Basics of embedded firewalls - Part 1: Exploding the myths

by Alan Grau, Icon Labs, TechOnline India - February 07, 2012

Embedded devices play an ever increasing role in our lives and our society, and the economic, political or personal gain from attacking these devices has grown dramatically. This is the first in a series on basics of embedded firewalls.

Today there are over 5 billion intelligent, connected devices. The leading technology analyst firm International Data Corporation (IDC) is predicting the number will rise to 15 billion by 2015{1}. Our reliance on embedded devices is growing as embedded devices are showing up in almost every area imaginable.

The Smart Grid, networked cars, medical instrumentation and monitoring systems, factory control systems, and military and homeland security equipment are all examples of connected devices. While these devices make our lives easier and more productive, our reliance on them makes us increasingly vulnerable when they fail.

As embedded devices proliferate, new vulnerabilities continue to be exploited, and attacks against embedded devices are on the rise. Recently reported vulnerabilities include:

• Hacking a car's computer and disabling its brakes, stopping the engine, and controlling other functions; even overriding the driver's commands.

• More than 122 medical devices infected by malware at the U.S. Department of Veterans Affairs.

• Attacks against web servers controlling IP cameras and other web-enabled embedded devices.

• Embedded devices failing from packet floods and Denial of Service (DoS) attacks.

• Reprogramming printers with malicious firmware causing them to forward documents to a remote computer, or run continuously causing failure due to heat buildup.

Many embedded devices with Internet connectivity and advanced features, such as a web interface, lack a firewall, a key component of a comprehensive security framework. A firewall provides a basic, but critical level of security for an embedded device, allowing it to block unwanted packets. A home PC or enterprise network is not considered to be secure without a firewall, so the fact that so many embedded devices are deployed without a firewall is alarming.

But I don't need a firewall, do I?

Despite the growing number of vulnerabilities and increasing awareness of hacking dangers, very few embedded designs include a firewall. There are several common arguments given as to why embedded firewalls are not needed.

• As non-Windows devices, embedded devices are not vulnerable to Internet-based threats.

• Embedded devices are not attractive targets for hackers; there is no incentive to attack embedded devices.

• Only authentication and encryption are required to ensure a device is secure.

Recent research and trends invalidate these arguments. In fact, researchers in one study reported that embedded devices were over 15 times more vulnerable to Internet-based threats than enterprise networks{2}.

While embedded devices may not be vulnerable to Windows viruses, there are a growing number of other Internet-based threats to which they are susceptible. DoS attacks are on the rise and attacks against web services are proliferating. Because many embedded devices now utilize a web server for connectivity and management, common attacks on web services can be effective against these embedded devices. An Arbor Networks Security Report showed a 1000% increase in DoS attacks from 2005 to 2010 and a 102% increase just from 2009 to 2010. Many of these attacks targeted embedded devices.

Hacking drones constantly scan ranges of IP addresses, probing any device or computer they find for vulnerabilities. Even devices without a public IP address or web domain are still subject to attack.

More importantly, embedded devices play an ever increasing role in our lives and our society, and the economic, political or personal gain from attacking these devices has grown dramatically. Attacks have been developed and launched that specifically target embedded devices. It is imperative embedded devices now include a firewall to protect against these attacks.

A framework for device security

Security for the Internet of Things requires a firewall combined with authentication and encryption, and each plays a distinct role. Authentication and encryption, using protocols such as SSL, SSH and, more recently, IPSec and IPv6, have long been the staple of embedded security. Authentication and encryption provide secure access and communication, but they are not enough. Systems may be deployed with weak or default passwords, passwords can be stolen, and encryption algorithms can be broken.

The role of a firewall in protecting an embedded device is to control what packets are processed by the device, and to provide an audit point to track attacks. An embedded firewall is an endpoint firewall: it resides on the device and is integrated into the TCP/IP stack. This enables the developer to configure the firewall with a set of rules specifying which packets are processed and which are blocked.
Rules can be set up to block or allow packets by IP address, port, protocol, or other criteria. Some firewalls, such as Icon Labs' Floodgate Packet Filter, support advanced rules allowing additional fine-grained control over the filtering process. For example, the firewall in a printer may be configured to allow print commands from any IP address while blocking firmware upgrades unless from a known upgrade server.

An embedded firewall may also provide Stateful Packet Inspection (SPI) and threshold-based filtering. SPI filtering maintains information on the state of the connection and uses that information to distinguish legitimate from malicious packets. Threshold-based filtering maintains statistics on the number of packets received to detect and block DoS attacks.

Since each packet received by the device passes through the firewall for filtering before being passed up the TCP/IP stack, many attacks are blocked before a connection is even established. This provides a simple, yet effective layer of protection missing from most devices.
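As an added example (not Icon Labs' Floodgate code, nor code from the article), the following C program shows the two filtering stages just described in the form an endpoint firewall applies them at the IP layer: a static rule table matched by source address, protocol and destination port, with the printer policy from the text encoded as rules, followed by a threshold filter that counts packets per second and drops the excess. The addresses, the port numbers (TCP/9100 for raw printing, TCP/8443 for firmware upgrades, 10.0.0.5 as the upgrade server) and the packet fields are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define PROTO_ANY 0       /* rule wildcard */
#define PROTO_TCP 6
#define PORT_ANY  0       /* rule wildcard */
#define ADDR_ANY  0u      /* rule wildcard, used together with mask 0 */
#define MASK_HOST 0xffffffffu

/* Constructed packet summary: the header fields this filter inspects.
 * Addresses are IPv4 in host byte order. */
typedef struct {
    uint32_t src_ip;
    uint8_t  proto;
    uint16_t dst_port;
} pkt_t;

/* One filter rule; the table is scanned top-down and the first match wins. */
typedef struct {
    uint32_t src_ip;
    uint32_t src_mask;   /* 0 matches any source address */
    uint8_t  proto;      /* PROTO_ANY matches any protocol */
    uint16_t dst_port;   /* PORT_ANY matches any port */
    bool     allow;
} rule_t;

/* Rule set for the printer scenario in the text. Addresses and ports are
 * assumptions: printing on TCP/9100 from anywhere, firmware upgrades on
 * TCP/8443 only from the upgrade server 10.0.0.5, then default deny. */
static const rule_t rules[] = {
    { 0x0A000005u, MASK_HOST, PROTO_TCP, 8443,     true  },
    { ADDR_ANY,    0,         PROTO_TCP, 9100,     true  },
    { ADDR_ANY,    0,         PROTO_ANY, PORT_ANY, false },
};
#define NRULES (sizeof rules / sizeof rules[0])

static bool rule_matches(const rule_t *r, const pkt_t *p)
{
    if (r->src_mask && (p->src_ip & r->src_mask) != (r->src_ip & r->src_mask))
        return false;
    if (r->proto != PROTO_ANY && r->proto != p->proto)
        return false;
    if (r->dst_port != PORT_ANY && r->dst_port != p->dst_port)
        return false;
    return true;
}

/* Static filtering: true if the packet may be passed up the stack. */
bool filter_static(const pkt_t *p)
{
    for (size_t i = 0; i < NRULES; i++)
        if (rule_matches(&rules[i], p))
            return rules[i].allow;
    return false;   /* no rule matched: deny by default */
}

/* Threshold-based filtering: count packets in the current one-second
 * window and drop everything beyond the limit until the next window. */
typedef struct {
    uint32_t window_start;  /* seconds */
    uint32_t count;
    uint32_t limit;
} threshold_t;

bool filter_threshold(threshold_t *t, uint32_t now_sec)
{
    if (now_sec != t->window_start) {   /* window rolled over */
        t->window_start = now_sec;
        t->count = 0;
    }
    if (t->count >= t->limit)
        return false;                    /* over threshold: drop */
    t->count++;
    return true;
}

/* Helper: evaluate the static rules on constructed header fields. */
bool allowed_by_rules(uint32_t src_ip, uint8_t proto, uint16_t dst_port)
{
    pkt_t p = { src_ip, proto, dst_port };
    return filter_static(&p);
}

/* Helper: packets dropped when 'burst' packets arrive within one second
 * under a threshold of 'limit' packets per second. */
uint32_t dropped_in_burst(uint32_t limit, uint32_t burst)
{
    threshold_t t = { 0, 0, limit };
    uint32_t dropped = 0;
    for (uint32_t i = 0; i < burst; i++)
        if (!filter_threshold(&t, 1000))   /* constant timestamp: same second */
            dropped++;
    return dropped;
}

int main(void)
{
    printf("print job from 192.168.1.119: %s\n",
           allowed_by_rules(0xC0A80177u, PROTO_TCP, 9100) ? "pass" : "drop");
    printf("upgrade from 192.168.1.119:   %s\n",
           allowed_by_rules(0xC0A80177u, PROTO_TCP, 8443) ? "pass" : "drop");
    printf("dropped in burst of 50 at 20/s: %u\n", dropped_in_burst(20, 50));
    return 0;
}
```

The last rule is an explicit default deny, so a service the developer forgot to list never reaches the stack, and the threshold stage is independent of the rule table, so a stack can run it first (a flood then costs no rule lookups) and record which stage dropped each packet as the audit point the text mentions.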

Figure 1: By blocking packets at the IP layer, attacks can be blocked before a connection is established.

Blocking attacks with a firewall

In a system without a firewall, a hacker may attempt to remotely access the device using default passwords, dictionary attacks, or stolen passwords. Such attacks are often automated, allowing a huge number of attempts to break the system's password. The same system, with an embedded firewall configured with an IP address whitelist of trusted hosts, will be able to block the attack. The firewall's IP address filter will block the login attempts from the hacker before a login is even attempted because the IP address is not in the whitelist of trusted hosts.

A firewall supporting SPI filtering and complex rules provides for greater flexibility in device configuration. For example, a firewall in a highly secure military device could be configured to require all communication to be initiated from the device.
Additional rules could be specified allowing a small number of trusted IP addresses to request communication with the device. Only allowing connections initiated by the device, and blocking all communication initiated from the Internet, provides a "lock down mode" for greater security.
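An added example (again not the article's or Icon Labs' code) of the stateful packet inspection mentioned earlier and of the lock-down mode just described: an outbound packet that opens a flow is recorded in a small connection table, an inbound packet passes only if it belongs to a recorded flow, and a new inbound connection is accepted only from the trusted-host list. The trusted address 10.0.0.5, the other addresses and ports, and the packet layout are constructed for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define PROTO_TCP 6
#define PROTO_UDP 17
#define TCP_SYN   0x02
#define TCP_ACK   0x10
#define MAX_CONN  16

typedef enum { DIR_IN, DIR_OUT } dir_t;

/* Constructed packet summary as seen at the IP layer. "remote" is the
 * source of an inbound packet and the destination of an outbound one. */
typedef struct {
    dir_t dir; uint32_t remote_ip; uint16_t remote_port, local_port;
    uint8_t proto, tcp_flags;   /* tcp_flags is 0 for UDP */
} pkt_t;

/* One entry per flow the firewall has agreed to pass. */
typedef struct {
    bool used; uint32_t remote_ip; uint16_t remote_port, local_port; uint8_t proto;
} conn_t;

static conn_t conn_table[MAX_CONN];

/* Hosts allowed to initiate contact with the device (assumed address). */
static const uint32_t trusted_hosts[] = { 0x0A000005u };   /* 10.0.0.5 */
#define NTRUSTED (sizeof trusted_hosts / sizeof trusted_hosts[0])

static bool is_trusted(uint32_t ip)
{
    for (size_t i = 0; i < NTRUSTED; i++)
        if (trusted_hosts[i] == ip) return true;
    return false;
}

static conn_t *find_conn(const pkt_t *p)
{
    for (int i = 0; i < MAX_CONN; i++) {
        conn_t *c = &conn_table[i];
        if (c->used && c->remote_ip == p->remote_ip && c->proto == p->proto &&
            c->remote_port == p->remote_port && c->local_port == p->local_port)
            return c;
    }
    return NULL;
}

/* Track a flow; false only when the table is full. */
static bool add_conn(const pkt_t *p)
{
    if (find_conn(p)) return true;
    for (int i = 0; i < MAX_CONN; i++)
        if (!conn_table[i].used) {
            conn_table[i] = (conn_t){ true, p->remote_ip, p->remote_port,
                                      p->local_port, p->proto };
            return true;
        }
    return false;
}

void lockdown_reset(void) { memset(conn_table, 0, sizeof conn_table); }

/* Lock-down policy: returns true if the packet may pass. */
bool lockdown_filter(const pkt_t *p)
{
    /* A TCP SYN without ACK opens a flow; for UDP, the first packet of an
     * unknown flow does. */
    bool opens_flow = (p->proto == PROTO_TCP)
        ? ((p->tcp_flags & (TCP_SYN | TCP_ACK)) == TCP_SYN)
        : (find_conn(p) == NULL);

    if (p->dir == DIR_OUT) {
        /* Device-initiated traffic always leaves; remember the flow so the
         * peer's replies can come back in. */
        if (opens_flow && !add_conn(p))
            return false;       /* table full: refuse rather than lose track */
        return true;
    }
    if (!opens_flow && find_conn(p) != NULL)
        return true;            /* reply belonging to a flow the device opened */
    if (opens_flow && is_trusted(p->remote_ip))
        return add_conn(p);     /* a trusted host may open a new flow */
    return false;               /* anything else initiated from outside is dropped */
}

/* Wrapper to drive the filter with constructed header fields. */
bool lockdown_check(dir_t dir, uint32_t remote_ip, uint16_t remote_port,
                    uint16_t local_port, uint8_t proto, uint8_t tcp_flags)
{
    pkt_t p = { dir, remote_ip, remote_port, local_port, proto, tcp_flags };
    return lockdown_filter(&p);
}

int main(void)
{
    lockdown_reset();
    printf("outbound HTTPS to 192.168.1.20: %d\n",
           lockdown_check(DIR_OUT, 0xC0A80114u, 443, 40000, PROTO_TCP, TCP_SYN));
    printf("its SYN-ACK reply:              %d\n",
           lockdown_check(DIR_IN, 0xC0A80114u, 443, 40000, PROTO_TCP, TCP_SYN | TCP_ACK));
    printf("unsolicited telnet SYN:         %d\n",
           lockdown_check(DIR_IN, 0x08080808u, 51000, 23, PROTO_TCP, TCP_SYN));
    return 0;
}
```

The state table is what makes this different from the static whitelist: a bare ACK or a SYN-ACK arriving for a port with no recorded flow is dropped even though the port may be open, and a reply from an untrusted server is accepted only because the device spoke to it first. A production SPI engine would additionally age entries out, track FIN and RST, and bound the table per peer; those details are omitted here.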

Figure 2: A multi-stage filtering engine provides fine-grained control over the packets processed by the embedded device.

Building an embedded firewall

Part 2 of this article discusses requirements, issues, filtering options, and best practices when building embedded firewalls.

About the author:

Alan Grau is President and co-founder of Icon Labs, a leading provider of security software for embedded devices. He is the architect of Icon Labs' award-winning Floodgate Firewall. Alan has 20 years of embedded software experience. Prior to founding Icon Labs he worked for AT&T Bell Labs and Motorola. Alan has an MS in computer science from Northwestern University.


1. Source: John Gantz, The Embedded Internet: Methodology and Findings, IDC, January 2009.
2. Source: Cui, Song, Phatap and Stolfo, Brave New World: Pervasive Insecurity of Embedded Network Devices, Intrusion Detection Systems Lab, Columbia University.
