Securing Your IoT Ecosystem

Securing IoT: from Connectivity to the IoT Cloud Platform

IoT Opportunity and Security Challenges

IoT is causing a revolution in almost every industry, as well as in our everyday lives. The ability to monitor any physical entity and perform advanced data mining and analytics on the resulting data is creating opportunities and efficiencies in energy, manufacturing, healthcare, retail, and many other industries. Communication Service Providers (CSPs) have been building IoT ecosystems, from specialized connectivity infrastructure, such as narrowband-IoT (NB-IoT), to IoT services and complete IoT cloud platforms.

mobile-carrier-iot-security-fortios.jpg

IoT networks have some specific properties that bring challenges for security:

Constrained devices:
IoT devices are often constrained in terms of CPU, memory, persistent storage, and network bandwidth. This can mean that security capabilities are limited, especially when it comes to strong cryptography.

Device location:
IoT devices are often geographically dispersed, and may be installed in locations which are difficult to access or not secure.

Device numbers:
Often, IoT devices consist of very large numbers of very small devices. This can present scalability challenges at aggregation points when it comes to signaling, authentication, or tunnel termination. A particular concern is the case of malfunctioning or compromised IoT devices that perform repeated connections to the network, resulting in a potential overload of the signaling infrastructure with the possibility of impacting other services.

Lack of security:
This is mostly an issue with consumer devices because the small margins and fierce competition mean that often security is not included or able to be implemented. Security should therefore be provided at the network and IoT platform layers.
 

Lack of awareness:
Consumers are often unaware of the potential risks of installing such devices in their homes and businesses. When devices are provided as part of a package from an operator, the legal liabilities when something goes wrong may not be clear, so operators need to ensure that services are secured to minimize the risk that a device may be used for malicious intent.

Connectivity:
Because of the distributed nature of IoT, connectivity can be a challenge, and because of this, new protocols have emerged specifically targeted at IoT. On the one hand, new cellular categories have been developed such as Cat-M1 and NB-IoT which target low bandwidth, low power communications. In addition, there are new protocols such as LoraWAN and SigFox, which target ultra-low bandwidth wide area communications.

Identity and Privacy:
Another aspect of connectivity is ensuring that only authorized devices are allowed on to the network, and that data is encrypted to prevent eavesdropping. Because of the potentially massive numbers involved, terminating encrypted tunnels (TLS or IPsec) from IoT devices can present a scalability challenge.

IoT Cloud Platform:
As CSPs build their multi-tenant IoT Cloud platforms to deliver IoT-related services such as data storage and analysis, artificial intelligence (AI), and machine learning (ML) and their services and applications to their customers, the access to these services, insights, and data is web based. True multi-tenancy security, micro-segmentation, identity management, and web application protection must be ensured.
 

Fortinet Security for The Entire IoT Ecosystem

Fortinet and the Fortinet Security Fabric architecture provide the required range and depth to secure CSP IoT infrastructure and services:

Scalable and Secure IoT Termination

FortiGate PNF and VNF providing advanced IPsec/TLS capabilities. FortiGate as a PNF provides hardware acceleration of cryptographic functions. FortiGate VNF provides massive scalability via load-balancing mechanisms and SDN auto-scaling.

 

Mobile Core Protection

FortiGates’ GTP firewalling capabilities allows IoT sessions to be inspected and rate limited. This enables signaling storms caused by malfunctioning or compromised devices to be contained before they have an impact on the core network infrastructure.

 

IoT Attack Protection

A combination of several FortiGate capabilities:

  • IPS capabilities can detect and block such attacks, ranging from specific attack-focused signatures to more generic rules designed to detect and block typical attack vectors such as brute force login and protocol scanning.
  • Application control support for IoT devices enables operators to ensure that only authorized protocols are permitted from IoT devices. Deep signatures allow further restrictions to ensure that within a given protocol, only the expected message types are permitted. Support is available for IoT protocols including MQTT, CoAP, WebSocket, and AQMP.

 

IoT Cloud Platform Security

The Fortinet Security Fabric integrated and automated security ecosystem, consisting of:
  • FortiGate PNF/VNF to provide security multi-tenancy and micro-segmentation.
  • FortiAuthenticator for strong, two-factor authentication
  • FortiWeb Web Application Firewall, providing behavioral and ML-based security for web applications.
  • FortiADC Application Delivery Controller for secure load balancing to optimize performance and availability of IoT platform web applications
  • FortiSandbox for advanced threat protection

 

file

Physical Appliance (PNF) or Virtual Network Function (VNF) Implementations

FortiGate and its capabilities for securing the end-to-end IoT ecosystem can be implemented as a PNF with high availability (HA) and the highest proven scalability. Fortinet’s custom security processors  provide hardware acceleration to meet today and tomorrow’s traffic and session volume.

The same capabilities are provided by FortiGate virtual machines (VMs) acting as a virtual network function (VNF), with the industry’s smallest footprint and fastest boot time. Dynamic and massive auto-scaling is achieved via proven integration with software-defined networking (SDN) and European Telecommunications Standards Institute (ETSI) NFV management and orchestration (MANO) platforms such as Amdocs, Ciena’s Blue Planet, HPE, Ericsson, Nokia, Cisco, more.

file

SDN Integration

Fortinet technology and Fabric-Ready Partner programs ensure SDN integration via Fortinet SDN Connectors and Fortinet APIs (available via the Fortinet Developer Network). These include integration with Nuage Networks, Cisco ACI, and VMware NSX.