SECURE HOME GATEWAY PROJECT
CIRA Labs: Secure Home Gateway Project
ICANN IDS Bangkok
Jacques Latour
May 10 & 11 2019

Project Evolution: From Idea in late 2016
• Need security access controls
• Developing a new framework to prevent lightbulbs from killing the internet!
• Has to be easy to use
• In the home gateway
• MIRAI Dyn Attack, October 2016

Secure Home Gateway (SHG) Goals
• Protect the internet from IoT device attacks
• Protect IoT devices from internet attacks
• Protect IoT devices from internal attacks

No Standard Home Network Security Framework
The many problems of today's home gateway:
• No standard onboarding process
• No outbound traffic security controls
• Not globally reachable (no domain name)
• No unique WIFI keys per home device
• No device quarantining processes
• No visibility on network activities

IoT Device Security Landscape
• Many are vulnerable
• Software is out of date
• Focus: time to market, not building correctly
• Contribute to DDoS attacks
• Cloud architecture dependencies
• Compromise your network
• Steal private information
• Record video and voice
• Steal WIFI credentials
• Distribute malware
• Send spam
• Some are unsupported
• Many standards being developed
• Full access to the ENTIRE Internet
• Lack of secure testing and design
• Require active monitoring

IoT vendors are creating dependency on cloud architecture
• At home / IoT cloud services / On the road
• Direct is better
• Personal information is of great value to vendors
• A domain name for the home makes this easier

Project Evolution: To a Secure Home Gateway (SHG) Prototype
Secure Home Gateway Framework components:
• MUD Server Repository / Curation
• openWRT, Turris Omnia (CZNIC)
• SHG MUD Controller / Supervisor
• SHG App "Ease of Use"
• SIDN (.NL) SPIN
• prplFoundation (prplWrt)
• Mozilla IoT - Web Thing API
• SHG Security Access Controls
• CIRA DNS & SHG Provisioning
• Standards Development: IETF, CSA/UL, ISO/IEC
• Enhanced WIFI security
• In progress: DOTS, DNSSEC, domain-aware NFtable
Running code, proposed standards, open source

We put a team together to work on the idea
• CIRA Labs
• Sandelman Software
• TwelveDot
• Viagénie
• TELUS / Algonquin College
• SIDN Labs
Canadian Multistakeholder Process: Enhancing IoT Security (iotsecurity2018.ca)
CIRA Secure Home Gateway Project

Let's look at the solution we have so far
Group development: forming, storming, norming, performing, mourning
• Phase 1: PoC
• Phase 2: Explore, Prototype
• Phase 3: Agile focus, Standards

Criteria #1: "Has to be easy to use"
• No passwords
• Mobile application
• Swipe up / down / left / right
• Scan & tap
• Grandma

Criteria #2: Apply enterprise security framework to home networks
• Home security: PDAP
• Appliances: PDAP
• Sensors: PDAP
• Management application
• IoT cloud services
PDAP: Per Device Access Policy
Network access controls in the home network

Challenge #1: A solution for Secure Home Gateway Initial Setup
SHG application, standard API, smarkaklink
https://datatracker.ietf.org/doc/draft-richardson-anima-smarkaklink/
BRSKI enrollment with disconnected Registrars (smarkaklink): This document details the mechanism used for initial enrollment, using a smartphone, of a BRSKI Registrar system.
"…where the registrar device is new out of the box and is the intended gateway to the Internet (such as a home gateway), but has not yet been configured…"

Challenge #2: A solution for Home Network Device Onboarding
Grandma (the home admin) has to do something for each new device
• Unique WIFI keys per IoT device
• By default new devices have a <Deny All> policy until granted access
• MUD to the rescue!
SHG: "ACME Camera just connected". BEEP BEEP, you have a new device. Choices: No Access / IoT Access / Full Access

Challenge #3: A solution for IoT Device Quarantining
Who do we call?
• The ISP help desk?
• The IoT maker / vendor?
• The police?
• The national CSIRT?
• The home gateway vendor?
Need a standard for responding to IoT based cybersecurity events. WIP.
SHG monitor: "ACME Fridge compromised". BEEP BEEP, you have bad lettuce in the fridge. Choices: Release / Confirm Quarantine

New standard: MUD (Manufacturer Usage Description), RFC 8520, YANG modules
"I'm an ACME water sensor. MUD file at: https://acme.corp/mud/ws1.0.json"
MUD YANG model:
• I have WIFI and apply the water sensor access policy
• I need to upgrade my firmware at https://acme.corp
• Configure me at https://myip/setup
• Alerts available at https://myip/alerts
It would be nice if the IoT device could advertise its current firmware version and/or current MUD file URL via WIFI or the network connection (DPP, DHCP, LLDP…) in order to set up the correct security profile.

IoT Device Onboarding Workflow
Components: SHG app, MUD controller, MUD supervisor, SPIN, CIRA SHG MUD repository, ACME.CORP MUD repository, ACME.CORP IoT water sensor with MUD QR code, Netconf/YANG (IP tables)
(1) Scan the MUD QR code on the device and send it to the MUD controller (DHCP in future)
(2) Send to the CIRA SHG MUD repository; get the vendor MUD file from the ACME.CORP MUD repository
(3) User accepts the provisioning instructions
(4) IoT device added to the network with specific network access controls
Network access control: allow access to ACME.CORP; allow sending alerts internally; allow being configured by the app; deny all other internet access
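Added example, not CIRA's or the SHG project's code: a Python sketch of what the supervisor in step (4) has to do with the vendor MUD file fetched in step (2), turning the RFC 8520 access lists into the per-device rules the slide lists and ending with the deny-all that new devices keep by default. The MUD file is constructed for the slide's ACME water sensor (its URLs are the slide's placeholders, the ACL and ACE names are assumptions), and the function also checks the real RFC 8520 fields mud-url (must match the scanned QR code) and is-supported (an unsupported device stays quarantined).

```python
# Added example (not CIRA's code): compile an RFC 8520 MUD file into the
# per-device rules of step (4), ending with an implicit deny-all.

# Constructed MUD file for the slide's hypothetical ACME water sensor: HTTPS to
# acme.corp, alerts to and setup from the local network, nothing else.
ACME_WS_MUD = {
    "ietf-mud:mud": {
        "mud-version": 1, "mud-url": "https://acme.corp/mud/ws1.0.json",
        "is-supported": True, "cache-validity": 48,
        "from-device-policy": {"access-lists": {"access-list": [{"name": "ws-from"}]}},
        "to-device-policy": {"access-lists": {"access-list": [{"name": "ws-to"}]}}},
    "ietf-access-control-list:acls": {"acl": [
        {"name": "ws-from", "type": "ipv4-acl-type", "aces": {"ace": [
            {"name": "vendor", "matches": {
                "ipv4": {"ietf-acldns:dst-dnsname": "acme.corp", "protocol": 6},
                "tcp": {"destination-port": {"operator": "eq", "port": 443}}},
             "actions": {"forwarding": "accept"}},
            {"name": "alerts", "matches": {"ietf-mud:mud": {"local-networks": [None]}},
             "actions": {"forwarding": "accept"}}]}},
        {"name": "ws-to", "type": "ipv4-acl-type", "aces": {"ace": [
            {"name": "setup", "matches": {"ietf-mud:mud": {"local-networks": [None]}},
             "actions": {"forwarding": "accept"}}]}}]}}


def compile_policy(mud, scanned_url):
    """Return (direction, peer, proto, port, action) tuples for one device."""
    top = mud["ietf-mud:mud"]
    # The file must be the one the QR code pointed at, and still vendor-supported.
    if top.get("mud-version") != 1 or top.get("mud-url") != scanned_url:
        raise ValueError("MUD file does not match the URL scanned from the device")
    if not top.get("is-supported", False):
        raise ValueError("vendor no longer supports this device; keep it quarantined")
    acls = {a["name"]: a for a in mud["ietf-access-control-list:acls"]["acl"]}
    rules = []
    for direction, key in (("from-device", "from-device-policy"),
                           ("to-device", "to-device-policy")):
        for ref in top[key]["access-lists"]["access-list"]:
            for ace in acls[ref["name"]]["aces"]["ace"]:
                m = ace["matches"]
                if "local-networks" in m.get("ietf-mud:mud", {}):
                    peer = "local-networks"  # MUD abstraction the gateway resolves
                else:
                    ip = m.get("ipv4") or m.get("ipv6") or {}
                    peer = (ip.get("ietf-acldns:dst-dnsname")
                            or ip.get("ietf-acldns:src-dnsname") or "any")
                l4 = m.get("tcp") or m.get("udp") or {}
                port = (l4.get("destination-port") or l4.get("source-port") or {}).get("port")
                proto = "tcp" if "tcp" in m else "udp" if "udp" in m else "any"
                rules.append((direction, peer, proto, port, ace["actions"]["forwarding"]))
    # Slide's default: anything the MUD file does not allow is denied.
    rules += [("from-device", "any", "any", None, "drop"), ("to-device", "any", "any", None, "drop")]
    return rules
```

The tuples are deliberately backend-neutral; the SHG diagram feeds them to Netconf/YANG and IP tables, and the domain names still have to be resolved by the gateway before they become addresses.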

Recap: Secure Home Gateway (SHG)
(Same framework diagram as the Project Evolution slide above.)

Questions?
https://cira.ca/cira-secure-home-gateway
https://github.com/CIRALabs
We are looking for sponsorship $$$