There is a major difference between 6loWPAN and non-IP technologies like Bluetooth and Zigbee. The border router is just that—it's routing the packets to and from the local (compressed) IPv6 addressed endpoints. Bluetooth and Zigbee aren't speaking IP at all, and their traffic must fully be translated to IP to interact with IP networks.
As with everything else IoT-related, cellular connections needed a rework to be IoT-friendly. Standard cellular communication protocols are designed for high-bandwidth and low-latency data applications like video and voice, but IoT devices require much smaller bandwidth, and many want shorter communication time to preserve battery life.
Cellular IoT protocols address needs of:
Public cellular (as opposed to private cellular, covered next) operates in licensed RF spectrums by mobile network operators (MNOs, or carriers). All current cellular technology is packet-switched, and IP-based for voice, data, and messaging.
Table 8.3 summarizes the recent generations of cellular technologies. Technically 4G-LTE is the marketing term for an enhanced version of 3G, and not full 4G. 4G-LTE, while much better than 3G, never met the specifications for 4G by the ITU Radiocommunication Sector (ITU-R), but it allowed older phone technologies to take advantage of faster speeds. The use of 4G LTE has become mainstream now since consumers tend to associate it with something better than just “4G.” The standards are a little fuzzy in cellular all around. Today's 5G deployments are non-standalone (NSA) deployments that rely on a 4G network core, meaning just like 4G, our 5G isn't really 5G quite yet.
Table 8.3: Cellular generations and technologies
GENERATION | TECHNOLOGIES |
---|---|
3G (~2000) | UMTS, CDMA2000 |
4G (~2010) | LTE- Long Term Evolution |
5G (~2020) | NR - New Radio |
Cellular standards are managed by the 3GPP group (www.3gpp.org
), which has a similar relationship to cellular standards as the IEEE does to 802.11. We hear about entire generations of cellular such as 3G, 4G (and 4G LTE), and 5G (NR), but in between these major families are smaller revisions and updates. In these releases, starting in 2008, 3GPP has introduced options to support IoT needs with direct cellular connectivity.
For context, the 5G in the wild now is release 15, which is considered phase 1. Phase 2 is attached to release 16, where the 5G benefits are to be fully realized based on the specifications. Release 17 will expand on 5G with industry-specific features; it was due for release late 2021 but 3GPP put the work on hold hoping to resume in-person meetings, and the new dates were mid-2022.
The technologies described here are all based on 4G/LTE, with the exception of Category NB1, which is 5G-ready as well. Within the realm of IoT-friendly cellular are those shown in Table 8.4.
Table 8.4: Excerpt of 3GPP releases and IoT-friendly classes
RELEASE | CATEGORY | MAXIMUM DOWN/UP | BANDWIDTH | FEATURES AND USE CASES |
---|---|---|---|---|
8 | 1 | 10 / 5 Mbps | 1.4 - 20 MHz | Higher bandwidth, lower latency: use cases digital signage, audio/video |
12 | 0 | 1 / 1 Mbps | 1.4 - 20 MHz | First major IoT enhancement with power saving and reduced throughput |
13 | NB1 (NB-IoT) | 0.68 / 1 Mbps | 180 KHz | Support endpoints that don't roam; half duplex; very low bandwidth; low energy; use cases smart metering |
13 | M1 (eMTC) | 1 / 1 Mbps | 1.4 MHz | Supports endpoints that roam/move; enhanced power save modes; use cases outpatient monitoring, asset tracking |
Cat-1 supports higher bandwidths and lower latency (great for IoT with voice or video) than the other IoT protocols but is based on standard LTE protocols and therefore doesn't offer the power and range benefits introduced later.
Among other issues, the challenges with cellular technologies for IoT is that they're designed for a certain level of interaction with the endpoints, which is not conducive to IoT devices that need long sleep times to preserve battery.
The remaining categories from the table (Cat-0, NB-1, and M1) all include significant changes to accommodate IoT, especially in the realm of power saving, with NB-1 supporting deployments with 10-year battery life.
