About Cloudflare Orbit
Orbit wraps IoT devices in their own private network, whose protections Cloudflare updates on the fly. Instead of relying on security that lives only on the device, Orbit uses the network as an additional layer of security and authentication.
Orbit has three main components:
- Security from the Edge - Using Cloudflare's firewall in the cloud, Orbit catches exploit attempts on the fly, protecting devices that are still running vulnerable code, for example while a firmware fix is being rolled out.
- Mutual TLS Authentication - Orbit authenticates devices and clients so that only those that actually belong to the customer's network can connect, rather than an attacker trying to infiltrate the IoT infrastructure.
- Customized Private Network - Orbit protects IoT devices at the network level, so each device is locked down as if it ran on its own private network, shielded from attacks arriving over the public internet.
Orbit additionally adds two extra benefits for IoT devices:
- Battery savings - the performance gains of Cloudflare's network (TLS session resumption and faster cipher suites, HTTP/2 header compression, Railgun, and so on) mean a device spends less time awake waiting for connections to complete, so it lasts longer on the shelf.
- Cheaper, faster firmware updates - firmware served from Cloudflare's cache downloads faster, which means less waiting for the user and less battery spent by the device. Serving firmware from the cache is also cheaper, because it saves bandwidth at the origin server.
How do you add an IoT device to Cloudflare?
- The IoT device boots up for the first time and tells the IoT cloud service it exists (via an API, for example cloud-api.suchconnecteddevices.com).
- The IoT cloud service calls Cloudflare's DNS API to add a proxied DNS record for that device's endpoint, pointing at the device's current IP address.
- The IoT customer configures its cloud, mobile and web apps to reach the device by DNS name instead of connecting directly to its IP.
- All traffic to the IoT device now goes through Cloudflare.
- The IoT company can optionally configure the device to accept inbound connections only from Cloudflare's published IP ranges and reject all other inbound traffic, so that anyone who learns the device's IP cannot bypass the edge.
- The IoT company can optionally configure Cloudflare to block every connection to the device that does not present the client certificate used by the company's cloud, mobile or web app.
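The registration step above (the cloud service creating the device's DNS record) carried through as an added example in Python. This is illustration code written for this page, not Cloudflare's or any device vendor's code. It assumes an API token with DNS edit rights in CF_API_TOKEN, the zone id that holds the device hostnames, and a naming scheme of <device-id>.devices.suchconnecteddevices.com, which is an assumption rather than something the page specifies. The two checks worth noticing are that the record is created with proxied=True (an unproxied record would publish the device IP and route clients around Cloudflare entirely) and that a device reporting a private address is rejected rather than published.

```python
import ipaddress
import json
import os
import urllib.request

# Cloudflare's public v4 API base; the zone holds the device hostnames.
CF_API = "https://api.cloudflare.com/client/v4"
# Assumed naming scheme for device endpoints (not from the original page).
DEVICE_SUFFIX = "devices.suchconnecteddevices.com"


def device_hostname(device_id: str) -> str:
    """Map a device id to its DNS name, accepting only characters valid in a DNS label."""
    label = device_id.lower()
    if not label or len(label) > 63 or not all(c.isalnum() or c == "-" for c in label):
        raise ValueError(f"device id is not a valid DNS label: {device_id!r}")
    return f"{label}.{DEVICE_SUFFIX}"


def dns_record_body(device_id: str, reported_ip: str) -> dict:
    """Build the record Cloudflare should hold for the device.

    proxied=True is what puts the device behind Cloudflare: an unproxied
    (grey-cloud) record just publishes the device IP and sends clients straight
    to it, bypassing the edge firewall, client certificate checks and rate limits.
    """
    ip = ipaddress.ip_address(reported_ip)  # raises ValueError on garbage input
    if not ip.is_global:
        # A device behind NAT tends to report its LAN address; that record would be useless.
        raise ValueError(f"{reported_ip} is not a publicly routable address")
    return {
        "type": "A" if ip.version == 4 else "AAAA",
        "name": device_hostname(device_id),
        "content": str(ip),
        "ttl": 1,        # 1 means "automatic", the only TTL proxied records need
        "proxied": True,
    }


def _urllib_transport(method: str, url: str, body):
    """Default transport: one authenticated call to the Cloudflare API using an API token."""
    headers = {
        "Authorization": "Bearer " + os.environ["CF_API_TOKEN"],
        "Content-Type": "application/json",
    }
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def register_device(device_id: str, reported_ip: str, zone_id: str, *, transport=None) -> dict:
    """Create the device's proxied record, or update it when the device re-registers from a new IP.

    `transport(method, url, body)` is injectable so the logic can run without network access.
    """
    send = transport or _urllib_transport
    body = dns_record_body(device_id, reported_ip)
    base = f"{CF_API}/zones/{zone_id}/dns_records"

    found = send("GET", f"{base}?type={body['type']}&name={body['name']}", None)
    if not found.get("success"):
        raise RuntimeError(f"record lookup failed: {found.get('errors')}")

    if found["result"]:
        # Re-registration: overwrite the existing record rather than adding a second one.
        resp = send("PUT", f"{base}/{found['result'][0]['id']}", body)
    else:
        resp = send("POST", base, body)
    if not resp.get("success"):
        raise RuntimeError(f"record write failed: {resp.get('errors')}")
    return resp["result"]
```

The lookup-then-write pattern matters for devices that change IP: a second record for the same name would leave clients resolving to a stale address. The device-side allowlist from the fifth step is independent of this script; it must be built from Cloudflare's published ranges (https://www.cloudflare.com/ips-v4 and ips-v6) and refreshed when that list changes.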
Security Settings for IoT
1. Authenticate devices to your network
Using TLS client certificate authentication, Cloudflare validates that the client presents a certificate signed by the company's root CA when it establishes a TLS connection to Cloudflare. Because the certificate is validated on every connection, access is limited to authorized clients: a connection with no certificate, or with one signed by any other CA, is rejected at the edge before it reaches the device.
2. Authenticate Cloudflare to your network
Use Authenticated Origin Pulls to have Cloudflare present a client certificate to the origin server during the TLS handshake, so the origin can refuse any connection that does not carry Cloudflare's certificate. Without this, anyone who discovers the device's IP address can connect to it directly and bypass every control applied at the edge.
3. Rate limit password attempts
Prevent brute-force attempts to crack device passwords with rate limiting: apply a rule to the device's login endpoint so that repeated failed attempts from one client are blocked once a small threshold is exceeded.
4. Enable the Web Application Firewall
In the Firewall section of the Cloudflare dashboard, open the Web Application Firewall tab and switch it to ON.
For IoT, we suggest enabling the OWASP ruleset and rules in the Cloudflare ruleset that are relevant to the technologies you use.
Enable rules in simulate mode first: every request is still served normally (a 200 to the visitor), but requests that would otherwise have been blocked are logged for your review. Review these logs in the Traffic section of the dashboard, and switch a rule to block mode only once you are satisfied it does not match legitimate device traffic.
If you need a custom WAF rule, use the WAF Rule Request panel in the Firewall section of the dashboard.
If you want to limit connections to your devices by network, IP address or country, use IP access rules in the Firewall section of the dashboard.
Settings for Optimization and Battery Savings for IoT
Enable HTTP/2 for header compression and multiplexing, so devices transmit less data per request.
To reduce the data transferred for dynamic responses that change only partially between requests (for example, an API response whose JSON keys stay the same while the values change), install Railgun, which sends only the difference between the origin's response and the one the edge already holds.
If your hardware permits, enable TLS 1.3 for faster handshakes and 0-RTT session resumption. Data sent in 0-RTT early data can be replayed by an attacker who captured it, so devices should only send idempotent requests (such as status reads) before the handshake completes.
Settings for Firmware Updates
To ensure your firmware binaries are served from Cloudflare's cache, set a Page Rule with Cache Level: Cache Everything on the URL path where you serve firmware updates. Publish each release at a version-specific URL so a cached copy of an older image can never mask a new one, and have the device verify the image against a vendor-signed manifest before flashing it: the cache faithfully serves whatever bytes it was given, and TLS protects the transport, not the contents of the image.
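The device-side half of that arrangement, as an added example written for this page rather than code from Cloudflare or any vendor: a versioned URL scheme that cooperates with a Cache Everything rule, and a streaming verifier that checks a downloaded image against a release manifest before it is flashed. The hostname and path layout are assumptions, the sample image and manifest are constructed here so the code runs offline, and the manifest is assumed to have been authenticated by the device (for example, by checking a signature with the vendor's public key) before any field in it is trusted.

```python
import hashlib
import hmac

# Assumed location of the vendor's firmware images (not from the original page).
FIRMWARE_BASE = "https://firmware.suchconnecteddevices.com/images"
# Largest image the device will accept, so a bogus response cannot exhaust RAM or flash.
MAX_IMAGE_BYTES = 4 * 1024 * 1024


def firmware_url(product: str, version: int) -> str:
    """Version-stamped URL: with Cache Everything, the cache can never hand out a stale
    image because each release lives at a path no earlier release ever used."""
    return f"{FIRMWARE_BASE}/{product}/v{version}/{product}-v{version}.bin"


def verify_image(chunks, manifest: dict, installed_version: int) -> bytes:
    """Stream-verify a downloaded image and return it only if it matches the manifest.

    `manifest` is the vendor's release manifest for this product. The device must
    have verified the manifest's signature before calling this; nothing here can
    detect a forged manifest. Raises ValueError with the reason on any mismatch.
    """
    if manifest["version"] <= installed_version:
        raise ValueError("refusing rollback: manifest version is not newer than installed")
    if manifest["size"] > MAX_IMAGE_BYTES:
        raise ValueError("manifest declares an image larger than this device accepts")

    digest = hashlib.sha256()
    received = bytearray()
    for chunk in chunks:
        received += chunk
        if len(received) > manifest["size"]:
            # Stop reading as soon as the response exceeds what the manifest promised.
            raise ValueError("image longer than manifest size")
        digest.update(chunk)
    if len(received) != manifest["size"]:
        raise ValueError("image truncated")
    # Constant-time comparison of the hex digests.
    if not hmac.compare_digest(digest.hexdigest(), manifest["sha256"]):
        raise ValueError("sha256 mismatch: image is corrupt or was tampered with")
    return bytes(received)


# Constructed sample release, standing in for a real download and its signed manifest.
SAMPLE_IMAGE = b"\x7fELF" + bytes(range(256)) * 8
SAMPLE_MANIFEST = {
    "product": "thermostat",
    "version": 42,
    "size": len(SAMPLE_IMAGE),
    "sha256": hashlib.sha256(SAMPLE_IMAGE).hexdigest(),
}


def chunked(data: bytes, size: int = 512):
    """Yield `data` in fixed-size pieces, the way a socket read loop would deliver it."""
    for i in range(0, len(data), size):
        yield data[i:i + size]
```

The size check runs before the hash check on purpose: a constrained device should abandon an oversized download as soon as it exceeds the manifest, not after buffering the whole thing. The version comparison is what prevents an attacker from serving a cached, older but validly signed image to downgrade the device.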