Orchestrating and Automating Security for the Internet of Things
Delivering Advanced Security Capabilities from Edge to Cloud for IoT
Paperback, English, 2018
699 kr
Master powerful techniques and approaches for securing IoT systems of all kinds, current and emerging
Internet of Things (IoT) technology adoption is accelerating, but IoT presents complex new security challenges. Fortunately, IoT standards and standardized architectures are emerging to help technical professionals systematically harden their IoT environments. In Orchestrating and Automating Security for the Internet of Things, three Cisco experts show how to safeguard current and future IoT systems by delivering security through new NFV and SDN architectures and related IoT security standards.
The authors first review the current state of IoT networks and architectures, identifying key security risks associated with nonstandardized early deployments and showing how early adopters have attempted to respond. Next, they introduce more mature architectures built around NFV and SDN. You’ll discover why these lend themselves well to IoT and IoT security, and master advanced approaches for protecting them. Finally, the authors preview future approaches to improving IoT security and present real-world use case examples.
This is an indispensable resource for all technical and security professionals, business security and risk managers, and consultants who are responsible for systems that incorporate or utilize IoT devices, or expect to be responsible for them.
· Understand the challenges involved in securing current IoT networks and architectures
· Master IoT security fundamentals, standards, and modern best practices
· Systematically plan for IoT security
· Leverage Software-Defined Networking (SDN) and Network Function Virtualization (NFV) to harden IoT networks
· Deploy the advanced IoT platform, and use MANO to manage and orchestrate virtualized network functions
· Implement platform security services including identity, authentication, authorization, and accounting
· Detect threats and protect data in IoT environments
· Secure IoT in the context of remote access and VPNs
· Safeguard the IoT platform itself
· Explore use cases ranging from smart cities and advanced energy systems to the connected car
· Preview evolving concepts that will shape the future of IoT security
Product information
- Publication date: 2018-08-06
- Dimensions: 190 x 235 x 52 mm
- Weight: 1 860 g
- Format: Paperback
- Language: English
- Number of pages: 1 008
- Edition: 1
- Publisher: Pearson Education
- ISBN: 9781587145032
Anthony Sabella, CCIE No. 5374, is the lead cybersecurity architect for the Enterprise Chief Technology Office at Cisco and has worked at Cisco for eight years. Anthony leads innovative work streams on methods to break free from manual tasks by applying the latest virtualization and orchestration techniques to cybersecurity. He combines this with machine learning concepts and the ingestion of intelligence feeds to design effective solutions that can self-manage and self-heal. Anthony applies these concepts across a variety of use cases, including financial institutions, healthcare, energy, and manufacturing (examples included in this book).

Before joining Cisco, Anthony worked as principal engineer for a global service provider for 13 years, where he created cybersecurity solutions for enterprise customers. Anthony was also the cofounder and CTO of a technology consulting firm responsible for designing cybersecurity solutions for both commercial and enterprise customers. Anthony’s expertise has resulted in speaking engagements at major conferences around the world for both Cisco and its major partners. Anthony holds a master’s degree in computer science and an active CCIE, and he is a contributing member of the IEEE Cyber Security community.

Rik Irons-Mclean is the Industry Principal for Oil & Gas at Cisco. Rik has worked at Cisco for 11 years and has had lead roles in IoT/IIoT, communications and security for power utilities and process control industries, and energy management and optimization. He has led global technical teams in taking new products to market in all theaters, specializing in driving new technology adoption in both established and emerging markets. Before joining Cisco, he worked for a Cisco service provider partner for eight years, where he focused on converged solutions.

Rik has represented Cisco in a number of industry and standards bodies, including Open Process Automation, IEC 61850 for industrial communications, and IEC 62351 for industrial security. Additionally, he was elected the U.K. lead for Cigre SC D2 for communications and security in the power industry. Rik has written for a number of industry publications and authored whitepapers on such topics as industrial cybersecurity, IoT security, distributed industrial control systems, next-generation operational field telecoms, fog computing, and digital IoT fabric architectures. Rik holds a bachelor of science degree and a master of business administration degree, focused on international leadership. He is currently studying for a doctorate in cybersecurity.

Marcelo Yannuzzi is a principal engineer at the Chief Strategy Office in Cisco. Marcelo leads strategic innovation in the areas of IoT, security, and novel architectures fusing cloud and fog computing. He has led flagship innovations across different industry verticals, some of which are outlined in this book. Marcelo also provides strategic advisory on new business opportunities and technologies for Cisco and start-ups.

