Re: Spitballing IoT Security

[Bruce Curtis <bruce.curtis () ndsu edu>]

> On Oct 25, 2016, at 3:49 AM, Aled Morris <aledm () qix co uk> wrote:
>
> On 25 October 2016 at 09:37, Jean-Francois Mezei <
> jfmezei_nanog () vaxination ca> wrote:
> > One way around this is for the pet feeder to initiate outbound
> > connection to a central server, and have the pet onwer connect to that
> > server to ask the server to send command to his pet feeder to feed the dog.
>
> This is pretty common but, IMHO, the worst solution to this problem.
>
> It creates a dependence on a cloud service which is typically undocumented
> (what protocol do they use?  where is the server located, China?); a
> centralised service is a security risk in it's own right (crack one server,
> own all the pet feeders); and it is liable to disappear when the operator
> goes out of business, rendering all the products sold useless.
>
> A strength of IP is that it is fundamentally a peer-to-peer protocol,
> please don't break that.  NAT broke it but IPv6 can fix it again.
>
> There's nothing wrong with accepting incoming connections if the device is
> secure.  If your problem is security, fix that.  Don't throw the baby out
> with the bath water.
>
> Aled

  How about SDP?  SDP is most often implemented in a gateway in the network today but there is no reason it couldn’t be 
implemented in each IoT device.
With SDP inbound connections are not allowed until they are authenticated by another box.

A good quote from Gartner.

"Through the end of 2017, at least 10% of enterprise organizations (up from less than 1% today) will leverage 
software-defined perimeter (SDP) technology to isolate sensitive environments." 

http://info.vidder.com/gartner-predicts-2016-security-solutions

This is the presentation on SDP from the 2015 Internet2 Tech Exchange.

http://meetings.internet2.edu/2015-technology-exchange/detail/10003978/


Videos explaining SDP.

https://www.vidder.com/product-videos/

https://www.vidder.com/wp-content/uploads/2016/09/rethinking-connectivity.mp4

https://www.vidder.com/wp-content/uploads/2016/09/spa.mp4


SDP info from another vendor.

https://www.cryptzone.com/forms/the-software-defined-perimeter-creating-an-invisible-infrastructure

http://www.infosecurityeurope.com/__novadocuments/90951?v=635709327725830000



https://cloudsecurityalliance.org/group/software-defined-perimeter/

https://en.wikipedia.org/wiki/Software_Defined_Perimeter



https://cloudsecurityalliance.org/media/news/cloud-security-alliance-to-host-third-software-defined-perimeter-sdp-hackathon-top-prize-of-10000-available/

" no one was able to circumvent even the first of the five SDP security controls layers (single packet authorization 
protocol), despite more than 5 billion packets being fired at the SDP.”


https://www.vidder.com/resources/docs/CSA-Verizon-Vidder-Hackathon4-Reliability.pdf


http://www.networkworld.com/article/3053561/security/learning-about-sdp-via-google-beyondcorp.html

https://www.sdxcentral.com/articles/news/software-defined-perimeter-remains-undefeated-in-hackathon/2015/08/





---
Bruce Curtis                         bruce.curtis () ndsu edu
Certified NetAnalyst II                701-231-8527
North Dakota State University