
Copyright © 2018 ARAD Networks Co., Ltd. All rights reserved.

Next-generation network virtualization solution for the Fourth Industrial Revolution

Network Virtualization! It’s the beginning of all security.

September, 2018


Contents

1/ Market and Technological Trends of IoT

2/ Network Security of IoT

3/ Network Virtualization Solution (SPN)


1. Market and Technological Trends of IoT


1.1 Market Trends: IoT-based Hyperconnected Society

A hyperconnected society is emerging in which all electronic, medical and traffic terminals are connected to the network.

Changes in Info-communication Devices / IoT-based Hyperconnected Society

IoT includes ultra-miniature sensing devices and goes further to provide user-oriented services through mutually connected virtual processes.

※ Source: Journal of Security Engineering
※ Source: Korea Internet & Security Agency, IoT Products & Services Research for improving Security (2015.9)

[Figure: IoT-based Hyperconnected Society. Labels: Cyber-Space (Virtual Object), Daily-Life (Connected World), Physical-Space (Everyday Object)]

[Figure: International supply outlook for the internet devices. Axis: number of devices in use globally. Series: Connected Car, Wearable Devices, Connected TV, IoT, Tablet PC, Smart Phone, PC]

ICT Trends

In the PC market, which began to rise in 2000, more products other than PCs are being launched as of 2018 as the distribution of other devices, such as smartphones and IoT devices, has increased.


1.1 Market Trends: Convenient, beneficial new life through the advancement of info-communication (IoT) devices

ICT Trends

Changes into new life with info-communication (IoT) devices

• The core of IoT-based hyperconnected society is the mutual connection of human-oriented things to provide new convenience, values and benefits for humans

• Development into the Fourth Industrial Revolution through the advancement of artificial intelligence, big data, IoT technologies, and convergence with automation

Components & Modules of Smart Devices

< Subminiature & High Density Integration >
• Nano-IoT Module
• Wireless Charging / Energy Harvesting Module
• HUD-AR Micro Module
• Wearable Display Module

< Improving the Smart Sensing function >
• Measurement Module of vital sign
• Photo/Image Sensor Module
• Biometric Authentication Module
• RF Motion Recognition Module

< Connection Expansion of Devices >
• Wearable BAN Communication Module
• LPWA Communication Module

Smart Devices
• Micro IoT Device
• Garment Device
• Band Shaped Wellness Devices
• Devices of Vehicle Type
• Virtual Reality Devices

Services
• Tourism
• Environment


1.2 Technological Trends: IoT Network Architecture

Suitable Network Architecture for IoT applications?

Virtualized Network

• A flexible network structure is needed to enable linked services in the “terminal-service” format for each need without information linkage.

• An “on-demand virtualized network” should be built as the network architecture for a special purpose in a certain period.

[Figure: Transparent One Network vs Virtualized Overlay Network. Labels: devices D1, D2, D3; S1, S2, S3; Service#1, Service#2, Service#3]

Transparent One Network
• The number of connected devices is small.
• The access method is limited.
• The communication method is Client/Server.
• The network architecture is Device-Service.
• The network is a Fixed Network.
• The network service policy is the same.

Virtualized Overlay Network
• The number of connected devices is large.
• The access methods are various.
• The communication method is P2P, P2M, M2M.
• The network architecture is Device-Connected Service.
• The network is an On-demand Network, Overlay Network.
• The network service policy differs for each service.


1.2 Technological Trends: SD-WAN Network

Is a Software Defined On-demand Network needed for IoT applications?

On-demand Network

• Software Defined Network: Building a flexible network controllable at the center, instead of a fixed network
• Service Defined: A network for a special purpose that can be temporarily constructed and dissolved

[Figure: General Network vs On-demand Network. Each panel shows N1, N2, N3 and S1, S2, S3 with a Command Control Center and a Cloud (Data Center). Labels: Dedicated Network, Software defined, Service defined]


The solution is “Network Virtualization”

“Network virtualization” is the basic IoT Network Architecture for the Fourth Industrial Revolution

Security limitations
• Previous IoT terminals could access information resources through the Internet
• Hackers could freely access IoT terminals via the Internet to carry out the attacks they wanted
• IoT terminals could be infected by ransomware through the network

Limitations of Existing Technologies
• (Physical separation) Physical network separation may create financial, spatial and integrated control limitations for network facilities, cables, etc.
• (Logical separation) Network separation using existing VPN facilities is currently not supported. Constructing it for IoT security may result in financial issues and limitations in integrated control.