Each of the standards come with pros and cons, and therefore are appropriate for different use cases.
As the world transitions to 5G technology, network function virtualization (NFV) and software-defined networking (SDN) allow for much more flexibility for use case support. Combined, these support technologies such as network slicing, which allows 5G radios to service multiple devices with unique needs, simultaneously. If one device is a tiny IoT sensor that communicates infrequently and in short, small bursts and another device is using high bandwidth to support virtual reality (VR), 5G will be able to manage those needs independently with proper power, range, and bandwidth that's device-specific.
That brings a marked change to how IoT has been handled in 3G and 4G, and it opens up Pandora's box of IoT use cases. Figure 8.11 shows conceptual 5G network slices serving both a low-bandwidth IoT device and a high-bandwidth streaming media device. The cellular radio can adjust to meet the disparate power, bandwidth, and range demands of both at the same time.
We're switching gears here from IoT technologies supported by public cellular network carriers to the use of private cellular technology including the use of cellular within the enterprise LAN.
Private cellular solutions are designed for private use—meaning an enterprise organization has local infrastructure for its own connectivity. It's not shared with public users, and not meant for Random Randi Person walking through the building with their Vodaphone or Verizon device. Technically, there's one exception to this: an organization with a private cellular infrastructure could choose to deploy a neutral host network, but that's purely optional and outside the scope of this book.
Use cases for private cellular and cellular LANs include:
Private cellular LAN is the new kid on the wireless block, but it's growing quickly. Private cellular networks take cellular connectivity features and bring them into the organization for use as a local network, hence the term cellular LAN.
In some regions, a full private cellular deployment doesn't have to involve a mobile network operator (MNO), or carrier, at all. Instead, the organization may own and manage its own cellular LAN infrastructure, and the data isn't required to be passed over a carrier network. Effectively, it can be used just like an 802.11 WLAN but using cellular technology.
I'll spend a bit more time on the topic of cellular LANs than other technologies since it's very likely network and wireless architects across many industries will be involved in planning and/or deploying private cellular in the coming years. Figure 8.12 offers a simplified view of a cellular LAN. Not pictured is the cellular packet core (a bit like a souped-up Wi-Fi controller), which may be located on-prem, or in a public or private cloud.
This overview of private cellular technology covers the following:
If you haven't heard of private cellular networks yet, it's probably because spectrum for this use case is just now being opened up around the globe.
The following is the current state as of early 2022, with the expectation that by the time you're reading this, the status for some countries will have changed.
In the U.S., the designated RF for private cellular is the Citizens Broadband Radio Service (CBRS) spectrum—in the 3.5 GHz band nestled neatly between 2.4 GHz and 5 GHz without interfering. On that spectrum, we can use both 4G and 5G technology.
Outside of the U.S.—Japan, Norway, Germany, the Netherlands, Poland, and Sweden—have all identified spectrum for private cellular use. Following a slightly different model, Australia, China, France, the Czech Republic, along with Hungary, Portugal, South Africa, and Spain offer leased spectrum for private cellular use. As of writing, spectrum allocations in Canada, Mexico, Brazil, and Turkey are to be determined.
Throughout Europe, many EU member countries have specified or are considering use of frequency bands n77 and n78 for 5G private networks. These operate in the 3.4-3.8GHz and 3.8-4.2GHz spectrums for n78 and n77, respectively. The UK has settled on n77 as well as band 40 and is exploring additional spectrum.
Cellular technologies have their own vernacular and architecture that doesn't correlate directly to Wi-Fi, aside from the concepts of radios in a cellular Radio Access Network providing connectivity conceptually as a Wi-Fi AP would. Behind the radios are a packet core in cellular, which offers a breadth of authentication and coordination functions. The packet core could be likened to a Wi-Fi controller but that's a grossly overly simplified correlation.
The two areas I want to cover are the deployment architectures and models that describe how private cellular is used, and how it may be integrated into the existing enterprise LAN:
Endpoints connecting directly to a cellular LAN require either a physical SIM card, a software-based eSIM, or an adapter/dongle.
