The increasing number of sensors, actuators, and devices attached to remote and mobile assets greatly complicates security due to the increased attack surfaces. Protecting the networks and devices is paramount to ensuring the safety and continuity of business. The Cisco Remote and Mobile Assets (RaMA) architecture has been developed with this in mind and has been validated in our labs and with the Cisco internal security audit team to help ensure it provides the safest environment for our customers across three attack vectors:
The Cisco RaMA architecture aligns with the Cisco SAFE security model and methods to simplify end-to-end security depending on the audience needs. Ranging from business flows and their respective threats to the corresponding security capabilities, architectures, and designs, SAFE provides guidance that is holistic and understandable.
Note: More information on the Cisco SAFE security reference architecture is available at: https://www.cisco.com/go/safe
By aligning with the SAFE Places in the Network (PINs) of Threat Defense, Segmentation, Secure Services, and Management, the RaMA architecture provide the ability to segment data and management, encrypt traffic, and provide secure remote access to connected devices.
Figure 1: Key to SAFE
The Key to SAFE organizes the complexity of holistic security into PINs and Secure Domains.
These SAFE requirements optimize protection from potential vulnerabilities by requiring a security centric IoT design that helps ensure that every element of the platform is secure, starting from the authentication of edge devices. In addition to secure device access, multiple secure connectivity options are required to ensure protection of enterprise data. Each layer of the IoT architecture must be secured to ensure security of both the management plane and the data plane.
The Data Plane refers to all customer/user data from the gateway or devices behind it that are not related to the management of the gateway itself. Feature highlights include:
At the gateway level, soft and physical security is provided for the gateway and the connected devices. Feature highlights include:
Figure 2 illustrates key security aspects of the RaMA architecture today. It highlights key data and management plane security as well as software and hardware-based gateway security features.
Figure 2: RaMA Base Security Architecture
Figure 3 builds upon existing security infrastructure with enhanced security features that incorporate Cisco's Cloud-Based security product Umbrella and a host of additional products and services that Cisco offers today to speed up deployment and continually monitor the network for intrusions.
Figure 3: RaMA Enhanced Security Features
Key features for RaMa:
All provisioning and management of the edge gateways occurs over encrypted IPSec tunnels to ensure secure communication between IoT Operations Dashboard and the gateways.
The registration and claim process between IoT Operations Dashboard and the gateways is secured using a certificated-based authentication process. This helps prevents spoofing of the gateway and guards against man-in-the-middle attacks where an external server claims to be acting on behalf of a legitimate IoT Operations Dashboard server.
User names and passwords are no longer a safe security method for online accounts. Data breaches occur daily and hackers are always inventing new ways to take over accounts. The IoT Operations Dashboard platform supports both enterprise Single Sign-On (SSO) and two-factor authentication on its Web-UI to provide an extra layer of security. Users can point their logins to their SSO server if needed and also rely on two layers of security to protect the account in the form of two-factor authentication (2FA).
Cisco's IoT-OD allows users to securely access equipment behind the managed gateway based on tightly defined access methods (SSH, HTTPS, etc) and user permissions.
Cisco IoT Operations Dashboard provides several levels of access to the Web-UI. Depending on the user’s role (administrator, operator, or monitor), various features are either available or restricted.
Figure 4: User Roles
Keeping a record of all actions performed through Cisco IoT-OD, as well as events related to gateway status, helps in a post mortem analysis after a security incident. Similarly, alerts can be configured to be sent immediately when a specified operation or event is observed, allowing the proper individuals to respond accordingly.
Figure 5: Audit Trail
VPNs are designed to securely and inexpensively extend the reach of corporate networks. Several options have been built on top of IPSec, a framework that addresses the task of ensuring the confidentiality, integrity, and authentication (CIA) of origin and secure key distribution for VPNs. Using a VPN secures the data plane and isolates it from the management and configuration of the gateway, which provides segmentation between management and data flow. All data that flows through the gateway flows through a customer-managed headend at the company data center or directly to the internet.
