The IoT-Revolution - Security for the Internet of Hippies
Dror-John Roecher - @droecher
Lead Consultant – Secure Information
© COMPUTACENTER 2014
IoT Revolution: Security Architecture for the Internet of Hippies
Dror-John Röcher, Computacenter
“The top level goal for the DARPA Internet Architecture was to develop an effective technique for multiplexed utilization of existing interconnected networks.”
David D. Clark, 1988 http://ccr.sigcomm.org/archive/1995/jan95/ccr-9501-clark.pdf
“the Internet originally developed among a community of like-minded technical professionals who trusted each other”
[RFC 3724]
THE HIPPIE NET: TRUST & ROBUSTNESS
ARCHITECTURE PRINCIPLES
Survivability in the Face of Failure
End-to-End Principle
Robustness Principles
NEW PLAYERS ENTERED THE SCENE
AND ENTERPRISES INTRODUCED THE MIDDLEBOXES
- Enterprises: protect their assets with network security
- Hackers: play with other people's assets
RFC 3234 (2002), "Middleboxes: Taxonomy and Issues": a middlebox is defined as "any intermediary device performing functions other than the normal, standard functions of an IP router on the datagram path between a source host and destination host".
[Figure: Firewall, NAT, IPS]
Middleboxes are powerful security tools:
- Replace trust with reputation (mail/web)
- Filter packets
- Switch "circuits" ("stateful firewall")
- Authenticate
- Isolate
- Search packets/circuits for "bad stuff"
A contradiction to the original Internet:
- Survivability in the Face of Failure
- End-to-End Principle
- Robustness Principles
But now the IoT is coming, and with it some things change
M2M communication (not M2FW2M)
https://blogs.cisco.com/ioe/beyond-mqtt-a-cisco-view-on-iot-protocols/
| Protocol | CoAP | XMPP | RESTful HTTP | MQTT |
|---|---|---|---|---|
| Transport | UDP | TCP | TCP | TCP |
| Messaging | Request/Response | Publish/Subscribe, Request/Response | Request/Response | Publish/Subscribe, Request/Response |
| 2G, 3G, 4G Suitability | Excellent | Excellent | Excellent | Excellent |

IPv6; TCP -> MPTCP; HTTP -> HTTP/2
PROTOCOL IMPLICATIONS OF THE IOT
- IPv6
  - End-to-end principle by design
  - Variable / flexible headers
  - Different address handling
  - A /64 per "endpoint"
- MPTCP
- HTTP/2 / SPDY
  - TLS by default
  - Several SPDY streams over one TCP connection
  - Server push
SPDY (+MPTCP): why middleboxes fail
[Figure: the same flow shown "not multiplexed" on a single link versus multiplexed across 3G/4G, WLAN and Ethernet at the same time]
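The multiplexing argument of this and the preceding slide, as an added example that is not part of the original deck: a toy MPTCP scheduler that spreads one byte stream over 3G/4G, WLAN and Ethernet subflows, and an HTTP/2 (the IETF successor of SPDY) sender that interleaves the DATA frames of two streams on one TCP connection. A middlebox that does plain signature matching on the bytes of one path, or on the raw TCP byte stream, does not find the signature; the endpoint that reassembles per data sequence number or per stream id does. The payload, the signature and the round-robin scheduler are constructed assumptions for the example, not observations of real MPTCP or HTTP/2 stacks.

```python
"""Added example: why a per-path or per-connection signature matcher goes
blind once a flow is multipath (MPTCP) or multiplexed (HTTP/2 / SPDY)."""
import itertools
import struct

# Constructed sample request and a constructed "bad stuff" signature.
PAYLOAD = b"GET /fw?cmd=;rm -rf / HTTP/1.1\r\nHost: sensor.example\r\n\r\n"
SIGNATURE = b"rm -rf /"
PATHS = ("3G/4G", "WLAN", "Ethernet")


def signature_match(stream: bytes, signature: bytes = SIGNATURE) -> bool:
    """Minimal content/signature-based inspection over a byte stream."""
    return signature in stream


# --- 1. MPTCP: one data stream, several subflows on different paths ------

def mptcp_split(payload: bytes, paths=PATHS, chunk: int = 4) -> dict:
    """Toy MPTCP scheduler: successive chunks of the data stream go
    round-robin onto one subflow per path. Each chunk keeps its data
    sequence offset so the receiver can reorder.
    Returns {path: [(offset, chunk_bytes), ...]}."""
    subflows = {p: [] for p in paths}
    for off, path in zip(range(0, len(payload), chunk), itertools.cycle(paths)):
        subflows[path].append((off, payload[off:off + chunk]))
    return subflows


def middlebox_view(subflows: dict, path: str) -> bytes:
    """A middlebox on one physical path sees only that subflow, in order."""
    return b"".join(data for _, data in subflows[path])


def endpoint_reassemble(subflows: dict) -> bytes:
    """The receiver holds every subflow plus the offsets and rebuilds the stream."""
    segments = sorted(seg for segs in subflows.values() for seg in segs)
    return b"".join(data for _, data in segments)


# --- 2. HTTP/2: several streams interleaved on one TCP connection --------

def h2_data_frame(stream_id: int, data: bytes, end_stream: bool = False) -> bytes:
    """Encode an HTTP/2 DATA frame (RFC 7540 section 4.1): 24-bit length,
    8-bit type (0x0 = DATA), 8-bit flags, 1 reserved bit + 31-bit stream id."""
    flags = 0x1 if end_stream else 0x0
    header = struct.pack("!I", len(data))[1:] + bytes([0x0, flags])
    return header + struct.pack("!I", stream_id & 0x7FFFFFFF) + data


def h2_interleave(streams: dict, chunk: int = 4) -> bytes:
    """Cut each stream body into DATA frames and interleave the frames of
    different streams on the single TCP connection (what a sender may do)."""
    queues = {sid: [body[i:i + chunk] for i in range(0, len(body), chunk)]
              for sid, body in streams.items()}
    wire = b""
    while any(queues.values()):
        for sid, q in queues.items():
            if q:
                wire += h2_data_frame(sid, q.pop(0), end_stream=not q)
    return wire


def h2_demux(wire: bytes) -> dict:
    """What a stream-aware endpoint does: parse frames and concatenate the
    DATA payloads per stream id. A plain byte-stream matcher skips this and
    is broken by the 9-byte frame headers alone, even with a single stream."""
    bodies = {}
    pos = 0
    while pos + 9 <= len(wire):
        length = int.from_bytes(wire[pos:pos + 3], "big")
        ftype = wire[pos + 3]
        sid = struct.unpack("!I", wire[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        if ftype == 0x0:
            bodies[sid] = bodies.get(sid, b"") + wire[pos + 9:pos + 9 + length]
        pos += 9 + length
    return bodies


def report() -> dict:
    """Where the signature is visible: only at the reassembling endpoints."""
    sub = mptcp_split(PAYLOAD)
    wire = h2_interleave({1: PAYLOAD, 3: b"GET /status HTTP/1.1\r\n\r\n"})
    return {
        "mptcp_per_path": {p: signature_match(middlebox_view(sub, p)) for p in PATHS},
        "mptcp_endpoint": signature_match(endpoint_reassemble(sub)),
        "h2_raw_tcp_stream": signature_match(wire),
        "h2_endpoint_stream_1": signature_match(h2_demux(wire)[1]),
    }


if __name__ == "__main__":
    print(report())
```

With a 4-byte chunk and three paths, no single path ever carries two consecutive chunks, so the 8-byte signature is never contiguous on any one link; in the HTTP/2 case the frame header and the interleaved frame of stream 3 sit between the two halves of the signature on the wire. Add TLS on top (the default for HTTP/2 in browsers) and the middlebox cannot even do the demultiplexing.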
THE CONSEQUENCES
- Some middlebox tasks become harder / more complex to implement
  - Reputation
  - Stateful stuff (not only TCP; also e.g. neighbor cache issues at L2)
- Some middlebox tasks can no longer be realized at all
  - Content-based & signature-based security
  - Encryption
  - Header foobar
  - [IPv6 IPS evasion, currently much discussed]
- We will probably have to rethink a bit
THE RETHINK: BACK TO THE ROOTS
- Shift security functions to the endpoint (caution: endpoints with limited computing & battery power)
  - Identity, encryption
  - Trust model, endpoint firewall
  - Advanced endpoint security
- Where network/middlebox security is used: decryption / sanitization / scrubbing first
- Let's forget state: maybe simply work with stateless ACLs again?
  - Is an ACL on the network then perhaps simply "good enough"?
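The "header foobar" / IPv6 IPS evasion point of the previous slide and the stateless-ACL question of this one, as an added example that is not from the deck: a minimal IPv6 packet builder, a naive transport lookup that reads only the base header's Next Header field, a lookup that walks the extension header chain, and two stateless policies evaluated with each lookup. The addresses (sensors assumed in 2001:db8:1::/64), the CoAP port and the rules are constructed for the example.

```python
"""Added example: stateless IPv6 ACLs with and without walking the
extension header chain. The naive lookup is the "header foobar" case: an
extension header in front of UDP/TCP changes what the filter thinks it sees."""
import ipaddress
import struct

HOPOPT, TCP, UDP, ROUTING, FRAGMENT, DSTOPTS = 0, 6, 17, 43, 44, 60
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, DSTOPTS}
SENSOR_NET = ipaddress.ip_network("2001:db8:1::/64")   # assumed sensor /64
COAP_PORT = 5683


def ipv6(src, dst, next_header, payload):
    """IPv6 base header (RFC 8200 section 3) followed by payload."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return hdr + ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + payload


def ext_header(next_header):
    """Minimal Hop-by-Hop / Destination Options header: Next Header,
    Hdr Ext Len = 0 (8-octet units, first 8 octets not counted), PadN(4)."""
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


def fragment_header(next_header, offset, more, ident=0x1234):
    """Fragment header (RFC 8200 section 4.5): fixed 8 bytes, no length field."""
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), ident)


def l4(proto, sport, dport, data):
    """Just enough UDP or TCP header for the ACL: the ports come first."""
    if proto == UDP:
        return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 65535, 0, 0) + data


def naive_transport(pkt):
    """Reads byte 6 (Next Header of the base header) and stops there."""
    return pkt[6], pkt[40:]


def walk_transport(pkt):
    """Follow the extension header chain to the upper-layer header. Returns
    (protocol, bytes_from_that_header), or (None, b"") when the transport
    header is not in this packet (non-first fragment, truncated chain)."""
    nh, pos = pkt[6], 40
    while nh in EXT_HEADERS:
        if pos + 8 > len(pkt):
            return None, b""
        if nh == FRAGMENT:
            frag_off = struct.unpack("!H", pkt[pos + 2:pos + 4])[0] >> 3
            nh, pos = pkt[pos], pos + 8
            if frag_off != 0:
                return None, b""         # L4 header lives in another fragment
        else:
            nh, pos = pkt[pos], pos + 8 * (pkt[pos + 1] + 1)
    return nh, pkt[pos:]


def dport_of(rest):
    return struct.unpack("!H", rest[2:4])[0] if len(rest) >= 4 else None


def blocklist_acl(pkt, transport_of):
    """'Deny TCP/22, permit the rest.' Evadable with the naive lookup and
    fail-open for anything the lookup cannot classify."""
    proto, rest = transport_of(pkt)
    return "deny" if proto == TCP and dport_of(rest) == 22 else "permit"


def allowlist_acl(pkt, transport_of):
    """'Permit only CoAP over UDP from the sensor /64.' Fails closed whenever
    the transport header cannot be found."""
    src = ipaddress.ip_address(pkt[8:24])
    proto, rest = transport_of(pkt)
    ok = src in SENSOR_NET and proto == UDP and dport_of(rest) == COAP_PORT
    return "permit" if ok else "deny"


# Constructed packets from a sensor to a server.
SRC, DST = "2001:db8:1::1", "2001:db8:2::10"
COAP = l4(UDP, 40000, COAP_PORT, b"\x40\x01\x00\x01")            # CoAP GET header
PLAIN = ipv6(SRC, DST, UDP, COAP)
WITH_DSTOPTS = ipv6(SRC, DST, DSTOPTS, ext_header(UDP) + COAP)    # legit, but with ext hdr
EVASION = ipv6(SRC, DST, HOPOPT, ext_header(DSTOPTS) + ext_header(TCP) + l4(TCP, 40000, 22, b""))
NONFIRST_FRAG = ipv6(SRC, DST, FRAGMENT, fragment_header(UDP, offset=1, more=False) + b"\x00" * 16)


def verdicts():
    """(blocklist naive, blocklist walked, allowlist naive, allowlist walked) per packet."""
    return {name: (blocklist_acl(p, naive_transport), blocklist_acl(p, walk_transport),
                   allowlist_acl(p, naive_transport), allowlist_acl(p, walk_transport))
            for name, p in (("plain", PLAIN), ("dstopts", WITH_DSTOPTS),
                            ("evasion", EVASION), ("nonfirst_frag", NONFIRST_FRAG))}


if __name__ == "__main__":
    for name, v in verdicts().items():
        print(f"{name:14s} {v}")
```

The naive lookup lets the SSH connection through the deny-list because it sees Next Header 0 (Hop-by-Hop) instead of TCP, and drops the legitimate CoAP request that merely carries a Destination Options header. Walking the chain fixes both, but even then a non-first fragment has no transport header to look at: the deny-list permits it, the allow-list drops it. That asymmetry is the practical answer to "is a stateless ACL good enough": only as an allow-list that fails closed on whatever it cannot parse.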
With kind support from: @WEareTROOPERS, Enno Rey (@insinuator), Carsten Dibbern (Computacenter)
@droecher
The End – Thank you very much
Thank you.