Securing Gateways in Next Generation Networks

June 3, 2016

Keeping the perimeter safe is just as important as keeping devices safe

By Ernest Worthman

Executive Editor
AGL Small Cell Magazine

When we talk about the Internet of Anything, (IoX) we have come to realize that it will really be made up of a lot of different “things.” It will envelope everything from home automation to intelligent vehicles, wearables, industrial applications, military and infrastructure – the list is almost endless. And there is a lot of discussion about securing these “things” on any number of levels, and platforms – from the IoX to 5G, cellular and all of the sub-platforms in between.

To discuss them all in one article would be endless lengthy and intolerably boring. But we can tackle them one, or a few at a time. This time the topic is the gateway, and more specifically its role in the IoX, of which anything and everything will be a part of, eventually.

And it doesn’t matter what type of gateway, they all have the same purpose – to connect various platforms to each other. But that purpose is going to be a lot more challenging as the world evolves to an “all things connected” ubiquity.

However, it would be somewhat oversimplified to say that using gateways to connect that unconnected infrastructure is the answer. Doing a high-level flyover, one begins to realize that all of these “things” are really part of any number of almost, infinite networks – networks that have their own security issues, some local, some global, some infrastructure and some with devices themselves.

And within these networks, infrastructures and devices, exist any number of unique security challenges. While next-generation gateways promise the potential of some very sophisticated hardware that can address many of the challenges of complex and often convoluted networks, they will only be a cog in the intricate web of global interconnect.

Take wearables, for example. Wearables can be something as simple as a pace counter that tracks your vitals as you run. Perhaps it will, simply, talk to the IoX to download comparison data or upload the data to your personal network. On the other end, with advances in telemedicine, there might be something like a wireless version of a Holter monitor, insulin pump, pacemaker, etc. that not only continuously monitors cardiac or other activity and uploads the data via the IoX, but may be connected to any number of emergency responder networks or hospitals, as well.

What both have in common, as will almost all the devices within the IoX, is that there will be gateways within the path. And gateways are a huge security risk. If a hacker can get past the gateway designed to protect the network, there is no limit to the havoc they can create – especially once the IoX deploys.

The Gateway Function

Fundamentally, the gateway is the “gate keeper” of a network – the point where all traffic funnels through. Depending on the type of network, the gateway can have a variety of functions and various levels of sophistication. Gateways can also be integrated with other components, generally a router or switch, or both. In such a capacity the gateway will partition the network into two separate components – one that is trusted and secure, and one that is untrusted and unsecure.

The gateway of the IoX will, in its most complex form, will have sophisticated computing and networking capability. Some of which will include; aggregating data from a multitude of devices, becoming the fabric switch to route device data and providing security.

That segregation and the understanding of the gateway’s role in the networks of the future becomes critically important going forward. With the IoX vision to expand connectivity throughout the world, components such as gateways will not only be connected to each other, but, potentially, to every other device on the IoX. That means they will no longer be exposed to just localize threats, but potentially threats from any network, anywhere, including the global network. Therefore, it will be vital to ensure the trustworthiness of the gateways, not only across networks, but also globally.

Next Generation IOX Gateways

IoX gateways will be a different breed. There are new technical requirements that these gateways will have to employ. Among them are:

• Mesh and edge and computing techniques. A lot of the data will be coming from the edge or fog and will need to be handled close to the edge to conserve bandwidth, and the time required to process it in the cloud.

• An advanced design to be able to offer flexible platforms to accommodate a large variety of interfaces and network protocols, as well as complex software and exposed deployments. These designs must also protect the connectivity so the gateway doesn’t permit malicious attacks.

• High levels of interoperability as well as supporting a variety of standards – even legacy network protocols for a time. This is necessary to provide the most flexible connectivity support among the pervasive various types of components and devices from a plethora of different vendors.

• Certification to a number of standards, both wireless and wireline, as well as other industry standards.

• Agnostic to any platform, so services can be offered for applications across the board, from structured data subsets to raw physical data from a broad set of devices.

• Highly autonomous, ultra-reliable, self-configuring and remotely reconfigurable.

The Technology

To accomplish this, especially with the likely environment that will exist as the IoX evolves, will require a number of interconnect options. There are several manufacturers’ chipsets that can fit the bill. Of course, depending upon application these will vary from design to design. But in most cases, next generation gateway solutions will have to support interfaces, including Ethernet, PCI Express, USB 2/3.0, SD/SDIO/ eMMC, SPI, UART, and I2C/GPIO, and there will be more in the future. It will also contain a variety of wireless interfaces, including Wi-Fi, Bluetooth, ZigBee, Z-Wave, Thread, and their low-power brethren, and 3/4/5G radio protocols.