Some of the notable strengths of IPSec are its independence from the transport layer (UDP, TCP, or raw IP) and the simple replacement of one or more of its components (such as hash functions and cryptographic algorithms), so it can withstand brute force attacks while keeping current with the evolution of hardware.
The Cisco IOS software offers multiple VPN options including Classic IPSec, IPSec/GRE, Virtual Tunnel Interface (VTI), EasyVPN, and Dynamic Multipoint VPN (DMVPN). Each of these technologies were developed to solve specific problems:
Table 1: VPN Options
|VPN||Inter-Op||Dynamic Routing||IPSec Routing||Remote Access||Simple Failover||Source Failover||Per-peer Configuration||Per-peer QoS||Full AAA Management|
The Cisco RaMA solution uses IPSec-based FlexVPNs rather than SSL-based VPNs. Since it is application agnostic, IPSec can support several legacy protocols and traditional client/server applications with minimal effort. This is not the case with SSL VPNs, which have been built around web-based applications. As a result, SSL VPN-based options like OpenVPN could severely limit the security and network options for remote and mobile assets by requiring always-on connectivity to the headquarters.
FlexVPN is a framework for configuring IPSec VPNs on Cisco IOS devices. It was created to simplify the deployment of VPN solutions of all types, such as hub-and-spoke, spoke-to-spoke, site-to-site, and remote access implemented through EasyVPN, DMVPN, and Crypto Maps.
FlexVPN is Cisco’s implementation of the IKEv2 standard featuring a unified paradigm and CLI that combines site to site, remote access, hub and spoke topologies, and partial meshes (spoke to spoke direct). FlexVPN offers a simple but modular framework that extensively uses the tunnel interface paradigm while remaining compatible with legacy VPN implementations using crypto maps.
FlexVPN supports hardware encryption, which is offered by most Cisco products to optimize VPN performance. This provides exponentially better throughput than software encryption.
Public Access Point Names (APNs) are the default internet connectivity for cellular gateways. Some customers purchase Private APNs from their cellular carriers. A Private APN can either be a dedicated APN for a customer or a “virtual one”, meaning that all traffic coming over the radio network is examined to identify the device cellular ID, enabling this traffic to be routed to the Private APN and subsequently into the enterprise network. In most cases, the data traverses the public internet to get to the network, which always introduces the possibility of security violations.
Because private APNs involve a manual intervention to configure the APN using the WebUI or CLI, Cisco recommends the use of FlexVPNs for Private APNs since this provides end-to-end encryption to ensure that no man-in-the-middle can view enterprise network traffic. If your RaMA applications or devices leverage application-level encryption or do not need access to the enterprise network for security or management, then Public or Private APN without FlexVPN may be an acceptable solution.
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card companies.
The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around card holder data to reduce credit card fraud.
The PCI DSS is organized into six logically related groups called “control objectives”.
Table 2: PCI DSS Control Objectives
|PCI Control Objective||RaMA Design Elements|
|1. Build and maintain a secure network and systems||The RaMA solution is built around securing the entire management plane and fully addresses this control objective through management audit trails as well as secure device configuration.|
|2. Protect card holder data||When using the FlexVPN capability, card holder data in motion is protected and compliant. Cisco recommends that any device or application behind the gateway be secured for data at rest. When using Private APNs, this requirement is not met.|
|3. Maintain a vulnerability management program||Based on customer policies and procedures.|
|4. Implement strong access control measures||Access to the management layer can be secured through two-factor authentication. While this does not address any applications or devices behind the gateway, the gateway itself does implement strong access control measures.|
|5. Regularly monitor and test networks||Based on customer policies and procedures.|
|6. Maintain an information security policy||Based on customer policies and procedures.|
Cisco Umbrella is a cloud-native platform that delivers secure, reliable, and fast internet experience. Umbrella unifies firewall, secure web gateway, DNS-layer security, cloud access security broker (CASB), and threat intelligence solutions into a single platform to help businesses secure their network. As organizations directly connect IoT Gateways to the internet, Umbrella makes it easy to extend protection to roaming users and branch offices. It protects devices behind the gateway from malicious sites and provides content filtering to users behind the gateway. Umbrella leverages insights from Cisco Talos, one of the world's largest commercial threat intelligence teams, to uncover and block a broad spectrum of malicious domains, IPs, URLs, and files that are being used in attacks.
