Podcast Apr 06, 2020

Root Causes 81: What Is Embedded Firewall?

Security for IoT devices depends not only on establishing strong identity mechanisms for devices and the services they connect to but also on ensuring the ongoing integrity of device operations.

In this episode our hosts are joined by guest Alan Grau to explain what an embedded firewall is and how it aids security for connected devices.

  • Original Broadcast Date: April 6, 2020

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    We are doing great because we have our super guest today, Alan Grau. Alan is the VP of IoT and embedded solutions here at Sectigo. We always enjoy talking to Alan. How are you doing today, Alan?

    So, thanks for coming on. One of the things that we talk about - - we find ourselves talking about with increasing frequency just out in the market and out in the public is the concept of embedded firewalls and I think everybody knows what a firewall is and I think we can all imagine what embedded means. But I thought - - we thought - - Jason and I thought it would be great to get you on to give everybody a real clear explanation of this concept, what it is, how it works and things along those lines. So, why don't we just kick off? What is your pithy definition Alan of an embedded firewall?

  • Alan Grau Sectigo

    So, an embedded firewall really is a piece of software that, or could be hardware, but it's a solution that allows a device to control what packets it receives. It can have that packet filtering capability on the device itself and the embedded part of it is, you know, we're not talking about a Windows machine, we're not talking about a big network router or a big network appliance sitting in your infrastructure. Right? We're talking about a medical device that's running in a hospital or in a patient's home or a wearable device. We could be talking about an industrial control system sitting out on a power grid or in a factory someplace. We could be talking about a connected car that's driving down the road but still communicating with infrastructure, with other vehicles, with smartphone applications and, you know, all of these devices are subject to attack. Hackers are going to, you know, if they can find something, they're going to try to break into it and so they need an ability to manage and control what communication is happening on the device.

  • Tim Callan

    And so just like a traditional firewall, what we think of as a firewall, what the embedded firewall does is it has a set of expectations for what kind of communications will be allowed and anything that isn't meeting those expectations is blocked. Am I getting that right?

  • Alan Grau Sectigo

    Yeah. At the very highest level, that is absolutely what it’s doing.

  • Tim Callan

    And so, I would imagine that the devices you're talking about can be very limited in terms of memory, compute power, things along those lines. Is that an important factor when we're talking about embedded firewalls?

  • Alan Grau Sectigo

    I think that's, you know, the factor that distinguishes between an embedded firewall and a traditional firewall, or at least one of the main differentiators. So, yeah it absolutely is and one of the first ports that we did when we originally, so ICON Labs, part of Sectigo, developed an embedded firewall product quite some number of years ago. I think our first release of that was back in like 2013 or 2014.

  • Tim Callan

    Ok.

  • Alan Grau Sectigo

    I’d have to go check. And one of the first use cases we had for that was a company that was building a device using an 8-bit MCU that had a TCP/IP stack on it but they wanted, the company we were working with was concerned about security and so we were able to port that product onto that 8-bit MCU integrated with their TCP/IP stack and, you know, in this case, it's a very resource-limited device so, it only supported a fairly small set of rules. It didn't support all the features that the product supports but I think at the end of the day we were running into something under 10K of RAM and 10K of ROM it like in just under 10. So it was, you know, by most standards, very, very, very small. Obviously, if you get into, you know, a larger, you know, a medical device, a connected car, ECU, maybe a much, much larger capable, you know, even a 64-bit device with, you know, a lot of storage, there are other features that we can bring along, but, yeah, in some cases it can be quite small.

  • Tim Callan

    And there's another implication of what you just said, which is very customized. Um, should we assume that each embedded firewall is sort of, what do I want to say, custom built for the particular device and circumstances in which its operating?

