The Secure IoT Gateway is a special use case within the LEGaTO project. While the main goal of the other four use cases is energy efficiency, the Secure IoT Gateway aims at simplifying the management of VPN-secured connections from local devices to a network via the network cockpit, a user-friendly, web-based GUI. The IoT network is abstracted into two kinds of components: IoT bridges, which connect the clients, and gateways, which serve as the entry points to company sites.
The network cockpit simplifies tasks such as setting up firewall rules between IoT bridges and configuring VPNs, and gives a broad, convenient overview of the whole IoT network. At the moment, the network cockpit provides the user with CPU, RAM and traffic statistics of the network and a list of all connected devices together with their configuration and detailed information. Communication rules between bridges can be defined directly in the cockpit; they are translated into the corresponding firewall rules and applied on the devices. Access to the network cockpit is controlled by a user management system.
One of the core tasks of the Secure IoT Gateway in simplifying the operation of an IoT network is to provide services that perform configuration and maintenance actions in the background, without user interaction. LEGaTO’s Secure IoT Gateway secures the network by establishing a Virtual Private Network to every network device. Setting these VPNs up properly is a hard task for an inexperienced user and a time-consuming one for a widespread IoT network, so in practice it is frequently not done at all. The network cockpit, however, can automatically generate the configuration for each device involved and deploy it onto the devices. Bringing a new device into the network therefore becomes a simple process: plug the device into a provisioned bridge, connect the bridge to the network, and choose the desired gateway in the network cockpit. The network cockpit then does the rest: it sets up the VPN between bridge and gateway, configures the firewall rules and sets up port sharing. This eliminates many of the security risks that handcrafted configurations by typical administrators introduce.
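What the cockpit has to generate for a new bridge and its gateway, as an added example that is not part of the LEGaTO project's code. The page names neither the VPN technology, the firewall, nor the address plan, so this example assumes WireGuard for the VPN, nftables on the gateway, a hub-and-spoke layout in which bridge-to-bridge traffic is forwarded by the gateway, a 10.77.0.0/24 tunnel network, and constructed placeholder keys. It also covers the translation of bridge-to-bridge communication rules into firewall rules that the cockpit offers: every rule becomes one explicit accept line in a forward chain whose default policy is drop.

```python
"""Generate the VPN and firewall configuration the network cockpit would push to a
gateway and a newly added IoT bridge (added example; assumes WireGuard, nftables and a
hub-and-spoke tunnel layout, none of which the project description states)."""
import base64
import ipaddress
from dataclasses import dataclass

TUNNEL_NET = ipaddress.ip_network("10.77.0.0/24")   # assumed overlay network for the VPN


@dataclass(frozen=True)
class Bridge:
    device_id: str
    public_key: str   # base64 WireGuard public key (constructed placeholders below)


@dataclass(frozen=True)
class Rule:
    src: str          # device_id of the bridge that opens the connection
    dst: str          # device_id of the bridge that accepts it
    proto: str        # "tcp" or "udp"
    port: int


def allocate_tunnel_addresses(bridge_ids):
    """Deterministic allocation: the gateway gets the first host address, bridges the
    following ones in device-ID order, so re-running the generator is idempotent."""
    hosts = TUNNEL_NET.hosts()
    gateway_ip = next(hosts)
    return gateway_ip, {bid: next(hosts) for bid in sorted(set(bridge_ids))}


def render_gateway_config(gw_private_key, gateway_ip, bridges, addrs, listen_port=51820):
    """WireGuard server side: one [Peer] per bridge, each restricted to its own /32."""
    lines = ["[Interface]", f"Address = {gateway_ip}/{TUNNEL_NET.prefixlen}",
             f"ListenPort = {listen_port}", f"PrivateKey = {gw_private_key}", ""]
    for b in sorted(bridges, key=lambda x: x.device_id):
        lines += ["[Peer]", f"# {b.device_id}", f"PublicKey = {b.public_key}",
                  f"AllowedIPs = {addrs[b.device_id]}/32", ""]
    return "\n".join(lines)


def render_bridge_config(bridge, bridge_private_key, gw_public_key, gw_endpoint, addrs):
    """WireGuard client side: only the tunnel network is routed through the VPN."""
    return "\n".join([
        "[Interface]", f"Address = {addrs[bridge.device_id]}/{TUNNEL_NET.prefixlen}",
        f"PrivateKey = {bridge_private_key}", "",
        "[Peer]", f"PublicKey = {gw_public_key}", f"Endpoint = {gw_endpoint}",
        f"AllowedIPs = {TUNNEL_NET}", "PersistentKeepalive = 25", ""])


def render_forward_rules(rules, addrs, bridges):
    """Translate bridge-to-bridge communication rules into the gateway's nftables forward
    chain. Policy is drop: a bridge can only reach what a rule explicitly allows."""
    known = {b.device_id for b in bridges}
    out = ["table inet iot {", "  chain forward {",
           "    type filter hook forward priority 0; policy drop;",
           "    ct state established,related accept"]
    for r in sorted(rules, key=lambda x: (x.src, x.dst, x.proto, x.port)):
        if r.src not in known or r.dst not in known:
            raise ValueError(f"rule references an unknown bridge: {r}")
        if r.proto not in ("tcp", "udp") or not 1 <= r.port <= 65535:
            raise ValueError(f"invalid protocol/port in rule: {r}")
        out.append(f"    ip saddr {addrs[r.src]} ip daddr {addrs[r.dst]} "
                   f"{r.proto} dport {r.port} ct state new accept")
    out += ["  }", "}"]
    return "\n".join(out)


def fake_key(seed):
    """Constructed placeholder with only the shape of a WireGuard key; real keys come
    from `wg genkey` / `wg pubkey` on the device."""
    return base64.b64encode(bytes([seed]) * 32).decode()


if __name__ == "__main__":
    bridges = [Bridge("br-0002", fake_key(2)), Bridge("br-0001", fake_key(1))]
    rules = [Rule("br-0001", "br-0002", "tcp", 1883)]   # constructed: MQTT from bridge 1 to bridge 2
    gw_ip, addrs = allocate_tunnel_addresses(b.device_id for b in bridges)
    print(render_gateway_config(fake_key(9), gw_ip, bridges, addrs))
    print(render_bridge_config(bridges[1], fake_key(11), fake_key(8), "gw.example.org:51820", addrs))
    print(render_forward_rules(rules, addrs, bridges))
```

The gateway config is loaded with `wg-quick` and the ruleset with `nft -f`; for the forwarded bridge-to-bridge traffic the gateway additionally needs IP forwarding enabled. Keeping the allocation deterministic matters for a cockpit that regenerates configurations: a bridge must not change its tunnel address just because another bridge was added.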
Of course, the network cockpit alone cannot provide these services; the gateways and IoT bridges have to be able to handle their side of these tasks as well. Each device therefore ships with a set of scripts and programs that communicate with the network cockpit during the configuration processes. At the current state of development, these programs let gateways and bridges send statistics, recent logs and contextual information about their position in the network to the network cockpit at regular intervals. They can also receive orders from the network cockpit and apply them, such as configuration modifications, the creation of VPN servers or clients, and firewall changes.
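The exchange between the network cockpit and a device, as an added example that is not the project's code. The page says devices receive and apply orders from the cockpit and report statistics to it, but does not describe the message format or how either direction is authenticated. This example assumes JSON messages, a per-device secret shared between the cockpit and the device (for instance set during provisioning), HMAC-SHA256 over a canonical encoding, and a sequence number plus issue time so that a captured order cannot be replayed against the device or redirected to another one. The order names and report fields are made up for the example.

```python
"""Authenticated order/report exchange between the network cockpit and a device
(added example, not project code). Assumes a per-device shared secret and
HMAC-SHA256 over a canonical JSON encoding; order names are made up."""
import hashlib
import hmac
import json


def _canonical(body):
    # Sorted keys and no whitespace: both sides must MAC byte-identical input.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_message(secret, body):
    tag = hmac.new(secret, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": tag}


def verify_message(secret, message):
    """Constant-time MAC check; returns the body on success, None otherwise."""
    body, tag = message.get("body"), message.get("mac", "")
    if not isinstance(body, dict) or not isinstance(tag, str):
        return None
    expected = hmac.new(secret, _canonical(body), hashlib.sha256).hexdigest()
    return body if hmac.compare_digest(expected, tag) else None


def make_order(secret, device_id, seq, order_type, payload, now):
    """Cockpit side: an order is bound to one device, one sequence number and an issue time."""
    body = {"device_id": device_id, "seq": seq, "type": order_type,
            "payload": payload, "issued": int(now)}
    return sign_message(secret, body)


class DeviceAgent:
    """Device side: verify, reject replays, then dispatch to a fixed handler table."""

    def __init__(self, device_id, secret, max_age=300):
        self.device_id, self.secret, self.max_age = device_id, secret, max_age
        self.last_seq = 0      # highest order sequence number accepted so far
        self.report_seq = 0
        self.applied = []      # what a real agent would turn into nft / wg commands
        self.handlers = {"firewall.apply": self._apply_firewall,
                         "config.set": self._set_config}

    def handle_order(self, message, now):
        body = verify_message(self.secret, message)
        if body is None:       # checked first: unauthenticated input learns nothing else
            return "rejected: bad mac"
        if body.get("device_id") != self.device_id:
            return "rejected: addressed to another device"
        seq, issued = body.get("seq"), body.get("issued")
        if not isinstance(seq, int) or seq <= self.last_seq:
            return "rejected: replayed or out-of-order"
        if not isinstance(issued, int) or abs(now - issued) > self.max_age:
            return "rejected: stale"
        handler = self.handlers.get(body.get("type"))
        if handler is None:
            return "rejected: unknown order type"
        self.last_seq = seq
        return handler(body.get("payload", {}))

    def _apply_firewall(self, payload):
        rules = payload.get("rules", [])
        for r in rules:        # validate everything before touching the firewall
            if not isinstance(r, dict) or r.get("proto") not in ("tcp", "udp") \
                    or not isinstance(r.get("port"), int) or not 1 <= r["port"] <= 65535:
                return f"rejected: malformed rule {r}"
        self.applied.append(("firewall", rules))
        return f"applied: {len(rules)} firewall rule(s)"

    def _set_config(self, payload):
        self.applied.append(("config", dict(payload)))
        return "applied: config"

    def build_report(self, stats, now):
        """Periodic statistics report, signed so the cockpit can reject forged ones."""
        self.report_seq += 1
        return sign_message(self.secret, {"device_id": self.device_id, "seq": self.report_seq,
                                          "sent": int(now), "stats": stats})


if __name__ == "__main__":
    secret = b"constructed-per-device-secret"   # constructed; set at provisioning in practice
    agent = DeviceAgent("br-0001", secret)
    order = make_order(secret, "br-0001", 1, "firewall.apply",
                       {"rules": [{"proto": "tcp", "port": 1883}]}, now=1000)
    print(agent.handle_order(order, now=1005))   # applied
    print(agent.handle_order(order, now=1006))   # same message again: rejected as replay
    print(verify_message(secret, agent.build_report({"cpu": 12.5}, now=1100)))
```

The order of the checks is deliberate: the MAC is verified before any field is inspected, the device ID check stops an order signed for one device from being delivered to another, and the monotonic sequence number is what stops a captured, still-fresh order from being replayed. Transport encryption such as the VPN itself does not replace this: it protects the path, not the question of who may issue an order.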
All of these programs and pre-configurations are naturally not delivered with the hardware but have to be installed on the devices. To speed up provisioning, a program was developed that automates every step needed before a device can be delivered to a customer. The provisioning program installs the base OS onto a factory-new mini router, then pre-configures the firewall rules and assigns a network-wide unique device ID, which the network cockpit uses to identify the device. Finally, it sets an individually generated strong password, leaving the IoT bridge ready for integration into the customer’s network.
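One way to realize the device ID and password steps of the provisioning program, as an added example that is not the project's own provisioning code. The page says the ID is network-wide unique and the password individually generated and strong, but not how; the ID format (site prefix plus random suffix), the 72-symbol alphabet and 20-character length, and scrypt-hashed storage of the password in the cockpit's registry are assumptions made for this example.

```python
"""Provisioning record for a factory-new IoT bridge (added example, not project code).
The ID format, the password policy and the storage format are assumptions."""
import hashlib
import hmac
import math
import os
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "-_.!#%+=?@"   # 72 symbols
PASSWORD_LENGTH = 20
MIN_ENTROPY_BITS = 90


def password_entropy_bits(length=PASSWORD_LENGTH, alphabet=ALPHABET):
    return length * math.log2(len(alphabet))


def generate_password(length=PASSWORD_LENGTH):
    """CSPRNG-based password, resampled until it contains a lower-case letter, an
    upper-case letter and a digit so a simple character-class policy on the device accepts it."""
    assert password_entropy_bits(length) >= MIN_ENTROPY_BITS
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if any(c.islower() for c in pw) and any(c.isupper() for c in pw) \
                and any(c.isdigit() for c in pw):
            return pw


def _hash_password(password, salt):
    # scrypt: the registry never keeps the plaintext, only a salted, slow hash
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


class Inventory:
    """The cockpit's registry of provisioned devices."""

    def __init__(self):
        self.devices = {}

    def new_device_id(self, site):
        """Random rather than sequential IDs, so one device cannot guess its neighbours';
        uniqueness is checked against the registry instead of being assumed."""
        while True:
            device_id = f"{site}-{secrets.token_hex(4)}"
            if device_id not in self.devices:
                return device_id

    def provision(self, site):
        device_id = self.new_device_id(site)
        password = generate_password()
        salt = os.urandom(16)
        self.devices[device_id] = {"site": site, "salt": salt,
                                   "hash": _hash_password(password, salt)}
        return device_id, password   # the plaintext leaves this function exactly once

    def verify(self, device_id, password):
        record = self.devices.get(device_id)
        if record is None:
            _hash_password(password, b"\0" * 16)   # same cost path: timing does not reveal unknown IDs
            return False
        return hmac.compare_digest(record["hash"], _hash_password(password, record["salt"]))


if __name__ == "__main__":
    inventory = Inventory()
    device_id, password = inventory.provision("siteA")   # "siteA" is a constructed site name
    print(device_id, password, f"{password_entropy_bits():.0f} bits")
    print(inventory.verify(device_id, password), inventory.verify(device_id, "wrong"))
```

The plaintext password is returned once, to be written to the device during provisioning; what stays with the cockpit is a per-device salted scrypt hash, so a compromised registry does not hand out the credentials of every bridge in the field.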