New technologies are needed for the new market

[Diagram labels: Based on High-performing Network; Building Virtual Network; Hiding Information Resources in Info-communication Devices; Unidentifiable Access Route to Info-communication Devices; Information Resource Protection]


Architecture Diagram for Network Virtualization of IoT

[Figure: layers labelled SD-WAN, Network Virtualization and Service Defined Network; other labels: Public, Public Services]

- Service Availability (Data/Control Plane separation)

- E2E Network Security (Network Slicing)

- Service Flexibility (On-demand Service NW)


2. IoT Network Security


2.1 ICT Security: Changes in IoT Security Threats

Expansion of the hacking scope from specific purposes to random attacks on an unspecified majority

• Change security codes by hacking
• Open door locks by hacking
• Hacking home cameras

Past) Hacking for a specific purpose
Present) Random hacking of an unspecified majority

As all things are connected to each other, more convenience and benefits are guaranteed, but hacking may expand from attacking major services (games, portals, etc.), business, informative websites, and internet banking for financial gains to wide and random attacks on infrastructure providing public service information and privacy.

ICT Security

• Moonlight Maze in 2000: First massive APT case, attacking government agencies such as the United States Department of Defense, NASA, etc.
• Gozi & Zeus in 2007: Banking virus, Trojan horse malware that steals financial information from online banking and card payment information
• Sykipot in 2006: APT attacks on American and British corporations (spear phishing email including malware); APT (Advanced Persistent Threat) term used by the United States Air Force
• In 2008 (South Korea): Personal information of 8.2 million persons leaked from Shinsegae Mall
• GhostNet & Operation Aurora in 2009: “Tibet’s government-in-exile hacked” by China, and source codes and other confidential information leaked from about 70 major corporations, including Google and Dow Chemical
• In 2010 (South Korea): Personal information of 18,630,000 users leaked from Auction
• StuxNet in 2010: ‘StuxNet computer worm,’ a computer HW invasion into Iranian nuclear facility
• In 2011 (South Korea): User information hacked from SK Communications and Nexon, Nonghyup computer network paralyzed
• RSA Attack in 2011: RSA attack on the largest cyber security conference
• Red October in 2012: Malware program aiming to steal information from government agencies and corporations spread to 36 countries
• In 2012 (South Korea): Personal information leaked from 3 carriers and broadcasting corporations
• In 2013 (South Korea): Broadcasting corporations and bank computer networks paralyzed
• In 2014 (South Korea): Massive personal information leaked from major credit card companies, and internal information hacked from major public agencies
• ATA (Advanced Targeted Attack) in 2014: Gartner ATA, intellectual target attack terms used

Expansion of the hacking scope
• Security vulnerability of smart home
• Weak security system of smart home
• Able to control the vehicle and lighting & heating
• Smart home’s market is 21 trillion won after 2 years
• Device hacking linked to human life, such as gas, etc.


2.2 ICT Security: Limitations of Traditional Cyber Security

IoT devices/facilities cannot be secured through traditional cyber security methods

Security code changed, mistaken for the homeowner

According to a press release on security threat scenarios on smart TV, smart electronics, routers, smart cars, traffic, and medical devices, the security vulnerabilities of each device have been exposed, enabling device and infrastructure control once the controlling network is accessed. (KISTEP InI No. 14_ Development of Internet of Things and changes in the security paradigms)

ICT Security

Major IoT hacking cases (Classification: Description)

• Smart TV: In August 2013, a demonstration in Las Vegas showed a private video hacked from the camera equipped at a smart TV to expose the security vulnerability of home devices connected to the Internet

• Smart Electronics: In September 2014, Black Perl Security demonstrated real-time monitoring through the camera equipped at the robotic vacuum by hacking the device using the vulnerability in the security setting of the AP connected to the robotic vacuum as well as the vulnerabilities of the authentication method of the application needed for remote control of the vacuum.

• Distribution, Home: In March 2014, Team Cymru, a security consulting firm, warned that hackers hacked about 300,000 routers from D-Link, Micronet, TP-Link, etc.

• Smart car: A team of hackers from Spain disclosed an assemblable circuit board (20 dollars) that can invade a vehicle network, through which an automobile company may access the automobile CAN (Controller Area Network) installed in the engine to inspect the computer system and control the brake, set the direction, and turn off the warning device, etc.

