On Securing Home Networks

 

Senthil Sengodan, Robert Ziegler

Nokia Research Center

5 Wayside Road

Burlington, MA 01803, USA

{senthil.sengodan,robert.ziegler}@nokia.com

Linda Edlund

Ericsson Telecom AB

P.O. Box 1885

SE-581 17 Linkoping, Sweden

linda.edlund@home.se

 

 

Abstract

Home networking has widely been touted as the next frontier in the Internet and technology revolution. Within the home network itself, several technologies such as Bluetooth, 802.11, UPnP, JINI, HAVi, HomePNA, HomeRF, etc. have emerged. While some of these are competing technologies, others can act as complementary technologies. Alongside the development of these technologies, the interest in and need for secure and flexible delivery of services from a Wide Area Network (WAN) to such home networks has risen. In this paper, we take a two-pronged approach. Firstly, we give an overview of the security features in several of the home networking technologies mentioned above. Secondly, we discuss the security aspects involved in service delivery from a WAN to a home network. Personal firewalls, and the general trend of moving policy/firewall functionality to the edge, are also discussed within the context of home networks.

Key words: home networks, security, personal firewalls, OSGi

 

1 Introduction

The last couple of years have seen dramatic activity in the specification and standardization of home networking solutions. Home networking technologies that are used as an infrastructure for the transport of signaling and media have seen rapid advances. This includes wireless technologies that may be used within the home such as Bluetooth, 802.11 and HomeRF. Similarly, networking technologies that are used to interconnect the home network with the Wide Area Network (WAN) have also matured. With the availability of network infrastructure technologies, the need for the development and standardization of middleware technologies arose. Technologies such as UPnP, HAVi, Jini and OSGi began to emerge, easing service/application development and deployment as well as use by the end-user.

The need for providing adequate security services to the different players – end-user, operator, service provider etc. – is paramount. Such security services include authentication, confidentiality, integrity, access control and possibly non-repudiation. In this paper, we discuss various aspects dealing with security of home networks.

2 Network Infrastructure and Communication Protocols

The nature of the network infrastructure technology has an impact on the security of the entire system. Certain network infrastructure technologies are inherently more secure than others. Similarly, the security mechanisms incorporated within certain communication protocols are more sophisticated than those in others. We discuss two different categories:

  • Infrastructure technologies and communication protocols used to interconnect the various devices within the home network. (Section 2.1)
  • Infrastructure technologies and communication protocols used to interconnect a home network with a Wide Area Network (WAN). (Section 2.2)

2.1 Home Network Infrastructure technology

The four main technologies for home network infrastructure are: (1) phone-line based, (2) power-line based, (3) wireless technologies and (4) bus-based technologies. While security has been explicitly addressed at times, at other times security has been left to higher layers to handle. Where security has been specified, it is important that interoperability exists between the different implementations.

The most popular phone-line based specifications are the two specifications by the Home Phoneline Networking Alliance (HomePNA) – Specification 1.0 at 1 Mbps and Specification 2.0 at 10 Mbps. The technology leverages off IEEE 802.3 (Ethernet) technology – HomePNA frames are similar, and the Medium Access Control (MAC) protocol is Carrier Sense Multiple Access with Collision Detection (CSMA/CD). Neither the physical layer [4] nor the link layer [5] specifications of the HomePNA specifications contain any explicit provisions for security.

The most popular power-line based specification is that specified by the HomePlug Powerline Alliance. The alliance, after evaluating various powerline networking candidate solutions, decided to adopt Intellon’s PowerPacket™ solution. This is an integrated physical and MAC solution that operates in the 4.3 MHz – 20.9 MHz range, and is capable of achieving data rates of 14 Mbps. The MAC protocol is CSMA/CA. The PowerPacket™ technology also boasts secure communication. Other power-line networking solutions include X-10 (legacy, mainly unidirectional, used for controlling home lighting, appliances, heating etc.) and proprietary protocols by Enikia Incorporated (which provides security by using a 3-way handshake protocol and a token bus based Secure Sparse Token MAC protocol) and Inari. LonWorks by Echelon is yet another popular power-line technology that has been standardized by the American National Standards Institute (ANSI), the Institute of Electrical and Electronics Engineers (IEEE) and other bodies.

Some of the popular wireless technologies for home networking include IEEE 802.11 (wireless LAN), Bluetooth, HomeRF, Digital Enhanced Cordless Telecommunications (DECT) etc. Due to the ease of eavesdropping in wireless technologies, the need for security is great. Consequently, all wireless technologies have incorporated security features into them. DECT uses dynamic channel selection and encryption techniques to protect against eavesdropping, while Bluetooth and IEEE 802.11 have mechanisms for encryption as well. Bluetooth uses a stream cipher algorithm for encryption, IEEE 802.11 uses a 64-bit shared key encryption mechanism within its security mechanism termed WEP, while HomeRF uses a 56-bit shared key encryption mechanism.

The popular high-speed bus technologies include the Universal Serial Bus (USB), the IEEE 1394 standard, and the IEEE 802.3 (Ethernet) standard. The USB 2.0 Specification does not explicitly mention security at all. IEEE 1394’s "5C" mechanism protects content that flows over the 1394 bus. In addition, service providers may incorporate their own content protection mechanisms.

 

2.2 Home Network Interconnectivity technology

Some of the popular network infrastructure technologies for connecting a home network to a Wide Area Network (WAN) include Digital Subscriber Line (xDSL), Cable, Multichannel Multipoint Distribution System (MMDS), Local Multipoint Distribution System (LMDS), satellite technologies and powerline technologies.

Since xDSL involves a dedicated physical line between the customer premises and the Central Office (CO), the chances of eavesdropping are small. When cable technology or wireless technologies such as MMDS, LMDS and satellite are used, the shared nature of the medium among several subscribers implies that more sophisticated mechanisms are needed to prevent eavesdropping.

The always-on nature of these technologies, while a convenience to subscribers, is an added security threat. Once an attacker is able to penetrate a user’s home network, he/she could potentially do one of two things:

  • Access confidential information belonging to the subscriber. This directly hurts the subscriber since sensitive information such as credit card numbers etc. can be stolen.
  • Utilize subscriber system resources to run "zombie" programs and launch attacks such as Distributed Denial-of-Service (DDoS) attacks. The victims in this case are both the subscriber whose home resources are being utilized as well as the server on which the DDoS attack is launched. In addition to his/her resources being utilized, the subscriber may also be held liable for damages to the server if he/she has not taken suitable measures to combat such an attack.

The use of personal firewalls, as described in a later section, decreases the chances of an attacker successfully attacking a user’s home network. In addition, some recent efforts within the IETF that help in countering DDoS attacks include:

  • Efforts within the itrace working group in the area of ICMP traceback. The idea here is that routers, in addition to forwarding packets, would also generate ICMP packets with a small probability. These ICMP packets are destined to the same destination as the other packets. Using such ICMP traceback packets, the destination can determine the path that the packets traversed from the source. Such forward path information is useful to combat source address spoofing that is commonly used in DDoS and other attacks. While the generation of such ICMP traceback messages has clear advantages, some of the major challenges that such an effort faces include dealing with user privacy issues, ISPs wishing to keep their network topology confidential, message authentication etc.
  • While Intrusion Detection Systems (IDS) are available for detecting network, host and application intrusion, the Intrusion Detection Exchange Format working group (IDWG) aims to specify a common message format. This would facilitate better coordination among various IDSs, thereby reducing intrusion instances by attackers.
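The ICMP traceback idea from the first bullet can be made concrete with a small simulation. This is an added example, not code from the paper or from the itrace working group; the router names, the message fields and the probability are assumptions chosen for illustration.

```python
import random

# Constructed forward path; router names are hypothetical. r1 is closest to
# the (possibly spoofed) source, r5 is the last hop before the destination.
PATH = ["r1", "r2", "r3", "r4", "r5"]

def forward_flow(path, n_packets, p, rng):
    """Forward n_packets along path. Each router, with probability p per
    packet, also sends the destination a traceback message naming itself
    and its adjacent hops on the forward path."""
    messages = []
    for _ in range(n_packets):
        for i, router in enumerate(path):
            if rng.random() < p:
                messages.append({
                    "router": router,
                    "prev": path[i - 1] if i > 0 else "source-side",
                    "next": path[i + 1] if i + 1 < len(path) else "destination",
                })
    return messages

def reconstruct_path(messages):
    """At the destination: chain the reported links backwards from the
    destination. The IP source address of the data packets is never used,
    so spoofing it does not change the result."""
    router_before = {m["next"]: m["router"] for m in messages}
    path, hop = [], "destination"
    # The membership check stops the walk if reports ever form a loop.
    while hop in router_before and router_before[hop] not in path:
        hop = router_before[hop]
        path.append(hop)
    return list(reversed(path))

def demo():
    rng = random.Random(2001)                        # fixed seed, repeatable run
    flood = forward_flow(PATH, 20000, 0.001, rng)    # large flow, small p
    gap = [m for m in flood if m["router"] != "r3"]  # as if r3 never reported
    return reconstruct_path(flood), reconstruct_path(gap)

if __name__ == "__main__":
    full, partial = demo()
    print("large flow:", full)
    print("gap at r3 :", partial)
```

A large flow yields reports from every hop, so the whole path is recovered; when one router never reports, only the segment nearest the destination can be chained. The messages here are unauthenticated, which is the message authentication challenge the bullet mentions.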

 

3 HAVi, Jini, UPnP, OSGi

The Home Audio/Video Interoperability (HAVi) provides middleware in terms of a set of APIs that can be used to develop multimedia applications. HAVi devices use the IEEE 1394 technology as the underlying network technology. HAVi has security mechanisms built-in to protect against malicious applications:

  • HAVi uses software elements (SE) – such as Registry, Event Manager, Stream Manager etc. – which are objects that exchange messages and events between themselves. In order to protect against a malicious application sending potentially dangerous messages to certain SEs, all SEs are classified as being either trusted or untrusted.
  • Device Control Modules (DCM), which exist for each HAVi appliance, may be downloaded. The authenticity of such downloaded DCMs is determined by a digital signature that is associated with each of them.

The Universal Plug and Play (UPnP) uses open technologies and standards in order to communicate between devices. Such technologies include HTML/XML, HTTP and TCP/IP. Consequently, the security features that are available within these open standards, are applicable to UPnP as well. For instance, some of the security features that are provided within XML are – XML Access Control, XML Digital Signatures, and XML field encryption. Similarly, HTTP provides two mechanisms for authentication – basic and digest. The TCP/IP protocol suite includes the Transport Layer Security (TLS) and the IP Security (IPSec) protocols for security.

Jini utilizes Java technology as a foundation. Consequently, the security features provided by Java 2 are directly applicable to Jini. For instance, the set of lookup services that a Jini service/application can discover is limited by access control policies determined by the Permissions class. Jini defines the net.jini.discovery.DiscoveryPermission class for this purpose.

The Open Services Gateway Initiative (OSGi) provides an API that enables the easy development and deployment of new services. The API is based on the Java 2 platform, and leverages off the security capabilities offered by the Java 2 platform. The security specification, currently under development, is expected to be released with the next version of the OSGi specification. Some of the security features within the OSGi specification include:

  • Authenticity and access control of bundles. Since bundles are installed when a new service is needed, the authenticity and integrity of bundles is important. Otherwise, an attacker could incorporate malicious code into a bundle. Similarly, the request for installation/deployment of bundles needs to be authenticated as well. In other words, mutual authentication is required.
  • Issue of trust. An important issue in OSGi is determining the trust relationship among the different entities – the OSG manufacturer, the OSG operator, the OSG service provider, the OSG service user etc. Typically, the OSG operator is trusted by all other entities, while the OSG operator itself must trust the OSG manufacturer to provide a secure platform.
  • OSGi uses a public key mechanism. The OSG operator is likely to be a Certification Authority (CA).

 

4 Private Addressing, Personal Firewalls and VPNs

4.1 Private Addressing

Private IPv4 addresses may be assigned to devices within a home network in order to cope with limited IPv4 address space. Since assignment of private IP addresses comes with no added cost to the user, this is attractive from a pricing perspective as well. However, when a device within the home network needs to communicate with a device that is outside the home network, one of two possible approaches is resorted to:

  • Network Address Translators (NAT) residing at the boundary of the home network replace the private IP address with a public address when the packet leaves the home network, and vice versa.
  • Realm Specific IP (RSIP) is a mechanism whereby a suitable IP address (private or public) is assigned to the device depending on whether the remote communication endpoint resides within the same home network or outside it.

One of the security related features that NAT provides is the privacy of the endpoint within the home network. The remote endpoint outside the home network is not aware of the IP address or topology of the local endpoint within the home network. When a local and a remote endpoint communicate with each other at two different instances, the NAT feature prevents the remote endpoint from detecting that it is the same local endpoint, thereby facilitating privacy.

There are two flavors of NATs that are commonly used within home networks – basic NAT and Network Address Port Translators (NAPT). With basic NAT, a subscriber with only one public IP address can have only one device within the home network communicating with a remote device outside the home network, at any given instance. However, with NAPT, although a subscriber may have only one public IP address, several devices within the home network may communicate with devices outside the home network simultaneously. The reason is that while basic NATs bind private IP addresses to public IP addresses, NAPTs bind a private transport address (IP address and port) to a public transport address. Thus, several devices within the home network may be bound to the same public IP address, while being distinguished by different port numbers.

Although NATs provide privacy to some extent, they suffer from a serious security drawback, in that they break the end-to-end IP Security (IPSec) security model. When a local endpoint within the home network establishes an IPSec Authentication Header (AH) or Encapsulating Security Payload (ESP) Security Association (SA) for packet authentication purposes, any modification in the IP address and/or port number by the NAT would result in the packet being discarded at the remote endpoint.
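The two preceding paragraphs, NAPT port binding and the resulting IPSec AH failure, are shown together in the added example below (not part of the original paper). The addresses, ports and key are constructed, and `ah_icv` is a simplified stand-in: real AH computes its integrity check value over the immutable IP header fields and the payload, which is modelled here as a keyed MAC over the addresses, ports and data.

```python
import hashlib
import hmac

class Napt:
    """NAPT: binds a private transport address (IP, port) to a port on the
    subscriber's single public IP address."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.bindings = {}               # (private ip, port) -> public port

    def translate_out(self, pkt):
        key = (pkt["src"], pkt["sport"])
        if key not in self.bindings:
            self.bindings[key] = self.next_port
            self.next_port += 1
        return {**pkt, "src": self.public_ip, "sport": self.bindings[key]}

def ah_icv(sa_key, pkt):
    """Simplified stand-in for the AH integrity check value: a keyed MAC
    over the addresses and the transport segment (ports and payload)."""
    fields = ("src", "dst", "sport", "dport", "payload")
    covered = "|".join(str(pkt[f]) for f in fields)
    return hmac.new(sa_key, covered.encode(), hashlib.sha256).digest()

def ah_verify(sa_key, pkt, icv):
    """Remote endpoint: recompute the value over the packet as received."""
    return hmac.compare_digest(ah_icv(sa_key, pkt), icv)

def demo():
    sa_key = b"constructed-sa-key"       # constructed key, illustration only
    napt = Napt("203.0.113.10")          # constructed public address
    pc = {"src": "192.168.1.20", "sport": 5000,
          "dst": "198.51.100.5", "dport": 80, "payload": "hello"}
    tv = {**pc, "src": "192.168.1.21"}   # second home device, same port
    icv = ah_icv(sa_key, pc)             # computed by the sender, before NAPT
    pc_out, tv_out = napt.translate_out(pc), napt.translate_out(tv)
    return {
        "shared_public_ip": pc_out["src"] == tv_out["src"],
        "distinct_ports": pc_out["sport"] != tv_out["sport"],
        "verifies_untranslated": ah_verify(sa_key, pc, icv),
        "verifies_after_napt": ah_verify(sa_key, pc_out, icv),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```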

Using RSIP, a home user can obtain end-to-end IPSec authentication while coping with the problem of limited IPv4 addresses. Since a public transport address is assigned to a local device communicating with a remote endpoint outside the home network, no address/port translation is needed, thereby facilitating interworking with IPSec authentication.

4.2 Personal Firewalls

Firewalls have traditionally been used at the periphery of corporate networks, in order to protect these networks from outside attacks. In addition, they also act as a policy enforcement point whereby different policies may be enforced for different users/hosts within the protected domain. With the proliferation of networked devices within a home network, firewalls protecting home networks are desirable. These firewalls are typically referred to as personal firewalls.

Typically, firewalls have come in three categories:

  • Packet Filters: These are of two kinds – static packet filters and stateful packet filters. Static packet filters have a static configuration based on which packets are either granted or denied access. They do not maintain any state about the session, and handle packets on a per-packet basis. Stateful packet filters, on the other hand, maintain information on session state, and based on this information, packets may dynamically be granted or denied access. The static nature of static packet filters makes them unsuitable for home networks due to the typical dynamic nature of port assignment for several home network sessions. Stateful packet filters are neither adequate nor economically feasible, and the performance requirements are too high for a low-end single-point-of-access gateway.
  • Circuit Gateways: The most common circuit gateway is SOCKS. Here, a SOCKS server typically residing at the edge of the home network establishes a TCP connection (or circuit) to each of the communicating endpoints, and the session data is relayed by the SOCKS server. The SOCKS client within the home network authenticates the establishment of such a virtual circuit. Such a mechanism is also complex and not very suitable for UDP traversal.
  • Application Level Gateways: Application level gateways (also known as proxies) operate by being aware of the application. While being very secure, they are not scalable since such a solution would require that each application have a proxy at the edge of the home network. In addition, this is an expensive solution.

In light of the unsuitability of some of the traditional firewall solutions for home networks, newer solutions are being considered. One technique that holds promise is based on a Firewall Control Interface between a device within the home network and the firewall. Using such an open interface, all application level functionality can be moved towards the end-devices, and the end-device controls the firewall to allow legitimate traffic to pass through.
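The added example below (not part of the original paper) contrasts a static packet filter with a firewall driven through a control interface for a session that uses a dynamically assigned port. The `ControlledFirewall` API is hypothetical, and the addresses, ports and timings are constructed. It assumes the filter sees the home device's own address as the destination, and that a request is accepted only from inside the home prefix and only for traffic addressed to the requester.

```python
import ipaddress

class StaticFilter:
    """Static packet filter: fixed list of inbound destination ports, no state."""
    def __init__(self, allowed_ports):
        self.allowed_ports = frozenset(allowed_ports)

    def permits(self, pkt, now):
        return pkt["dport"] in self.allowed_ports

class ControlledFirewall:
    """Default-deny edge filter. End devices open time-limited pinholes
    through a control interface (hypothetical API, not a real product's)."""
    def __init__(self, home_prefix):
        self.home = ipaddress.ip_network(home_prefix)
        self.pinholes = {}     # (remote ip, local ip, local port) -> expiry time

    def open_pinhole(self, requester_ip, remote_ip, local_port, now, lifetime):
        # Only a device inside the home network may ask, and the pinhole
        # always points at the requester itself, never at another device.
        if ipaddress.ip_address(requester_ip) not in self.home:
            return False
        self.pinholes[(remote_ip, requester_ip, local_port)] = now + lifetime
        return True

    def permits(self, pkt, now):
        expiry = self.pinholes.get((pkt["src"], pkt["dst"], pkt["dport"]))
        return expiry is not None and now < expiry

def demo():
    device, peer, other = "192.168.1.20", "203.0.113.7", "198.51.100.9"
    # Constructed inbound media packet; port 49170 was chosen for this session.
    media = {"src": peer, "dst": device, "dport": 49170}
    static = StaticFilter({80, 443})
    fw = ControlledFirewall("192.168.1.0/24")
    results = {
        "static": static.permits(media, now=0),
        "before_request": fw.permits(media, now=0),
        "outsider_request": fw.open_pinhole(other, peer, 49170, now=0, lifetime=60),
        "device_request": fw.open_pinhole(device, peer, 49170, now=0, lifetime=60),
    }
    results["peer_in_window"] = fw.permits(media, now=30)
    results["other_remote"] = fw.permits({**media, "src": other}, now=30)
    results["after_expiry"] = fw.permits(media, now=61)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```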

4.3 Virtual Private Networks (VPN)

Users within a home network may need to connect securely with a remote network (such as a corporate network) while traversing through an insecure network (such as the public Internet). Some commonly used mechanisms to achieve this include the Layer 2 Tunneling Protocol (L2TP) and IP Security (IPSec) used in the tunnel mode.

5 Conclusion

Although tremendous progress has been made within the home networking industry in recent years, several challenges remain. Particularly, making such systems secure from an end-to-end perspective is a critical area that needs greater investigation. For instance, one may have a scenario where Jini is used to discover available services within a community, following which an OSGi bundle is installed within the residential gateway, and HAVi is used to actually deliver the service itself. In such a case, the interworking of different technologies requires greater investigation into the security implications.

Personal firewalls at the edges of the home network are beginning to become necessary specifically with the prevalent use of "always-on" technologies such as DSL and cable-modem. Suitable and user-friendly techniques are still lacking in this area, and a "firewall control interface" solution seems to hold most promise. Other standardization efforts within the IETF – such as for ICMP traceback and intrusion detection – were also discussed in the context of DDoS attack prevention.

 

 

 

 

References

1. O’Driscoll G., "The Essential Guide to Home Networking Technologies," Prentice Hall, 2001.

2. Open Services Gateway Initiative (OSGi), www.osgi.org

3. Home Phoneline Networking Alliance (HomePNA), www.homepna.org

4. "Interface Specification for HomePNA 2.0 10M8 Technology," HomePNA, Dec 1999.

5. "Interface Specification for HomePNA 2.0 10M8 Technology: Link Layer Protocols," HomePNA, Dec 1999.

6. Enikia Incorporated, www.enikia.com

7. HomePlug Powerline Alliance, www.homeplug.com

8. Intellon, www.intellon.com

9. Inari, www.inari.com

10. IETF itrace working group, http://www.ietf.org/html.charters/itrace-charter.html

11. IETF Intrusion Detection Working Group, http://www.ietf.org/html.charters/idwg-charter.html

12. IEEE 1394 Trade Association, http://www.1394ta.org/

13. Universal Serial Bus, http://www.usb.org

14. Universal Serial Bus Specification 2.0, April 2000.

15. S. Kent, R. Atkinson, "Security Architecture for the Internet Protocol," RFC-2401, IETF, Nov. 1998.

16. W.R. Cheswick, S.M. Bellovin, "Firewalls and Internet Security," Addison-Wesley, 1994.

17. M. Leech, M. Ganis, Y. Lee, R. Kuris, D. Koblas, L. Jones, "SOCKS Protocol Version 5," RFC-1928, IETF, March 1996.

18. P. Srisuresh, M. Holdrege, "IP Network Address Translator (NAT) Terminology and Considerations," RFC-2663, IETF, Aug 1999.

19. IETF NAT Working Group, http://www.ietf.org/html.charters/nat-charter.html