Kaspersky IoT Secure Gateway

The market now offers numerous gateways and routers described as "secure" or "trusted". These devices provide a range of technologies to protect against cyberthreats: antivirus scanners, network traffic inspection, firewalls, etc. It is important to understand that these technologies are designed to protect the devices connected to the gateway; far less attention is paid to protecting the gateway itself. If the gateway is compromised, every one of those protection technologies can be switched off by the attacker. So, if the previous generation of technologies is not enough, how do we secure the gateway?

Purpose

Kaspersky Lab's offering, Kaspersky Secure Gateway, contains a range of technologies that allow you to take a qualitatively different approach to securing infrastructure for the industrial internet of things and smart home devices. It can be done using your existing hardware and your own custom firmware. Together with the best technologies for infrastructure security, it implements trusted technologies that guarantee the secure behavior of the gateway or router itself. We designed our solution to embed security modules and technologies in the device firmware so it can protect hardware with varying degrees of customization.

Kaspersky Secure Gateway lets you implement the security technologies and features listed below, as well as any other features your deployment requires.

Features

Root of Trust

This approach is based on a chain of trust: each stage verifies the next before handing over control. The initial point of trust (the root) is chosen according to the level of assurance required; for the strongest guarantees it is anchored in hardware.

KasperskyOS

KasperskyOS is a secure operating system for embedded connected devices with specific cybersecurity requirements. It creates an environment in which a vulnerability or a piece of bad code in one component is contained and no longer compromises the device as a whole. Learn more about KasperskyOS

Kaspersky Security System

Kaspersky Security System (KSS) is a security policy verdict computation engine: it decides whether a given interaction is permitted by the configured policy. Its verdicts are enforced by KasperskyOS, or by the Linux-based firmware into which KSS can alternatively be embedded. Learn more about KSS for Linux

Kaspersky Security Network reputation service

Kaspersky Security Network (KSN) is a complex distributed infrastructure dedicated to processing cybersecurity-related data streams from millions of voluntary participants around the world. It delivers Kaspersky Lab’s security intelligence to every partner or customer connected to the internet, ensuring the quickest reaction times and the lowest false positive rate, while maintaining the highest level of protection.

Secure Boot

Secure Boot allows an IoT device to verify the integrity and authenticity of the firmware image cryptographically before booting it. It can use secure hardware key storage and detects whether the firmware image is damaged or altered. If the signature check or the decryption step fails, the image is not booted; the device instead boots the previous "good" firmware or enters maintenance mode. This means altered, modified, infected or damaged firmware never starts, because it is not signed and encrypted with the authorized keys.

Secure Boot runs at the device boot stage, before the operating system. It first checks the digital signature of the firmware to be booted. If the signature is correct (issued by a trusted source and the firmware has not been modified), Secure Boot decrypts the firmware image; successful decryption means the image was encrypted for the device's trusted key pair. Note that it is the signature check that establishes authenticity and integrity; decryption protects the confidentiality of the firmware and is not by itself proof of origin. If both steps succeed, the firmware image boots. If either step fails, Secure Boot tries to boot the previous firmware image or switches to maintenance mode. The fallback should be paired with an anti-rollback check (for example a monotonically increasing firmware version kept in tamper-resistant storage); otherwise an attacker who can make the current image fail verification can push the device back onto an older, still validly signed build with known vulnerabilities.

Secure Update

Secure Update allows the system to verify the integrity and authenticity of firmware updates cryptographically. It works together with Secure Boot and ensures that firmware is only updated from correctly signed and encrypted images that come from trusted sources.

It works as follows:

  1. The management console issues a download command.
  2. The update downloader retrieves the update image.
  3. The downloader stores the image in temporary update storage and seals it.
  4. The data from storage is passed to the data verifier.
  5. The verifier checks the image and authorizes it if it passes the check.
  6. The authorized image is handed to the updater.

The secure update procedure is then complete.
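The boot-time checks described under Secure Boot and the six-step update pipeline above, as one added example (illustrative code written for this page, not Kaspersky's product code). The image header format, the names sign_image, verify_image, select_boot_image and UpdateStaging, and the keys are assumptions for the illustration; an HMAC tag stands in for the asymmetric signature a real bootloader would verify with a public key, and image encryption is omitted because it adds confidentiality rather than authenticity. The example goes slightly beyond the text in making the anti-rollback version check explicit.

```python
"""Illustrative Secure Boot / Secure Update logic; not Kaspersky's code.

Assumed image layout: MAGIC(4) | VERSION(4, big-endian) | PAYLOAD_LEN(4) | PAYLOAD | TAG(32)
TAG is an HMAC-SHA256 over everything before it and stands in for the asymmetric
signature a real bootloader checks with a public key held in ROM or a secure element.
Image encryption is left out: it adds confidentiality, not authenticity.
"""
import hashlib
import hmac
import struct

MAGIC = b"KSGW"
HEADER = struct.Struct(">4sII")
TAG_LEN = 32
SIGNING_KEY = b"example-vendor-key-not-for-production"  # stand-in; a device holds only a public key


def sign_image(version, payload, key=SIGNING_KEY):
    """Vendor side: header + payload + tag."""
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_image(image, key=SIGNING_KEY):
    """Return (version, payload) if the image is well-formed and authentic, else None.
    Lengths are checked before the tag so a truncated image fails closed."""
    if len(image) < HEADER.size + TAG_LEN:
        return None
    magic, version, payload_len = HEADER.unpack_from(image)
    if magic != MAGIC or HEADER.size + payload_len + TAG_LEN != len(image):
        return None
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return None
    return version, body[HEADER.size:]


def select_boot_image(slots, min_version):
    """Secure Boot: walk `slots` (current image first, previous "good" image next)
    and return (slot_name, version) of the first image that is authentic and not
    older than `min_version`, the monotonic counter kept in tamper-resistant
    storage. That counter is the anti-rollback check: without it, falling back
    to a previous image lets an attacker force a validly signed but vulnerable
    build. If no slot qualifies, the device enters maintenance mode."""
    for name, image in slots:
        result = verify_image(image)
        if result is None:
            continue                      # damaged, altered or unsigned
        version, _payload = result
        if version < min_version:
            continue                      # authentic, but rolled back
        return name, version
    return "MAINTENANCE", None


class UpdateStaging:
    """Secure Update steps 3-6: store and seal, verify, authorize, apply."""

    def __init__(self, current_version):
        self.current_version = current_version
        self.staged = None
        self.seal = None

    def store(self, blob):
        """Step 3: keep the downloaded bytes and seal them with a digest so the
        verifier and the updater are guaranteed to operate on the same bytes."""
        self.staged = bytes(blob)
        self.seal = hashlib.sha256(self.staged).hexdigest()
        return self.seal

    def verify_and_authorize(self):
        """Steps 4-5: re-check the seal, then signature and version.
        Returns the authorized version, or None."""
        if self.staged is None or hashlib.sha256(self.staged).hexdigest() != self.seal:
            return None                   # storage altered after sealing
        result = verify_image(self.staged)
        if result is None:
            return None
        version, _payload = result
        if version <= self.current_version:
            return None                   # refuse downgrade or replay
        return version

    def apply(self):
        """Step 6: hand the authorized image to the updater. Returns the bytes
        to write into the inactive slot, or None if authorization failed."""
        version = self.verify_and_authorize()
        if version is None:
            return None
        self.current_version = version
        return self.staged


if __name__ == "__main__":
    good = sign_image(7, b"firmware-v7")
    altered = bytearray(good)
    altered[HEADER.size] ^= 0x01          # flip one payload byte
    print(select_boot_image([("A", bytes(altered)), ("B", good)], min_version=5))
```

Two design points worth noting: every length field is validated before the tag is compared, so a truncated or padded image is rejected rather than raising an exception that a careless bootloader might treat as "not yet failed"; and the update path refuses an image whose version is not strictly newer, which closes the replay and downgrade case that "verify the signature" alone does not.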

Secure Audit

Secure Audit is a KasperskyOS feature that recognizes, records and stores audit events and guarantees that log entries cannot be altered without detection. Secure Audit can use blockchain technology for distributed, tamper-resistant log management.

Key features:

  • Auditable events are specified both at user level and, independently, at system level, in the form of a security policy expressed by means of KSS
  • The source of each audit event is determined by KasperskyOS independently of the event's originator, in a trustworthy way, and is included in the audit log record
  • Secure Audit provides a flexible and scalable audit log storage architecture
  • Audit log spoofing detection is implemented
  • Secure Audit complies with the requirements of ISO/IEC 15408-2 (Common Criteria Part 2, security functional components)
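The "entries cannot be altered without detection" property, as an added example of the usual mechanism (illustrative code written for this page, not KasperskyOS's Secure Audit implementation): each entry carries a keyed MAC over its own content and the previous entry's MAC, so an edit, deletion or reordering anywhere breaks the chain from that point on. The key, the names AuditLog, verify_chain and _entry_mac, and the sample events are assumptions for the illustration.

```python
"""Illustrative tamper-evident audit log (hash chain with keyed MACs); not KasperskyOS code."""
import hashlib
import hmac
import json

# Stand-in for a key held by the audit subsystem and unreadable to user-level code.
AUDIT_KEY = b"example-audit-key-not-for-production"
GENESIS = "0" * 64


def _entry_mac(prev, seq, source, event, key):
    """MAC over (previous MAC, sequence number, source, event) in canonical JSON."""
    canon = json.dumps([prev, seq, source, event], sort_keys=True,
                       separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self, key=AUDIT_KEY):
        self.key = key
        self.entries = []

    def append(self, source, event):
        """`source` is the subject identity as established by the kernel (the
        independent source recognition the page describes), not a field the
        logging caller gets to choose. Each entry binds to the previous MAC."""
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        seq = len(self.entries)
        entry = {"seq": seq, "prev": prev, "source": source, "event": event}
        entry["mac"] = _entry_mac(prev, seq, source, event, self.key)
        self.entries.append(entry)
        return entry


def verify_chain(entries, key=AUDIT_KEY):
    """Return (ok, index): index is the first bad entry, or len(entries) if all
    verify. Catches in-place edits, deletions, reordering and forged entries
    from anyone without the key. Silently dropping the tail is only detectable
    if the latest MAC is anchored elsewhere, which is what distributed or
    blockchain-backed storage provides."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return False, i
        if not hmac.compare_digest(e["mac"], _entry_mac(prev, i, e["source"], e["event"], key)):
            return False, i
        prev = e["mac"]
    return True, len(entries)


if __name__ == "__main__":
    log = AuditLog()
    log.append("kernel:pid=12", {"op": "open", "path": "/etc/passwd"})  # constructed events
    log.append("kernel:pid=13", {"op": "exec", "path": "/tmp/x"})
    print(verify_chain(log.entries))
    log.entries[1]["event"]["path"] = "/bin/true"                         # in-place edit
    print(verify_chain(log.entries))
```

A plain unkeyed hash chain would let anyone who can write the log rewrite every later link as well; the key (or, in a real system, a signature key held by the audit subsystem or a secure element) is what turns "detect accidental corruption" into "detect spoofing".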

Machine learning-based protection

To ensure customer networks are protected in the best possible way, we designed the Machine Learning (ML) protection mechanism, which can also be implemented on gateways or routers. ML is used to discover all network devices via passive and active analysis, understand their behavior, build a profile of each device and detect when something in the network is not functioning as intended. For example, ML can detect when a device has been hacked or infected by malware and tries to send unusual data, or normal data to an unusual destination. ML technologies also make it possible to detect stealthy malicious activity and data transfers concealed in normal traffic.

ML protection uses not only the gateway's own system resources but also Kaspersky Security Network cloud ML to learn fast and make split-second decisions. Decisions also draw on the experience of other devices and services using Kaspersky Lab products.

ML asset discovery

ML-based asset discovery technology can discover, categorize and organize all the assets in the protected network automatically. Using special fingerprint technology, our solution detects the type of device, maker’s name and model (and even firmware version) by simply analyzing specific parts (metadata) of the network traffic.

ML device behavior analysis

Once assets in the network are discovered and categorized, a specific profile is created describing the overall (healthy) network behavior of the asset. Such profiles describe how a specific device with the current firmware is behaving in the customer’s network.

ML anomaly detection

Based on ML asset discovery and device profiling, any anomaly in IoT (or IIoT) device behavior can be detected. ML anomaly detection can detect malware and botnet activity, use of your device in DDoS attacks, firmware exploitation, miners, device control interception by hackers, etc.

Application Control

Before executing a new binary file, Application Control calculates its hash and queries Kaspersky Security Network for the reputation trust level and security recommendations for that application. If the hash matches a known-malicious object in the KSN database, Application Control prevents the code from executing on the device. This technology can prevent IoT devices from being infected with malware such as Mirai or Bashlite.
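The hash-then-lookup step, as an added example (illustrative code written for this page, not Kaspersky's Application Control). The KSN query is replaced by a constructed local table so it runs offline; REPUTATION, lookup_verdict, is_allowed, check_bytes and check_and_open are assumptions for the illustration. It adds two points a practitioner needs that the paragraph does not spell out: what to do when the reputation service has never seen the object, and hashing the same open descriptor that is then executed.

```python
"""Illustrative pre-execution hash check; not Kaspersky's Application Control.
The KSN query is replaced by a constructed local reputation table so it runs offline."""
import hashlib
import os

# Constructed stand-in for KSN verdicts: SHA-256 hex digest -> verdict
REPUTATION = {
    hashlib.sha256(b"#!/bin/sh\necho hello\n").hexdigest(): "trusted",
    hashlib.sha256(b"CONSTRUCTED-MALICIOUS-SAMPLE").hexdigest(): "malicious",
}


def lookup_verdict(digest, table=REPUTATION):
    return table.get(digest, "unknown")


def is_allowed(verdict, default_deny=True):
    """Malicious never runs, trusted always runs. What to do with an object the
    reputation service has never seen is a deployment decision; default-deny is
    the safer setting for a gateway whose set of legitimate binaries is fixed."""
    if verdict == "malicious":
        return False
    if verdict == "trusted":
        return True
    return not default_deny


def check_bytes(data, default_deny=True):
    """Verdict and decision for an in-memory object."""
    verdict = lookup_verdict(hashlib.sha256(data).hexdigest())
    return verdict, is_allowed(verdict, default_deny)


def check_and_open(path, default_deny=True):
    """Open the file once, hash that open descriptor, and return the same
    descriptor for os.fexecve(). Hashing by path and then executing by path
    would let an attacker swap the file in between (a TOCTOU race)."""
    fd = os.open(path, os.O_RDONLY)
    h = hashlib.sha256()
    while chunk := os.read(fd, 65536):
        h.update(chunk)
    os.lseek(fd, 0, os.SEEK_SET)
    verdict = lookup_verdict(h.hexdigest())
    if not is_allowed(verdict, default_deny):
        os.close(fd)
        return verdict, None
    return verdict, fd
```

On a real gateway this decision belongs in a kernel-enforced hook (the page's design puts policy enforcement in KasperskyOS or the firmware) rather than in a user-space wrapper that a malicious process could simply bypass; the wrapper here only shows the check itself.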

IoT device scanner

IoT device scanner is a technology designed to discover all IoT devices in a customer’s network (e.g. IP cameras, TVs, media devices, etc.). After discovering devices, the solution scans them for vulnerabilities that can be exploited by malware or hackers. If vulnerabilities are found, special security recommendations are issued.

Web filter/parental control

Depending on the purpose of your device, web filtering (for enterprise and industrial devices) or parental control (for consumer devices) technology can be applied to your firmware with the Kaspersky Secure Gateway SDK.

Web filter

Kaspersky Web Filter is a technology which provides protection from phishing, malicious websites and inappropriate content.

With Kaspersky Web Filter you can classify websites according to dozens of pre-defined categories, allowing you to:

  • Protect users and the network by blocking phishing and malicious websites
  • Control web usage and reduce corporate traffic
  • Increase employee productivity: reduce the time spent on non-work-related activity by restricting access to non-productive sites such as social networks and online games
  • Enforce parental control for children by blocking inappropriate content

Parental control

With parental control installed, customers can monitor their kids’ online behavior, protect them from unwanted contacts, block their access to inappropriate content and games, manage app downloads, keep track of messages on social networks and prevent the family’s personal information from falling into the wrong hands.

Advantages

  • Secure by design system
  • Root of trust
  • Multi-level security model
  • Device hardening
  • Modular design

Technical requirements

  • Kaspersky Secure Gateway technologies are currently implemented in the Linux-based OS (firmware) running on devices with ARM, MIPS and x86 architectures.

Patents

US 7386885 B1, US 7730535 B1, US 8370918 B1, EP 2575318 A1, US 8522008 B2, US 20130333018 A1, US 8381282 B1, EP 2575317 A1, US 8370922 B1, EP 2575319 A1, US 9015797 B1, DE 202014104595 U1.