The upcoming section “Comparison of Cellular to Wi-Fi” will offer more details about how cellular LAN compares to Wi-Fi.
One deployment option is to use private cellular over a distance to connect to remote gateways that can convert cellular to Wi-Fi. The use case of this architecture would be a municipality or school that may want to extend Internet access to employees or students in rural areas without reliable broadband access. Municipalities and various commercial organizations also use remote gateways to service endpoints in hard-to-reach locations where wired cabling is not possible or is cost prohibitive. Endpoints in this use case include video cameras, IoT sensors, and remote payment kiosks such as parking meters.
Private cellular LAN integration is vendor-dependent, as some offer only overlay solutions that are fully managed, others offer enterprise-managed LAN-integrated solutions, as well as everything in between.
The architecture and management model will also influence cost. For fully managed services there's obviously an ongoing subscription fee. With consumption-based models (like Amazon Web Services), customers pay based on the level of capacity and throughput.
Regardless of the pricing models, current solutions can be loosely categorized into parallel, overlay or integrated LAN solutions.
In this deployment model, there is no direct connection or integration between the private cellular network and the existing enterprise LAN. Traffic between the two networks would have to be routed externally. In this model, the cellular packet core is hosted and managed by the provider and is not located within the enterprise environment.
Within the realm of parallel solutions, the features and requirements may vary greatly. Some offerings are designed only for vendor-specific traffic (such as one offering from Motorola currently that prioritizes its voice and push-to-talk traffic only).
Considerations and variations in requirements for solutions deployed in parallel to the LAN include:
Depending on the solution, the packet core may be located within the enterprise environment, or it may be offsite and managed by the provider. Most overlay solutions will provide the RAN but rely on the enterprise's existing switching, routing, and Internet connections.
Considerations for overlay solutions include many of those covered previously in “Parallel to LAN,” and some items from the upcoming section on “Integrated to LAN” also apply.
In broad terms, with a cellular LAN solution, it may be integrated to the LAN in a few ways. And, more specifically, a fully featured solution will offer use of all integration options on a per-use case basis—similar in concept to how we're able to tunnel or bridge Wi-Fi traffic, except we're talking about the handoff between the cellular packet core and the LAN.
Currently available options to integrate the cellular LAN to the enterprise LAN include core handoffs that can:
One or more of these handoff techniques can be used based on the needs. Aside from the data paths, other integrations to the LAN and network services may include the following:
For solutions that are integrated, the level of integration will vary by vendor. Some may offer basic local handoffs, while others offer deeper integrations with network and domain services including RADIUS.
Figure 8.13 shows how cellular LANs can be integrated into the enterprise LAN including support for routing to/from the LAN, bridging to VLANs, and NAT.
As with all topics in this chapter, the status of private cellular is in flux almost daily and varies by region. The statements about service delivery models are generalizations based on what's in the market today:
Managed deployments may be fixed-fee models or based on consumption. Check the billing structure carefully, as some services include billing for data that stays within the enterprise.
Fully managed deployments are vendor-specific, and some may impact the options for integration into the enterprise LAN, offering only an overlay option. At least today, backhaul and fixed wireless solutions are most often provided as managed services.
Managed solutions range in level of touch and control. Some providers may not allow enterprise IT teams to manage or co-manage the cellular LAN or endpoints at all, while others offer more flexibility.
For enterprises that wish to manage their own infrastructure, the requirements vary by region. Some require license and certification for specific use cases. For example, deploying CBRS in the U.S. requires involvement from a CBRS Certified Professional Installer (CPI). The level of touch depends on whether the solution is deployed indoor or outdoor.
Private cellular technologies can run in licensed spectrum, unlicensed spectrum, and shared spectrum with different models:
As a comparison, public cellular (like your mobile phone) operates in licensed RF spectrums. Depending on the geographic region, private cellular may operate in licensed, unlicensed, or lightly licensed (shared) spectrum.