Before joining Cisco, Marcelo was the head of the Advanced Network Architectures Lab at the Department of Computer Architecture in a Barcelona university. He was the cofounder and CTO of a start-up for which Cisco was its first customer. Marcelo is the author of more than 100 peer-reviewed publications, including top journals and conferences in the areas of IoT, fog computing, security, NFV, software-defined systems (SDX), multilayer network management and control, sensor networks, and mobility. Marcelo has led several European research projects and contracts in the industry, and his research was funded multiple times by Cisco. He is a frequent speaker and invited panelist at major conferences and forums. He previously held a position as an assistant professor at the physics department in a university’s school of engineering. Marcelo holds a bachelor’s degree in electrical engineering and both a master of science degree and a Ph.D. in computer science.
Table of contents
- Foreword xxvii
- Introduction xxix
- Part I Introduction to the Internet of Things (IoT) and IoT Security
- Chapter 1 Evolution of the Internet of Things (IoT) 1
  - Defining the Internet of Things 2
  - Making Technology and Architectural Decisions 5
  - Is the Internet of Things Really So Vulnerable? 8
  - Summary 9
  - References 10
- Chapter 2 Planning for IoT Security 11
  - The Attack Continuum 11
  - The IoT System and Security Development Lifecycle 13
  - Phase 1: Initiation 15
  - Phase 2: Acquisition and Development 15
  - Phase 3: Implementation 16
  - Phase 4: Operations and Maintenance 17
  - Phase 5: Disposition 17
  - The End-to-End Considerations 17
  - Segmentation, Risk, and How to Use Both in Planning the Consumer/Provider Communications Matrix 21
  - Segmentation 21
  - New Approach 25
  - Summary 30
  - References 30
- Chapter 3 IoT Security Fundamentals 31
  - The Building Blocks of IoT 31
  - The IoT Hierarchy 35
  - Primary Attack Targets 37
  - Layered Security Tiers 43
  - Summary 46
  - References 47
- Chapter 4 IoT and Security Standards and Best Practices 49
  - Today’s Standard Is No Standard 49
  - Defining Standards 53
  - The Challenge with Standardization 56
  - IoT “Standards” and “Guidance” Landscape 58
  - Architectural or Reference Standards 59
  - Industrial/Market Focused 61
  - Standards for NFV, SDN, and Data Modeling for Services 63
  - Data Modeling and Services 67
  - Communication Protocols for IoT 70
  - Physical and MAC Layers 73
  - Network Layer 73
  - Transport Layer 74
  - Application Layer 74
  - Specific Security Standards and Guidelines 75
  - Summary 79
  - References 80
- Chapter 5 Current IoT Architecture Design and Challenges 83
  - What, Why, and Where? A Summary 85
  - Approaches to IoT Architecture Design 88
  - An X-Centric Approach 91
  - The People-/User-Centric IoT Approach (Internet of People and Social IoT) 98
  - The Information-Centric IoT Approach 100
  - The Data-Centric IoT Approach 104
  - System Viewpoint: A Cloudy Perspective 106
  - Middleware 118
  - Lambda Architecture 119
  - Full IoT Stack/Universal 120
  - General Approaches 120
  - Internet of Things Architecture Reference Architecture (IoT-A RA) 120
  - ITU-T Y.2060 125
  - IoT World Forum (IoTWF) Reference Model 126
  - oneM2M Reference Architecture 129
  - IEEE P2413 IoT Architecture 132
  - The OpenFog Consortium Reference Architecture 133
  - Alliance for the Internet of Things Innovation (AIOTI) 138
  - Cloud Customer Architecture for IoT 140
  - Open Connectivity Foundation and IoTivity 142
  - Industrial/Market Focused 144
  - The Industrial Internet Consortium (IIC) 144
  - Industry 4.0 148
  - OPC Unified Architecture (OPC UA) 150
  - Cisco and Rockwell Automation Converged Plantwide Ethernet 153
  - Cisco Smart Grid Reference Model: GridBlocks 153
  - NFV- and SDN-Based Architectures for IoT 154
  - Approaches to IoT Security Architecture 156
  - Purdue Model of Control Hierarchy Reference Model 157
  - Industrial Internet Security Framework (IISF) IIC Reference Architecture 160
  - Cloud Security Alliance Security Guidance for IoT 165
  - Open Web Application Security Project (OWASP) 168
