NIST SPECIAL PUBLICATION 1800-15
Securing Small-Business and Home Internet of Things (IoT) Devices:
Mitigating Network-Based Attacks Using Manufacturer Usage Description (MUD)
Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B); How-To Guides (C); and Functional Demonstration Results (D)
Donna Dodson*
Douglas Montgomery
Tim Polk
Mudumbai Ranganathan
Murugiah Souppaya
NIST
Steve Johnson
Ashwini Kadam
Craig Pratt
Darshak Thakore
Mark Walker
CableLabs
Eliot Lear
Brian Weis
Cisco
William C. Barker
Dakota Consulting
Dean Coclin
Avesta Hojjati
Clint Wilson
DigiCert
Tim Jones
Forescout
Adnan Baykal
Global Cyber Alliance
Drew Cohen
Kevin Yeich
MasterPeace Solutions, Ltd.
Yemi Fashina
Parisa Grayeli
Joshua Harrington
Joshua Klosterman
Blaine Mulugeta
Susan Symington
The MITRE Corporation
Jaideep Singh
Molex
*Former employee; all work for this publication done while at employer.
FINAL
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.1800-15
Draft versions of this publication are available free of charge from: https://www.nccoe.nist.gov/library/securing-small-business-and-home-internet-things-iot-devices-mitigating-network-based
May 2021
U.S. Department of Commerce
Gina M. Raimondo, Secretary
National Institute of Standards and Technology
Dr. James K. Olthoff, Performing the non-exclusive functions and duties of the Under Secretary of Commerce for Standards and Technology
- 1 Summary
- 2 How to Use This Guide
- 3 Approach
- 4 Architecture
- 5 Security Characteristic Analysis
- 6 Build 1
- 6.1 Collaborators
- 6.2 Technologies
- 6.3 Build Architecture
- 6.4 Functional Demonstration
- 6.5 Observations
- 7 Build 2
- 7.1 Collaborators
- 7.2 Technologies
- 7.2.1 MUD Manager
- 7.2.2 MUD File Server
- 7.2.3 MUD File
- 7.2.4 Signature File
- 7.2.5 DHCP Server
- 7.2.6 Router/Switch
- 7.2.7 Certificates
- 7.2.8 IoT Devices
- 7.2.9 Update Server
- 7.2.10 Unapproved Server
- 7.2.11 IoT Device Discovery, Categorization, and Traffic Policy Enforcement–Yikes! Cloud
- 7.2.12 Display and Configuration of Device Information and Traffic Policies–Yikes! Mobile Application
- 7.2.13 Threat Agent
- 7.2.14 Threat-Signaling MUD Manager
- 7.2.15 Threat-Signaling DNS Services
- 7.2.16 Threat-Signaling API
- 7.2.17 Threat MUD File Server
- 7.2.18 Threat MUD File
- 7.3 Build Architecture
- 7.4 Functional Demonstration
- 7.5 Observations
- 8 Build 3
- 8.1 Collaborators
- 8.2 Technologies
- 8.2.1 MUD Manager
- 8.2.2 MUD File Server
- 8.2.3 MUD File
- 8.2.4 Signature File
- 8.2.5 Router/Switch
- 8.2.6 Certificates
- 8.2.7 IoT Devices
- 8.2.8 Update Server
- 8.2.9 Unapproved Server
- 8.2.10 MUD Registry
- 8.2.11 SDN Controller
- 8.2.12 Onboarding Manager
- 8.2.13 User and Device Interface to the Onboarding Manager
- 8.2.14 Bootstrapping Interface to the Onboarding Manager
- 8.2.15 Network Onboarding Component
- 8.3 Build Architecture
- 8.4 Functional Demonstration
- 8.5 Observations
- 9 Build 4
- 9.1 Collaborators
- 9.2 Technologies
- 9.3 Build Architecture
- 9.4 Functional Demonstration
- 9.5 Observations
- 10 General Findings, Security Considerations, and Recommendations
- 11 Future Build Considerations
- Appendix A List of Acronyms
- Appendix B Glossary
- Appendix C References
- 1 Introduction
- 2 Build 1 Product Installation Guides
- 2.1 Cisco MUD Manager
- 2.2 MUD File Server
- 2.3 Cisco Switch–Catalyst 3850-S
