While the debate rages on whether SSL everywhere is necessary and/or good for the Internet, the number of sites and services supporting SSL and TLS encryption continues to soar. The focus of the SSL Everywhere debate has centered on typical browser-based web applications and mobile apps, but the Internet of Things (IoT) is also increasingly encrypting communications by default. IoT devices and services aren’t confined to smart thermostats and other home automation gadgets.
In the enterprise, copier/printers, security sensors, and the variety of gadgets employees bring to the office are just a few examples of how the IoT trend is invading corporate offices everywhere. If all of them merely connected to WiFi and used HTTP-based API calls to communicate to their Internet-based services, then we could apply existing expertise in monitoring outbound web-traffic. However, these devices use everything from WiFi and LTE to Bluetooth, NFC, RFID, and Zwave technologies to communicate.
Any of these devices and services could be inadvertently sharing sensitive data about our organizations and infrastructure. New technologies are emerging to monitor the airwaves in the office for unauthorized wireless communications. For services we do authorize to communicate outbound, we must re-evaluate capacity-planning in many key points of the infrastructure. While the communication from such devices are likely to be lightweight, IoT devices are often communicating 24×7, and cause stress to Internet links in larger offices. Additionally, any security sensors such as Next-Gen Firewalls (NGFW), Intrusion Detection Systems (IDS), and Secure Web Gateways (SWG) will need to be instrumented and scaled to support the inspection of these new outbound communications where possible.
For outbound IoT communications which observe standard protocols such as TLS-encrypted HTTP, traditional IPS, NGFW, and SWG solutions are useful for inspection and enforcement of security policy. The performance profiles for TLS decryption can be very different, since API calls are short-lived and TCP connections aren’t left open. Profiling the traffic behavior is vital to ensuring that the IoT devices don’t overrun the capacity of your existing inspection solutions, particularly where decryption and TLS-handshaking is concerned. In addition, there are many wired and wireless network access control solutions to prevent rogue IoT devices from being joined to the LAN.
There is an emerging industry for inspecting non-HTTP protocols employed by IoT devices ranging from home automation to full-blown industrial control systems (ICS), which may also be encrypted at transport or message levels. The other concern is detecting communications over non-Ethernet wireless protocols ranging from cellular to Bluetooth to NFC and more that do not require LAN access. How do we detect data-leakage via systems connected in this fashion? Is it possible to restrict or ban these sort of devices, and enforce that policy, as well?
Just as technology solutions evolved to make personal smartphones and BYOD possible to secure and enforce, the IoT trend will drive the creation of new technology solutions. One such company is Bastille (www.bastille.io) who announced a solution capable of monitoring radio frequencies for rogue IoT devices at the RSA Conference this year. It will be interesting to see the the information security community adapt to yet another set of technologies, protocols, and solutions in an attempt to establish enforceable security policies for the Internet of Things. With the skills shortage in infosec already stretching organizations thin, will IoT security be something we can even consume operationally?
As a Senior Security Solutions Architect at F5 Networks, Brian McHenry focuses on web application and network security. McHenry acts as a liaison between customers and F5 product teams, providing a hands-on, real-world perspective. He is a regular contributor on InformationSecurityBuzz.com, a co-founder of BSidesNYC, and a speaker at AppSecUSA, BC Aware Day, GoSec Montreal, and the Central Ohio Infosec Summit, among others. Prior to joining F5 in 2008, McHenry, a self-described IT generalist, held leadership positions within a variety of technology organizations, ranging from startups to major financial services firms.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.