Copyright © 2018 ARAD Networks Co., Ltd. All rights reserved.
Next-generation network virtualization solution for the Fourth Industrial Revolution
Network Virtualization! It’s the beginning of all security.
September, 2018
Contents
1/ Market and Technological Trends of IoT
2/ Network Security of IoT
3/ Network Virtualization Solution (SPN)
1. Market and Technological Trends of IoT
1.1 Market Trends: IoT-based Hyperconnected Society
A hyperconnected society is emerging in which all electronic, medical and traffic terminals are connected to the network.
IoT includes ultra-miniature sensing devices and, through mutually connected virtual processes, provides services that are further oriented to the user.
[Figure: Changes in info-communication devices; IoT-based hyperconnected society, layered as cyber space (virtual objects), daily life (connected world) and physical space (everyday objects). Sources: Journal of Security Engineering; Korea Internet & Security Agency, IoT Products & Services Research for Improving Security (2015.9)]
[Figure: International supply outlook for internet devices]
ICT Trends
In the PC market that took off in the early 2000s, by 2018 more non-PC products are being launched as the distribution of other devices, such as smartphones and IoT devices, has increased.
[Chart: Number of devices in use globally, by type: PC, smartphone, tablet PC, IoT, connected TV, wearable devices, connected car]
1.1 Market Trends: Convenient, beneficial new life through the advancement of info-communication (IoT) devices
ICT Trends
Changes to a new way of life with info-communication (IoT) devices
• The core of the IoT-based hyperconnected society is the mutual connection of human-oriented things to provide new convenience, value and benefits for people.
• Development into the Fourth Industrial Revolution through the advancement of artificial intelligence, big data and IoT technologies, and their convergence with automation.
Components & Modules of Smart Devices
- Subminiature & high-density integration: Nano-IoT module; wireless charging / energy harvesting module; HUD-AR micro module; wearable display module
- Improved smart sensing function: vital sign measurement module; photo/image sensor module; biometric authentication module; RF motion recognition module
- Connection expansion of devices: wearable BAN communication module; LPWA communication module
Smart Devices: micro IoT device; garment device; band-shaped wellness devices; vehicle-type devices; virtual reality devices
Services: tourism; environment; …
1.2 Technological Trends: IoT Network Architecture
Which network architecture is suitable for IoT applications?
• A flexible network structure is needed so that linked services can be provided in a "terminal-service" form for each need, without information linkage between services.
• An "on-demand virtualized network" should be built as the network architecture for a special purpose during a certain period.
[Figure: Transparent One Network vs. Virtualized Overlay Network, with devices D1–D3, services S1–S3 and Service #1–#3]
Transparent One Network
- The number of connected devices is small.
- The access method is limited.
- The communication method is client/server.
- The network architecture is device-to-service.
- The network is a fixed network.
- The network service policy is the same for every service.
Virtualized Overlay Network
- The number of connected devices is large.
- The access methods are various.
- The communication methods are P2P, P2M and M2M.
- The network architecture is device-to-connected-service.
- The network is an on-demand network, an overlay network.
- The network service policy differs for each service.
1.2 Technological Trends: SD-WAN Network
Is a software-defined, on-demand network needed for IoT applications?
• Software Defined Network: building a flexible network controllable from the center, instead of a fixed network
• Service Defined: a network that can be temporarily constructed and dissolved for a special purpose
[Figure: General Network (dedicated network) vs. On-demand Network (software defined, service defined); each shows a command/control center, a cloud (data center), nodes N1–N3 and services S1–S3]
The solution is "Network Virtualization"
"Network virtualization" is the basic IoT network architecture for the Fourth Industrial Revolution.
Security limitations
• Previous IoT terminals could access information resources through the Internet.
• Hackers could freely reach IoT terminals via the Internet and carry out the attacks they wanted.
• IoT terminals could be infected by ransomware over the network.
Limitations of existing technologies
• (Physical separation) Physical network separation may create financial, spatial and integrated-control limitations for network facilities, cables, etc.
• (Logical separation) Network separation using existing VPN facilities is currently not supported; building it for IoT security may result in financial issues and limitations in integrated control.
New technologies are needed for the new market.
[Figure: building a virtual network based on a high-performing network → hiding information resources in info-communication devices → unidentifiable access route to info-communication devices → information resource protection]
Architecture Diagram for Network Virtualization of IoT
[Figure: SD-WAN → Network Virtualization → Service Defined Network, serving public services]
- Service Availability (Data/Control Plane separation)
- E2E Network Security (Network Slicing)
- Service Flexibility (On-demand Service NW)
2. IoT Network Security
2.1 ICT Security: Changes in IoT Security Threats
The scope of hacking has expanded from attacks for specific purposes to random attacks on an unspecified majority.
[Figure: changing security codes by hacking; opening door locks by hacking; hacking home cameras]
Past) Hacking for a specific purpose → Present) Random hacking of an unspecified majority
As all things become connected to each other, more convenience and benefits are guaranteed, but hacking may expand from attacks on major services (games, portals, etc.), businesses, informational websites and internet banking for financial gain to wide, random attacks on the infrastructure that provides public service information and on privacy.
ICT Security
Timeline of major attacks
- 2000: Moonlight Maze, the first massive APT case, attacking government agencies such as the United States Department of Defense, NASA, etc.
- 2006: Sykipot, APT attacks on American and British corporations (spear-phishing e-mail including malware); the term APT (Advanced Persistent Threat) was used by the United States Air Force
- 2007: Gozi & Zeus, banking viruses, Trojan horse malware that steals financial information from online banking and card payment information
- 2008 (South Korea): personal information of 8.2 million persons leaked from Shinsegae Mall
- 2009: GhostNet & Operation Aurora, "Tibet's government-in-exile hacked" by China; source code and other confidential information leaked from about 70 major corporations, including Google and Dow Chemical
- 2010: StuxNet, the "StuxNet computer worm", a computer/hardware intrusion into an Iranian nuclear facility
- 2010 (South Korea): personal information of 18,630,000 users leaked from Auction
- 2011: RSA Attack, on RSA, the largest cyber security conference; a malware program aiming to steal information from government agencies and corporations spread to 36 countries
- 2011 (South Korea): user information hacked from SK Communications and Nexon; Nonghyup's computer network paralyzed
- 2012: Red October
- 2012 (South Korea): personal information leaked from 3 carriers and broadcasting corporations
- 2013 (South Korea): broadcasting corporations' and banks' computer networks paralyzed
- 2014: ATA (Advanced Targeted Attack), Gartner's term for intelligent targeted attacks
- 2014 (South Korea): massive personal information leaked from major credit card companies, and internal information hacked from major public agencies
Present: security vulnerability of the smart home
- Weak security systems in smart homes
- Able to control the vehicle, lighting and heating
- The smart home market will reach 21 trillion won in 2 years
- Device hacking linked to human life, such as gas, etc.
- Expansion of the hacking scope
2.2 ICT Security: Limitations of Traditional Cyber Security
IoT devices and facilities cannot be secured through traditional cyber security methods.
[Image caption: security code changed, attacker mistaken for the homeowner]
Major IoT hacking cases / IoT hack-related yearly trend
According to press releases on security threat scenarios for smart TVs, smart electronics, routers, smart cars, traffic and medical devices, the security vulnerability of each device has been exposed, enabling control of the device and its infrastructure once the controlling network is accessed. (KISTEP InI No. 14: Development of the Internet of Things and changes in security paradigms)
ICT Security
Major IoT hacking cases (Classification: Description)
- Smart TV: In August 2013, a demonstration in Las Vegas showed a private video hacked from the camera built into a smart TV, exposing the security vulnerability of home devices connected to the Internet.
- Smart electronics: In September 2014, Black Perl Security demonstrated real-time monitoring through the camera of a robotic vacuum by hacking the device, using a vulnerability in the security settings of the AP the vacuum was connected to as well as vulnerabilities in the authentication method of the application needed for remote control of the vacuum.
- Distribution, home: In March 2014, Team Cymru, a security consulting firm, warned that hackers had compromised about 300,000 routers from D-Link, Micronet, TP-Link, etc.
- Smart car: A team of hackers from Spain disclosed an assemblable circuit board (20 dollars) that can intrude into a vehicle network, through which the automobile's CAN (Controller Area Network) installed in the engine can be accessed to inspect the computer system, control the brakes, set the direction, turn off warning devices, etc.
- Traffic: IOActive Labs, a security company, investigated road vehicle detection technology and found wide-ranging design and security defects. In particular, an attacker may transmit false data to the traffic control system under the guise of a sensor and control major infrastructure.
- Medical device: At the Black Hat Security Conference in 2012, a hacker demonstrated that an insulin pump can be controlled from 800 m to inject a lethal dose.
Source: Korean Boan News, other newspaper media
[Chart: Number of IoT devices, 2015 vs. 2021: 5 billion → 53 billion. Damages from hacks, 2015 vs. 2021: 3000 trillion won → 6000 trillion won]
2.3 Necessity of Network Virtualization: Responses to IoT Security Threats
IoT devices and facilities cannot be secured by traditional security methods (share, block, cover, inspect).
[Image caption: security code changed, attacker mistaken for the homeowner]
Security elements of the IoT network / IoT network security method: network separation
Access security for IoT devices has been identified as the most urgent issue, and update security for remote terminal devices and communication channel security have been designated as the most urgent tasks for protecting IoT products. Recent seminars on IoT security have also commented that traditional cyber security methods cannot deal with IoT security, and have proposed separating networks for IoT devices/facilities.
ICT Security
※ Source: Capgemini Consulting (Nov. 2014)
[Chart: security elements to be resolved, share of respondents]
- Embedded software security for terminal devices: 39%
- Security of data saved in terminal devices: 44%
- Update security for remote terminal devices: 50%
- Communication channel security: 55%
- Access security for terminal devices: 60%
Info-communication technology (including IoT) security elements to be resolved at the network level
1. Virtual network building for each IoT service (network separation)
2. Access security in the virtual network (control by service in the separated network)
3. Communication security (encrypted communication if necessary)
4. Terminal device security (updates, saved data, operating system testing)
[Figure: one virtual network per service, with service access security at the boundary, numbered 1–4 as above]
3. Network Virtualization Solution (SPN)
3.1 Overview of SPN: SPN Architecture Diagram
[Figure: SPN Controller and SPN NMS; Service Gateway; Point Gateway and Point Gateway (LTE-R); SPN Agent S/W for Windows, Linux and Android]
3.1 Overview of SPN: SPN Concept Diagram
• Hiding information resources from general users and unauthorized users
• Access route unidentifiable, because information resources are hidden
• Minimizing the range of further infection from an infected IoT device
• Not controllable from a hacker's server, even if the information resources of a virtual network are infected through an infected device
• Independent virtual networks cannot reach one another, and no additional installation is needed between them to achieve this
• Each user accesses their own virtualized space with the registered IP
[Figure: Networks A, B and C, each using registered/private IP and each hiding its information resources]
3.1 Overview of SPN: Features and Strengths of SPN
1. Building one's own stable network through an independent network architecture per service/terminal
• Inaccessible and unidentifiable from other network resources through network separation technology (virtual routing) and IP tunneling
• Delivering the accessible network information of each network to authorized users only
• Controlling unauthorized traffic within the constructed virtual network
• Diversifying virtual network services through stable service provision
2. Centralized one-stop management system for integrated control and network status identification
• Building inter-household virtual networks and authorizing user access
• Performance/status monitoring of Service Gateway and Point Gateway facilities
• Login history view through the administrator's page, and an access-blocking control function
• System resource usage analysis (CPU usage rate, memory usage rate, etc.)
3. Flexible network architecture, fully compatible with existing network facilities
• Fully compatible with the network protocols offered by existing network facilities
• Standard monitoring protocol for monitoring various traffic and device status
• Standard authentication protocol for connection to various user control DBs
• Standard protocol offered for system access
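The separation and authorized-only access that sections 2.3 and 3.1 describe (a virtual network per service, traffic forwarded only inside it, unauthorized attempts monitored) can be modelled as a small policy check at the gateway. The Python below is an added example written for this transcript; it is not ARAD's code and does not reflect the SPN product's API. The `Controller` and `Gateway` classes, the `demo()` function and every address in it are constructed assumptions: the controller holds the registered-IP-to-virtual-network membership, the gateway forwards a packet only when source and destination belong to the same virtual network and records every other packet as a drop, and `unauthorized_sources()` is the monitoring view over those drops.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    app: str  # constructed label for the application (rtsp, https), not inspected


class Controller:
    """Central registry of which registered IP belongs to which virtual network.
    Modelled on the controller role in the slides; the class and its methods are
    assumptions for this example, not ARAD's API."""

    def __init__(self):
        self._membership = {}  # registered IP -> virtual network name

    def register(self, ip, vnet):
        ip_address(ip)  # raises ValueError on a malformed address
        self._membership[ip] = vnet

    def vnet_of(self, ip):
        return self._membership.get(ip)  # None for any unregistered host


class Gateway:
    """Forwards only between members of the same virtual network and records
    every verdict so unauthorized attempts can be monitored."""

    def __init__(self, controller):
        self.controller = controller
        self.audit_log = []

    def handle(self, pkt):
        src = self.controller.vnet_of(pkt.src_ip)
        dst = self.controller.vnet_of(pkt.dst_ip)
        if src is None:
            # An unregistered terminal has no virtual network, so nothing is reachable.
            verdict = "DROP: source not registered to any virtual network"
        elif dst is None:
            # A registered but compromised device cannot reach hosts outside its network.
            verdict = "DROP: destination outside every virtual network"
        elif src != dst:
            verdict = f"DROP: cross-network traffic {src} -> {dst}"
        else:
            verdict = f"FORWARD: within {src}"
        self.audit_log.append((pkt, verdict))
        return verdict.startswith("FORWARD")

    def unauthorized_sources(self):
        """Dropped packets per source IP: the 'monitoring of terminals attempting
        unauthorized access' view, built from the audit log."""
        return Counter(p.src_ip for p, v in self.audit_log if v.startswith("DROP"))


def demo():
    ctl = Controller()
    # Constructed sample deployment: one virtual network per service.
    ctl.register("10.0.1.10", "cctv")     # camera
    ctl.register("10.0.1.100", "cctv")    # NVR
    ctl.register("10.0.2.20", "pos")      # POS terminal
    ctl.register("10.0.2.200", "pos")     # POS server
    gw = Gateway(ctl)
    # Constructed traffic; 203.0.113.5 and 198.51.100.7 are documentation
    # addresses standing in for an unregistered host and an external server.
    traffic = [
        Packet("10.0.1.10", "10.0.1.100", "rtsp"),     # camera -> NVR, same network
        Packet("10.0.2.20", "10.0.2.200", "https"),    # POS -> POS server, same network
        Packet("10.0.2.20", "10.0.1.100", "rtsp"),     # POS -> NVR, cross network
        Packet("203.0.113.5", "10.0.1.100", "rtsp"),   # unregistered host -> NVR
        Packet("10.0.1.10", "198.51.100.7", "https"),  # infected camera -> outside host
        Packet("203.0.113.5", "10.0.2.200", "https"),  # unregistered host -> POS server
    ]
    forwarded = [gw.handle(p) for p in traffic]
    return {"forwarded": forwarded, "unauthorized": dict(gw.unauthorized_sources())}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two of the six packets are forwarded; the other four are dropped for three different reasons, and the drop counter shows the POS terminal once and the unregistered host twice, which is the kind of per-terminal view an operator would want from the NMS. Real deployments would key membership on the tunnel identity rather than a bare IP, since an IP can be spoofed; the point here is only that the policy is decided centrally and enforced at the gateway.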
3.1 Overview of SPN: Effects of the Adoption
1. Safe service network
• One's own cyber space secured with no privacy infringement
• Differentiated IoT terminal access authority by classifying the user's access type
2. Virtual network (CCTV, POS, etc.) using the public network (Internet)
• Affordable and safe public services
• Information sharing with related organizations by constructing various types of virtual network (1:1 to N:N)
3. Virtual network for each task in a closed network
• No further spread of unexpected hacks to the entire closed network
• Network access authorization by task type
4. Concise and intuitive one-stop virtual network management and control
• Flexible virtual network generation and architecture
• Excellent stability through multiple network architecture
• Monitoring of terminals attempting unauthorized access
3.2 Product Introduction: SPN Product Group
Central control system
- SPN Controller: SD-WAN central control system that virtualizes and controls networks
- SPN NMS: central control system for real-time status and trouble management
Hardware
- Service Gateway (SGW-BC-4610): a facility for tunnel access control, network virtualization and management
- Point Gateway (PGW-RT-5T): a facility that generates and manages virtual networks to control wired/wireless user terminals
Software
- SPN Agent: S/W installed in devices to use virtual networks; equipped on industrial machines (CCTV, POS, etc.); Windows, Android and Linux supported
3.3 Competitive Technology Analysis
(Classification / Configuration / Description / Cost)
Physical separation
- Configuration: general switch, "Single Network"
- Description: safe network architecture through physical separation
- Cost: poor cost-effectiveness due to inefficient use of facilities; rising maintenance costs due to the increasing number of management points; design changes needed due to rising cable volume and weight
Existing technology (VPN)
- Configuration: VPN switch, "VPN Encryption"
- Description: an independent network cannot be built with the existing VPN method; P2P and client/server communication methods
- Cost: price rises with the increasing facilities needed for network separation by service; rising maintenance costs due to the increasing number of management points
SPN Solution
- Configuration: Service Gateway > Point Gateway, network segmentation
- Description: separating and controlling multiple networks with one facility; usable together with existing security facilities; E2E security enhanced; P2P and P2M supported
3.4 Architectural Method: Network Virtualization between Smart City Services
[Figure: IoT devices connected through Point Gateways to Service #1–#4 and public services (WiFi); Service Gateway, SPN Controller and SPN NMS located in the Integrated Control Center for the Smart City (control room); public application services]
Strengths and Features / Description
Independent network architecture by service
• Providing safe public and private services through an independent network architecture for each service
• Hiding service information resources
• Only authorized terminals access an independent service network
• Fully separating traffic to prevent security breaches
Active response to failures
• Intelligent network that offers automatic fail-over and recovery in case of trouble
Service quality assurance
• Continuous access to the virtual network through the dualized SPN tunnel between the Point Gateway and services
Convenience through central control
• One-stop network and service provision and monitoring through centralized management/control
3.4 Architectural Method: Network Virtualization of CCTV
CCTV agentless method
[Figure: CCTV cameras → NVR (4/8/16 CH) → Point G/W → Service G/W → Controller]
When an agent cannot be installed in the CCTV, network virtualization is provided by concentrating traffic on the Point Gateway.
CCTV agent-based method
[Figure: CCTV terminals with the agent installed, wall pad → NVR (4/8/16 CH) → Service G/W → Controller; virtualized networks]
Network virtualization is provided by installing an agent in the CCTV terminal.
Strengths and Features / Description
Cost reduction
• Internet or owned network lines used as independent IP-exclusive lines; the CCTV agentless method is suitable for existing analog or low-resolution CCTV
Independent network architecture between CCTVs
• Even if built on one network (L2/L3), each CCTV is placed on a separate network
• Mutual communication unavailable, as the information resources of each household are hidden
Active response to troubles
• The intelligent network dualizes the facility that concentrates the virtual network, for automatic fail-over and automatic recovery in case of trouble with one virtual-network concentrating facility
• Accessing the virtual network through the dualized SPN tunnel between the Point Gateway and services
Convenience through central control
• One-stop network and service provision and monitoring through centralized control/management
3.4 Architectural Method: Network Virtualization of Smart Home
Strengths and Features / Description
Cost reduction
• Economical independent network building for each household through a network virtualization-based architecture
Independent network architecture by household
• A separate network is built for each household even when built on one network base (L2/L3)
• Mutual communication unavailable, as the information resources of each household are hidden
Active response to troubles
• The intelligent network dualizes the facility that concentrates the virtual network, for automatic fail-over and automatic recovery in case of trouble with one virtual-network concentrating facility
• Accessing the virtual network through the dualized SPN tunnel between the Point Gateway and services
Convenience through central control
• One-stop network and service provision and monitoring through centralized control/management
[Figure: ARAD APT. #101 and #201 with SPN Agent, connected through the SPN Switch and Point Gateway in the MDF to the internet and to the elevator, parking control, gas control, security monitoring and CCTV servers, managed by the SPN Manager; authorized user #101 has access, the unauthorized user has no access]
Thank you
Safe IP Network by ARAD