• Traffic: IOActive Labs, a security company, investigated the detection technology of road vehicles and found wide design and security defects. Particularly, the attacker may transmit false data to the traffic control system under the guise of a sensor and control major infrastructure

• Medical device: At the Black Hat Security Conference in 2012, a hacker demonstrated that an insulin pump can be controlled from 800m to inject a lethal dose.

Source: Korean Boan News, other Newspaper Media

IoT hack-related yearly trend

[Figure: two charts comparing 2015 and 2021. Number of IoT Devices: values shown are 53 billion and 5 billion. Damages from hacks: values shown are 3000 trillion won and 6000 trillion won]


2.3 Necessity of Network Virtualization: Responses to IoT Security Threats

IoT devices/facilities cannot be secured by traditional security methods (Share · Block · Cover · Inspect)

Access security to IoT devices has been identified as the most urgent issue, and updating remote terminal devices for communication channels security has been designated as the most urgent task to protect IoT products. Also, recent “various seminars on IoT security” commented that traditional cyber security methods cannot deal with IoT security, and proposed separating networks for IoT devices/facilities.

ICT Security

Security elements of IoT network

[Figure: bar chart. Categories: Embedded software security for terminal devices; Data security saved in terminal devices; Update security for remote terminal device; Communication channel security; Access security for terminal device. Values shown: 39%, 44%, 50%, 55%, 60%]

※ Source: Capgemini Consulting (Nov. 2014)

IoT network security method: network separation

Info-communication technologies (including IoT) security elements to be resolved at the network:

1. Virtual network building for each IoT service (network separation)
2. Access security in virtual network (control by service in separated network)
3. Communication security (encoded communication if necessary)
4. Terminal device security (update, save data, operation system test)

[Diagram labels: Service, Access Security, Virtual Network, with the numbers 1 to 4 marking where each element applies]


3. Network Virtualization (SPN)


3.1 Overview of SPN: SPN Architecture Diagram

[Figure: SPN Architecture Diagram. Components: SPN Controller, SPN NMS, Service Gateway, Point Gateway, Point Gateway (LTE-R), SPN Agent S/W for Windows, SPN Agent S/W for Linux, SPN Agent S/W for Android]


3.1 Overview of SPN: SPN Concept Diagram

• Hiding information resources from general users/unauthorized users
• Unidentifiable access route due to hidden information resources
• Minimizing further infection range from an infected IoT device
• Uncontrollable via hacker’s server even if information resources of virtual network are infected through an infected device
• Inaccessible to another network even without additional installation between independent virtual networks
• Accessing my own virtualized space with the registered IP

[Figure: SPN Concept Diagram. Labels: A Network, B Network, C Network; Using Registered/Private IP; Hiding Information Resources]


3.1 Overview of SPN: Features and Strengths of SPN

1. Building my own stable network through independent network architecture by service/terminal
• Inaccessible and unidentifiable from other network resources through the Network Separating technology (virtual routing) and IP Tunneling
• Delivering accessible network information from each network to the authorized users only
• Controlling unauthorized traffic in constructed virtual network
• Diversifying virtual network services through stable service provision

2. Centralized One-Stop Management System for integrated control/network status identification
• Building inter-household virtual networks and authorizing accesses by users
• Facility performance/status check monitoring system on Service Gateway and Point Gateway
• Login history view through the administrator’s page and the inaccessibility control function
• System resource usage analysis on CPU usage rate, Memory usage rate, etc.

3. Flexible network architecture with perfect compatibility with existing network facilities
• Perfectly compatible with network protocols offered by existing network facilities
• Standard monitoring protocol for various traffic and device status monitoring
• Standard Authentication protocol for connection to various user control DB
• Standard protocol offered for system access


3.1 Overview of SPN: Effects of the adoption

1. Safe service network
• One’s own cyber space secured with no privacy infringement
• Differentiated IoT terminal access authorities by classifying user’s access type

2. Virtual network (CCTV, POS, etc.) using public net (Internet)
• Affordable and safe public services
• Information sharing with related organizations by constructing various types of (1:1 ~ N:N) virtual network

3. Virtual network for each task in closed network
• No further spread of unexpected hacks to the entire closed network
• Network access authorization by task type

4. Concise and intuitive one-stop virtual network management and control
• Flexible virtual network generation and architecture
• Excellent stability through multiple network architecture
• Monitoring on unauthorized accessing terminals


