Have you ever considered how every smart lightbulb in your business is one of 127 IoT devices connected every second? Sure, it helps save on electrical expenses. But at what cost?
That desire to save a penny or two and cost just earned your business a weak point that malefactors could exploit. Just look at the example of the Colonial Pipeline hack, which affected millions of people in the US for weeks afterward.
In 2020, over 32% of infection instances on mobile networks found that IoT devices were the cause, a growth of 100% year-over-year. More concerning still, this rise has coincided with a decline in cybercriminals’ focus on Android-based devices, pointing to a heightened focus on compromising IoT networks.
This is where IoT firewalls fit in your security stack and offer a solution to this growing threat. But, first, let’s briefly look at what they are precisely and dive into how these specialized firewalls can protect your IoT assets.
What is an IoT firewall?
Source: F5
Firewalls by design filter and stop unknown, suspicious, and potentially malicious network traffic. When wireless and cellular networks are added to the equation, especially the IoT devices connected to them, effective protection gets more complex.
In the early 2000s, the first IoT firewall was dreamt up by a German bank with a big dream. They wanted to deploy a firewall routed through a VPN for each of their 2500 ATMs around the country. So, they created a failsafe-backed system that could reroute itself through 3G and modem lines if one or the other was compromised. The solution also offered a universal form factor, built-in upgradeability, a centralized control unit and was managed by just two admins.
IoT firewalls aim to protect IoT devices from internal and external threats, in addition to attacks on the network like DDoS and MiTM. Moreover, they can provide device-specific IP address mapping and apply device-based rules and policies.
There are two types of firewalls commonly used in IoT network deployments: embedded and network firewalls.
1. Embedded IoT firewalls
An embedded firewall is, as the name suggests, one that is installed directly on the IoT device operating system. Installed by the device manufacturer or IoT service provider, these endpoint firewalls aim to protect the particular device on which they are placed.
Usually equipped with basic port and packet filtering capabilities, embedded firewalls can also serve as VPN endpoints or clients. This is important if, as the German bank, you are looking to encrypt the traffic in transit across all wireless networks in addition to traffic traversing the public Internet.
In practice, embedded firewalls vary between devices and are a potential nightmare to manage at scale. If you have more than one type of firewall and numerous central management systems? It gets even worse. However, embedded firewalls provide a critical layer of defense to IoT devices connected to cellular and WiFi networks.
2. IoT network firewalls
Network firewalls come in many shapes and forms, enabling network security features to service providers and enterprises for many years now. Installed on network gateways, they provide a wide array of security capabilities and can usually serve as VPN servers. Managed by network administrators, network firewalls extend protection to the devices and the network behind them.
This proven technology, when applied to IoT, allows for secure micro-segmentation of your IoT infrastructure. This security tactic lets you isolate IoT device networks from other types of networks, assigning a security policy to the connected devices suitable to their applications.
In addition, network firewalls provide an effective and efficient line of defense against data theft and snooping. They do so in the form of wireless traffic encryption with secure VPN tunnel access. This way, even if traffic is intercepted? A malefactor would not be able to extract any information from it without the VPN decryption key.
Specialized IoT firewalls available today offer device-aware, application-centered firewall security controls. These stopgaps combine the best of traditional network firewalls with application monitoring and full support for a wide array of IoT devices and protocols.
The German bank we mentioned previously is a perfect example of a successful deployment of an IoT network firewall through a VPN to achieve encryption and operational security. This security stack provided both embedded and network firewalls working in tandem to provide secure, encrypted communications and operations without impacting performance.
Whether it’s a control switch or a remote sensor, cellular IoT deployments face an increasing number of threats that make a proper IoT firewall more critical than ever.
The cellular IoT challenge: why you need an IoT firewall
It needs to be put plainly – IoT data is not secure. To be exact, 98% of all IoT-related traffic lacks encryption, directly exposing potentially vulnerable data on those networks. Nearly 70% of the devices carrying that data are vulnerable to moderate or severe attacks, often exploiting lagging patch levels, default passwords, and exploited known vulnerabilities.
Identity compromise attacks can exhaust data limits and bypass firewalls, while battery drain attacks accomplish their namesake. This is especially relevant for remote or low-coverage-oriented IoT devices.
Device manipulation attacks allow hackers complete control over a device, while data eavesdropping and tampering attacks leave sensitive business data vulnerable and ripe for manipulation.
Lastly, an aspect that cannot be understated is the threat of abuse of use or privileges by users on the network. IoT firewalls protect network-connected devices from unexpected and unauthorized access and maintain connections to only secure and verified sites.
Still, though IoT firewalls can offer a significantly improved security posture for organizations, it still doesn’t mean you should stop there.
Securing cellular IoT: beyond the IoT firewall
As discussed earlier, the sheer versatility and range of IoT-connected devices available today make it a true challenge to secure effectively. To further complicate things, the joining of cellular and IoT leaves common threats and ample opportunity for cybercriminals to take advantage of the increased vulnerability.
With no all-inclusive solutions, there needs to be a consideration on a case-by-case basis. This includes looking at the threat landscape, device and network types, their locations, and use cases, among other factors. This multi-layered approach needs to start at your organization’s most vulnerable and valuable areas and work outwards from there.
There are multiple methods of protecting your IoT infrastructure, like improving hardware security by establishing Root of Trust or ensuring proper encryption protocols are in place. Keeping the software side secure entails including IoT devices in periodic organization-wide updates, good password hygiene, and proper access controls for each node. Devices on private and APN networks can simply be kept disconnected from the internet to minimize risk and remain connected to a single, on-premises server.
For cellular IoT, embedded firewalls and scanners are insufficient with a lack of portability, unnecessary filtering, and the necessity to be installed singularly on each device. Due to these weaknesses, one of the more effective methods to protect IoT deployments is through network-based and SIM-level, centrally controlled safeguards.
Now that 5G deployment is becoming more and more widespread globally, the potential for cybercrime is rising with it. In addition, 5G has provided several opportunities to improve network security, one of those being network slicing. This creates an environment providing for multiple virtual networks within a single deployment. This method offers built-in resource isolation, which defends against DDoS, MiTM, and other similar network incursions. 5G slicing is also configurable at every level to be tailor-fit to an organization’s security needs.
However, these slices still need their own security controls, and that is where IoT firewalls come into play. By offering a security solution built into a service provider’s network, network-based firewalls can easily help control and manage these network pieces, regardless of their orientation.
Your IoT Firewall & Beyond
IoT is growing at an exponential rate, and the risks for network vulnerability are not far behind. Though firewalls and encryption offer some semblance of defense, they are not enough. If you really aim to secure your networks and those of your subscribers? You need a multi-layered approach to secure IoT devices and connectivity now more than ever.
When it comes to cellular IoT devices and the vulnerabilities that threaten them? Services providers and enterprises need to look beyond IoT firewalls and firewall policies since each device has its own unique requirements and operation. The optimal solution is one that synergizes device-agnostic, customizable, endpoint security with core-network level protection.
