Embedded firewalls vs. desktop firewalls
Firewall technology is standard in home and corporate networks and is a proven and reliable technology. So why not just use one of these existing solutions in your embedded device? For the same reasons desktop operating systems are not used in embedded devices: they are slow, big, and not easily ported to an embedded device.
Most open source firewalls work using Linux iptables to support filtering. Most embedded OSes do not utilize Linux iptables, making this approach inappropriate for those systems.
OS considerations: what if there is no OS
When building a custom firewall, the design can be tailored to the operating system used in the design. For a commercial solution, the design should ensure portability between operating systems and even scale to systems that use no operating system at all. This is achieved through a simple design that does not rely heavily on OS services and that provides an abstraction layer isolating OS-specific calls from the internals of the firewall software.
Integration with the TCP/IP stack
There are several options for integrating the firewall with the communication stack. One option is to integrate the firewall at the Ethernet driver layer, allowing filtering by MAC address. The drawback of this approach is that it adds processing to the device driver.
For most applications, filtering can be performed at the IP layer. By filtering at a lower layer in the stack, packets can be dropped before the embedded device utilizes additional resources in processing the packet. When filtering at the IP layer, the firewall can first perform filtering based on IP packet header information, then on protocol specific criteria such as TCP port, UDP port, etc.
Another approach is performing filtering at multiple layers in the communication stack. Filtering by IP address and protocol could be performed at the IP layer, while filtering for TCP and UDP ports could be performed at the TCP and UDP layers. This simplifies the filtering at the IP layer and can be used to provide custom filtering for a specific protocol or application.
If you are building your own firewall software, you can integrate the filtering at the layer in the stack appropriate for your application. Some commercial firewall solutions, such as Floodgate from Icon Labs, provide layer-based callbacks allowing you to insert the firewall at whatever layer in the stack you choose.
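As an added example (not code from the article, nor from Floodgate or any other product), a minimal IP-layer filter hook in C showing the staged check described above: IPv4 header criteria first, then the TCP/UDP destination port, against a default-deny allow list. The rule table, the MQTT/ICMP policy and the packet builder are constructed here for illustration; a real stack would call the filter with the received buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
enum { FW_DROP = 0, FW_ACCEPT = 1 };
/* One allow rule: source network (host byte order), IP protocol, dst port (0 = any). */
struct fw_rule { uint32_t src; uint32_t mask; uint8_t proto; uint16_t dport; };
/* Constructed sample policy: TCP/1883 (MQTT) only from 192.168.1.0/24 and ICMP
 * from anywhere; anything not listed is dropped (default deny). */
static const struct fw_rule rules[] = {
    { 0xC0A80100u, 0xFFFFFF00u, 6, 1883 },   /* 192.168.1.0/24, TCP, port 1883 */
    { 0x00000000u, 0x00000000u, 1, 0 },      /* any source, ICMP */
};

/* Called from the IP layer with the raw IPv4 packet before the stack does any
 * further work on it: IP header criteria first, then the protocol-specific port. */
int fw_filter_ipv4(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return FW_DROP;    /* not a full IPv4 header */
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || ihl > len) return FW_DROP;             /* bogus or truncated IHL */
    uint8_t  proto = pkt[9];
    uint32_t src = ((uint32_t)pkt[12] << 24) | ((uint32_t)pkt[13] << 16) |
                   ((uint32_t)pkt[14] << 8)  |  (uint32_t)pkt[15];
    uint16_t dport = 0;
    if (proto == 6 || proto == 17) {                       /* TCP/UDP: need dst port */
        if (len < ihl + 4) return FW_DROP;                 /* ports missing: drop */
        dport = (uint16_t)(((unsigned)pkt[ihl + 2] << 8) | pkt[ihl + 3]);
    }
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const struct fw_rule *r = &rules[i];
        if ((src & r->mask) != (r->src & r->mask)) continue;
        if (r->proto != proto) continue;
        if (r->dport != 0 && r->dport != dport) continue;
        return FW_ACCEPT;
    }
    return FW_DROP;                                        /* default deny */
}

/* Builds a minimal constructed 24-byte packet (IPv4 header + first 4 bytes of the
 * L4 header) in a static buffer so the filter can be exercised without a stack. */
const uint8_t *fw_build_pkt(uint8_t proto, uint32_t src, uint16_t dport)
{
    static uint8_t buf[24];
    memset(buf, 0, sizeof buf);
    buf[0] = 0x45; buf[9] = proto;                         /* IPv4, IHL = 5 */
    buf[12] = (uint8_t)(src >> 24); buf[13] = (uint8_t)(src >> 16);
    buf[14] = (uint8_t)(src >> 8);  buf[15] = (uint8_t)src;
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    return buf;
}
```

Because the filter runs before reassembly or socket lookup, a dropped packet costs the device only the header parse shown here; truncated packets are rejected rather than having their missing port bytes read past the buffer.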
Other features of an embedded firewall
In addition to providing filtering, there are a number of important requirements for an embedded firewall. It is crucial to provide users with a flexible, easy-to-use, yet secure configuration interface. If the firewall configuration can be compromised, then the firewall can be reconfigured and bypassed, or possibly even disabled.
The firewall should also provide statistics and logging capability to allow security audits to determine if the device has been attacked, what IP address the attack originated from, and other relevant details. The firewall may also provide notifications of attacks or threshold crossing events.
A firewall provides a simple and effective layer of security for embedded devices. When implementing a firewall, the engineers must consider the services provided by the device to determine the appropriate type of filtering. Engineers must also choose between buying a commercial embedded firewall, porting an open source firewall, or building a firewall solution from scratch. Regardless of the approach selected, it is critical to include a firewall to protect the devices making up The Internet of Things.
About the author:
Alan Grau is President and co-founder of Icon Labs, a leading provider of security software for embedded devices. He is the architect of Icon Labs' award winning Floodgate Firewall. Alan has 20 years of embedded software experience. Prior to founding Icon Labs he worked for AT&T Bell Labs and Motorola. Alan has an MS in computer science from Northwestern University.