3.2 Product Introduction: SPN Product Group

Software

SPN Agent
• S/W installed in devices to use virtual networks
• Equipped at industrial machines (CCTV, POS, etc.)
• Windows, Android, Linux supported

Central control system

SPN NMS
• Central control system for real-time status and trouble management

SPN Controller
• SD-WAN central control system that virtualizes and controls networks

Hardware

Service Gateway (SGW-BC-4610)
• A facility for tunnel access control, network virtualization and management

Point Gateway (PGW-RT-5T)
• A facility that generates and manages virtual network to control wired/wireless user terminals


3.3 Competitive Technology Analysis

Physical Separation
Configuration: General Switch, “Single Network”
Description (Physical separation):
• Safe network architecture through physical separation
• Pricing unavailable due to ineffective facilities
• Rising maintenance costs due to the increasing management points
• Design changes needed due to the rising cable volume and weight

Existing Technology (VPN)
Configuration: VPN Switch, “VPN Encryption”
Description (VPN Switch):
• Independent network cannot be built through the existing VPN method
• Price rises for the increasing facilities for network separation by service
• Rising maintenance costs due to the increasing management points
• P2P communication, Client/Server communication method

SPN Solution
Configuration: Service Gateway, Point Gateway
Description (Network Segmentation):
• Separating and controlling multiple networks with one facility
• Available for use with existing security facilities
• E2E security enhanced
• P2P, P2M supported

[Table rows: Classification, Configuration, Description, Cost. The Cost row shows “> >” between the columns]


3.4 Architectural Method: Network Virtualization between Smart City Services

[Figure labels: IoT Devices, Point Gateway, Service Gateway, Service#1, Service#2, Service#3, Service#4, Public Services (WiFi), Public Application Services, Integrated Control Center for Smart City (disaster prevention room), SPN Controller, SPN NMS]

Strengths and Features: Description

Independent network architecture by services
• Providing safe public and private services through independent network architecture for each service
• Hiding service information resources
• Only authorized terminals access the independent service network
• Fully separating traffic to prevent security breaches

Active response to failures
• Intelligent network that offers automatic fail-over and recovery in case of trouble

Service quality assurance
• Accessing continuous and virtual network through the dualized SPN tunnel between Point-Gateway and services

Convenience through central control
• One-stop network, service provision and monitoring through centralized management/control


3.4 Architectural Method: Network virtualization of CCTV

CCTV Agentless Method
When an agent cannot be installed in the CCTV, network virtualization is provided by concentrating on the Point Gateway

CCTV Agent-based Method
Providing network virtualization by installing an agent in the CCTV terminal

[Figure labels: NVR (4/8/16CH), Point G/W, Service G/W, Controller, Wall pad, Virtualized Network]

Strengths and Features: Description

Cost reduction
• Internet or owned network lines used as independent IP-exclusive lines; CCTV agentless method is suitable for existing analog method or low-resolution CCTV

Independent network architecture between CCTVs
• Even if built in one network (L2/L3), each CCTV is built on a separate network
• Mutual communication unavailable as information resources are hidden in each household

Active response to troubles
• Intelligent network dualizes the facility that concentrates on virtual network for automatic fail-over and automatic recovery in case of any trouble with one virtual network concentrating facility
• Accessing virtual network through the dualized SPN tunnel between Point-Gateway and services

Convenience through central control
• One-stop network, service provision and monitoring through centralized control/management


3.4 Architectural Method: Network virtualization of Smart Home

Strengths and Features: Description

Cost reduction
• Economic independent network building for each household through network virtualization-based architecture

Independent network architecture by household
• Separate network built for each household even if built on one network base (L2/L3)
• Mutual communication unavailable as information resources are hidden in each household

Active response to troubles
• Intelligent network dualizes the facility that concentrates on virtual network for automatic fail-over and automatic recovery in case of any trouble with one virtual network concentrating facility
• Accessing virtual network through the dualized SPN tunnel between Point-Gateway and services

Convenience through central control
• One-stop network, service provision and monitoring through centralized control/management

[Figure labels: MDF, ARAD APT. #101, ARAD APT. #201, Authorized User #101, Unauthorized User, No Access, SPN Manager, SPN Switch, SPN Agent, Point Gateway, internet, Elevator Server, Parking Control Server, Gas Control Server, Security Monitoring Server, CCTV Server]


Thank you

Safe IP Network by ARAD