  - Cisco IoT Security Framework 168
  - The IoT Platform Design of Today 172
  - Security for IoT Platforms and Solutions 178
  - Challenges with Today’s Designs: The Future for IoT Platforms 179
  - Summary 183
  - References 183
- Part II Leveraging Software-Defined Networking (SDN) and Network Function Virtualization (NFV) for IoT
- Chapter 6 Evolution and Benefits of SDX and NFV Technologies and Their Impact on IoT 185
  - A Bit of History on SDX and NFV and Their Interplay 185
  - Software-Defined Networking 188
  - OpenFlow 192
  - Open Virtual Switch 195
  - Vector Packet Processing 198
  - Programming Protocol-Independent Packet Processors (P4) 201
  - OpenDaylight 203
  - Extending the Concept of Software-Defined Networks 212
  - Network Functions Virtualization 217
  - Virtual Network Functions and Forwarding Graphs 221
  - ETSI NFV Management and Orchestration (MANO) 225
  - The Impact of SDX and NFV in IoT and Fog Computing 235
  - Summary 248
  - References 249
- Chapter 7 Securing SDN and NFV Environments 251
  - Security Considerations for the SDN Landscape 251
  - 1: Securing the Controller 252
  - 2: Securing Controller Southbound Communications 256
  - 3: Securing the Infrastructure Planes 260
  - 4: Securing Controller Northbound Communications 263
  - 5: Securing Management and Orchestration 268
  - 6: Securing Applications and Services 270
  - Security Considerations for the NFV Landscape 272
  - NFV Threat Landscape 273
  - Secure Boot 274
  - Secure Crash 275
  - Private Keys Within Cloned Images 276
  - Performance Isolation 278
  - Tenant/User Authentication, Authorization, and Accounting (AAA) 279
  - Authenticated Time Service 281
  - Back Doors with Test and Monitor Functions 281
  - Multi-administrator Isolation 282
  - Single Root I/O Virtualization (SRIOV) 283
  - SRIOV Security Concerns 285
  - Summary 285
  - References 285
- Chapter 8 The Advanced IoT Platform and MANO 287
  - Next-Generation IoT Platforms: What the Research Says 287
  - Next-Generation IoT Platform Overview 291
  - Platform Architecture 294
  - Platform Building Blocks 295
  - Platform Intended Outcomes: Delivering Capabilities as an Autonomous End-to-End Service 303
  - Example Use Case Walkthrough 308
  - Event-Based Video and Security Use Case 309
  - Summary 321
  - References 321
- Part III Security Services: For the Platform, by the Platform
- Chapter 9 Identity, Authentication, Authorization, and Accounting 323
  - Introduction to Identity and Access Management for the IoT 324
  - Device Provisioning and Access Control Building Blocks 326
  - Naming Conventions to Establish “Uniqueness” 327
  - Secure Bootstrap 328
  - Immutable Identity 328
  - Bootstrapping Remote Secure Key Infrastructures 329
  - Device Registration and Profile Provisioning 330
  - Provisioning Example Using AWS IoT 331
  - Provisioning Example Using Cisco Systems Identity Services Engine 334
  - Access Control 336
  - Identifying Devices 336
  - Endpoint Profiling 337
  - Profiling Using ISE 337
  - Device Sensor 340
  - Methods to Gain Identity from Constrained Devices 345
  - Energy Limitations 346
  - Strategy for Using Power for Communication 347
  - Leveraging Standard IoT Protocols to Identify Constrained Devices 348
  - Authentication Methods 351
  - Certificates 351
  - Trust Stores 355
  - Revocation Support 356
  - SSL Pinning 357
  - Passwords 357
  - Limitations for Constrained Devices 358
  - Biometrics 359
  - AAA and RADIUS 361
  - A/V Pairs 362
  - 802.1X 363
  - MAC Address Bypass 365
  - Flexible Authentication 366
  - Dynamic Authorization Privileges 367
  - Cisco Identity Services Engine and TrustSec 368
  - RADIUS Change of Authorization 368
  - Access Control Lists 374
  - TrustSec and Security Group Tags 376
  - TrustSec Enablement 379
  - SGACL 384
  - Manufacturer Usage Description 390
  - Finding a Policy 390
  - Policy Types 390
  - The MUD Model 392
  - AWS Policy-based Authorization with IAM 394
  - Amazon Cognito 395
  - AWS Use of IAM 395
  - Policy-based Authorization 395
  - Accounting 397
  - How Does Accounting Relate to Security? 398
