IP networks get security at the edge

TCP/IP is the backbone of the vast majority of today's networks, including the Internet. It is flexible, powerful and has met networking needs well for decades. It is also easy to use and is well-understood. This is resulting in an explosion of network-connected products, traditional products like vending machines, industrial and building-control equipment and point-of-sale terminals, that are now being connected via Ethernet and TCP/IP.

As this trend continues and even more systems connect to the Internet, the requirements for network security will also grow. Demands for security will increase with growing public awareness of electronic threats-identity theft, hackers and computer viruses-and as more transactions occur on this ever-growing network. Adoption of network security technology in embedded systems will increase as traditional barriers are lowered. These barriers-reduced performance due to computationally intensive cryptography algorithms and significant memory requirements-are being overcome by the availability of software protocols designed specifically for embedded systems and by hardware acceleration techniques that give processors the ability to perform these cryptography algorithms quickly.

The Internet Protocol networks' public nature and IP packet-routing method combine to make TCP/IP networks vulnerable to security breaches. IP packet routing was not designed for security but to make routing as simple as possible, with the ability to handle an ever-expanding network. These characteristics have allowed TCP/IP to be quickly adopted and become widely prevalent. But they also pose security problems: IP's routing exposes a packet to anyone along its route who wishes to view the contents or the packet's origin and destination. In addition, since the packet has no definite route to its destination, a packet routed over the Internet can be picked up, rerouted or duplicated by virtually anyone connected to the Internet.

These problems limit the use of large IP networks for sensitive communications. To address TCP/IP's vulnerabilities, several protocols have been developed. The most common are IP Security (IPsec) and Secure Socket Layer (SSL). These protocols have been widely adopted in personal computers, high-end network servers, routing equipment and other systems.

As the number of network-connected embedded devices continues to increase, the need to add security to these nontraditional networked systems has emerged. To companies making such products as building control systems, remote-monitoring stations, point-of-sale terminals and other systems, the advantage of TCP/IP is clear. It lets users increase those systems' efficiency by giving them instant information from remote devices and allowing them to control those devices over a network. But outsiders can potentially access such networked equipment. To reduce that risk, security protocols originating in the networking equipment world, such as IPsec and SSL, are available, but their use in embedded systems has been limited. Implementations of these protocols need to be designed specifically for low-power, memory-constrained, embedded devices.

Designing security solutions for embedded systems is laced with difficulties. In particular, two key sets of challenges must be met: performance issues and memory issues. Network security protocols like IPsec and SSL involve complicated algorithms for encryption and authentication, such as Data Encryption Standard, Advanced Encryption Standard and Secure Hashing Algorithm. These algorithms protect data integrity and confidentiality and establish and ensure the identity of the originator of that data. But because these cryptography algorithms are computationally intensive, they can seriously impact the performance of an application running on low-power embedded microprocessors.

To address these performance issues, some vendors, such as ARC, are incorporating hardware instructions into their embedded-processor cores, which accelerate the execution of these algorithms. Likewise, Motorola, for example, has announced new families of PowerQuicc processors that integrate on-chip hardware acceleration of encryption and authentication algorithms.

The second major set of embedded security issues concerns memory. Simply put, the more software is added to an embedded system, the more memory the system requires. Security software was originally designed not for low-power, memory-constrained, embedded systems but for PCs and high-end network equipment. To embedded developers, this software is bulky and contains far more than they need. Although it is possible to port high-end security software to embedded processors and scale it down to the appropriate code size and feature set, this is a lengthy, difficult process.

Consequently, software stacks for protocols like IPsec and SSL are appearing that have been designed to keep memory usage to a minimum in embedded systems. This software is also designed to be scalable, allowing developers to choose the feature set they need for a particular application, and often supporting either client-side-only or server-side-only configurations, depending on the specific needs of the application.

The combination of network security protocol stacks designed for embedded systems and the integration of hardware acceleration into embedded processor cores gives embedded developers the environment they need to incorporate security into their network-connected applications. Hardware acceleration provides the performance boost required to process encryption algorithms and maintain a reasonable level of network performance without significantly impacting the processor's performance requirements. Security protocol stacks designed for embedded systems meet the small-footprint and scalability requirements characteristic of embedded-software applications.

Previously, an embedded developer's only choice for implementing network security while maintaining performance was a much faster, more expensive processor with significantly more memory, which in many cases is simply not an option. The emergence of on-chip hardware cyptography acceleration and network security software packages targeted at embedded processors is making it possible for developers to adopt network security for embedded devices on the edge of today's integrated networks.

See related chart