[51CTO.com Quick Translation] While the Internet is changing everything, a new revolution called the Internet of Things is expected to bring even greater disruption.
This is mainly because IoT sensors will be used everywhere: in hospitals to monitor medical equipment, in factories to monitor production operations, in buildings to control temperature and lighting, and so on. The data from these sensors will be used for production operations management, predictive maintenance and more. At the same time, all of these applications are usually integrated with the enterprise's IT infrastructure, and because of this they bring many new security challenges.

Just as in today's IT environment, there is no foolproof security solution that can protect IoT devices from every possible cyber threat. Because the Internet of Things generates data in different locations for many end users (including enterprises, customers and partners), network segmentation and a segment-based topology are needed to contain large-scale attacks. For example, a compromised network segment inside a partner network should not be able to compromise the corporate network.

In a recent security incident, the France-based hosting provider OVH fell victim to a massive DDoS attack launched from IoT devices, which OVH said reached nearly 1 Tbps of traffic at its peak. The IoT devices involved were mainly CCTV surveillance cameras and digital video recorders.

Changing the architecture to prevent IoT devices from being hijacked

To mitigate the threat of large-scale attacks that hijack IoT devices, both branch-office and on-premises architectures need some important changes. Data intended for partner use should be offloaded at the first hop out of the corporate network. Today, most partner network connections are routed through a demilitarized zone (DMZ) in the corporate network. This backhauling puts unnecessary strain on the network infrastructure (routers and switches). Instead, this data can be offloaded locally over a VPN by establishing a third-party secure partner DMZ in the cloud or at a carrier's hosting facility. Here, multiple parties' VPNs can be connected to each other while these DMZs are limited to a few locations.

A big advantage of this model is that partner data is offloaded at the first hop from each site, rather than backhauling large amounts of site data through the corporate DMZ before delivering it to the partner network. The second benefit comes from the segmented topology: not every partner needs to be connected at every location. For example, partners can be given the flexibility to connect freely and collect data at well-defined drop points in the cloud. This is similar to implementing a cloud-based VPN.

In a manufacturing environment, the IoT devices used for industrial automation have no associated user and no encryption capability of their own. Therefore, to maintain data integrity and confidentiality, the network must provide security services such as encryption on behalf of the IoT devices. An x86 machine receives, segments and encrypts the sensor data and transmits it securely over the Internet to the vendor via the virtual DMZ. As mentioned earlier, in most current deployments sensor data is backhauled through the corporate DMZ and network, which forces IT departments to develop complex policies for data that traverses the network.

In Figure 1, partition P0 on the x86 white-box machine has its own VPN, which manages the connections to all PLCs. The connection data of each PLC can be programmed from the control layer in the network. In this scenario, the data transmitted between the PLC and the control element contains operational information relevant to the manufacturer and operational information relevant to the industrial equipment supplier. A single data source (the PLC controller) must therefore be divided at the source and delivered to two independent enterprise organizations. Data from the same P0 PLC data source can be placed by the edge router into two different VPNs, each with a different topology.
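To make the split-at-source design concrete, here is an added example (written for this page, not code from the article or from Khalid Raza) that models the two ideas above in Python: a reachability check that no partner-facing segment can forward into the corporate network, and an edge-gateway routine that divides one PLC record into a manufacturer stream and a supplier stream, each handed to its own VPN and drop point with an integrity tag computed on the PLC's behalf. The segment names, the field-to-audience mapping, the VPN table, the keys and the sample PLC record are all constructed assumptions; confidentiality is assumed to be provided by the VPN tunnel the stream is handed to, which the example does not implement.

```python
"""Edge-gateway policy for a segmented IoT topology (constructed example).

Models the segments and the links allowed between them, checks that no
partner-facing segment can reach the corporate network, and splits one PLC
record at the source into per-audience streams for different VPNs.
All segment, VPN, field and key names below are assumptions.
"""
from collections import deque
import hashlib
import hmac
import json

# Allowed forwarding links between segments (constructed topology).
# Partner data leaves the plant at the first hop into the cloud iDMZ and
# never enters the corporate data centre.
SEGMENTS = {
    "plc_cell": {"edge_gateway"},
    "edge_gateway": {"corp_dc", "cloud_idmz"},
    "corp_dc": set(),
    "cloud_idmz": {"partner_drop_eu", "partner_drop_us"},
    "partner_drop_eu": set(),
    "partner_drop_us": set(),
}

# Which audience each PLC field may be delivered to (constructed mapping).
FIELD_AUDIENCE = {
    "timestamp": {"manufacturer", "supplier"},
    "batch_id": {"manufacturer"},
    "units_produced": {"manufacturer"},
    "motor_temp_c": {"supplier"},
    "vibration_mm_s": {"supplier"},
    "firmware_rev": {"supplier"},
}

# Per-audience VPN: first hop out of the gateway and the drop point (assumed names).
VPN_TABLE = {
    "manufacturer": {"vpn": "vpn_corp", "next_hop": "corp_dc", "drop_point": "corp_dc"},
    "supplier": {"vpn": "vpn_partner", "next_hop": "cloud_idmz", "drop_point": "partner_drop_eu"},
}


def reachable(graph, start):
    """Segments reachable from `start` (inclusive) over allowed links."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def partner_isolated(graph, partner_segments, corporate_segments):
    """True when no partner-facing segment can forward into the corporate network."""
    corp = set(corporate_segments)
    return all(not (reachable(graph, p) & corp) for p in partner_segments)


def split_record(record):
    """Divide one PLC record into per-audience payloads; unmapped fields are dropped."""
    streams = {}
    for field, value in record.items():
        for audience in FIELD_AUDIENCE.get(field, ()):
            streams.setdefault(audience, {})[field] = value
    return streams


def route_record(record, keys, graph=SEGMENTS):
    """Split a record and hand each part to its VPN with an HMAC integrity tag.

    The gateway authenticates each payload with the per-audience key because the
    PLC cannot; confidentiality is assumed to come from the VPN tunnel itself.
    """
    routed = []
    for audience, payload in split_record(record).items():
        vpn = VPN_TABLE[audience]
        # Refuse to send if the configured drop point is not reachable via that VPN.
        if vpn["drop_point"] not in reachable(graph, vpn["next_hop"]):
            raise ValueError(f"{vpn['vpn']}: drop point {vpn['drop_point']} unreachable")
        body = json.dumps(payload, sort_keys=True).encode()
        tag = hmac.new(keys[audience], body, hashlib.sha256).hexdigest()
        routed.append({"vpn": vpn["vpn"], "drop_point": vpn["drop_point"],
                       "payload": payload, "tag": tag})
    return routed


def verify_payload(entry, key):
    """Receiver-side check that a routed payload was not altered in transit."""
    body = json.dumps(entry["payload"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, entry["tag"])


if __name__ == "__main__":
    keys = {"manufacturer": b"constructed-mfr-key", "supplier": b"constructed-sup-key"}
    plc_record = {"timestamp": 1700000000, "batch_id": "B-42", "units_produced": 810,
                  "motor_temp_c": 71.5, "vibration_mm_s": 2.3, "firmware_rev": "4.1",
                  "operator_badge": "E1234"}  # mapped to no audience, so never leaves the gateway
    print(partner_isolated(SEGMENTS, ["cloud_idmz", "partner_drop_eu", "partner_drop_us"], ["corp_dc"]))
    for entry in route_record(plc_record, keys):
        print(entry["vpn"], entry["drop_point"], sorted(entry["payload"]))
```

The two checks are the ones a reviewer of such a design would want automated: `partner_isolated` fails as soon as someone adds a link from a partner drop point back toward the corporate segment, and `route_record` refuses to forward a stream whose drop point is no longer reachable through its own VPN, rather than silently falling back to the corporate path.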
Data for the manufacturer can be processed locally on the factory floor or backhauled to the enterprise data center. Data relevant to the PLC supplier is processed locally by the analytics engine and then sent to the partner for its use. This architecture is best deployed with a VPN that connects from the factory to the cloud and then to the partner. This can be done with either an enterprise-managed approach or a carrier-managed approach.

Enterprise-managed approach

With this approach, the enterprise builds the iDMZ VPNs and chooses the cloud locations where data is placed for partners to process. The enterprise is responsible for protecting both the cloud endpoints and the internal factory network. This requires a complete security architecture to ensure that adequate protection measures are in place.

Carrier-managed approach

Here, the carrier offers cloud VPN as a service to the enterprise plant network. The carrier can announce VPN drop points, which can be distributed around the world. The enterprise specifies which partner collects data from which VPN at which location. The carrier can provide all network functions, including security, as a fully managed service. Using the Internet as a secure transport mechanism, only the VPN drop point is visible to the partner. Figure 2 below shows this connectivity model; it eliminates the need to build dynamic, arbitrary VPNs and spares the enterprise network the burden of carrying irrelevant partner traffic.

To reap the benefits of IoT, companies must unlock the valuable information held by the sensors and devices in their manufacturing facilities. However, they need the help of partners to analyze large amounts of data securely, without burdening the corporate IT network. Building arbitrary VPN segmentation topologies that use optimized data routing and strong encryption is one way for companies to work with partners to build an IoT ecosystem, protecting the integrity of the data without exposing the network to security threats.

Original title: How to architect the network so IoT devices are secure, by Khalid Raza
[Translated by 51CTO. Please indicate the original translator and source as 51CTO.com when reprinting on partner sites]