  - Using a Guideline to Create an Accounting Framework 398
  - Meeting User Accounting Requirements 400
  - Scaling IoT Identity and Access Management with Federation Approaches 402
  - IoT IAM Requirements 403
  - OAuth 2.0 and OpenID Connect 1.0 404
  - OAuth 2.0 404
  - OpenID Connect 1.0 405
  - OAuth 2.0 and OpenID Connect Example for IoT 405
  - Cloud to Cloud 406
  - Native Applications to the Cloud 408
  - Device to Device 409
  - Evolving Concepts: Need for Identity Relationship Management 411
  - Summary 414
  - References 415
- Chapter 10 Threat Defense 417
  - Centralized and Distributed Deployment Options for Security Services 418
  - Centralized 418
  - Distributed 420
  - Hybrid 422
  - Fundamental Network Firewall Technologies 422
  - ASAv 423
  - NGFWv 423
  - Network Address Translation 424
  - Overlapping 425
  - Overloading or Port Address Translation 425
  - Packet Filtering 426
  - Industrial Protocols and the Need for Deeper Packet Inspection 428
  - Common Industrial Protocol 428
  - Lack of Security 429
  - Potential Solutions: Not Good Enough 430
  - Alternative Solution: Deep Packet Inspection 430
  - Sanity Check 431
  - User Definable 432
  - Applying the Filter 432
  - Application Visibility and Control 433
  - Industrial Communication Protocol Example 435
  - MODBUS Application Filter Example 436
  - Intrusion Detection System and Intrusion Prevention System 437
  - IPS 438
  - Pattern Matching 438
  - Protocol Analysis 439
  - IDS/IPS Weakness 439
  - Advanced Persistent Threats and Behavioral Analysis 440
  - Behavior Analysis Solutions 441
  - Protocols Used to Gain Additional Visibility 442
  - Network as a Sensor 444
  - Pairing with Contextual Information and Adaptive Network Control 446
  - Encrypted Traffic Analytics 450
  - Malware Protection and Global Threat Intelligence 455
  - Cisco Advanced Malware Protection and TALOS 456
  - DNS-Based Security 462
  - Umbrella (DNS Security + Intelligent Proxy) 463
  - Centralized Security Services Deployment Example Using NSO, ESC, and OpenStack 466
  - ETSI MANO Components in the Use Case 468
  - VMs (Services) Being Instantiated in the Use Case 469
  - Use Case Explanation 469
  - Distributed Security Services Deployment Example Using Cisco Network Function Virtualization Infrastructure Software (NFVIS) 486
  - Solution Components 487
  - NFVIS 488
  - Orchestration 490
  - vBranch Function Pack 490
  - Summary 495
  - References 495
- Chapter 11 Data Protection in IoT 499
  - Data Lifecycle in IoT 507
  - Data at Rest 518
  - Data Warehouses 521
  - Data Lakes 522
  - Data in Use 524
  - Data on the Move 527
  - Protecting Data in IoT 531
  - Data Plane Protection in IoT 531
  - Protecting Management Plane Data in IoT 565
  - Protecting Control Plane Data 566
  - Considerations When Planning for Data Protection 567
  - Summary 573
  - References 574
- Chapter 12 Remote Access and Virtual Private Networks (VPN) 575
  - Virtual Private Network Primer 575
  - Focus for This Chapter 576
  - Site-to-Site IPsec VPN 576
  - IPsec Overview 577
  - IKEv1 Phase 1 579
  - IKEv1 Phase 2 582
  - Internet Key Exchange Protocol Version 2 584
  - Benefits of IKEv2 over IKEv1 586
  - Software-Defined Networking-Based IPsec Flow Protection IETF Draft 588
  - IPsec Databases 589
  - Use Case: IKE/IPsec Within the NSF 589
  - Interface Requirements 590
  - Applying SDN-Based IPsec to IoT 592
  - Leveraging SDN for Dynamic Decryption (Using IKE for Control Channels and IPsec for Data Channels) 592
  - Software-Based Extranet Using Orchestration and NFV 594
  - Traditional Approach 594
  - Automating Extranet Using Orchestration Techniques and NFV 595
  - Software-Based Extranet Use Case 597
  - Remote Access VPN 598
  - SSL-Based Remote Access VPN 598
  - Reverse Proxy 599
  - Clientless and Thin Client VPN 599
  - Client Based: Cisco AnyConnect Secure Mobility Client 611
  - Modules 612
  - Using AnyConnect in Manufacturing: Use Case Example 617
  - Summary 622
  - References 622
- Chapter 13 Securing the Platform Itself 625
  - (A) Visualization Dashboards and Multitenancy 627
  - (B) Back-End Platform 631