  • Alan Grau Sectigo

    Yeah, that is generally quite true. I mean so these firewalls, you know, we work with the OEMs, you know, the companies building the products and provide them the software toolkit to build the firewall in. And so, as they're building the firewall in, they can customize the types of filtering that are being done. Right? Whether it's just simple rules-based filtering. Whether they have what's called stateful packet inspection, which can detect, you know, if you look at, and this gets kind of into the details on some TCP/IP-based attacks, that exploit the stateful behavior of the protocol to do malicious things. The firewall can actually detect if they're sending in packets that violate those state rules and block them, you know, so that may or may not be included depending upon the specific nature of the device, you know, our threshold-based filtering. There's some intrusion detection capability that can be included. And then there's the set of the specific rules. So, there's kind of like the capabilities of the firewall and then there are the rules for the specific device which can be configured, you know, during manufacturing or as the device is being used, they can be updated as with the traditional firewall. There's definitely, a lot of, of customization and configuration that can be supported.

  • Tim Callan

    So, what are the - - you rattled off a couple of examples in the beginning - - I know you said things like automotive. What - - where do we expect these devices to be deployed, right? Obviously, you and I won't see them, but we're probably benefiting from them on a regular basis. What sorts of industries and types of devices are using embedded firewall?

  • Alan Grau Sectigo

    So, the security professional in me says it should be everywhere.

  • Tim Callan

    Sure.

  • Alan Grau Sectigo

    If your device is - - but the really interesting example is the automotive space. So, if you go back to, it’s been several years ago there's the, you know, the now infamous, uh, Chrysler Jeep hack that, Charlie Miller and Chris Valasek demonstrated, right, where they were actually able to remotely hack into a vehicle as it was driving down the road, change the firmware on it and take control over it. They started playing with the wipers and eventually, you know, drove it off the road.

  • Tim Callan

    They could speed up and slow down and yeah, exactly.

  • Alan Grau Sectigo

    So, in the automotive space, you know, that was a kind of a turning point for the automotive industry where they woke up and said, oh wow, we are building safety critical devices that every American uses or gets touched by and we need to do more for security. And so, that's one space that is - - they’ve been really aggressive about ensuring security and doing so on multiple levels. You know, the firewall isn't the only component, but the modern car typically has what's called a gateway ECU in it. So, an ECU is an electronic control unit. Basically, it's a computer within a car, but the terminology in the automotive space is an ECU and the gateway ECU is the focal point for communication with the car. Well, as a focal point for communication, it's now become the focal point for attacks with the car. And so that's, one application where we've been working with companies to build the embedded firewall into those ECUs.

  • Tim Callan

    And so how prevalent are these? Like, should I assume that if I'm driving a late model vehicle that I am benefiting from an embedded firewall or is this still a technology that's coming into the mainstream?

  • Alan Grau Sectigo

    I would say it's still relatively early days. There are, you know, companies that we are actively working with that are building these into models and deploying them. I don't know that there are a lot of models that are on the road today that have this built in. There certainly are some but it's, you know, it's something that is, you know, we're going to see a lot more of in the coming years, you know, we've seen, you know, a much bigger interest with this, you know, 12/18 months as compared to, you know, 2, 3, 4 years ago.

  • Tim Callan

    So, we obviously need more adoption. This probably means we need an industry to get educated about it and understand the benefits and the needs. What else - - are there other ways that embedded firewalls in the industry are going to be evolving and changing? What's next for embedded firewalls?

  • Alan Grau Sectigo

    Well, I think part of it is just the development of the ecosystem. So, one of the things that we're actively doing is working with our partners to enable them to provide this as part of their solution. So, we work with companies, you know, two in particular are Green Hills who is one of the large real-time operating system providers across industries but they're very, very strong in the automotive space. Another is Mentor, who is a division of Siemens that provides technology for the specific thing that they are the most, or that we're working with them on anyway, I should say, is a platform called AUTOSAR which has a technology standard for building certain automotive ECUs and in both cases, enabling them to build an embedded firewall into their product that they are then selling into the automotive space because it's a large fragment of diverse space and, you know, the way these solutions are going to get deployed is as part of a platform. Right. So, you're not gonna go add one after the fact. Like, you know, you buy a PC you can add antivirus after the fact.