Fog computing will entail a number of functions, mainly data analysis, event management and routing. For example, the gateway can analyze sensor data from edge devices and make deterministic decisions whether or not the data is authentic, is meaningful, or requires further action. They can also aggregate this data, package, and store or forward based upon a set of criterion from the application. Figure 1 is an example of what one of these IoX gateways is capable of.

At the Edge

The edge and the fog will be pervasive in the IoX. In fact, edge and fog networks will be one of the major elements of the IoX, and IoX gateways must be able to closely integrate with edge and fog networks.

The purpose of intelligence at the edge is to allow data to, seamlessly, flow between the cloud and the devices at the edge. Furthermore, for a time, there will be both legacy and new systems that will require integration, which is more efficiently be handled close to the source. It will not always make sense to send all of the data to the cloud, for several reasons. First, it can sometimes be just too distant. Second, it can be a lot of “noise”-type data, with little real information. Or it can just be data that needs to be consumed locally. Fog computing is really just localized processing, and the gateway is just a good device to manage some of this.

Gateway Intelligence

Really, intelligence simply means a menu of technologies coupled with code that analyzes conditions and applies the correct solution. It can be integrated into the hardware as IP or as a software stack. A simple example of that is the radio interface. Assume that the gateway has an integrated multi-band, multi-frequency RF modem capable of working on all the flavors of wireless. It is a simple matter to add code to analyze the signal and process it.

Other intelligence, such as determining the relevancy of data from an edge sensor for example, works similarly. A series of conditions is coded into the application that analyzes the data. if it meets certain conditions it is valid, if not it can be deemed an error, irrelevant or even routed for further analysis. Artificial Intelligence and fuzzy logic can be used to “teach” the application, or the gateway, to make better decisions and improve the margins of error.

This will become more and more important as the IoX unfolds, simply because of the massive amounts and diversity of data that will be part of the IoX. To be able to keep up with that, intelligent gateways will require advanced processors and specialized chips to handle the load.

Gateway Security

The importance of gateway security cannot be over emphasized. The reason for that is because many of the IoX devices will be of the low-cost, low-tech variety. Simple sensors will be challenged to have

Communications connectivity September 1, 2000

Courtesy Lerablog

anything other than the most basic of security, if any at all. One can argue that this may change as technology advances, but the reality is that many common, low-cost sensors will have razor-thin margins, and OEMs are reluctant to add the cost of security at these points. And there are no real indicators that this is changing.

Therefore, the security burden falls on the other devices in the loop, and gateways are a reasonably good solution from a system perspective. At the higher level, IoX devices will have encryption by default so that issue becomes less of a problem for gateways.

But, that doesn’t mean gateways don’t have vulnerabilities. They do. There are a lot of possible compromise issues in an access point because there are various levels that can be a vector for an attack.

One of the issues, relevant to that, harkens back to legacy devices. Gateways must be able to pass a variety of data, and legacy devices generally use very simple protocols that can easily be used as vehicle to “trick” gateways and other devices into allowing malicious software to get by. So gateways must understand the simple structures of legacy equipment, yet be aware of the vulnerabilities.

Another consideration for security is complexity. High-tech gateways present a higher risk because they can run more complex software with raised levels of communications. Not only do they communicate with IoX devices but also have command and control capabilities.

In that vein, the gateway is responsible for proving to the systems that it communicates with on the back side that it running authentic, boot software, the right application stack, and that the data feeds passing though are verified. With gateways that is less of an issue than with many of the IoX devices since they are relatively high-end and can bear the cost of high levels of security. Next-generation gateways will integrate high-end SoCs with dedicated MCUs, which are capable of tasks like separate execution routines and identity verification.”

Another platform that works well with gateways is firewalls. The evolution of firewalls has increased a few orders of magnitude in the last 15 to 20 years or so. That means they are becoming valuable as a security protocol for gateways. That works well because the gateway is used to protect the perimeter and firewall technology is an excellent platform to support that.

Overall, the gateway is taking on a number of roles, from traffic cop to security patrolman, and various functions in-between. It will become a much more critical component of networks as they evolve to the next generation.

Missive

Secure gateways will become a major player in the IoX infrastructure. The IoX will have so many devices, networks, and systems that perimeter security will become a principal element, and be implemented on a massive scale. Perimeter defense is emerging as an essential element in the overall security platform.

Securing devices is a given. But many of the generic, lower end devices will not have adequate security to prevent compromise. Next-generation gateways will be sophisticated devices that will integrate myriad technologies. To protect those technologies, they will also integrate a number of advanced security platforms.

Gateways are coming of age. They are taking on new roles and reaching new heights of sophistication. As a tool in the security wheelhouse, they will play an integral part in the protection of the new IoX.