Cisco IR1100 and IR1800 gateways integrate the Umbrella agent directly in the software allowing for seamless Umbrella protection to all devices connected to it, wired or wireless. There are three modes to deploy Umbrella protection on the IR1100:
Figure 6: Umbrella Topology
Note: Refer to Sample Security Configurations for further configuration details.
Once a gateway is configured to use Umbrella for all DNS needs, all additional configurations and restrictions are on the Umbrella Cloud Applications UI. A user can perform any of Umbrella security functions as shown in Figure 7.
Figure 7: Umbrella Security Functions
Zone-Based Policy Firewall (ZFW) is a new configuration model for the Cisco IOS Firewall feature set. This new configuration model offers intuitive policies for multiple-interface routers, increased granularity of firewall policy application, and a default deny-all policy that prohibits traffic between firewall security zones until an explicit policy is applied to allow desirable traffic. In Configuring ZFW, Interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones.
However, the feature is also backward compatible to nearly all classic Cisco IOS Firewall features implemented in prior releases.
The Cisco IR1100 gateway incorporates a ZFW which, for ease of use, is configurable using a template from the Cloud Management platform. The software also supports per-class session/connection and throughput limits, as well as application inspection and control for many popular applications. Those limits make the feature ideal to control LTE bandwidth usage and avoid congestion among downstream connected devices.
In a typical configuration as shown in Figure 8, there could be three zones for an IoT gateway and private, DMZ, and public internet zones. Each zone would have its own policy and then interfaces are assigned to a zone. Interfaces that share a zone would have unrestricted connectivity while traffic that crosses zones would be subject to the policies of each zone.
Figure 8: Basic Security Zone Topology
Note: Refer to Sample Security Configurations for further configuration details.
Cisco StealthWatch deployment requires three components:
Both Flow Collectors and the Management Console are on-prem applications and therefore installed in the customer data center Figure 9.
Figure 9: StealthWatch Components and Sample SMC Dashboard
The recommendations for FC and SMC deployment is to deploy in the data center one 4210 Series Flow Collector/Database (see https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/m5/hw/SW_FC_4210_Spec_Sheet_DV_1_1.pdf) capable of collecting up to 200,000 flows per second on UCS M5SX. Refer to the Hardware Installation Guide for deployment. Second, deploy in the data center one 2210 Stealth Watch Management Console (SMC) (see https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/m5/hw/SW_SMC_2210_Spec_Sheet_DV_1_1.pdf) on UCS M5SX.
Once the SMC is deployed, activate the following management applications:
Cisco Cyber Vision is an industrial cybersecurity solution specifically designed to ensure continuity, resilience, and safety of industrial operations. It provides asset owners with full visibility into their industrial automation and control systems (IACS) networks so they can ensure operational and process integrity, drive regulatory compliance, and enable easy deployment within the industrial network. Cisco Cyber Vision leverages Cisco industrial network equipment to monitor industrial operations and feeds other Cisco IT security platforms with OT context (e.g., IACS device information) to build a unified IT/OT cybersecurity architecture.
Cisco Cyber Vision has the following components:
For additional information on how to use Cisco Cyber Vision to secure industrial IOT networks, refer to the following resources:
The Cisco RaMA solution allows greater flexibility for end user devices connected to the Cisco Industrial Router (IR). Since the gateways support secure connectivity with technologies such as FlexVPN and WPA2 with IEEE 802.1x authentication, security policies can be enforced on the gateway instead of relying on the edge devices (such as laptops, phones, tablets, and video cameras), allowing users to connect and authenticate as if connected to an enterprise network.