- 2.4 DigiCert Certificates
- 2.5 IoT Devices
- 2.6 Update Server
- 2.7 Unapproved Server
- 2.8 MQTT Broker Server
- 2.9 Forescout–IoT Device Discovery
- 3 Build 2 Product Installation Guides
- 3.1 Yikes! MUD Manager
- 3.2 MUD File Server
- 3.3 Yikes! DHCP Server
- 3.4 Yikes! Router
- 3.5 DigiCert Certificates
- 3.6 IoT Devices
- 3.7 Update Server
- 3.8 Unapproved Server
- 3.9 Yikes! IoT Device Discovery, Categorization, and Traffic Policy Enforcement (Yikes! Cloud and Yikes! Mobile Application)
- 3.10 GCA Quad9 Threat Signaling in Yikes! Router
- 4 Build 3 Product Installation Guides
- 4.1 Product Installation
- 4.1.1 DigiCert Certificates
- 4.1.2 MUD Manager
- 4.1.3 MUD File Server
- 4.1.4 Micronets Gateway
- 4.1.5 IoT Devices
- 4.1.6 Update Server
- 4.1.7 Unapproved Server
- 4.1.8 CableLabs MUD Registry
- 4.1.9 CableLabs Micronets Manager for SDN Control
- 4.1.10 Micronets Websocket Proxy
- 4.1.11 Micronets iPhone Application for Device Onboarding
- 4.1.12 MSO Portal Bootstrapping Interface to the Onboarding Manager
- 4.2 Product Integration and Operation
- 4.2.1 Adding an MSO Subscriber
- 4.2.2 Associating the Micronets Gateway with a Subscriber
- 4.2.3 Integrating Micronets Proto-Pi Device
- 4.2.4 Updating MUD Registry
- 4.2.5 Integrating the Micronets iPhone App with MSO Portal
- 4.2.6 Onboarding Micronets Proto-Pi to a Micronet
- 4.2.7 Interacting with Micronets Manager
- 4.2.8 Removing Micronets Proto-Pi from a Micronet
- 4.2.9 Removing an MSO Subscriber
- 5 Build 4 Product Installation Guides
- Appendix A List of Acronyms
- Appendix B Glossary
- Appendix C Bibliography
- 1 Introduction
- 2 Build 1
- 2.1 Evaluation of MUD-Related Capabilities
- 2.1.1 Requirements
- 2.1.2 Test Cases
- 2.1.2.1 Test Case IoT-1-v4
- 2.1.2.2 Test Case IoT-2-v4
- 2.1.2.3 Test Case IoT-3-v4
- 2.1.2.4 Test Case IoT-4-v4
- 2.1.2.5 Test Case IoT-5-v4
- 2.1.2.6 Test Case IoT-6-v4
- 2.1.2.7 Test Case IoT-7-v4
- 2.1.2.8 Test Case IoT-8-v4
- 2.1.2.9 Test Case IoT-9-v4
- 2.1.2.10 Test Case IoT-10-v4
- 2.1.2.11 Test Case IoT-11-v4
- 2.1.3 MUD Files
- 2.2 Demonstration of Non-MUD-Related Capabilities
- 3 Build 2
- 3.1 Evaluation of MUD-Related Capabilities
- 3.1.1 Requirements
- 3.1.2 Test Cases
- 3.1.2.1 Test Case IoT-1-v4
- 3.1.2.2 Test Case IoT-2-v4
- 3.1.2.3 Test Case IoT-3-v4
- 3.1.2.4 Test Case IoT-4-v4
- 3.1.2.5 Test Case IoT-5-v4
- 3.1.2.6 Test Case IoT-6-v4
- 3.1.2.7 Test Case IoT-7-v4
- 3.1.2.8 Test Case IoT-8-v4
- 3.1.2.9 Test Case IoT-9-v4
- 3.1.2.10 Test Case IoT-10-v4
- 3.1.2.11 Test Case IoT-11-v4
- 3.1.3 MUD Files
- 3.2 Demonstration of Non-MUD-Related Capabilities
- 4 Build 3
- 4.1 Evaluation of MUD-Related Capabilities
- 4.1.1 Requirements
- 4.1.2 Test Cases
- 4.1.3 MUD Files
- 4.1.3.1 nist-model-fe_northsouth.json
- 4.1.3.2 nist-model-fe_mycontroller.json
- 4.1.3.3 nist-model-fe_controller_anyport.json
- 4.1.3.4 nist-model-fe_expiredcert.json
- 4.1.3.5 nist-model-fe_invalidsig.json
- 4.1.3.6 nist-model-fe_manufacturer1.json
- 4.1.3.7 nist-model-fe_manufacturer2.json
- 4.1.3.8 nist-model-fe_manufacturer-from.json
- 4.1.3.9 nist-model-fe_manufacturer-to.json
- 4.1.3.10 nist-model-fe_samemanufacturer.json
- 4.1.3.11 nist-model-fe_samemanufacturer-to.json
- 4.1.3.12 nist-model-fe_samemanufacturer-from.json
- 4.1.3.13 nist-model-fe_localnetwork_anyport.json
- 4.2 Demonstration of Non-MUD-Related Capabilities
- 5 Build 4