Specifically for CBRS, there are three tiers of access prioritization: incumbents, priority, and general. Incumbents are afforded the highest priority and include fixed satellite services, radar, and defense. Priority access licenses (PALs) are available for a portion of the dedicated spectrum. PALs are bid on regionally and those entities are given higher priority than general access (for that spectrum). General access is the level most used for localized cellular LANs and is everything else that isn't formally registered as incumbent or priority.
Since it's coordinated spectrum, to enforce the three access tiers CBRS includes a central coordination system called Spectrum Access System (SAS).
In many cases, cellular technology can offer specific advantages over other wireless. If you reflect for a minute on the different experiences you've had with mobile phones versus Wi-Fi, you'll begin to understand some of the advantages cellular connectivity might bring.
From an RF perspective, private cellular can offer more resilience and coverage than Wi-Fi. It can also operate at higher density, longer distances, and in harsher (RF) noise environments, making it ideal for certain applications. Plus, cellular has guaranteed QoS and SLA due to scheduling versus Wi-Fi's contention-based operation. This feature alone has a significant impact on the reliability of the connection and support for latency-sensitive applications.
Table 8.5 touches on a few technology comparisons of private cellular to 802.11 Wi-Fi technology. As always, there are many other factors to consider when deciding what wireless connectivity is best for a given use case. This information is selected to demonstrate the drivers behind moving some enterprise applications from Wi-Fi to private cellular or cellular LAN connectivity.
The details following Table 8.5 focus on comparisons of:
Table 8.5: Private cellular vs. Wi-Fi
FEATURE | PRIVATE CELLULAR | TRADITIONAL WI-FI |
---|---|---|
Coverage distance | Long, Kms (~25k sq ft / 2k sq m indoors; 1M sq ft outdoor) | Short, meters (~2k sq ft /180 sq m indoors and varies outdoor) |
Resiliency on RF | High resiliency | Medium-low resiliency, depends on network design |
Device identity and authentication | Inherent and mutual / SIM-based | Configured with services, profiling, authentication server, user login, passphrases, or certificates |
Device density | High | Low |
RF spectrum | Varies by region (dedicated 3.5 GHz CBRS band in U S ; shared/coordinated); some countries use public cellular licensed RF | 2.4 GHz, 5 GHz, 6 GHz |
RF interference impact | Low/limited, depends on spectrum | Medium-high; all Wi-Fi devices and others on spectrum above, including microwaves, Bluetooth |
Transmission scheduling | Coordinated and guaranteed | Contention-based using CSMA/CA |
Security | Native and integrated | Overlay, varies |
QoS | Integrated and configurable | Configurable, varies by Wi-Fi vendor and deployment |
Roaming & latency | Seamless, very low latency | Varies greatly by deployment and endpoint capability |
Access hardware | NodeB cellular AP | 802.11 Wi-Fi AP |
Supporting clients | Most phones, tablets, many laptops, growing number of handhelds and IoT devices, all tested for conformance and interoperability | All 802.11 endpoints (ideally Wi-Fi Alliance certified but remains optional) |
Traffic/data path | Depends on deployment and region but can be LAN -> WAN and/or ISP | LAN -> WAN and/or ISP |
There's a lot to unravel here, so let's look at a few of these comparisons and offer additional context. For readability, some topics in Table 8.5 will be consolidated and detailed together, and others are omitted from further explanation. The highlights are as follows:
We describe how well a wireless signal can be heard over the ambient noise floor in terms of decibels (dB), as a relative signal strength. The absolute power is defined in units of dBm (decibels relative to a milliwatt), which is a logarithmic (not linear) scale. Without boring you to death with RF math, in Wi-Fi we usually design for something in the neighborhood of –65 to –75 dBm, which gives us a net positive of around 15 dB signal above the noise floor.