Any typical TCP/IP network that uses DHCP is defenseless against individuals who can find an unsecured network drop. The DHCP server could grant an IP address to unauthorized end devices, which would enable an attacker to launch a variety of attacks such as breaking into specific servers, eavesdropping on network packets, or unleashing a worm or a Denial of Service (DoS) attack. IEEE 802.1x provides a solution for such problems. By authenticating user access at the network edge, network administrators can ensure that unauthorized access is prevented, and all user authentication can take place on a centralized authentication server like a RADIUS server deployed at the enterprise headquarters.
Cisco ISE or alternatives like FreeRADIUS and Open RADIUS can be used to authenticate 802.1x clients for access to the network. For further information on Cisco ISE, refer to: https://www.cisco.com/c/en/us/products/security/identity-services-engine/index.html
Cisco IRs offer hardware-accelerated encryption to support a full range of security services such as hardware cryptography to significantly increase IPSec VPN performance. This allows the use of Cisco’s Next Generation Encryption (NGE), which evolves traditional encryption technology to meet today’s increasing security needs while improving scalability and efficiency. Figure 10 lists the technologies that are included in NGE.
Figure 10: Hardware Encryption Features on Cisco Industrial Router Platforms
Note: MACsec is not supported on IR1800 routers. For more information about Cisco Next Generation Encryption, refer to: https://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html
The ACT2 chip is a security device containing product identity information and assertion functionality to support product identity for anti-counterfeit, secure storage, and other security functions. Key capabilities include:
Image signing ensures that, at every instance, the software stack, including the boot loader and OS stack, is authentic and has not been tampered with or manipulated. It provides software integrity against any back-door image modifications.
Figure 11: Industrial IoT Anti-Counterfeit Protection Steps
Note: While these configurations have not been fully validated end-to-end, the IR1101 Umbrella, Zone-Based Firewall, and StealthWatch with NetFlow configurations illustrate examples of what is possible on the IR1101 and IR1800 routers.
The following is the most basic Umbrella configuration on IR1101 to connect the gateway to the Umbrella cloud instance, enable DNS encryption and apply the configuration to the WAN and LAN interfaces as needed.
! the cert below adds umbrella to the router and is provided by Umbrella. can be used as is in template. crypto pki trustpool import terminal -----BEGIN CERTIFICATE----- MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD QTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaME0xCzAJBgNVBAYTAlVT MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lDZXJ0IFNIQTIg U2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB ANyuWJBNwcQwFZA1W248ghX1LFy949v/cUP6ZCWA1O4Yok3wZtAKc24RmDYXZK83 nf36QYSvx6+M/hpzTc8zl5CilodTgyu5pnVILR1WN3vaMTIa16yrBvSqXUu3R0bd KpPDkC55gIDvEwRqFDu1m5K+wgdlTvza/P96rtxcflUxDOg5B6TXvi/TC2rSsd9f /ld0Uzs1gN2ujkSYs58O09rg1/RrKatEp0tYhG2SS4HD2nOLEpdIkARFdRrdNzGX kujNVA075ME/OV4uuPNcfhCOhkEAjUVmR7ChZc6gqikJTvOX6+guqw9ypzAO+sf0 /RR3w6RbKFfCs/mC/bdFWJsCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8C AQAwDgYDVR0PAQH/BAQDAgGGMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYY aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMHsGA1UdHwR0MHIwN6A1oDOGMWh0dHA6 Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RDQS5jcmwwN6A1 oDOGMWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RD QS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwHQYDVR0OBBYEFA+AYRyCMWHVLyjnjUY4tCzh xtniMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0GCSqGSIb3DQEB CwUAA4IBAQAjPt9L0jFCpbZ+QlwaRMxp0Wi0XUvgBCFsS+JtzLHgl4+mUwnNqipl 5TlPHoOlblyYoiQm5vuh7ZPHLgLGTUq/sELfeNqzqPlt/yGFUzZgTHbO7Djc1lGA 8MXW5dRNJ2Srm8c+cftIl7gzbckTB+6WohsYFfZcTEDts8Ls/3HB40f/1LkAtDdC 2iDJ6m6K7hQGrn2iWZiIqBtvLfTyyRRfJs8sjX7tN8Cp1Tm5gr8ZDOo0rwAhaPit c+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4d60tbvVS3bR0 j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz -----END CERTIFICATE----- ! ! Needed for IR to resolve api.opendns address. can be variable to be assigned by user or not. ip name-server 188.8.131.52 ! ! Create a pool for LAN with dns-server ip dhcp pool lan ! network and router are variables to be chosen by user network 192.168.10.0 255.255.255.0 default-router 192.168.10.1 ! DNS server is variable and can be any global or enterprise server. MUST NOT be router itself. dns-server 184.108.40.206 ! domain name is variable and assigned by user as needed domain-name cisco.com ! parameter-map type regex dns_bypass ! following s regex for domains to bypass umbrella. should be variable. pattern .