IoT Security Design

Hi All,

I built an IoT solution on an Ubuntu'd 18.4.3 Raspberry Pi that I am currently piloting at a restaurant that is semi half-baked.

The long and short of it is there is an agent that operates on the edge devices and a server in the office lab that processes agent payloads over a RESTful Go API and into our database. Since I have to query and update our database, I felt that the DB transactions should be brokered and API calls should be served over a secured tunnel, so I employed an OpenSwan IKEv2 IPSec tunnel to securely relay API calls, as Go would need an interface IP that is external to consume messages on that IP. I tried opening the port on the firewall but to no avail. It works within the subnet.

The Agent and VPN tunnel initiator each have dedicated systemd service units that restart upon failure. The Agent is also configured to 'want' the VPN service before it starts.

However, therein lies the issue: my OpenSwan appliance will assign the same single IP to all clients, causing my IoT agent(s) to fail. Furthermore, `charon-cmd` doesn't exit due to an infinite CHILD_SA exchange, so the service hangs as active. Programmatically, I can instruct a reboot from within the agent if an API call would fail, as this would mean the tunnel failed.

When I advise any infosec policy, like database passwords need to be kept in the core, my most cost-effective solution is to host an EC2 HTTPS Go server so I can configure the proper interface IP without having to use a VPN tunnel. However, I lose remote management to the edge. This is going to suck, as I also lose any code pipeline ability to automate building on the edge since our GitLab is hosted internally. But passwords are also kept securely.

I'm probably over-engineering this, but if I can remotely manage the devices, then I don't need to develop an update service to check for possible updates.

For now, to retain operability, would anyone advise on hosting the server app locally on the device and eating a security risk of passwords exposed, since the device is physically accessible, until the VPN tunnel is fixed? Or does an EC2 instance and development around the edge make more sense?

submitted by /u/tht1kidd_
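
The failure handling the post describes (a failed API call taken as a failed tunnel), as an added example that is not part of the original post: it separates an HTTP error status, which proves the tunnel is up, from a transport failure, and signals recovery only after several consecutive transport failures. `Probe`, `Watchdog`, the timeout and the threshold are hypothetical names and values; the recovery action (the reboot the post mentions, or anything else) is left to the caller.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Health is the outcome of one API probe sent through the tunnel.
type Health int
const (
	Healthy    Health = iota // API answered with a 2xx status
	APIError                 // server reachable but request rejected: tunnel is fine
	TunnelDown               // no HTTP response at all (timeout, refused, no route)
)

// Probe issues one GET with the caller's client and classifies the result.
func Probe(c *http.Client, url string) Health {
	resp, err := c.Get(url)
	if err != nil {
		return TunnelDown
	}
	resp.Body.Close()
	if resp.StatusCode/100 == 2 {
		return Healthy
	}
	return APIError
}

// Watchdog reports true once Threshold consecutive probes saw TunnelDown.
type Watchdog struct{ Threshold, fails int }
func (w *Watchdog) Observe(h Health) bool {
	if h != TunnelDown {
		w.fails = 0
		return false
	}
	w.fails++
	return w.fails >= w.Threshold
}

func main() {
	// Constructed stand-in for the office API; closing it imitates a dead tunnel.
	srv := httptest.NewServer(http.NotFoundHandler())
	c, w := &http.Client{Timeout: 2 * time.Second}, &Watchdog{Threshold: 2}
	fmt.Println(w.Observe(Probe(c, srv.URL))) // 404 response: API error, tunnel is up
	srv.Close()
	fmt.Println(w.Observe(Probe(c, srv.URL)), w.Observe(Probe(c, srv.URL)))
}
```

The client timeout matters here: a tunnel that silently drops packets produces no error until the timeout fires, so a client without one would leave the agent waiting indefinitely.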

from Software Development – methodologies, techniques, and tools. Covering Agile, RUP, Waterfall + more! https://ift.tt/2nlYGg8
