www.eg3.com

guide home > mocana embedded security: building firewalls for embedded systems

Building Firewalls for Embedded Systems

Embedded Security - Free Technical Tutorial / White Paper

Contents

  • Executive Summary
  • The Firewall Mandate
  • About Firewalls
  • Embedded Device Firewalls: Required Characteristics
  • Building Firewalls for Embedded Devices: Best Practices
  • Conclusion
  • References
  • Appendix: Mocana NanoWall™

Executive Summary

Despite the fact that there are upwards of 120,000 new malware signatures identified every week, and that attacks on embedded systems are rapidly increasing, most embedded software developers fall into the trap of believing that their devices are safe. Using decade-old rationales, they explain that their devices are immune from malware because of their unique physical and architectural characteristics, such as the use of flash storage and non-x86-based processors.

The truth is, most embedded systems lack at least several of five essential operating system security features: application-kernel separation, memory protection domains, restricted code execution on the system stack, file system access protection, and randomization of process information. These shortcomings actually make most embedded systems more vulnerable to attack than desktop systems. Additionally, standard features of embedded OSes, such as the availability of debug shells in production builds, open source models used to share rogue technology, and fuzzy testing tools that enable detailed code analysis, combine to make it rather simple to exploit embedded devices.

Despite these facts, some developers still argue that embedded systems simply aren’t attractive targets for hackers, and therefore don’t need protection. While it’s true that current attacks on embedded systems are fewer—roughly comparable to the level of attacks on desktop systems 10 years ago—the gap is quickly closing. Headless embedded systems (systems without displays, keyboards, or a mouse) are truly ubiquitous, from printers, wireless equipment, and networking infrastructure, to automobiles, defense, and aerospace—and increasingly, these systems share common OS or CPU platforms. It’s easy, then, for a single hacker to find a vulnerability in the common platform and exploit it to take down hundreds of different devices of a given class or type, simultaneously.

But there is a simple tool that can effectively safeguard embedded devices. It’s cheap, easy to implement, and well-understood... but almost never found in embedded systems. What is it? The firewall. Firewalls protect devices and the networks to which they are connected by preventing unauthorized access. If properly configured, firewalls can block problematic services, drop unauthorized traffic, and serve as a useful security audit point. This paper explains more about firewalls, and then provides information specific to the embedded system environment, including best practices for building embedded firewalls that are inexpensive, efficient and effective.

About Mocana

Mocana - Embedded and Network Security Mocana securely enables Internet-scale applications and services for connected devices. Mocana's industry-leading infrastructure software solutions ensure that wired and wireless devices, networks and services perform and scale with the utmost security - a necessary foundation for a networked society. Customers include Dell, Cisco, Avaya, Nortel Networks, Harris, Honeywell, Symbol, Net.com and Radvision, among others.