Most internet gateways are not well secured: their security model assumes that anyone with access to the network is trusted. Edge routers, internal networks and more advanced IoT networking need fundamental innovation to address this weakness. New architectures are needed for UI bootstrapping, key distribution, key storage, network segmentation, service discovery and addressing, ones that work as well at the edge as they do on the open internet.
OpenWrt
Fully compatible with the OpenWrt code base, the dominant router operating system.
High performance
Highly optimised code for footprint and efficiency, as networking capability requires.
ProtoBuf aware
Can be integrated via protobuf, with endpoint-controlled security, for ease of integration.
Network Control
Implements multiple methods of network control, including segmentation and device disable.
Standards Compliant
Embodies ManySecured D3 concepts and IETF MUD, and targets NIST onboarding.
Tool Set
Supporting toolsets for integrating via SPAN ports and PCAP exports for broader interoperability.
[Diagrams: Internal isolation; External isolation]
Network Management
Network management techniques are implemented at the Wi-Fi protocol level. We use the VLAN mechanism to segment the network of connected devices and consider two types of isolation:
- Internal: internal isolation is based on subnets, as depicted in the example diagram. Five devices are located in five separate subnets; the arrows indicate the bridge connections between devices. Note that device 1 cannot communicate with devices 4 and 5, and vice versa.
- External: external isolation denies a particular device access to the external network. Here devices 1, 2 and 3 can access the external network, while device 4 has no access.
Traffic Monitoring
The network capture service monitors the network traffic of each connected device and can be configured to execute custom middlewares. The packet capture component implements the actual network sniffing.
It currently uses the libpcap library, but it also allows interfacing with PF_RING or similar.
Example configuration:
# absolute path to the capture SQLite db used by the middlewares
captureDbPath = "/path_to_capture/capture.sqlite"
# the capture filter for the libpcap library
# example: filter = "src net 10.0 and dst net 10.0"
filter = ""
# libpcap options, see https://www.tcpdump.org/manpages/pcap.3pcap.html
# if true, captures all data on the LAN interface
promiscuous = false
# libpcap buffer timeout in milliseconds
bufferTimeout = 10
# enables libpcap immediate mode if true (disables buffering)
# see https://www.tcpdump.org/manpages/pcap_set_immediate_mode.3pcap.html
immediate = false
Device Discovery
Secure Storage
- Secrets: id is the ID of the generated key, value is the value of the key, iv is the initialisation vector (IV) used to encrypt and decrypt the key, and salt is the salt parameter. value, salt and iv are base64 encoded.
- Store: key is the key for the value, value is the value to be stored, id is the key id used to encrypt/decrypt the value, and iv is the IV used to encrypt/decrypt the value. value and iv are base64 encoded.
Secrets table:
ID | VALUE | SALT | IV |
---|---|---|---|
master | LbknNO6o+s+u1b4 ... | Z95m5G/+jgb3ga0dufa//w | hka2MmSUkJUJBf7TQMYnug |
rest | a2UiZR/DLYb3hX6 ... | RLdlnafYj7279lne7A5UoA | lgTKNxgxbeCxg4VySS/7vw |
94:b9:7e:15:47:95 | lPVf5wqMnb9+8Q8 ... | gFvI5tfeHANOafJlFsHXpg | mH2yeX/FEvJd1ilg25Zwcg |
Store table:
KEY | VALUE | ID | IV |
---|---|---|---|
7815f8ce-57b8-49c8-9121-5b98986cbccd | GCM564Ugwyh0bW3f4JuFkw | master | Ja0pz9cdH7p3Q+BBP2MIrw |
db07c38a-2842-4f45-9672-74d57ec99e63 | 23cHWe6r033czxopWsv6Ng | master | FU7hUGGbifro65cv0u0OwQ |
1a35f54d-c5f9-4072-85b0-4b40f8fb4a14 | LR3iRw6SrN/pWKSTJvNtrA | master | x9hFentG2Q6iynHXCk2ktA |
831ffbb1-2e79-422a-bdad-e9e96a56d568 | CdoxKK4PbDvWD9cOdRcTXQ | master | RHR1AGsjpWVHDR4VN2PiLA |
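The two tables describe an envelope scheme: the secrets table holds a master key wrapped under a passphrase-derived key with its own salt and IV, and each store row is encrypted under the key named in its id column with a per-row IV. The Go program below is an added example that models that scheme; it is not EDGESec's own code, and it assumes PBKDF2-HMAC-SHA256 for the key-encryption key and AES-256-GCM with a 12-byte IV, neither of which the page specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
)

// Rows of the secrets and store tables; VALUE, SALT and IV are base64 as on the page.
type SecretRow struct{ ID, Value, Salt, IV string }
type StoreRow struct{ Key, Value, ID, IV string }

func mac(key, msg []byte) []byte { h := hmac.New(sha256.New, key); h.Write(msg); return h.Sum(nil) }
// kdf: PBKDF2-HMAC-SHA256, 100000 rounds, one 32-byte block (assumed KDF, not from the page).
func kdf(pass, salt []byte) []byte {
	u, out := append(append([]byte{}, salt...), 0, 0, 0, 1), make([]byte, 32) // salt || INT(1)
	for i := 0; i < 100000; i++ {
		u = mac(pass, u)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}
// aead: AES-256-GCM (assumed), so a tampered row or a wrong key fails instead of yielding garbage.
func aead(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
func random(n int) []byte      { b := make([]byte, n); rand.Read(b); return b }
func enc(b []byte) string      { return base64.StdEncoding.EncodeToString(b) }
func dec(s string) []byte      { b, _ := base64.StdEncoding.DecodeString(s); return b } // rows assumed well-formed
// WrapMaster builds the "master" secrets row: a fresh key sealed under the KEK with a
// random salt and IV; the raw key is returned so the caller can encrypt store rows with it.
func WrapMaster(pass []byte) (SecretRow, []byte) {
	master, salt, iv := random(32), random(16), random(12)
	ct := aead(kdf(pass, salt)).Seal(nil, iv, master, nil)
	return SecretRow{"master", enc(ct), enc(salt), enc(iv)}, master
}
// UnwrapMaster recovers the master key; a wrong passphrase fails the GCM tag check.
func UnwrapMaster(pass []byte, r SecretRow) ([]byte, error) {
	return aead(kdf(pass, dec(r.Salt))).Open(nil, dec(r.IV), dec(r.Value), nil)
}
// Put seals a value under the master key with its own IV as a store row; Get reverses it.
func Put(key string, master, value []byte) StoreRow {
	iv := random(12)
	return StoreRow{key, enc(aead(master).Seal(nil, iv, value, nil)), "master", enc(iv)}
}
func Get(master []byte, r StoreRow) ([]byte, error) {
	return aead(master).Open(nil, dec(r.IV), dec(r.Value), nil)
}
```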