Cellular technologies use small subcarriers, which means the endpoint can still receive and decode data with much weaker signals. By comparison, 4G/LTE coverage may be designed in the –95 to –110 dBm range. Both Wi-Fi 6 and LTE are using orthogonal frequency-division multiple access (OFDMA) modulation but applied differently. In addition, cellular clients can transmit at a higher power than Wi-Fi, meaning they can communicate farther distances from the radio.
The result is that a single 4G/LTE eNodeB (cellular AP) can cover three to four times the area as Wi-Fi indoors, and ten times the area outdoors. That's significant.
As an example, Figure 8.14 shows a vendor's budgetary network planner for a 500,000 sq ft convention center. This tool offers a rough estimate and doesn't take the place of a proper design, but the output estimates just 22 cellular APs, versus what would easily require over 125 Wi-Fi APs (and that's being very generous to Wi-Fi).
The combination of the spectrum interference, contention mechanisms (endpoints having to fight for airtime), and the often unpredictable behavior of endpoints render the resilience of Wi-Fi over the air quite volatile.
Conversely, private cellular technologies work in a less cluttered (at least for now) and a more strictly managed spectrum, include guaranteed scheduling of transmissions, enforce system-coordinated roaming, and (as described in the prior section) can operate effectively with much weaker signal strength. The system coordination extends to spectral efficiency as well; in cellular, the coordination by the cellular APs allows for spectrum re-use and very granular scheduling. This brings the added benefit of allowing for much denser endpoint populations in the same airspace and even on the same radio.
In Wi-Fi, if an endpoint doesn't have a user attached, we don't always know what it is—an especially daunting task with the insurgence of IoT in the enterprise. Simply identifying a device becomes a complex dance of profiling mechanisms and parsing network traffic from DHCP requests and/or mirrored ports. The level of assurance varies, and at best the IoT endpoints have an assertion of identity (most often based on MAC address), and rarely, if ever, true authentication. IoT endpoints that support device certificates are the rare exception.
Cellular technologies, public and private, use unique identifiers coded into the hardware and linked to a physical SIM or software-based eSIM. The identity is immutable, and private cellular endpoints are known and provisioned, meaning the enterprise knows exactly what something is without guessing. In addition, the unique device IDs along with cryptographic keys are used for mutual authentication between the cellular endpoint and the network.
Cellular technologies operate the other way around; the infrastructure is in control of when and how the endpoint connects, when it transmits, as well as when, how, and to where it roams.
That coordination is made possible by the mandatory RF feedback loop in cellular technology using channel quality indicator (CQI). These metrics let the cellular infrastructure know the RF conditions as experienced by the endpoint. That data allows the infrastructure to direct the endpoint to use the best client modulation through adaptive modulation and coding (AMC). The process can be compared conceptually to 802.11k and 802.11v in Wi-Fi with the understanding that client support of Wi-Fi protocols is optional and the experience inconsistent.
As you've probably learned through your journey with this book, Wi-Fi can get pretty dang complicated. Even on its best days, Wi-Fi networks will have collisions, congestion, and large variations in performance due to 802.11 contention mechanisms. Clients do what they want and often operate off-standard. Toss in the occasional monkey wrench of poor RF design, hidden node, and misbehaving clients, and it's a mess.
When it comes to roaming, the variability with Wi-Fi endpoints is just as troublesome. There are numerous standards and variations in endpoint support for Wi-Fi. Certifying devices (infrastructure and endpoints) with the Wi-Fi Alliance is purely optional, and even for vendors that pursue it, they may opt for the lowest requirements and not test and certify critical features such as Fast BSS Transition for secure roaming and WPA-Enterprise operation to support 802.1X.
In Chapter 4, in “Understanding Wi-Fi Design Impacts on Security,” we took a deep look at the roaming technologies in Wi-Fi and the supplemental protocols required to facilitate fast and secure roaming between APs on encrypted networks. That same section discussed at length the challenges with supporting both security and speed and the resulting common use of less secure networks to support low-latency applications.
Cellular has been designed to support voice and has inherent mechanisms for ensuring both QoS and seamless, low-latency roaming.
