Security functions

An edge router or gateway fulfills another important role by providing a layer of security between the WAN, internet, and the underlying PAN/IoT devices. Many devices will lack the necessary resources, memory, and computational power to provide robust security and provisioning. Whether the architect is building their own gateway service or purchasing one, the following list of features should be considered to secure IoT components.

Firewall protection is the most basic form of security. There are two basic forms of firewalls for telecommunications. The first is a network firewall, which filters and controls information flow from one network to another. The second is a host-based firewall, which protects applications and services local to that machine. In the case of IoT edge routers, we focus on network firewalls. By default, a firewall will prevent certain types of network traffic from flowing into a firewall-protected zone, but any traffic originating within that zone is allowed to flow outward. A firewall will find and isolate information based on packets, states, or applications, depending on the sophistication of the firewall. Typically, zones will be created around network interfaces, with rules designed to control traffic flow between zones. An example would be an edge router with a guest Wi-Fi zone and a corporate private zone.

A packet firewall can isolate and contain certain traffic based on the source or destination IP, ports, MAC addresses, IP protocols, and other information contained in the packet header. A stateful firewall operates at layer four of the OSI stack. It gathers and aggregates packets, looking for patterns and state information such as new connections versus existing connections. Application filtering is yet more sophisticated in that it can search for certain types of application network flows, including FTP traffic or HTTP data.

A firewall can also utilize a demilitarized zone (DMZ). A DMZ is simply a logical zone. A DMZ host is effectively not firewalled, in the sense that any computer on the internet may attempt to remotely access network services at the DMZ IP address. Typical uses involve running a public web server and sharing files. The DMZ host is usually specified by a direct IP address.

Port forwarding is a concept that enables certain ports behind a firewall to be exposed. Several IoT devices need an open port to provide services that are controlled by cloud components. Again, a rule is constructed that allows a specified IP address within the firewalled zone to have an exposed port.

Both DMZs and port forwarding open ports and interfaces within an otherwise protected network. Caution should be exercised to ensure this is the intention of the architect. In a mass IoT deployment with many edge routers, a generic rule to open a port may be useful for one location but a significant security risk for another. Additionally, keeping an audit of DMZ hosts and open ports should be a security process, as network topology and configurations change with time. A DMZ that is appropriate at one point in time could become an open hole in the network's security later.
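As an added example (not from the book), the following Python audits the DMZ and port-forwarding exposure described above across a constructed fleet of edge routers and diffs two audits taken at different times; the router config format, site names, addresses and the risky-port list are assumptions.

```python
"""Audit DMZ hosts and port forwards across a fleet of edge routers.
Added example, not from the book. Router configs are constructed sample
data in a hypothetical dict format, not any real gateway's syntax."""
from collections import Counter

# Constructed fleet snapshot. "dmz" is the DMZ host IP or None;
# "forwards" are (wan_port, internal_ip, internal_port) rules.
FLEET = {
    "site-a": {"dmz": None, "forwards": [(8883, "10.0.1.20", 8883)]},
    "site-b": {"dmz": "10.0.2.50",
               "forwards": [(8883, "10.0.2.20", 8883), (23, "10.0.2.30", 23)]},
    "site-c": {"dmz": None, "forwards": [(8883, "10.0.3.20", 8883)]},
}

# Ports whose WAN exposure is rarely intended on an IoT gateway
# (cleartext or legacy admin services); assumed list for the example.
RISKY_PORTS = {21, 23, 80}


def exposed(routers):
    """Map router -> set of WAN-reachable entries such as ('dmz', ip) or
    ('fwd', wan_port, 'ip:port'). This is the audit record worth keeping."""
    out = {}
    for name, cfg in routers.items():
        entries = set()
        if cfg["dmz"]:
            entries.add(("dmz", cfg["dmz"]))
        for wan_port, ip, int_port in cfg["forwards"]:
            entries.add(("fwd", wan_port, f"{ip}:{int_port}"))
        out[name] = entries
    return out


def audit(routers):
    """Return (router, message) findings: DMZ hosts, forwards on risky
    ports, and a WAN port forwarded on every router (a generic rule that
    may suit one site but not all of them)."""
    findings, port_sites = [], Counter()
    for name, entries in exposed(routers).items():
        for e in entries:
            if e[0] == "dmz":
                findings.append((name, f"DMZ host {e[1]} is fully reachable from the WAN"))
            else:
                port_sites[e[1]] += 1
                if e[1] in RISKY_PORTS:
                    findings.append((name, f"WAN port {e[1]} forwarded to {e[2]} (risky service)"))
    for port, n in port_sites.items():
        if n == len(routers):
            findings.append(("fleet", f"WAN port {port} forwarded on all {n} routers; confirm each site needs it"))
    return findings


def newly_opened(before, after):
    """Entries exposed in the later audit but absent from the earlier one."""
    return {r: after[r] - before.get(r, set())
            for r in after if after[r] - before.get(r, set())}
```

Re-running `exposed()` on each configuration change and feeding the snapshots to `newly_opened()` turns the audit into the ongoing process the text calls for rather than a one-off check.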