Ask Slashdot: Could A 'Smart Firewall' Protect IoT Devices?
To protect our home networks from IoT cracking, Ceaus wants to see a smart firewall:
It's a small box (the size of a Raspberry Pi) with two ethernet ports you put in front of your ISP router. This firewall is capable of detecting your IoT devices and blocking their access to the internet, only and exclusively allowing traffic for the associated mobile app (if there is one). All other outgoing IoT traffic is blocked... Once you've plugged in your new IoT toaster, you press the "Scan" button on the firewall and it does the rest for you.
This would also block "snooping" from outside your home network, and of course, keep your devices off botnets. The original submission asks "Does such a firewall exist? Is this a possible Kickstarter project?" So leave your best answers in the comments. Could a smart firewall protect IoT devices?
Sonicwall (Dell) for instance - they have an Application Control filter that works and can identify specific traffic.
Ideally, there should be a profile/manifest IoT makers have as standard with their devices. This shows what incoming/outgoing ports and hosts the IoT device communicates with. Everything else should be blocked as default from the router. This should be in some central registry or a standardized URL system, so a home firewall could, once it recognizes a certain IoT device, grab a profile and run with it.
Of course, a lot of IoT makers would just put in that the device takes incoming/outgoing traffic from anything and everything, but hopefully there might be some makers who give a shit enough about security to put in limits of what their devices can and do not try communicating with.
This way, a firewall, once it registers a device can automatically apply a profile and call it done. Of course, there are security issues, but this is a giant step forward, compared to letting the device have unfettered access in and out.
All you really need is... some rules.
If you have an openwrt, dd-wrt or similar router, you can definitely block whatever traffic you want without new hardware.
You can whitelist devices by IP or MAC and not permit anything else to generate egress traffic, which won't prevent against devices smart enough to spoof your IP and MAC sending data but which will defeat the casual attacks.
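The manifest idea a few comments up and the MAC-based whitelist here are the same thing from two ends: a per-device description of what may leave the network, turned into default-deny egress rules. The following is an added example, not from the original thread or any vendor; the manifest layout, chain name, interface names and the TEST-NET addresses are assumptions, and it only emits the iptables commands rather than applying them.

```python
from ipaddress import ip_network
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample manifest: the destinations each device is allowed to reach.
# Addresses are documentation ranges (TEST-NET), not real vendor hosts.
MANIFEST = {
    "toaster": {
        "mac": "AA:BB:CC:00:11:22",
        "allow": [                            # (destination network, protocol, port)
            ("203.0.113.10/32", "tcp", 443),  # vendor cloud API
            ("203.0.113.0/24", "udp", 123),   # vendor-run NTP
        ],
    },
    "webcam": {
        "mac": "aa:bb:cc:33:44:55",
        "allow": [],                          # LAN-only device: no egress at all
    },
}


def build_rules(manifest, lan_if="br-lan", wan_if="eth0"):
    """Return iptables commands implementing a per-device egress allowlist.

    Traffic forwarded from the LAN to the WAN is matched by source MAC.  Each
    device may reach only its manifest entries; anything else it sends is
    logged and dropped.  Devices absent from the manifest never match a MAC
    rule, so they fall through to the router's normal FORWARD policy.  DNS to
    the router itself is INPUT-chain traffic and is not touched by these rules.
    """
    rules = [
        "iptables -N IOT_EGRESS 2>/dev/null || iptables -F IOT_EGRESS",
        f"iptables -I FORWARD -i {lan_if} -o {wan_if} -j IOT_EGRESS",
    ]
    for name, dev in manifest.items():
        mac = dev["mac"].lower()
        if not MAC_RE.match(mac):
            raise ValueError(f"{name}: malformed MAC {dev['mac']!r}")
        base = f"iptables -A IOT_EGRESS -m mac --mac-source {mac}"
        for net, proto, port in dev["allow"]:
            if proto not in ("tcp", "udp"):
                raise ValueError(f"{name}: unsupported protocol {proto!r}")
            if not 0 < int(port) < 65536:
                raise ValueError(f"{name}: bad port {port!r}")
            net = ip_network(net)  # rejects malformed prefixes such as 203.0.113.1/24
            rules.append(f"{base} -p {proto} -d {net} --dport {port} -j ACCEPT")
        # Default-deny for this device, with a log line the owner can review.
        rules.append(f"{base} -j LOG --log-prefix 'IOT-DENY {name} '")
        rules.append(f"{base} -j DROP")
    return rules


if __name__ == "__main__":
    print("\n".join(build_rules(MANIFEST)))
```

A MAC match only defeats devices that do not spoof their address, as the comment notes; it is still a big step over unfettered egress.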
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Like locking lug nuts are a black people problem?
We have the Cujo appliance, which seems to catch bad network traffic, and Fing has a Kickstarter/Indiegogo hardware project in the works to go with the Fing software.
Greg Raven
As long as there's any left, I'll take mine first.
https://en.wikipedia.org/wiki/...
09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
No
How about an IoT device not be considered internet ready until it is fully secure in and of itself.
I'm pretty sure that this "smart firewall" is more commonly known as a "firewall". Any firewall that can't block traffic can't legitimately be called a firewall at all.
No, I think people of all ethnic persuasions could have this issue. Bravo for bringing race into it, do you have any particular list of people you want to express outrage for on their behalf? Because no, they can't speak for themselves. This white devil here forgot to check his privilege on the way in, I am so sorry about that.
Sounds like you want to spin up a managed security provider for home users, to manage their gateways. It's been tried before, but not enough people want to pay for it. Much easier and more economical to just get large ISPs to do it. All we need is the right leverage. As Bruce Schneier observed, it is in part a problem because the device manufacturers and the home users really don't have a strong motivation (yet) to do anything.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
As is so frequently the case, you're trying to solve a social problem with a purely technical solution. Would such a device work? Of course. Would many of the dozens of existing router products work, if properly configured? Yes. Does any of this matter? No. People don't care what devices on their network are doing as long as they appear to mostly be doing what they want. If they're doing other things, people are completely oblivious, and get petulant if you point out their ignorance.
The only market-driven solution is for Apple to make an IoT router and instruct all their fanboys to buy it for $400. ($600 for the gigabit capable one.)
The only real solution is the same as for every other tragedy of the commons. But that requires a competent legislature interested in doing its job, rather than a rabble of moronic sycophants of industry only competent at being elected.
not plugging your fucking toaster into the internet so it can tweet out whenever your toast is done.
One of the things I do for a living is write firewall policy. We use Palo Alto gear, which seems to be some of the best available at automatically identifying what stuff is.
Even with a company like that behind the gear spending a lot of time and money keeping things up to date, it doesn't know about every little thing it sees.
Another challenge is that this device would need to be able to do SSL forward proxy for everything, or all it will know is there's an ssl connection to somewhere (although you can use information in the server cert to make further guesses). That means somehow getting a signing cert onto the device that all of the IoT things trust. Good luck.
Yes it's just a firewall.
The smart part would be it only acts as a firewall for IoT devices (webcams, toasters, receivers) - basically anything with embedded networking that the user would not think to monitor. And it would know what app traffic to allow to connect to the device externally...
Someone like you or me can easily just configure a firewall to do whatever. But such a device would be great to be able to point non-technical (or even technical but uninterested in networking) friends and family at.
I don't know how you could have anyone non-technical be able to easily add this to an existing network though...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Such a device could turn IoT device connectivity into an on-demand VPN only setup.
Of course, having to fire a VPN client before interacting with the IoT device would be a hassle, but perhaps that could be made automatic. Another problem is that some IoT devices are useless if not connected to the cloud.
Mexico's gonna pay for it
Good lord. I hope the diamonds in your ass don't hurt on the way out. http://www.hulu.com/watch/3170...
Another option is to make IoT devices capable of working inside a LAN without having to communicate with an external cloud server. There are very few IoT devices that couldn't provide near 100% of their functionality without ever having to talk outside your local network.
Develop some IoT devices that can do that and that can gracefully handle it when it loses all communication (e.g., your thermostat should still work), and prepare yourself to take the market by storm. There are a lot of people out there looking for smart devices that don't work worse than their existing ones. As a nice bonus, the problem of IoT botnets becomes a lot easier to solve.
I don't have an "ISP router". I have a customer owned cable modem hooked up to a customer owned router. The desired functionality could be built into either device and both devices could be in the same device, but I find it more effective for diagnostic and replacing for them to be separate.
The only home security or really security model anywhere that makes sense long term is the assumption that your network is hostile and insecure, be it your home network or your corporate network. It is sad, but that seems where we are going. Every device on the network is going to have to navigate through the web of trust/encryption/etc to get anything done, and this is going to require everything to be up to date, else it will be kicked off.
As far as IoT appliances go, I can't really see a way around many of them having periodic updates, possibly via a paid subscription. Sure on some of them you might be able to firewall off and limit enough, but it is still a pretty big risk if they are connected in some manner.
So can a smart firewall help? Sure. I wouldn't call it the solution though. There is no such thing. What is sufficient one day may not be sufficient tomorrow. If people want actual privacy, well, don't put it online is the best advice, but if you must, make sure your defense in depth strategy is good and then hope for the best. No firewall is going to be enough, at least if the attacker is determined and skilled. Limiting IoT devices will help, since at least you limit how easy it is to get a compromised node behind your firewall, but, as mentioned, at some point you pretty much have to assume that your network is compromised and defend against it.
The real problem is not figuring out how to design such defenses. We can do that. How do you design such defenses to be easy to use, particularly on the devices that do have a mixed role?
At the moment, I can't see an alternative to just trusting in someone's walled garden, at least for the average user. For instance, Apple could make all the devices and then handle the security and updates between them all, and then offer users a certain level of confidence that their systems are safer than most...
Untangle is a robust, featureful gateway/router/firewall/dhcp, wrt-like product. To block your IoT devices: enable Captive Portal (Captive Portal is used by most hotels and coffee shops. You give access to the local intranet but require the user to click accept on a website).
Once Captive Portal is enabled, all your IoT devices are given access to your network but not the internet.
If the device still needs access to the internet, you can analyze and filter selectively, but I would tread carefully.
Absolutely correct!
There are several ways to use existing router features to do this. A few steps, a few minutes work.
Sadly, most are too ignorant to implement them.
Basically, how to get the unwashed masses to learn to implement them.
How many devices and pieces of software use multiple servers, cloud hosting (aws, etc), different ports, push json to where ever the hell. This will never work unless the firewall is built to auth to the services itself or some higher level inspection...which means a bigger cpu. Also, inspection of https or any TLS traffic is something still hard/different to do. You gonna install a root cert on your smart TV?
I don't think IP/Protocol/Port filtering is enough. Seems we need DPI filtering and security context supplied by the sending device. How do you keep IoT USB devices running on Windows 10 honest? Or even Windows 10 for that matter!
As a guess: more telemetry from networked devices, smarter packet filtering, complex rule configuration from expert sources.
I'd recommend Endian Firewall. It could accomplish this quite easily, and it's simple to set up.
Let's make like a bird... and get the flock outta here.
What you're describing is essentially an Intrusion Detection System.
Something about these recent DDoS attacks originating from IoT has always bothered me. And I think it's that many of these vulnerable IoT devices are already behind firewalls from the open internet. I'd wager that most people's thermostats, smart lights, sprinkler systems, etc are all attached to their local WiFi, not the open Internet. So the question is, how were these devices compromised? I've not read anything on the internet that explains this, other than lists of default usernames and passwords. So I'm left with the conclusion that most IoT devices are hacked probably by malware on the local LAN from existing desktop computers. And the compromise occurs over services that are purposely exposed to the LAN, like a web interface. Of course compromised IoT devices then seek out and attack other IoT devices.
But the point I'm getting at is that a firewall just isn't going to stop this from happening, since the exploited services are open to incoming connections (from the LAN) by design. Obviously a device on the open internet is stupid and needs to be firewalled. But on your LAN a custom little smart firewall is not going to do squat.
Only when vendors take security seriously, stop using default passwords, and actively try to stamp out security flaws in the software itself, such as buffer overruns, cross-site scripting flaws, or database injection, will IoT devices cease to be vulnerable. But I have my doubts these devices will ever be secured.
hashtag smart iptables config is better than stupid iptables config
hashtag firewalls never stopped mattering
hashtag so you really want to know how sausage is made with tcpdump
hashtag what is old is new again
hashtag whatever happened to tripwire
hashtag why won't my isp let me run an irc server at home
90+% of smart/IOT devices would be better off burned, or recycled if you are feeling environmentally friendly. The management cost in time and effort to make them safe is higher than the benefit, and the smarter and more auto-magic your firewall is the more complexity it will add to manage. This is like suggesting that the solution to too heavy is more lead weights.
So how about some people start posting step by step instructions on how to do this? If there are flaws in the setup, someone can say so.
I have exactly four items that connect to the internet, my laptop, roku, wii and iPhone. I'm not connecting my lightbulbs, outlets, fridge, thermostat or any other ridiculous crap.
SJWs are the new boogeyman. -Me
UPNP opens holes in your firewall at the request of devices behind it. Turn off UPNP on your router. Problem solved.
I spent considerable time trying to get different IoT vendors interested in integrating firewalls into their IoT device software.
Integrating the firewall inside the IoT device makes the most sense, since it prevents cross traffic from intruding on the device. If you have 10 IoT devices and an IoT gateway, then once a device gets compromised, they could all get compromised.
My suggestion was to create a firewall on the IoT (a very small basic one ), implement an accurate clock on the IoT device, and use ssh tunnels and shimmer to connect to the remote websites for the individual IoT devices. Shimmer or port knocking would allow only the remote website and the device to communicate. This is something being worked on in military networks where systems instead of just changing ports, they change IP addresses and services in a seemingly random fashion making it a moving target and hard to find. Implementing a moving DNS for services and moving IP addresses in accordance with an encryption algorithm.
My idea was to make this port knocking so that not only would there be a moving port, but it would also integrate a trained neural network that would detect intrusions by the failures to properly communicate with the right port. Think of it as a series of buckets: good and bad packets would drop into each bucket, but it would be readily apparent when a series of buckets has bad or forged packets in them.
Of course, you still have the problem of the real internet gateway becoming compromised or the remote web server that the IoT device communicates with becoming compromised.
The problem with this method is it has to fit on the IoT device in the space of like 2kb. Contact me if you want to talk more Iot.Firewall@mail.com
the manufacturers would have to provide, in some form, what their devices are supposed to be able to connect to, so that the firewall can block it from connecting to everything else.
In other words, manufacturers would have to admit how extensively their devices spy on you, and phone home with it, and open themselves up to easy consumer monitoring of what their devices send back.
I'm not holding my breath.
My IoT switches are Z-wave. My thermostat is RS485. My individual temp feedback sensors are passive 433 MHz.
It's another layer of abstraction and less holes to plug than just letting everything have unfettered access to the outside world.
Need I say more ? It's not looking for a firewall answer.
Why would we want to actually learn something about the tools that we use, instead let's put another black box IOT thing that I don't know how to administer on the network, we can trust all of our security and personal data to a 3rd party, why wouldn't we? /s
Wait a minute. You want someone to make a device that will identify random IoT devices when we can't even get current home/soho router/firewall device makers to update THEIR firmware?
-EB
Do you ever walk alone like a drifter in the dark?
The only smart firewall is the one that does not exist.
Get the MAC address of your IoT device off the label on the box and give it a Static DHCP assignment in your "non routable" subnet. Your normal phone/tablet/computer/console users in the Dynamic pool are unaffected and can still use their favourite mobile apps to access the IoT devices on the local subnets.
A majority of networks are already firewalled, it's a simple case of turning UPNP off.
If you have a device that needs to communicate with the outside world then find out where it needs to talk to and implement rules accordingly. Again, even basic residential routers allow destination restricted rules.
If the iot device is sparse on docs, then sniff its outbound traffic and determine the best approach.
"How is this different from any firewall"
Because Things(tm) are different than devices which communicate over the Internet Protocol. Things(tm) are special, didn't you get the memo?
Yes. With a single acronym change.
IoT "Internet of Things" --> IoT "Intranet of Things"
Connect them to a local Intranet server, instead of trying to connect them to a server in China, or at Google, or to everyone in the world, and they are no longer a problem.
IoT crap that only dials back to one or two servers shouldn't be on the public Internet. We're doing it wrong. If you want to protect it, if you want to protect others from it, don't use public IP space.
We need MAC addresses that identify a device as being an IoT device (OUI range), private address space that ISPs use to get them back home, 802.1x checks that they are legit (eg, using RADIUS to a host for that OUI range). The tools are there to allow us to deploy connected devices, using Internet protocols, that are not public. We have to do the work to standardize the methods and force that crap off of the normal public Internet. I'd be happy with a more modern solution than that, but the point is that it's not rocket science to come up with a system that allows for point-to-multipoint communication, but not full-mesh. And we desperately need it. Treating neglected things like user-operated computers is the wrong thing to do. It's asking for trouble.
As Drinkypoo said, no need for new hardware, this is all about configuration. If you have a great many devices, configuration could be difficult, but there is a short cut. It's called "anomaly detection". The firewall learns what's normal, and when unusual traffic starts it takes one of three different actions, depending on the level of risk it estimated. Snort is open source software that can do this.
Along with anomaly detection covering 90%, you might also add some manual rules.
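The learn-then-grade behaviour described above, together with the earlier suggestion to sniff a poorly documented device's outbound traffic, as an added example that is not from the thread and is not Snort: a small baseline of per-device flows is learned, and each new flow is mapped to one of three actions by estimated risk. The flow-record tuple layout, the size threshold and the TEST-NET addresses are assumptions; the records are constructed.

```python
from collections import defaultdict

# Constructed learning-period flow records: (src_mac, dst_ip, proto, dport, bytes).
BASELINE_FLOWS = [
    ("aa:bb:cc:00:11:22", "203.0.113.10", "tcp", 443, 1200),
    ("aa:bb:cc:00:11:22", "203.0.113.10", "tcp", 443, 900),
    ("aa:bb:cc:00:11:22", "203.0.113.7", "udp", 123, 76),
    ("aa:bb:cc:33:44:55", "198.51.100.5", "tcp", 8883, 4000),
]

# Constructed flows seen after the learning period.
LIVE_FLOWS = [
    ("aa:bb:cc:00:11:22", "203.0.113.10", "tcp", 443, 1000),    # normal check-in
    ("aa:bb:cc:00:11:22", "203.0.113.11", "tcp", 443, 1100),    # vendor moved servers?
    ("aa:bb:cc:00:11:22", "198.51.100.9", "tcp", 23, 60),       # telnet to a stranger
    ("aa:bb:cc:33:44:55", "198.51.100.5", "tcp", 8883, 50000),  # 12x the largest flow seen
    ("de:ad:be:ef:00:01", "203.0.113.10", "tcp", 443, 10),      # device never profiled
]


class FlowBaseline:
    """Learn what each device normally talks to, then grade new flows.

    Actions, from lowest to highest estimated risk:
      allow  - destination, service and size all match the baseline
      alert  - known service but a new server, or a known destination with a
               flow far larger than anything seen before (possible exfiltration)
      block  - a never-seen service, or a device with no baseline at all
    """

    def __init__(self, size_factor=10):
        self.dests = defaultdict(set)      # mac -> {(dst, proto, dport)}
        self.services = defaultdict(set)   # mac -> {(proto, dport)}
        self.max_bytes = defaultdict(int)  # mac -> largest single flow observed
        self.size_factor = size_factor

    def learn(self, flows):
        for mac, dst, proto, dport, nbytes in flows:
            self.dests[mac].add((dst, proto, dport))
            self.services[mac].add((proto, dport))
            self.max_bytes[mac] = max(self.max_bytes[mac], nbytes)

    def judge(self, mac, dst, proto, dport, nbytes):
        """Return (action, reason) for one new flow."""
        if mac not in self.dests:
            return "block", "device has no learned baseline"
        if (dst, proto, dport) in self.dests[mac]:
            if nbytes > self.size_factor * self.max_bytes[mac]:
                return "alert", f"known destination but {nbytes} bytes dwarfs baseline"
            return "allow", "matches baseline"
        if (proto, dport) in self.services[mac]:
            # Same service on a new host: plausible cloud failover, so warn only.
            return "alert", f"new host {dst} for familiar service {proto}/{dport}"
        return "block", f"never-seen service {proto}/{dport} towards {dst}"

    def triage(self, flows):
        """Grade a batch of flows and return how many fell into each action."""
        counts = {"allow": 0, "alert": 0, "block": 0}
        for flow in flows:
            action, _ = self.judge(*flow)
            counts[action] += 1
        return counts


if __name__ == "__main__":
    baseline = FlowBaseline()
    baseline.learn(BASELINE_FLOWS)
    for flow in LIVE_FLOWS:
        print(flow[0], flow[1], *baseline.judge(*flow))
```

The "alert" tier is where the manual rules the comment mentions come in: a human decides whether the new host is a legitimate vendor change and promotes it into the baseline.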
I am going to give you all the secret sauce to a more secure IoT device.
Step one NO open ports. I mean none that accept data. If you have to have a remote login it better be behind a password that is nearly impossible to guess and easy for only the end user to change. It will be random and only the end user has it.
Step two only the device connects to the server.
You have one port, and all you can do is connect to it. It accepts no data other than a known encrypted key. It immediately closes when someone connects to it. That key shall be unique for all devices. Connections shall only be allowed from a known server whose IP is encrypted into the wakeup message. Anything else is dropped and nothing happens.
That causes a pattern of telling the device to call in. That call in shall be encrypted. To prevent DOS on the device and server? You have a logarithmic backoff that decays back to normal.
Your server only allows a max set of connections at a time. If that is exceeded the connection is immediately dropped and the device has to randomly backoff and wait. The server will only allow a device to connect for a max time before the device is dropped.
The device through the use of its router tables will only be able to talk to known servers. Anything else is dropped.
The device shall have an end user reset which puts the device back to 100% factory settings.
Any of these rules are broken and the device is marked as suspicious and looked into.
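The call-in design in the steps above, as an added simulation that is not the commenter's code: the device keeps a single wake-up port, authenticates each wake-up with its own per-device key and a nonce, calls back only a server it already knows, and backs off when the server is full; the server caps concurrent sessions and their lifetime. The message layout (server IP, 16-byte nonce, HMAC-SHA256 tag) is my reading of "a known encrypted key", doubling-with-decay is my reading of the backoff, and the addresses are TEST-NET placeholders.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def make_wakeup(device_key, server_ip, nonce=None):
    """Server side: server_ip || nonce || HMAC-SHA256(device_key, server_ip || nonce)."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    body = server_ip.encode("ascii") + nonce
    return body + hmac.new(device_key, body, hashlib.sha256).digest()


class Device:
    """The IoT endpoint: one inbound wake-up port, everything else closed."""

    def __init__(self, device_key, known_servers, base_wait=1.0, max_wait=300.0):
        self.key = device_key                 # per-device secret, unique to this unit
        self.known = set(known_servers)       # the only servers it will ever dial
        self.base_wait = self.wait = base_wait
        self.max_wait = max_wait
        self.seen_nonces = set()              # blocks replay of captured wake-ups

    def verify_wakeup(self, msg):
        """Return the server IP to call back, or None (datagram silently dropped)."""
        if len(msg) <= NONCE_LEN + TAG_LEN:
            return None
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        server_ip = body[:-NONCE_LEN].decode("ascii", "replace")
        nonce = body[-NONCE_LEN:]
        if server_ip not in self.known or nonce in self.seen_nonces:
            return None
        self.seen_nonces.add(nonce)
        return server_ip

    def on_reject(self, jitter=0.0):
        """Server was full: double the wait (plus jitter in [0, 1)), capped at max_wait."""
        self.wait = min(self.max_wait, self.wait * (2.0 + jitter))
        return self.wait

    def on_success(self):
        """A completed call-in decays the wait back towards normal."""
        self.wait = max(self.base_wait, self.wait / 2.0)
        return self.wait


class Server:
    """Accepts a bounded number of devices and evicts sessions that outlive max_ticks."""

    def __init__(self, max_conn, max_ticks):
        self.max_conn, self.max_ticks = max_conn, max_ticks
        self.sessions = {}  # device_id -> ticks remaining

    def connect(self, device_id):
        if device_id in self.sessions or len(self.sessions) >= self.max_conn:
            return False  # caller must back off and retry later
        self.sessions[device_id] = self.max_ticks
        return True

    def tick(self):
        """Advance time by one unit, dropping sessions that hit their limit."""
        for dev in list(self.sessions):
            self.sessions[dev] -= 1
            if self.sessions[dev] <= 0:
                del self.sessions[dev]
        return len(self.sessions)
```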
Presumably, this "smart firewall" can itself be accessed and managed remotely. So the question is, what device would be needed to protect the backdoors and security holes of this "smart firewall"?
As it has been demonstrated by Samsung in several instances, a hardware firewall is the best protection against unauthorized accesses. Nobody can hack a self-destroyed device.
>> Could A 'Smart Firewall' Protect IoT Devices?
No. A big fire would be more adequate.
IOT is BS.
The Dowse project aims to do exactly this. It's open source, and is in part funded by Dutch SIDN fund, which are themselves funded by the Dutch domain registry.
https://www.openhub.net/p/dowse
http://dowse.equipment/
The solution already exists, fresh to the market a few days ago.
The solution is as good as any commercial IPS, but with added flexibility for the home requirements. As some commenters point out, it is the home network that needs protecting not just the toaster! And more importantly any IPS/NGFW needs expertise to manage the ever changing configuration needs and the rules required to detect the hacks. That is why this solution is a service, a managed SOC for the home, small business and the traveller.
Just go look at idappcom.com, see where they are coming from and follow some of the links to the services. Or just go direct to ipssecurityrules.co.uk
You don't need to be worried about people who might think about hooking up a special router or even RPi to their network to deal with IoT devices, but rather with people that don't. And that's going to be pretty difficult to solve before all consumer routers come with decent default firewall rules or such additional functionality you're describing.
I was convinced that "in front of" meant on the DSL side of the router. You know, outside your LAN. Like someone crossing in front of a car is outside the car.
So, how are you supposed to connect this thing in front of the router, if it only has ethernet ports? And how does it handle dynamically assigned NAT?
Yeah, great idea - let's block all the Internet access from our IoT devices... no, wait... they were supposed to be INTERNET of things devices... Duh!
It's called a ... wait for it... a network firewall!
You would then whitelist the routes you want to allow.
And whatever you do, you would not let your IoT device update the firewall's ruleset!
Bad analogies are like waxing a monkey with a rainbow.
Don't use NAT and the problem vanishes.
Could A 'Smart Firewall' Protect IoT Devices? No. "Smart" firewalls are in fact the problem. Getting rid of them, and using regular non-smart firewalls that only allow incoming connections when you explicitly and manually configured them to do so can protect your IoT devices.
The Finnish antivirus company F-Secure has announced such a home user IoT shielding product, a small hardware-based appliance called SENSE, but its release has been back-scheduled repeatedly, now until the end of 2Q2017.
pfSense with Snort will block access to CnC servers. Add in a DNS blackhole and you'll be in pretty good shape, for free.
Look at next generation firewalls that are identifying applications (including web apps) based on complex app fingerprint (from DPI, list of hosts it communicates to, traffic patterns, etc), not only port/protocol. They are available in small boxes and also as virtual machines.
https://pfsense.org/products/
real problem is devices not having security updates available for the life of the device - hell look at android, routers etc etc
lots of mini firewalls avail
people don't care though - they want flexibility and features above all else - that will always be at odds with security
best is iot registration and filter at the isp level - charge it back to the manufacturers - this will also help protect the isps
I use a Raspberry Pi as a firewall between the ISP's router and my network. And I could only allow specific access for certain devices while denying the rest of the access. The downside is that even a RPi3 has limits on bandwidth, but eh, my speeds are crap anyways. 11.8 Mbps download, and 9.8 MBps upload.
hide a potentially broken/hackable device behind another potentially broken/misconfigured device. the internet of things is bullshit, just remove these items and never talk about them again.
because I wasn't willing to get an account at the manufacturer's (ok, seller's) site so all the images of my house could be accessed there.
Without internet access the thing is pretty much useless (well, without more rooting around on google and hacking than I was willing to put up with).
Some stuff won't work without internet access.
Isn't the problem the default usernames and passwords not being changed instead of what ports they are listening on? I know I got an infected raspberry pi because I forgot to change the root password. The pi did need outside access so blocking the ports would have made the device useless to me. Stupid mistake I know but most people don't know. Look at consumer routers and their default usernames and passwords.
Couldn't a halfway decent modern router be designed to do something like this?
Naw .. never mind .. that's just crazy talk.
Hmm, you could call it a "Manufacturer Usage Description."
Why do security discussions like this always focus on ways to restrict the communication to trusted addresses? As multiple posters have pointed out, there are too many circumstances where the address just can't be predetermined with enough specificity.
Instead we should focus on restricting traffic to trusted correspondents. I.E. by using identity certificates in a public/private key infrastructure. My IOT device should have a unique identity cert and should know (and disclose to me) the certificate public key of all parties it needs to communicate with. For communication with me, I should be able to securely add a cert for me.
This could ultimately extend into something of a Secure Hardware Environment (a la Rainbows End by Vernor Vinge). Every device or entity on the net needs a unique identity cert. Devices would also contain configuration for necessary trusted parties.
Could this be abused? Well, crap manufacturers could share certs from other crap manufacturers who are willing to sell them. That's what certificate revocation is for. There can also be public blacklists warning of shady operators. And that escalates all the way to root cert revocations for untrustworthy CAs.
This is all about identity security. Of course the communication traffic should also be securely encrypted (and signed) to ensure integrity of the content. That protects against Man In The Middle exploit.
We currently live in a quaint and naive age with respect to network security.
Let's replace the whole clusterfuck with a... FireCloud!
Brought to you by Carl's Junior.
would be if it could also run tcpdump and wireshark so that we could see just what data the spyware ( win10 ) on our systems is sending home and allow us to block it
Can someone please explain to me where these comments come from and what they mean? Are they simply just to piss everyone off? The overuse of the word apps, cows, and Luddites are simply obnoxious to me.
Posted by bots.
...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
The overuse of the word apps, cows, and Luddites are simply obnoxious to me.
And so Tyler stood on the precipice of enlightenment. Why did it have to be a precipice, he wondered. Whatever happened to good old thresholds?
Hey, does anyone else have some good moneymaking ideas they could throw out there, for free?
For this to really work, IoT manufacturers would have to care about security, spend some money on it and give a flying fart about what the resulting security posture is.
The OP is living in la-la land because they think that adding an "intelligent firewall" will solve the problem. The thing is, even if you invented the "intelligent firewall" and added it to the IoT devices, the manufacturers are going to screw that up just like they screwed up the software stack on the core IoT device.
The manufacturers have a giant I Don't Care About Security sign flashing on their foreheads, and the OP thinks that adding some kind of firewall changes that! WTF??
https://www.getcujo.com/
Walmart, BestBuy, Amazon carry this home Firewall.
Too bad their website has a bad SSL cert.