You'll also see references in cellular terminology to a packet core or mobile core. In private cellular LANs, this is a virtual or physical appliance that acts much like a Wi-Fi controller. It handles many functions like managing the cellular APs, authentication, routing, and applying QoS policies and access control policies.
Figure 8.16 offers a view of both an indoor and outdoor cellular AP. Very similar to Wi-Fi APs, most cellular nodes (or cellular APs) run on PoE and standard cabling. Unlike Wi-Fi the reach of private cellular is much greater, especially outdoors.
Endpoint adoption of the CBRS (band 48) in the U.S. has jumped significantly, and other regions of the world are following suit. To date, just some of the devices that support CBRS include Apple iPads; Dell, HP, and Lenovo laptops; Microsoft Surface devices; Panasonic rugged laptops; Zebra and other handheld scanners, and chipsets from Qualcomm.
For devices that don't natively support SIM, eSIM, or have private cellular radios, there are adapters that can be used with most IP devices to convert them to cellular endpoints.
Cellular brings several advantages in terms of security. Its inherent device identity offers the foundation required for data confidentiality and integrity. Looking back to the IAC (integrity, availability, and confidentiality) triad of infosec, cellular can help in all three aspects, and can do it natively, without requiring external products or services.
In the prior topics I've shared several bullets and explanations of the possible security benefits of cellular technologies. There are a few additional points and overarching themes to call out for private cellular LANs specifically.
Cellular LAN products can come pre-hardened, and most can offer added integrity through authentication of the system components to one another, natively—meaning the endpoints authenticate to the cellular APs (or NodeBs), which in turn authenticate to the core, which authenticates to a central management platform, if applicable.
Most private cellular deployments support the same AES-128 bit encryption comparable to WPA3-secured networks, with AES-256 on the near horizon—encryption comparable to the WPA3-Enterprise 192-bit, CNSA suite. In the Wi-Fi ecosystem, to get the same level of integrity and confidentiality requires the addition of NAC-type products, and/or a PKI infrastructure with device certificates.
Segmentation can be extended to or through the enterprise LAN, depending on the product and implementation. With integrated solutions, the cellular slice or segment can be carried through to the wired side and handed off to the LAN just like any other wired or Wi-Fi traffic, and segmentation can be preserved, changed, or modified at that point, based on policy.
The privacy statements are vendor- and deployment-dependent. Solutions offered by MNOs and/or as a fully managed service by a third party may have visibility into certain aspects of the data or metadata.
As with all hosted services, read and vet the provider's privacy statement that details how your organization's data privacy will be maintained, and whether the provider may be giving or selling data to third parties.
There are many types of IoT WAN technologies, and most fall into the low power WAN (LP-WAN) category. Cellular IoT technologies also fall in this bucket, but the private WAN technologies differ in their use of proprietary, non-standard, or unlicensed connectivity over long distances.
Private WAN technologies, like other LP-WANs, offer connectivity over coverage areas ranging from municipal- to nation-wide. I'm omitting the spectrums for these since they vary per region.
These and other LP-WANs are used to connect IoT devices including over longer distances, and specific use cases include:
Two private WAN technologies are Sigfox and LoRaWAN. I'm only providing a brief overview of these technologies because they (and the next topic of industrial automation) are a bit more of a niche than the other technologies here.
Sigfox enjoys a much larger client base in Europe than the U.S. and other parts of the world (see Figure 8.17). Among other challenges, in the U.S., the designated 900 MHz frequency is a bit crowded, and the FCC limits the time-on-air. Also, only one Sigfox network can be deployed in any area, which is limiting. Originally designed for unidirectional sensor communication, it has limited bidirectional support.
More information on Sigfox can be found at www.sigfox.com
.
https://lora-alliance.org
.Recapping, Sigfox is a service offering and a platform that's wholly owned, and the radio hardware is open source. Sigfox manages the network as a service (just like a carrier) and charges based on an OpEx model. LoRaWAN, on the other hand, offers a fully open ecosystem but only one hardware vendor, and unlike Sigfox, enterprises can build and operate their own LoRa network.
