Basics of embedded firewalls - Part 1: Exploding the myths

Security for The Internet of Things requires a firewall combined with authentication and encryption, and each plays a distinct role. Authentication and encryption using protocols such as SSL, SSH and more recently IPSec and IPv6, have long been the staple of embedded security. Authentication and encryption provide secure access and communication, but they are not enough. Systems may be deployed with weak or default passwords, passwords can be stolen, and encryption algorithms can be broken.

The role of a firewall in protecting an embedded device is to control what packets are processed by the device, and to provide an audit point to track attacks. An embedded firewall is an endpoint firewall: it resides on the device and is integrated into the TCP/IP stack. This enables the developer to configure the firewall with a set of rules specifying which packets are processed and which are blocked.

Rules can be set up to block or allow packets by IP address, port, protocol, or other criteria. Some firewalls, such as Icon Labs' Floodgate Packet Filter, support advanced rules allowing additional fine-grained control over the filtering process. For example, the firewall in a printer may be configured to allow print commands from any IP address while blocking firmware upgrades unless from a known upgrade server.

An embedded firewall may also provide Stateful Packet Inspection (SPI) and threshold-based filtering. SPI filtering maintains information on the state of the connection and uses that information to distinguish legitimate from malicious packets. Threshold-based filtering maintains statistics on the number of packets received to detect and block DoS attacks.

Since each packet received by the devices passes through the firewall for filtering before being passed up the TCP/IP stack, many attacks are blocked before a connection is even established. This provides a simple, yet effective layer of protection missing from most devices.

Blocking attacks with a firewall
In a system without a firewall, a hacker may attempt to remotely access the device using default passwords, dictionary attacks, or stolen passwords. Such attacks are often automated, allowing a huge number of attempts to break the system's password. The same system, with an embedded firewall configured with an IP address whitelist of trusted hosts, will be able to block the attack. The firewall's IP address filter will block the login attempts from the hacker before a login is even attempted because the IP address is not in the whitelist of trusted hosts.

A firewall supporting SPI filtering and complex rules provides for greater flexibility in device configuration. For example, a firewall in a highly secure military device could be configured in to require all communication to be initiated from the device.

Additional rules could be specified allowing a small number of trusted IP addresses to request communication with the device. Only allowing connections initiated by the device, and blocking all communication initiated from the Internet, provides a "lock down mode" for greater security.

Building an embedded firewall
Part 2 of this article discusses requirements, issues, filtering options and, best practices when building embedded firewalls.

About the author:
Alan Grau is President and co-founder of Icon Labs, a leading provider of security software for embedded devices. He is the architect of Icon Labs' award winning Floodgate Firewall. Alan has 20 years of embedded software experience. Prior to founding Icon Labs he worked for AT&T Bell Labs and Motorola. Alan has an MS in computer science from Northwestern University.

References:
1. Source: John Gantz, The Embedded Internet: Methodology and Findings, IDC, January 2009.

2. Source: Cui, Song, Phatap and Stolfo, Brave New World: Pervasive Insecurity of Embedded Network Devices, Intrusion Detection Systems Lab, Columbia University

For more articles like this and others related to designing for the embedded Internet, visit Embedded Internet Designline and/or subscribe to the biweekly Embedded Internet newsletter (free registration).