In the last year or so, TCG members active in developing and supporting network equipment, such as switches, routers and firewalls, have been actively working to develop specific guidance and how-to for protecting these devices against attacks.

Why worry about network equipment, when endpoints and “things” seem the most vulnerable? In reality, a number of recent attacks, as CherryBlossom and Marai, have exposed some networks and data, resulting in significant data loss and impact to business.

Members in TCG’s network equipment group now have published a new guidance and an architects guide that offers specific recommendations and best practices to secure against compromise. The guidance includes how to use strong hardware security enabled by the Trusted Platform Module (TPM) ensures that equipment is tamper-resistant and protected against a variety of attacks.

How will manufacturers use this guidance? At the upcoming Mobile World Congress, a  demo will showcase TCG member Juniper Networks® SRX320 Services Gateway  protected with the Infineon OPTIGA™ TPM .

The TPM prevents physical and logical tampering of the router and securely stores an encrypted hash. If the router configuration is updated but not authorized, the router will not boot, thereby preventing a potential attack.

The companies also will discuss implementation of the guidance and TPM in a webcast on Feb. 21, 2018.

Of course, there have been some challenges in determining how to secure network equipment. TCG’s work recognizes that network equipment is shipped as a closed embedded system with security provided by the unit as a whole; equipment must boot and operate without manual intervention; and the equipment itself typically should not have the ability to hide or mask its own identity. As with many embedded and industrial systems, network equipment typically has a long life cycle. The guidance doc offers 12 use cases, of which the MWC demo is just one.

Recommendations offered by TCG and members include:

• Devices should use a TPM as a hardware-based root of trust
• Devices should provide a cryptographic device identity based on IEEE 802.1AR and use the TPM to protect keys. Cryptographic identity can provide a reliable way to identify remote devices for applications involving device management, configuration and authentication
• The TPM can be used to protect confidential data, such as VPN keys in network equipment
• TPM-based attestation can offer assurance to the integrity of software running on network equipment
• Use of the TPM’s random number generator can enhance the strength of cryptographic protocols by providing additional entropy

Learn more about how to increase network equipment security and design in foundational security: https://trustedcomputinggroup.org/work-groups/network-equipment/.