The power of passive OS fingerprinting enables accurate IoT device identification

By 2030, the number of IoT devices on enterprise networks and the Internet is expected to reach 29 billion. This exponential growth inadvertently increases the attack surface.

Every connected device potentially creates new avenues for cyberattacks and security breaches. The Mirai botnet demonstrated this by launching massive DDoS attacks against critical internet infrastructure and popular websites using thousands of vulnerable IoT devices.

To effectively guard against the risks of IoT sprawl, continuous monitoring and absolute control are critical. However, this requires accurate identification of all IoT devices and operating systems (OS) within the corporate network.

Without this knowledge, IT and security teams lack the visibility and understanding necessary to effectively implement targeted security controls, monitor network activity, identify anomalies, and mitigate potential threats.

Understanding the Identity Dilemma of IoT

Typically, administrators identify devices and operating systems through software agents running on network endpoints, which assign unique device IDs and collect device identification information. However, it may not be possible or practical to install such agents on all operating systems, especially those used in embedded systems and IoT devices.

This is because IoT devices are designed to perform specific functions and often have limited resources (processing power, memory, and storage). They generally lack the ability to support any other software agent.

For these reasons, we need a passive identification method that requires no software installation yet is as effective as an agent customized and streamlined for the specific requirements of each IoT device. One such approach is network-based fingerprinting, and in particular passive operating system fingerprinting.

What is passive OS fingerprinting?

In practice, passive OS fingerprinting is like trying to analyze people based on how they look and behave without any direct interaction.

Likewise, the way a device interacts with a network reveals a lot about its identity, functionality, and potential risks. Passive OS fingerprinting does not require the installation of a software agent; instead, it determines a device's operating system by analyzing the traffic patterns and behavior the device generates on the network.

The approach relies on established techniques and fingerprint databases that store traffic patterns and behaviors specific to various operating systems. For example, specific options set in TCP headers or Dynamic Host Configuration Protocol (DHCP) requests may vary depending on the operating system.

OS fingerprinting essentially matches a device's network traffic patterns and attributes with known operating system profiles and classifies the traffic accordingly.

Several network protocols can be used for operating system fingerprinting:

MAC Address: A MAC (Media Access Control) address is a unique identifier assigned to a network device by the manufacturer. Each MAC address typically contains an organizationally unique identifier (OUI) unique to the manufacturer. For example, by examining the MAC address "88:66:5a:12:08:8E," an administrator can determine that Apple manufactured the device because the string "88:66:5a" is associated with Apple Inc. Likewise, IoT device traffic includes MAC addresses with device manufacturer-specific OUIs.

TCP/IP Parameters: The TCP and IP protocols have several fields in their respective packet header formats. Different operating systems implement TCP/IP properties differently, so these fields may carry implementation-specific values, such as the initial time-to-live (TTL), TCP window size, TCP flags, and so on. Administrators can analyze and compare these fields and identify the underlying operating system from its specific TCP/IP implementation.

HTTP User-Agent String: When a network device (client) communicates with a server over HTTP, the request headers include the User-Agent field. This field can reveal the name and version of the client software, the operating system, and other related information. Administrators can inspect this field, along with other HTTP header fields, for device detection.

DHCP Request: DHCP is a network protocol used to automatically assign IP addresses. A DHCP request can contain fields that provide additional information about the client, such as the host name, vendor class identifier, or operating system type. Because DHCP clients are often customized or modified, a DHCP request alone may not determine the underlying operating system, but it can still yield more granular information about the device's identity.

Despite its limitations, analyzing the behavior and properties of multiple protocols across network layers can help accurately identify devices. Administrators can use operating system fingerprints to make informed decisions about access control and security policies.
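The following Python script is an added example, not code from the original article, showing the multi-layer matching described above: an OUI lookup on the MAC address, a (TTL, window size) lookup for the TCP/IP layer, User-Agent pattern matching, and the DHCP vendor class identifier, with each layer casting a weighted vote for an OS family. It assumes the per-device attributes have already been extracted from traffic by a sensor (the `Observation` record is a constructed stand-in for raw packets). All tables, weights and sample devices are constructed for illustration, except the Apple OUI `88:66:5a` quoted in the article, the well-known default initial TTLs of 64 (Unix-like) and 128 (Windows), and the `MSFT 5.0` vendor class sent by Windows DHCP clients.

```python
"""Passive OS/device fingerprinting over attributes already extracted from traffic.
Added example, not code from the original article; the tables are small and partly
constructed (a real deployment would use the IEEE OUI registry and a maintained
signature database)."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# OUI (first three octets) -> manufacturer. "88:66:5a" is the Apple OUI quoted in
# the article; "02:aa:bb" is a constructed placeholder for an IoT vendor.
OUI_TABLE: Dict[str, str] = {"88:66:5a": "Apple Inc.",
                             "02:aa:bb": "ExampleIoT (constructed vendor)"}
# Initial TTL -> coarse OS family. 64 and 128 are the well-known Unix-like and
# Windows defaults; 255 is used by various network appliances.
TTL_TABLE: Dict[int, str] = {64: "Unix-like", 128: "Windows", 255: "Network appliance"}
# (initial TTL, SYN window size) -> OS family. The window values are constructed
# sample entries standing in for a real signature database.
TCP_TABLE: Dict[Tuple[int, int], str] = {(64, 29200): "Linux", (64, 5840): "Linux",
                                         (64, 65535): "Apple", (128, 64240): "Windows"}
# DHCP option 60 (vendor class identifier) -> OS family; "MSFT 5.0" is what
# Windows DHCP clients send.
DHCP_VENDOR_TABLE: Dict[str, str] = {"MSFT 5.0": "Windows"}
# HTTP User-Agent patterns, checked in order: Android agents also contain "Linux",
# so the more specific token must come first.
UA_PATTERNS = [(re.compile(r"Windows NT"), "Windows"),
               (re.compile(r"Android"), "Android"),
               (re.compile(r"iPhone OS|iPad|Mac OS X"), "Apple"),
               (re.compile(r"Linux"), "Linux")]

@dataclass
class Observation:
    """Per-device attributes as a passive sensor might summarise them."""
    mac: str
    ttl: Optional[int] = None                # TTL as seen on the wire
    window: Optional[int] = None             # TCP window size in the SYN
    user_agent: Optional[str] = None         # HTTP User-Agent header
    dhcp_hostname: Optional[str] = None      # DHCP option 12
    dhcp_vendor_class: Optional[str] = None  # DHCP option 60

def manufacturer_from_mac(mac: str) -> Optional[str]:
    """Resolve the OUI (first three octets) of a MAC address."""
    return OUI_TABLE.get(mac.lower()[:8])

def initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the nearest common initial value: routers
    decrement TTL per hop, so TTL 60 on the wire most likely started at 64."""
    for start in (64, 128, 255):
        if observed <= start:
            return start
    return observed

def fingerprint(obs: Observation) -> dict:
    """Combine per-layer evidence into one profile; each layer casts a weighted
    vote for an OS family (weights constructed for this example)."""
    votes: Dict[str, float] = {}

    def vote(family: Optional[str], weight: float) -> None:
        if family:
            votes[family] = votes.get(family, 0.0) + weight

    profile = {"manufacturer": manufacturer_from_mac(obs.mac),
               "hostname": obs.dhcp_hostname, "initial_ttl": None}
    if obs.ttl is not None:
        ttl0 = initial_ttl(obs.ttl)
        profile["initial_ttl"] = ttl0
        exact = TCP_TABLE.get((ttl0, obs.window)) if obs.window is not None else None
        if exact:                       # exact signature outweighs a TTL-only guess
            vote(exact, 0.4)
        else:
            vote(TTL_TABLE.get(ttl0), 0.2)
    if obs.user_agent:
        for pattern, family in UA_PATTERNS:
            if pattern.search(obs.user_agent):
                vote(family, 0.5)
                break
    # A customised DHCP client may send an unknown vendor class; as the article
    # notes, DHCP then helps identify the device but not its OS (no vote cast).
    if obs.dhcp_vendor_class:
        vote(DHCP_VENDOR_TABLE.get(obs.dhcp_vendor_class), 0.4)
    if not votes:
        return {**profile, "os_family": "unknown", "score": 0.0, "agreement": 0.0}
    best = max(votes, key=votes.get)
    # score: total weight behind the winner; agreement: its share of all votes
    return {**profile, "os_family": best, "score": round(votes[best], 2),
            "agreement": round(votes[best] / sum(votes.values()), 2)}

# Constructed observations for four devices on a hypothetical network.
SAMPLES = {
    "laptop": Observation(mac="88:66:5A:12:08:8E", ttl=60, window=65535,
                          user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"),
    "windows_pc": Observation(mac="02:11:22:33:44:55", ttl=125, window=64240,
                              dhcp_hostname="DESKTOP-EXAMPLE", dhcp_vendor_class="MSFT 5.0"),
    "iot_camera": Observation(mac="02:aa:bb:01:02:03", ttl=64, window=5840,
                              user_agent="Linux/3.10 UPnP/1.0 ExampleCam/1.0",
                              dhcp_hostname="cam-lobby"),
    "odd_appliance": Observation(mac="02:de:ad:be:ef:00", ttl=200, window=1234,
                                 dhcp_vendor_class="CustomVendor/1.0"),
}
```

Calling `fingerprint(SAMPLES["iot_camera"])` returns a profile whose manufacturer comes from the OUI, whose hostname comes from DHCP, and whose OS family is backed by both the TCP signature and the User-Agent. The `odd_appliance` entry illustrates the DHCP caveat: its unknown vendor class contributes nothing, so the profile rests on a TTL-only guess and the low `score` tells the administrator how weak that evidence is before any access-control decision is based on it.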

Operating system fingerprinting across enterprise networks

Given the rapid expansion of IoT networks and the vulnerabilities they introduce, operating system fingerprinting facilitates passive device identification. However, manual operating system fingerprinting is a difficult task that requires extensive domain knowledge and expertise.

The main challenge is scalability. Manually mapping unique identifiers among the thousands of traffic flows across an enterprise network is impossible. To overcome this challenge, organizations can leverage the resources and scale of a cloud-based converged network and security stack. Cloud-native security stacks, such as SASE (Secure Access Service Edge) or SSE (Secure Service Edge), can access required resources and enable machine learning algorithms and statistical analysis to extract patterns and behaviors from large amounts of network traffic data.

Converged network and security capabilities can automatically collect and correlate network and security data from multiple sources, such as intrusion detection systems, firewall logs, and endpoint security solutions, to provide an overview of network activity and its relationship to operating systems and IoT devices.

This convergence helps automatically identify and classify clients based on their unique characteristics. Finally, a centralized management console can streamline the identification and analysis process and allow immediate action on access control and security policies.

Source: blog.csdn.net/qq_29607687/article/details/132655717