There are many other technical differentiators such as the modulation, bandwidth, encryption, and uni- versus bi-directional communication models.
LoRaWAN specifies encryption using AES-128 and offers some enhancements such as separation of authentication and encryption keys. On the other hand, Sigfox doesn't encrypt messages anywhere in its stack—something left to the customer to address.
Ready for more acronyms? Industrial automation technologies covered here fall into the low-rate wireless personal area networks (LR-WPAN) category—not to be confused with the LP-WANs just covered. And these are also based on the 802.15.4 layers 1 and 2, along with 6loWPAN, Thread, and Zigbee covered earlier in the chapter.
While all of these collectively fall into the industrial-IoT (IIoT) heading, the two mentioned here—WirelessHART and ISA100.11a—are particularly well-suited for industrial automation, the convergence of operational technology (OT) with wireless IT.
Industrial automation technologies are used for many industry 4.0 applications in a few primary categories, including:
WirelessHART is the protocol of choice for vendors such as Emerson, Siemens, and ABB, among others. ISA100.11a is mostly supported by Honeywell and Yakogawa.
Because of that, it's unlikely the wireless or network architect will be in the position to specify the protocol, but here are a few key differentiators to consider when securing these networks.
ISA100.11a doesn't define the full application stack and can therefore be extended to support Fieldbus, Profibus, HART, and other legacy protocols.
Another key differentiator is the use of IP protocols, with WirelessHART not using IP at edge devices, and ISA100.11a (like Thread) built on 6loWPAN and therefore IPv6 at the edge. And, although based on 802.15.4, both WirelessHART and ISA100.11a modified the layer 2 operations, meaning they're not strictly implementing the 802.15.4 standard.
Provisioning options are similar between WirelessHART and ISA100.11a, and both support a suite of security keys including join keys, network keys, and session keys. WirelessHART requires all keys, but ISA100.11a specifies join and session keys as optional.
The systems will ship with default keys to get started, but best practices entail creating new keys and exchanging them out-of-band to prevent eavesdropping and exposure of the keying information.
See Figure 8.18 and Figure 8.19 for WirelessHART and ISA100.11a architectures, respectively.
All of the IoT technologies mentioned so far have varying (but often overlapping) features and characteristics, such as the RF spectrum in use, the topology, whether they're IP-based or not, etc.
While the protocols, security features, and implementations of those technologies may evolve over time, their more static characteristics offer some long-standing guidance on considerations for securing these networks.
Following is a brief overview of the considerations for IoT and non-802.11 wireless as it relates to:
The rainbow of wireless connectivity standards ranges from sub-1 GHz up through 50 GHz and beyond. Most of the technologies covered here operate in the 800–900 MHz (~400 MHz in some parts of Asia) to 2.4 GHz (802.11, 802.15.4, and Bluetooth), 3.5 GHz (CBRS and other private cellular), 5 and 6 GHz (802.11), and other cellular spectrums with 5G.
And of course, these spectrums range from licensed to unlicensed (such as 802.11 and 802.15), and everything in between with the shared spectrum (lightly licensed) CBRS space in the U.S.
The same principles covered in Chapter 7 in the section “Security Monitoring and Tools for Wireless” apply here. For security monitoring over the air, the tools must have visibility into that spectrum. Whether a narrow or wide band sensor is used, it needs to cover the spectrum(s) in scope, and of course, multiple sensors can be used as appropriate for varying location and radio needs.
Connectivity models here range from very localized personal area networks (PANs) to local area networks (LANs), and metropolitan and wide area networks (MANs and WANs). Coverage models for IoT devices include:
PANs and LANs are easily monitored and managed due to their localized nature, while MANs and WANs present a bit more of a challenge.
