Security Architecture for Small Branch and IoT

Parallel networking and IoT Kent Woodruff, CSO, Cradlepoint

Upload: barcoding-inc

Post on 14-Jan-2017


The Monolithic Network (diagram): one branch network carrying the Server, Employee Tablet, Back Office, Customer Area, Equipment Room and Customer Smartphone, connected over the Internet / Private Network to Corporate Applications and Data Center (cloud-based) used by Network Admin, Customer Marketing, Security Mgmt and Store Operations. Primary Network (WAN): typically T1, DSL or Cable. Failover Connection: 4G-LTE as a backup.

Segmentation

Go Phish Yourself

Spear Phishing Example

The Result and Impact

• The Industry Experts’ Analysis
– They passed its PCI Compliance audit in September
– They may have not done enough to wall off its payment systems from the rest of its vast network, people who work with large corporate networks said.
– The company has since moved to isolate its different platforms and networks to make it harder for a hacker to move between them, an executive said.
– So-called segmentation issues, where computer systems that shouldn't be connected for security reasons are in fact linked, are a problem at a number of retailers, a person familiar with retail breaches said.
– There shouldn't have been a route between a network for an outside contractor and the one for payment data, people familiar with large corporate networks said.

Source:

Why is Segmentation Hard?

And then…


Solution: Parallel Networking. Physically separate networks for 3rd parties and non-core applications (diagram): Kiosk Network, Digital Signage Network, HVAC System Network, Customer WiFi Network, Employee Network, Energy Mgmt Network, Point-of-Sale Device Network, Security System Network and Store-within-a-Store Network, each with its own 4G LTE uplink to the Internet / Private Network.

Solution Overview
• Cloud-managed IoT/M2M routers dedicated to a single use
• Typically used by 3rd-parties for BYON (Bring Your Own Network)
• Creates physically separate networks for increased security

Benefits
• Increases PCI Compliance by reducing scope of network
– PCI Auditors must evaluate everything in the Cardholder Data Environment (CDE)
– Removing usage from the CDE such as customer WiFi, digital signage, 3rd-parties, etc. reduces scope, increases PCI compliance, and reduces security risk.
– Dedicated networks for POS devices (checkout, kiosk, etc.) have fewer security risks
• Eliminates 3rd-party dependencies on branch/store network
– 3rd-parties include kiosks, store-within-a-store, digital signage, security, HVAC, energy mgmt
– 4G-LTE enables network connectivity with no wires to install or manage
– 3rd-parties prefer homogeneous networks for control, consistency and manageability
• Security through Separation
– Eliminates the opportunity for thieves to hack into the network and launch a “pivot attack”
– Network segmentation that is “logical” rather than “physical” is prone to misconfiguration
– The Target breach highlights the susceptibility of monolithic networks to a pivot attack.
• Enables Offload of Non-Core Traffic from the Private Network
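The "Security through Separation" point above (logical segmentation is prone to misconfiguration; a route between a contractor network and the payment network is what made the pivot possible) can be checked mechanically. The following is an added example, not code from the deck or from Cradlepoint: it models each branch design as a policy of permitted flows between segments and audits whether any third-party segment has a permitted route into the cardholder data environment. Segment names and the two policies are constructed for illustration.

```python
from collections import deque

# Constructed policies (not from the slides): segment -> segments it may reach.
# Monolithic branch: HVAC is only "logically" segmented; one rule lets it reach
# the core and the back office can reach POS, so a pivot route exists.
MONOLITHIC = {
    "hvac": {"core"},
    "core": {"backoffice", "signage", "guest_wifi"},
    "backoffice": {"pos", "core"},
    "signage": {"internet"},
    "guest_wifi": {"internet"},
    "pos": {"payment_processor"},
}
# Parallel networking: each third-party network has its own LTE uplink and no
# rule connects it to the branch LAN at all.
PARALLEL = {
    "hvac": {"internet"},
    "signage": {"internet"},
    "guest_wifi": {"internet"},
    "core": {"backoffice"},
    "backoffice": {"pos"},
    "pos": {"payment_processor"},
}
CDE = {"pos"}                                  # cardholder data environment
UNTRUSTED = {"hvac", "signage", "guest_wifi"}  # third-party / non-core segments

def find_path(rules, src, dst):
    """BFS over permitted flows; returns the segment list src..dst or None."""
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in rules.get(path[-1], ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def pivot_paths(rules, cde=CDE, untrusted=UNTRUSTED):
    """Map each untrusted segment to a permitted route into the CDE; empty = no pivot."""
    found = {}
    for src in sorted(untrusted):
        for dst in sorted(cde):
            path = find_path(rules, src, dst)
            if path:
                found[src] = path
                break
    return found
```

Running `pivot_paths(MONOLITHIC)` reports the single misconfigured rule as the route hvac, core, backoffice, pos, while `pivot_paths(PARALLEL)` returns nothing because the third-party networks share no rules with the branch LAN.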

In-Vehicle Networks

• The Connected Bus

Trends Driving In-Vehicle Networks
• Mobility (Access & Deployment)
• Pervasiveness of Affordable, High Bandwidth 4G LTE
• Cloud-based Applications
• Big Data

The Connected Bus (diagram): CCTV Cameras for Security, Internal Digital Signage, Passenger WiFi, Credit Card Processor, Connected Exterior Digital Signage, Bus Driver Tablet.

…and if you don’t segment?

DEMOs
• Reverse Engineering CANbus
• Searching for easy IoT targets
• Spoofing email

Thank you!

#SupplyChainGeek

Kent Woodruff

Cradlepoint