Secure Remote Access

Introduction

Over the past two decades, secure outbound remote access to enterprise IT resources (servers, applications, services, cloud, etc.) became a stable, but often neglected, technology. With the advent of edge computing, industrial enterprises have been increasingly realizing the need for secure inbound remote access for a variety of reasons, including remote troubleshooting, run-time configuration changes, and remote monitoring.

What Isn’t Working

MQTT and CoAP: Message Queuing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP) are two of the most popular publish-subscribe machine-to-machine (M2M) protocols. Both are very easy to use, adaptable and lightweight protocols suitable for effectively connecting a large array of devices over the Internet, and are specifically designed for resource-constrained, M2M use cases (e.g. low power, high latency, limited bandwidth).

However, these communication protocols between devices and cloud brokers come with their own risks and pitfalls. A December 2018 Trend Micro report, “The Fragility of Industrial IoT’s Data Backbone: Security and Privacy Issues in MQTT and CoAP Protocols”, puts the issue of M2M security vulnerabilities front and center. The report highlights how attackers have been able to locate exposed IoT servers and brokers to leak over 200 million MQTT messages and 19 million CoAP messages. Attackers can then weaponize these in industrial espionage, denial-of-service attacks, and targeted attacks:

  • Although MQTT can run over TLS, there are situations where the MQTT protocol may be used unsafely by the applications that process messages. The major risks are insertion of tainted data and commands, insertion of fake devices, denial of service, and remote code execution.
  • Over-the-air code or software upgrades over MQTT could be easily intercepted by attackers to take complete and persistent control of an endpoint.
  • MQTT and CoAP are only good for stereotypical “IoT” application traffic to connect to outbound cloud broker services but do not fit inbound shell/console access.
  • Applications are required to be rewritten to use their protocol and semantics.
  • Neither MQTT nor CoAP secure the entire gateway or host attached to the sensors and machines; they just secure their own device stream.
  • Neither MQTT nor CoAP natively support scalable device provisioning and key management.

Traditional VPN Models: Legacy VPN models also lack the flexibility and the ability to scale to meet machine builders’ specific needs with secure inbound remote access.

The Way Going Forward

As Gartner recommends, what today’s digital enterprise needs is a worldwide fabric/mesh of network and network security capabilities that can be applied when and where needed to connect entities to the networked capabilities they need access to. Think of an edge-compute-friendly, modular network infrastructure that functions as a global virtual LAN in which firewalls, identity and access management, over-the-air updates, remote access and troubleshooting, etc. are all built in foundationally. This network runs over any untrusted host as well as over any access or cloud infrastructure for any edge computing needs. In addition, the network can self-isolate depending on user needs while remaining invisible to the rest of the public Internet. Lastly, such a network infrastructure must offer a user-friendly interface for facilities operators to manage the network seamlessly, all from a single-pane-of-glass dashboard.

Key Takeaway

Industrial enterprises with dispersed assets and diverse data sources are increasingly realizing that relying on conventional VPNs or point-to-point MQTT/CoAP device-to-cloud-broker connections does not scale and is relatively insecure. Instead, the industrial enterprise of tomorrow needs an identity-centric, network security-based model that is akin to a global virtual LAN running invisibly over the untrusted public Internet. This helps enterprises simplify secure inbound remote access and connectivity for their dispersed networks of things and machines, and realize economies of scale.
