I Dream of IoT/Chapter 7 : IoT and Security

Introduction to IoT security
The Internet of Things (IoT) can be describe as the interconnection between various uniquely identified stand-alone and embedded computing devices that can automatically transfer data over a network. IoT has the potential to make people’s lives easier by allowing virtual environments, objects and data to be connected with each other and leting people to live with greater efficiency. However, with the increase in number of IoT-enabled devices, there are increasing challenges for these systems to provide a high level of security for users. IoT networks are managed with different priorities in mind, and each has distinct security needs. The priority of the IT network is to protect data confidentiality. The focus of the IoT network is on physical security and secure access to ensure proper and safe operation. As such, several security issues must be addressed when it comes to living the "smart" life.

Network-layer security
Generally, network-layer security with IoT typically involves security mechanisms for resource-constrained sensing applications and devices that provide an important contribution via its integration with the internet. In this context we target the design and experimental evaluation of security mechanisms for communications at the network layer with sensing devices (smart objects) using the standard IPv6 protocol. Although it is certain that not all smart objects on the IoT will have the capability or will be required to support IPv6, the availability of secure end-to-end communications at the network layer with other sensing devices or with internet hosts may enable a much richer integration of sensing applications with the internet. It may also enable new types of sensing applications where smart objects are able to cooperate remotely and securely using internet communications. There are differences between security at the network level and security at the transport level. Both are general-purpose which means they function independent of the layer. At the network layer, the IPsec is not specific to TCP, UDP and other protocols above IP. This makes IPsec more flexible and able to operate at a higher layer because it is transparent to the end user and application via what is called "blanket coverage." As such, we do not need to change software on a user or server system when IPsec is implemented on a firewall or router. We also do not need to train users, issue keying material on a per-user basis or revoke keying material when users leave the organization. On the transport layer, the TLS (Transport Layer Security) works for its application of HTTP, FTP and SMTP, but not for TCP.

Securing TCP connections
TCP/IP (Transmission Control Protocol/Internet Protocol) is a common way that computers of all types communicate with each other. TCP/IP applications are well-known and widely used throughout the "information highway." TCP works with the Internet Protocol (IP), which defines how computers send packets of data to each other. Together, TCP and IP make up the basic rules defining the Internet.

Use packet rules to secure TCP/IP traffic
Packet rules, which represent the combination of IP filtering and network address translation (NAT), act like a firewall to protect an internal network from intruders. IP filtering controls what IP traffic to allow into and out of the network. Basically, it protects a network by filtering packets according to rules that it defines. NAT, on the other hand, was allowed to hide unregistered private IP addresses behind a set of registered IP addresses. This helps to protect internal networks from outside networks. NAT also helps to alleviate the IP address depletion problem, since many private addresses can be represented by a small set of registered addresses.

SSL and TCP/IP
Secure Socket Layer (SSL) and Transport Layer Security (TLS) is the most widely deployed security protocol used today. It is essentially a protocol that provides a secure channel between two machines operating over the internet or an internal network. In today’s internet-focused world, the SSL protocol is typically used when a web browser needs to securely connect to a web server over the inherently insecure internet.

Technically, SSL is a transparent protocol which requires little interaction from the end user when establishing a secure session. In the case of a browser, for instance, users are alerted to the presence of SSL when the browser displays a padlock, or, in the case of Extended Validation SSL, when the address bar displays both a padlock and a green bar. This is the key to the success of SSL since it is an incredibly simple experience for end users.

Example application with SSL: "Toy SSL," a simple secure channel principle
 * Handshake: Alice and Bob use their certificates and private keys to authenticate each other and exchange shared secret
 * Key Derivation: Alice and Bob use shared secret to derive set of keys
 * Data Transfer: Data to be transferred is broken up into a series of records
 * Connection Closure: Special messages to securely close connection

WLAN Security
A wireless local area network (WLAN) is used in many sectors. WLAN remains popular because of its many advantages, including:


 * installation flexibility;
 * mobility;
 * reduced cost of ownership;
 * scalability; and
 * ease of installation.

However, regardless of the benefits, WLAN has its share of security issues. To protect a WLAN from threats like denial of service (DoS), spoofing, and session hijacking and eavesdropping, Wired Equivalent Privacy should be used.

Wired Equivalent Privacy
Wired Equivalent Privacy (WEP) is a standard encryption type for wireless networking. It is a user authentication and data encryption system from IEEE 802.11 used to eliminate security threats. Basically, WEP provides security to WLAN by encrypting the transmitted information over the air, so that only the receiver who possesses the correct encryption key can decrypt the information.

How WEP works
WEP utilizes a secret key called the “base key” that includes the RC4 encryption algorithm and the CRC-32 (Cyclic Redundancy Code) checksum algorithm as its basic building blocks. WEP tries to achieve its security in a very simple way: it operates on MAC Protocol Data Units (MPDUs), the 802.11 packet fragments. To provide the security of the data in an MPDU, WEP first calculates an integrity check value (ICV) over the MPDU data. This value is the CRC-32 of the data. WEP adds the ICV to the end of the data, growing this field by four bytes. With the help of the ICV, the receiver is able to detect the data of outright forgery and changes during the broadcast. Next, WEP selects a base key and an initialization vector (IV), which is a 24-bit value. WEP determine a per-packet RC4 key by combining the IV value and the selected base key. WEP then uses the per-packet key to RC4, and encrypt the data and the ICV.

Tools for protecting WLAN
AirDefense: This is a WLAN intrusion protection and management system that detects network vulnerabilities, detects and protects a WLAN from intruders and attacks, and supports in the management of a WLAN. Isomair Wireless Sentry: This observes the air space to identify insecure access points (AP), security threats and wireless network problems. Isomair Wireless Sentry is using an Intelligent Conveyor Engine (ICE) to passively observe wireless networks for threats and inform the security managers when these occur. It is a completely automated system and is centrally managed.

Firewalls and intrusion detection systems
IoT is a representation of the globalization in our life. From smart refrigerators to smart clothes, IoT devices promise to make our daily lives more practical, though operational security is of the utmost concern. Operational security involves the analytical part of a process and differentiates the information asset. It also controls the assets or data that go through their respective journey in a networked world. There are two types of operational security that are very well known: the firewall and the intrusion detection system. Both are designed to prevent unauthorized access between computer networks.

In this task, the firewall provides a simple and effective security layer for smart devices. The engineer builds this security system in to prevent our data from being corrupted or lost by unauthorized access. The floodgate design is often used to protect the smart device through firewalls. It carries with it a small footprint and low CPU processing. It provides static filtering, threshold-based filtering, and SPI to protect embedded devices from internet threats. Even though the smart device is secured with encryption and authentication, there are still exposed by external attack since they use a wireless system.

The intrusion detection system (IDS) is necessary for smart device to prevent intrusion from inside 6lowPAN networks (IPV6 over low power wireless personal area network) or from the internet. For example, Raza et al. disucss SVELTE, designed to protect an IoT system from being attacked, routing attacks of those using spoofed or altered information, sinkholes and selective forwarding. Their prototype doesn't function at 100 percent but shows promise. This product is small and can benefit notes with limited energy supply and memory capacity.

Conclusion
IoT has great potential for the populace as well as business, but it doesn't come without risk, requiring a great deal of thought, planning and action. Information security organizations must begin preparations to transition from securing PCs, servers, mobile devices and traditional IT infrastructure, to managing a much broader set of interconnected items incorporating wearable devices, sensors and technology. Therefore, network security teams should take the initiative to look for the best practices to secure these emerging devices and be prepared to update risk issue and security policies as these devices make their way onto enterprise networks.