Security considerations for coverage models include the impact on:
As always, over-the-air monitoring means security sensors must be in proximity to the assets to be monitored (in addition to requiring appropriate radios). For PANs and LANs in the enterprise environment, it's easy because if you have Wi-Fi APs, you have a tool for at least some basic monitoring. For those longer-range MAN and WAN deployments, depending on the nature and criticality of the network, security monitoring may be desirable; in those cases, the tools in Chapter 7's topic of “Spectrum Analyzers and Special-Purpose Monitoring” offer a few options.
For provisioning, updates, and general manageability of the endpoints, the accessibility of those devices is also a factor. Again, PANs and LANs are going to be easier than, for example, a sensor that's buried a meter under soil 10Km away, or a pressure sensor embedded in a bridge. Consider the accessibility in planning ongoing maintenance, and if endpoints aren't accessible after deployment, plan for contingencies up front.
Aside from your ability to access an endpoint for maintenance, consider accessibility of the device by an adversary. If someone were to get his or her hands on one or more endpoints, consider what risk that poses, and plan for mitigations prior to deployment.
Across the half dozen or so groups of technologies presented, some use IPv4 addressing at the edge, others IPv6, and still others use none at all:
Whether endpoints are IP-capable or not usually speaks to their other capabilities in terms of memory and processing—features that impact their ability to perform computations for encryption and decryption, and to store multiple keys. The result is that, while a specification may define options for multiple levels of keys, the implementation may reduce or eliminate keys, or downgrade to a lesser protocol during provisioning/pairing or encrypting. Thus, the IP stack (or lack of) will often influence security decisions related to:
Technologies that don't have IP addressing at the endpoints will require a translator gateway device to convert data to IP-routable packets for connection beyond the local network. By virtue of them being the Internet of Things, IoT devices will at some point require IP connectivity. Translator gateways can introduce both a point of failure and a point of vulnerability.
The protocol(s) in use will, of course, impact the specific vulnerabilities and threats for the devices as well. While many translate, IPv4 attacks vary from IPv6, and non-IP-based attacks use different tools and tactics. Conversely, for security monitoring tools, visibility into IoT devices is usually easier with IP-based communications.
The network topology is another security consideration. Networks described here are sometimes IP local connected, directly connected to the Internet, connected via a translator gateway, and/or mesh—with the note that mesh is not mutually inclusive or exclusive of the other three. And some technologies support more than one topology.
The data path of any communication will, by necessity, impact the security architecture. As with prior bullets, security monitoring and policies are well equipped to monitor and control local IP-based traffic. It's a trickier task for endpoints that directly connect to the Internet, and for technologies that communicate on non-IP protocols and require translation. The provisioning processes and security of the devices is also influenced by the connectivity method.
Non-IP networks that require a translator gateway, as mentioned earlier, present both a point of failure and point of vulnerability. Additional monitoring may be required for these infrastructures.
In addition, mesh topologies introduce additional considerations for both system resiliency and availability and security. Mesh uses the endpoint devices as routing hops, and the exact functions vary by protocol and implementation. Where, how, and when data is pushed through the mesh is a factor in securing mesh—how the data is encrypted, by what keys, and when is a critical piece of information. The time-to-live or hop maximums also factor into the equation for availability and throughput. How trust and peering in a mesh is established is another consideration.
Topology impacts security considerations primarily related to:
The four preceding topics have captured most of the factors impacting decisions around securing IoT devices, and specifically non-802.11 devices.
Those are summarized here in brief:
In addition, there are just a few additional observations of current IoT security operations not included in the preceding bullets:
Well, we made it! Here we are at the very end of the last chapter of the book.
There's been a lot of content delivered in these eight chapters, and I truly hope you've found at least a few nuggets of useful information. Realizing this book has delivered an entire tour of information security concepts, roles, risk and compliance, technical controls, planning guidance, and a journey through IoT and other emergent trends, I'm taking this opportunity to recap the most significant points I hope you'll take away:
And as for the recommendations for designing and maintaining secure wireless networks, here are takeaways by chapter.
As always you can find me online at www.securityuncorked.com
and www.viszensecurity.com
.
Until the next book—so long, and thanks for all the fish.
18.222.177.10