Image courtesy of Thinkstock
I am searching for a secured gateway that is easy to use and knows about the devices on the local area network (LAN) it protects. Part of the challenge is that the devices on the LAN do not care about cooperative security.
Most people have a home gateway, and quite a few commercial and industrial installations also sit behind a gateway. These typically include basic firewall support to prevent systems on the internet from probing devices on the LAN. The protection tends to be outward with respect to the internet but, these days, devices on the LAN can be compromised—making the outward looking firewall useless in stopping these devices from doing something they should not, such as participating in a distributed denial of service (DDOS) attack.
For devices like PCs, tablets, and smartphones, limiting access on the internet does not make much sense. But for other devices, such as those covered under the Internet of Things (IoT), this is not necessarily the case. In fact, most IoT devices have a very limited connectivity. For example, they often only communicate with a known server on the internet. Likewise, updates are often only delivered from a known host. If our secured gateway knew about these hosts then it could restrict the device to only these connections. It could alert a user if the device tried to communicate with any other host on the internet, since this would typically indicate a compromised device.
A secure gateway could work cooperatively with the device and the hosts on the internet if a suitable secure protocol could be set up. This would allow the system to be configured with minimal user interaction while providing the user with a map of known devices, hosts, and communication links. A more advanced system might include cooperation for features such over-the-air updates.
I have actually done some of this work on a Linux-based gateway since I know the IP address of my devices, including Nest thermostats. These communicate with a host on the internet; the gateway is set to only allow outgoing connections from the thermostats to the known host. Of course, any changes on the internet side require changes on my gateway, and this type of configuration is not for the faint of heart.
Let’s go back to those PCs, tablets, and smartphones. This system might be extended to include these if devices could isolate communication on a per-application basis. Applications like web browsers would need to be more open, but other applications could be more restricted. Some PC security software already does checking on applications and limits them to some degree, but rarely pairs this with limitations on the host side. Essentially an application that is allowed network access can do so without restriction.
Most current set-ups (like mine) need to deal with IP addresses, although it is possible to utilize domain names. Using a secure DNS connection would make using domain names preferable and secure. This would likely be the way any cooperative protocol would work.
A secured home gateway would be great but the amount of cooperation needed to make this work is significant. Major players like Apple and Google are unlikely to want to give up the control of their walled gardens to make such a configuration universally available.
On the other hand, industrial and commercial systems are already more custom, making a secured gateway approach more of a possibility. Some systems have already been set up using this approach of limited connections between devices, hosts, and gateways. It can provide improved security for legacy devices that may have limited security. For example, if polling a device on a LAN can only be done from a fixed host on the internet, then even compromised devices can be identified and isolated.