As IP-enabled technology in the home continues to proliferate, networks and security architectures need to change. Each and every smart device inside the home needs to communicate with a server, which is typically outside the home. The amount of data and the frequency of communication vary, but even a single outbound connection increases exposure to security threats. Consider the now infamous attack on the company Dyn, which was launched from compromised IP video security cameras.
How should networking evolve to provide secure data transport? Minimally, basic access switches on premises need to be replaced with increasingly smarter, session-stateful routers. These routers need to subscribe to registries of certified and authorized Internet of Things (IoT) services. As such, they should provide a secure route between a home and the IoT service. These same routers could prevent any non-conforming traffic from being passed to or from the IoT device. This technique would essentially create a “VPN” between each IoT device and its server. With this approach, both the service owner and the home owner win. The service owner is assured of the IoT device’s accuracy and location. The home owner can now prevent any unauthorized outbound flows. Other benefits of this device-specific intelligent router would include clear end-to-end control, even through mid-network NATs, such as NAT64 or Carrier Grade NATs (CGNs).
Some in the industry tout Virtual CPE (vCPE) as a security solution. In actuality, this just moves the security border from the customer edge to the service provider edge, meaning the same networking issues exist. However, by moving the problem from a customer edge to a provider edge, better solutions for security and traffic analysis may be available in a cost-effective manner. Service Function Chaining (SFC) of different types of DPI or firewall technologies can also help. But sadly, the trend in IoT (as well as in data exfiltration) is to use encryption. Encrypted packets that originate in a home and are intended for a service cannot be analyzed beyond their IP protocol headers. It seems unlikely that IoT devices can be forced to go through proxies, which makes DPI and standard firewall technology less likely to work.
Intelligent IP routers that are service-aware, session-stateful, and understand client/server directionality can have a huge impact on how we integrate smart home technology with larger networks in the future. These routers could add metadata to packets that are being routed between a home and a server, to provide improved understanding of a customer’s identity, IoT device identity, or service requirements.
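The per-device policy described above (a registry of authorized services, session state, and client/server directionality) can be modelled in a few dozen lines. This is an added illustration, not 128 Technology code; the device addresses, server addresses and the registry contents are constructed for the example.

```python
# Constructed example (not 128 Technology code): a session-stateful,
# per-device allowlist router as described in the text above.
from typing import Dict, List, Set, Tuple

Service = Tuple[str, int, str]            # (server_ip, port, proto)
Session = Tuple[str, int, str, int, str]  # (src, sport, dst, dport, proto)

# Constructed registry of authorized IoT services, keyed by device address.
REGISTRY: Dict[str, Set[Service]] = {
    "10.0.0.21": {("203.0.113.10", 443, "tcp")},   # camera -> video cloud
    "10.0.0.22": {("198.51.100.5", 8883, "tcp")},  # thermostat -> MQTT/TLS broker
}

class SessionRouter:
    """Forwards only device-initiated sessions to registered services,
    plus the server replies that belong to those sessions."""

    def __init__(self, registry: Dict[str, Set[Service]]) -> None:
        self.registry = registry
        self.sessions: Set[Session] = set()   # sessions opened by a device

    def handle(self, src: str, sport: int, dst: str, dport: int, proto: str) -> str:
        # Server-to-device direction: forward only if the device opened it.
        if (dst, dport, src, sport, proto) in self.sessions:
            return "forward"
        allowed = self.registry.get(src)
        if allowed is None:
            return "drop"   # unknown device, or unsolicited inbound traffic
        if (dst, dport, proto) not in allowed:
            return "drop"   # device talking to a non-registered service
        self.sessions.add((src, sport, dst, dport, proto))  # new authorized session
        return "forward"

def run_demo() -> List[str]:
    """Constructed packet sequence; returns the router's decision for each."""
    r = SessionRouter(REGISTRY)
    packets = [
        ("10.0.0.21", 40001, "203.0.113.10", 443, "tcp"),   # camera opens session
        ("203.0.113.10", 443, "10.0.0.21", 40001, "tcp"),   # reply on that session
        ("10.0.0.21", 40002, "203.0.113.10", 25, "tcp"),    # same server, unregistered port
        ("10.0.0.21", 40003, "198.51.100.5", 8883, "tcp"),  # camera reaching another device's service
        ("192.0.2.77", 5555, "10.0.0.22", 8883, "tcp"),     # unsolicited inbound to thermostat
        ("10.0.0.22", 50000, "198.51.100.5", 8883, "tcp"),  # thermostat to its own broker
    ]
    return [r.handle(*p) for p in packets]

if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

Only the first, second and last packets are forwarded; the unsolicited inbound packet is dropped even though its destination port matches a registered service, because no device-initiated session exists for it.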
128 Technology has developed a new approach to routing that can help here. The 128T Networking Platform (128T) can be a subscription-based service for IoT service providers, and can be used at either the customer or provider edge. 128T is software-based, service-centric, and provides visibility into key information describing a unique two-way exchange between source and destination endpoints (known as sessions). This allows 128T to recognize and control sessions as they are routed across networks. Advances in technology, such as 128T, are the future of the secure, routed network for IoT.