IEEE Spectrum - North American - March 2015 - 54

[Figure: Defensive Weapons: Rules-Based Filtering. Top panel: an Internet of Things device whose rules-based filter checks each incoming communication against White List 1, White List 2, and a firmware blocker, then either passes it on to Accept/Process or sends it to Drop. Bottom panel: a "bump in the wire," a small hardware/software unit that performs the same rules-based filtering while sitting between the network/Internet and the device.]
system and the network to which it is attached to detect, block, and report suspicious activity. But the software for firewalls and antivirus programs takes up a lot of storage space and requires a lot of processing power to run. Most things in the Internet of Things can't handle the software.
We have to take a different approach. For the most part, the gadgets that make up the Internet of Things are what we call embedded systems: dedicated computers that perform specific functions within more complex systems. For instance, they might control the operation of a machine within a water-processing plant, manage the lighting of a smart home, or monitor an organ in the human body. Limiting the function means they can be small, fast, and efficient.

The security systems must be just as specialized, protecting only against the specific attacks to which the equipment is vulnerable. Yet we don't want to completely reinvent the wheel each time we create a new smart thermostat or television, so we also need a system that's flexible enough to shield devices as diverse as automobile communication gateways, home printers, and smart door locks.
[Figure caption] Defensive weapons: Rules-based filtering [top] uses a small set of policies, such as no unauthorized remote updates of embedded firmware, to block dangerous commands from getting past a simplified firewall. Rules-based filtering systems can also consult white lists of trusted computers so that only "good guys" have access to certain functions. A "bump in the wire" approach relies on a small, dedicated piece of hardware and software that sits between an IoT device and the Internet; a bump in the wire can shield devices that don't have built-in protection.

To do this, you need to pay as much attention to what you omit from the embedded security system as to what you include. What we don't need are systems with powerful processing engines and large databases of virus signatures and other chunks of code that act as fingerprints to help detect known threats. Instead of databases, IoT security can use rules-based filtering.

To understand how this works, let's look at a home printer; it's similar to a lot of other IoT devices. A printer has only a few communication ports and a limited number of communication protocols. It supports both print commands, which may be sent from any other device, and administrative commands that are accepted only if received from a few predetermined computers. A small set of simple firewall policies known as a white list is all it takes to enforce these two distinct communication policies. One set of white-list rules allows communication from any device that knows the printing protocols. Another white list specifies that administrative commands will be processed only if they are from a machine on the white list. An additional rule blocks print commands that contain embedded firmware updates to make sure that malicious users cannot modify the behavior of the printer.
The complete firewall policy may consist of as few as 5 to 20 rules as opposed to the 200 to 2,000 rules of a typical business computer's firewall. This smaller, faster, simpler approach to an IoT security system does not compromise security; it allows anyone to print with the machine while preventing malicious users from changing settings, downloading firmware, or performing other harmful actions (like sending copies of anything you print to a third party). Other, specific sets of rules could protect door locks, cars, or pacemakers.
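The printer policy described above, written out as a small first-match rules engine. This is an added example and is not code from the article or from any of the vendors it names; the port numbers, the TEST-NET addresses on the admin white list, the message layout, and the `@PJL UPGRADE` marker that stands in for an embedded firmware image are all constructed assumptions. It shows the three rules the text describes (firmware blocker, print-from-anyone, admin-from-white-list), a default-drop fallthrough for everything else, and a per-rule drop count for the "report" half of the job.

```python
"""Added example (not from the article): a rules-based filter for a home printer.

Policy, first match wins, default drop:
  1. print jobs carrying an embedded firmware update are dropped
  2. print jobs are accepted from any host
  3. administrative commands are accepted only from white-listed hosts
Ports, addresses, and the firmware marker are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Message:
    src: str            # source address as seen on the wire
    port: int           # destination port on the printer
    kind: str           # "print", "admin", or anything else
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Message], bool]
    action: str         # "accept" or "drop"


# Constructed values: TEST-NET-1 addresses for the admin hosts, illustrative
# port numbers, and a marker standing in for an embedded firmware image.
ADMIN_WHITE_LIST = {ipaddress.ip_address("192.0.2.10"),
                    ipaddress.ip_address("192.0.2.11")}
PRINT_PORT = 9100
ADMIN_PORT = 631
FIRMWARE_MARKER = b"@PJL UPGRADE"


def from_admin_host(msg: Message) -> bool:
    """True only for a syntactically valid address that is on the admin white list."""
    try:
        return ipaddress.ip_address(msg.src) in ADMIN_WHITE_LIST
    except ValueError:          # a malformed address never matches a white list
        return False


def carries_firmware(msg: Message) -> bool:
    return FIRMWARE_MARKER in msg.payload


# Order matters: the firmware blocker must run before the permissive print rule.
POLICY: List[Rule] = [
    Rule("block-embedded-firmware",
         lambda m: m.kind == "print" and carries_firmware(m), "drop"),
    Rule("print-from-anyone",
         lambda m: m.kind == "print" and m.port == PRINT_PORT, "accept"),
    Rule("admin-from-white-list",
         lambda m: m.kind == "admin" and m.port == ADMIN_PORT
         and from_admin_host(m), "accept"),
]


class Filter:
    """Evaluates rules in order; traffic no rule matches gets the default action."""

    def __init__(self, rules: List[Rule], default: str = "drop") -> None:
        self.rules = rules
        self.default = default
        self.log: List[Tuple[str, str, str]] = []   # (action, rule name, src)

    def decide(self, msg: Message) -> Tuple[str, str]:
        for rule in self.rules:
            if rule.match(msg):
                self.log.append((rule.action, rule.name, msg.src))
                return rule.action, rule.name
        self.log.append((self.default, "default", msg.src))
        return self.default, "default"

    def drop_report(self) -> Dict[str, int]:
        """Number of dropped messages per rule, for reporting suspicious activity."""
        report: Dict[str, int] = {}
        for action, rule, _ in self.log:
            if action == "drop":
                report[rule] = report.get(rule, 0) + 1
        return report


# Constructed traffic sample, one message per case the article discusses.
SAMPLE = [
    Message("198.51.100.7", PRINT_PORT, "print", b"%!PS-Adobe-3.0 ..."),
    Message("192.0.2.10", ADMIN_PORT, "admin", b"set default-paper=A4"),
    Message("198.51.100.7", ADMIN_PORT, "admin", b"set default-paper=A4"),
    Message("198.51.100.7", PRINT_PORT, "print", b"%!PS " + FIRMWARE_MARKER + b" ..."),
    Message("192.0.2.10", 23, "telnet", b"root"),
]


def run_sample() -> List[Tuple[str, str]]:
    """Run the sample through a fresh filter and return (action, rule) per message."""
    f = Filter(POLICY)
    return [f.decide(m) for m in SAMPLE]


if __name__ == "__main__":
    f = Filter(POLICY)
    for m in SAMPLE:
        print(m.src, m.kind, "->", f.decide(m))
    print("drops by rule:", f.drop_report())
```

Two design points carry the article's argument. The default-drop fallthrough is what keeps the policy at three rules: nothing has to be written for telnet, SNMP, or any other service the printer was never meant to expose. And because evaluation is first-match, the firmware blocker sits ahead of the permissive print rule; reversing the two would let a print job smuggle the update through. The same `Filter` object, fed from a network tap instead of the device's own socket, is the "bump in the wire" variant from the figure.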
Some of the major players in the embedded-systems market (Green Hills, Intel, McAfee, Mentor Graphics, Renesas, Wind River, and Zilog) are already incorporating such embedded security technology into the hardware and software building blocks used for IoT devices. These companies typically don't make the connected products themselves but rather the processors and operating systems used to build IoT equipment. But given that some devices in the Internet of Things are rarely replaced, it will likely take a decade or two, or more, to bring all systems up to modern security standards. New systems
Illustration by Mark Montgomery