*\.cisco\..* ! parameter-map type umbrella global ! token for umbrella should be a variable. Token is generated from Umbrella site under Admin, API Keys, ! Create API for "Legacy Network Devices" token <Umbrella Obtained Token> local-domain dns_bypass dnscrypt udp-timeout 5 ! ! wan interface needs to be the umbrella out cmd, can be wired or wireless. interface GigabitEthernet0/0/0 umbrella out ! ! all internal interfaces need to have umbrella in cmd. tag can be variable or just chose fixed value interface Vlan 1 ip nbar protocol-discovery umbrella in my_tag ! needed to disable the router as a dns server if already configured as it should not be. no ip dns server
The following class-map and policy are used for Direct Cloud Access type deployments of Umbrella integration without or without Cloud Policy. In addition to those lines, the only other change is lan inbound interface where “Umbrella in” is applied.
class-map match-all umbrella-direct-access match protocol dns in-app-hierarchy match protocol attribute application-set saas-apps ! policy-map type umbrella umbrella-direct-access class umbrella-direct-access direct-cloud-access ! interface Vlan 1 ip nbar protocol-discovery ! DCA & NO Cloud Policy umbrella in direct-cloud-access umbrella-direct-access ! DCA & Cloud Policy umbrella in direct-cloud-access umbrella-direct-access lanTag
For additional documentation on Umbrella Configurations see:
The following is a typical Zone-Based Policy with three zones, INSIDE, OUTSIDE, and default. A policy map is allied to a service policy, and that is applied to the new zone-pair statement which determines direction the access restriction is applied.
ip access-list extended Web_acl permit ip any any class-map type inspect match-any Web_app match protocol tcp match protocol udp match protocol ftp match protocol icmp class-map type inspect match-all Web match class-map Web_app match access-group name Web_acl ! policy-map type inspect INSIDE-OUTSIDE-POLICY class type inspect Web inspect class class-default drop log ! zone security INSIDE description Zone for inside interfaces zone security OUTSIDE description Zone for outside interfaces zone security default ! zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE service-policy type inspect INSIDE-OUTSIDE-POLICY ! interface X zone-member security INSIDE interface Y zone-member security OUTSIDE
For additional documentation on zone-based firewalls see: https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html
For each NetFlow template, three components are needed. A flow record to define what is being recorded, a flow exporter to define where the data will be sent and using what transport method, and finally a flow monitor which joins a flow record and exporter together. Once those are created the flow monitor needs to be applied to an interface. Below is a sample configuration for the minimum required fields in a flow record for StealthWatch to be able to determine unique flows. If any additional fields are needed they can be added to the record with additional “collect” statements.
flow record defaultStealthWatch match ipv4 protocol match ipv4 source address match ipv4 destination address match transport source-port match transport destination-port match interface input match ipv4 tos collect interface output collect counter bytes long collect counter packets collect timestamp sys-uptime first collect timestamp sys-uptime last ! flow exporter export_Gi0_0_0_-63055531 destination 10.1.1.1 source GigabitEthernet0/0/0 transport udp 2055 template data timeout 60 ! flow monitor dsw_Gi0_0_0_-63055531 exporter export_Gi0_0_0_-63055531 cache timeout active 60 record defaultStealthWatch