  • Tim Callan

    Right.

  • Alan Grau Sectigo

    It's going to come with your PC now, but you could change and update it. You know, with a car it has to be baked into the system and so working with those companies is a big part of it.

  • Jason Soroko

    Alan, uh, very quickly, you know, to tie this back to PKI and identity, you've mentioned AUTOSAR and some other real-time operating systems that work on embedded systems. There's a lot of software here, a lot of key software. I'm thinking if I'm the bad guy one of my points of, maybe not bypassing, but trying to modify the firewall would be to do things such as interfere with the firmware at the root level of a device. So, what I'm thinking is perhaps we have to have another podcast on how to protect the whole ecosystem of those electronic control units on a car which includes technologies such as Secure Boot and others that maybe we should have a, like I say, another podcast to go off and explain what some of those are, but can you very quickly wrap up where identity and PKI fits in here.

  • Alan Grau Sectigo

    Yeah, absolutely. As with any system, you know, there's no single, you know, security magic bullet that you add this one capability and your security problems are solved. Right? You have to have defense in depth. You have to have protection against all of the various attack vectors that someone can exploit when trying to hack into a vehicle. So yeah, if I'm in charge of building an automotive system and I'm in charge of security I'm going to look at making sure that I've got Secure Boot implemented. I'm going to make sure that I've got secure firmware updates implemented and I want to make sure that my baseline operating system doesn't have security vulnerabilities in the operating system itself. And then as I look at communication, right, you want to use protocols like TLS that offer strong security on the protocol level and that's enabled by PKI. Right? So, if you're doing a TLS session, you have to have an ability to identify who the other party is that you're talking about which requires certificates, aka PKI.

  • Tim Callan

    Yeah. So again, I think in a future podcast, we should talk about this further but I'll just touch on it now, which is, you know, specific industrial protocols such as CAN Bus in automotive. How does this all fit? Maybe just a sentence or two in terms of what is a rule that I can put into an embedded firewall that would help me the most? What's my lowest hanging fruit of a rule I can put in that would stop an attack on CAN Bus protocol?

  • Alan Grau Sectigo

    So, the CAN Bus, that's actually a pretty interesting topic and again, something again there's probably no, you know, here's the one simple little easy thing that we do to address that but CAN Bus is another, um, and another communication bus within a vehicle. So, you can have Ethernet communication within a vehicle, you can have IP-based communication, you know, TCP/IP or UDP on top of IP traffic within the vehicle or from the vehicle to external systems and most of what we've been talking about on the firewall side is addressing the question of communicating external to the vehicle through a gateway ECU which is typically IP-based traffic. So, an IP firewall. So, one of the other things that we have is a firewall for the CAN protocol or for the CAN Bus. So that's a different product that allows filtering of CAN messages so that you can again have a set of rules, have a set of expected behavior so that there is traffic that is in violation of the rules or is anomalous that you can detect and block that as well. So, it's, another, again, fairly significant topic in and of itself and provides another layer of protection. So, in an ideal solution, you'd have an IP firewall on your gateway ECU for communication, external to the device. You may have other ECUs within the car that have IP communications. So, there may be an endpoint firewall and more than one ECU in the car and then where you're doing CAN messaging you could have a firewall that's filtering the CAN packets as well to make sure that they're following the, you know, the expected traffic behaviors.

  • Jason Soroko

    Tim, you better stop us. We could do this all day.

  • Tim Callan

    We could. That is actually probably a great place to leave it. Thank you very much, Alan. I always enjoy talking to you and thank you, Jay. I always enjoy talking to you as well.

  • Jason Soroko

    Thank you, Tim.

  • Alan Grau Sectigo

    Thanks, Jason.

  • Tim Callan

    Thanks everybody. This has been Root Causes.