  - Scenario 1: A New Endpoint Needs to Be Connected to the Network 639
  - Scenario 2: A User Wants to Deploy a New Service Across the Fog, Network, and Data Center Infrastructure 639
  - Scenario 3: Creating New Data Topics and Enabling Data Sharing Across Tenants 641
  - Docker Security 653
  - Kubernetes Security and Best Practices 656
  - (C) Communications and Networking 658
  - (D) Fog Nodes 660
  - (E) End Devices or “Things” 666
  - Summary 667
  - References 667
- Part IV Use Cases and Emerging Standards and Technologies
- Chapter 14 Smart Cities 669
  - Use Cases Introduction 669
  - The Evolving Technology Landscape for IoT 670
  - The Next-Generation IoT Platform for Delivering Use Cases Across Verticals: A Summary 672
  - Smart Cities 676
  - Smart Cities Overview 678
  - The IoT and Secure Orchestration Opportunity in Cities 688
  - Security in Smart Cities 693
  - Smart Cities Example Use Cases 696
  - Use Case Automation Overview and High-Level Architecture 701
  - Power Monitoring and Control Use Case: Secure Lifecycle Management of Applications in the Fog Nodes 702
  - Access Control and Sensor Telemetry of City Cabinets: Simple and Complex Sensor Onboarding 705
  - Event-Based Video: Secure Data Pipeline and Information Exchange 709
  - Public Service Connectivity on Demand: Secure User Access and Behavioral Analysis 714
  - Emergency Fleet Integration 718
  - Automated Deployment of the Use Cases 721
  - Summary 725
  - References 727
- Chapter 15 Industrial Environments: Oil and Gas 729
  - Industry Overview 733
  - The IoT and Secure Automation Opportunity in Oil and Gas 735
  - The Upstream Environment 738
  - Overview, Technologies, and Architectures 739
  - Digitization and New Business Needs 742
  - Challenges 743
  - The Midstream Environment 744
  - Overview, Technologies, and Architectures 744
  - Digitization and New Business Needs 747
  - Challenges 748
  - The Downstream and Processing Environments 749
  - Overview, Technologies, and Architectures 749
  - Digitization and New Business Needs 752
  - Challenges 753
  - Security in Oil and Gas 754
  - Oil and Gas Security and Automation Use Cases: Equipment Health Monitoring and Engineering Access 763
  - Use Case Overview 763
  - Use Case Description 765
  - Deploying the Use Case 767
  - Preconfiguration Checklist 773
  - Automated Deployment of the Use Cases 777
  - Securing the Use Case 778
  - Power of SGT as a CoA 781
  - Auto-Quarantine Versus Manual Quarantine 782
  - Leveraging Orchestrated Service Assurance to Monitor KPIs 783
  - Evolving Architectures to Meet New Use Case Requirements 788
  - Summary 792
  - References 794
- Chapter 16 The Connected Car 797
  - Connected Car Overview 800
  - The IoT and Secure Automation Opportunity for Connected Cars 809
  - The Evolving Car Architecture 824
  - Security for Connected Cars 830
  - Connected Car Vulnerabilities and Security Considerations 838
  - Connected Car Security and Automation Use Case 849
  - Use Case Overview 852
  - Use Case Automation Overview 854
  - Secure Access/Secure Platform: Boundary Firewall for OTA Secure Updates 855
  - Secure Network: Segmentation, Zones, and Interzone Communication 857
  - Secure Content: Intrusion Detection and Prevention 858
  - Secure Intelligence: Secure Internet Access from the Vehicle 861
  - The Future: Personalized Experience Based on Identity 862
  - Federal Sigma VAMA: Emergency Fleet Solution 863
  - Automated Deployment of the Use Case 867
  - Summary 871
  - References 871
- Chapter 17 Evolving Concepts That Will Shape the Security Service Future 873
  - A Smarter, Coordinated Approach to IoT Security 876
  - Blockchain Overview 880
  - Blockchain for IoT Security 888
  - Machine Learning and Artificial Intelligence Overview 890
  - Machine Learning 893
  - Deep Learning 894
  - Natural Language Processing and Understanding 895
  - Neural Networks 896
  - Computer Vision 898
  - Affective Computing 898
  - Cognitive Computing 898
  - Contextual Awareness 899
  - Machine Learning and Artificial Intelligence for IoT Security 899
  - Summary 900
  - References 901

9781587145032 TOC 4/25/2018