What is MUD?
Manufacturer Usage Description (MUD) is an IETF-defined, embedded software standard that allows IoT device manufacturers to advertise device specifications, including the intended communication patterns of the device when it connects to the network. The network can then use this stated intent to author a context-specific access policy, so that the IoT device can function only within those parameters. In this way, MUD becomes the authoritative identifier and enforcer of policy for IoT devices on the network.
Manufacturer Usage Description consists of four components:
- A URL - Uniform Resource Locator, which is the address of a given unique page on the web;
- A MUD File - the file the URL points to;
- The MUD File Server - where the MUD file sits; and
- The MUD Manager - a new component that translates device manufacturer intent into specific instructions.
MUD Architecture
The MUD architecture enables IoT devices to operate only as intended by their manufacturers. It does this by providing a standard way for manufacturers to specify the network communications that each device requires to perform its intended function. When MUD is used, the network automatically permits the IoT device to send and receive only this required traffic. Even when an IoT device is compromised, MUD prevents it from being used in any cyberattack that would require the device to communicate with an unauthorized destination.
How Does MUD Work?
First, an IoT device emits its pre-embedded MUD-URL to the network, where it is received by the MUD controller (software). The controller then retrieves the MUD File matching that MUD-URL from the MUD File Server, translates it into the network's policy format, and enforces the resulting access control list for the device.
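The translation step described above, as an added example that is not part of the original article or of any vendor's implementation: a constructed MUD file in the RFC 8520 JSON layout (the sensor, host names and URL are placeholders) is flattened by a minimal MUD-manager routine into allow rules, closed by the default deny that makes MUD an allow-list.

```python
import json

# Constructed MUD file in the RFC 8520 JSON layout (not any vendor's real file): a sensor
# that may only reach its vendor's telemetry host on TCP/443 and a DNS controller.
SAMPLE_MUD_FILE = json.dumps({
    "ietf-mud:mud": {
        "mud-version": 1, "mud-url": "https://mud.example.com/sensor-v1.json",
        "last-update": "2024-01-01T00:00:00+00:00", "cache-validity": 48, "is-supported": True,
        "systeminfo": "Example sensor (constructed)",
        "from-device-policy": {"access-lists": {"access-list": [{"name": "sensor-from"}]}},
        "to-device-policy": {"access-lists": {"access-list": [{"name": "sensor-to"}]}}},
    "ietf-access-control-list:acls": {"acl": [
        {"name": "sensor-from", "type": "ipv4-acl-type", "aces": {"ace": [
            {"name": "cloud-out", "actions": {"forwarding": "accept"}, "matches": {
                "ipv4": {"ietf-acldns:dst-dnsname": "telemetry.example.com", "protocol": 6},
                "tcp": {"ietf-mud:direction-initiated": "from-device",
                        "destination-port": {"operator": "eq", "port": 443}}}},
            {"name": "dns-out", "actions": {"forwarding": "accept"}, "matches": {
                "ietf-mud:mud": {"controller": "urn:ietf:params:mud:dns"}, "ipv4": {"protocol": 17},
                "udp": {"destination-port": {"operator": "eq", "port": 53}}}}]}},
        {"name": "sensor-to", "type": "ipv4-acl-type", "aces": {"ace": [
            {"name": "cloud-in", "actions": {"forwarding": "accept"}, "matches": {
                "ipv4": {"ietf-acldns:src-dnsname": "telemetry.example.com", "protocol": 6},
                "tcp": {"ietf-mud:direction-initiated": "from-device",
                        "source-port": {"operator": "eq", "port": 443}}}}]}}]}})


def mud_to_policy(mud_json: str) -> list:
    """Flatten a MUD file into allow rules and close with a default deny (the MUD manager's step)."""
    doc = json.loads(mud_json)
    mud = doc["ietf-mud:mud"]
    acls = {a["name"]: a for a in doc["ietf-access-control-list:acls"]["acl"]}
    rules = []
    for direction in ("from-device", "to-device"):
        for ref in mud[direction + "-policy"]["access-lists"]["access-list"]:
            for ace in acls[ref["name"]]["aces"]["ace"]:  # KeyError if a referenced ACL is absent
                m = ace["matches"]
                ip = m.get("ipv4") or m.get("ipv6") or {}
                mud_match = m.get("ietf-mud:mud", {})
                # Peer is the remote side: dst name when leaving the device, src name when arriving.
                peer = (ip.get("ietf-acldns:dst-dnsname") or ip.get("ietf-acldns:src-dnsname")
                        or mud_match.get("controller")
                        or ("local-networks" if "local-networks" in mud_match else "any"))
                l4 = m.get("tcp") or m.get("udp") or {}
                port = (l4.get("destination-port") or l4.get("source-port") or {}).get("port")
                rules.append({"direction": direction, "peer": peer, "protocol": ip.get("protocol"),
                              "port": port, "action": ace["actions"]["forwarding"]})
    # MUD is an allow-list: traffic the manufacturer did not describe is dropped.
    rules.append({"direction": "both", "peer": "any", "protocol": None, "port": None, "action": "drop"})
    return rules
```

A real MUD manager would also resolve the DNS names and controller abstractions to addresses for the specific network before pushing the rules to the access point.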
Benefits of MUD
Manufacturers and customers are the two main stakeholders in the MUD ecosystem, and MUD provides different benefits for each. Benefits to manufacturers include:
- Improved customer satisfaction and adoption due to reduced operational costs and security risks;
- Enhanced device security through a standards-based onboarding procedure;
- Differentiated device offerings with an embedded, network-based device security feature; and
- Reduced product support costs to customers by following an easy-to-implement and straightforward process.
MUD provides a standard method for manufacturers to specify device identity and the recommended communication patterns for that device type. To put it simply, the device's manufacturer can embed a URL into the device itself, which is then picked up by a core MUD process when the device first connects to a network. Based on this URL, the MUD process classifies the device and collects its recommended communication patterns from an internet-available MUD File Server that the URL points to. The resulting abstracted policy is then applied to the access point that the specific IoT device is connected to.
Benefits to customers are:
- Automated IoT device type identification that reduces operational costs;
- Simplified and scaled IoT device access management by automating the policy enforcement process;
- Reduced threat surface across the exploding number of IoT devices, by regulating their traffic and thereby avoiding lateral infections; and
- A more secure network through a standards-based approach.
Finally, if you're interested in exploring the power of MUD in your IoT projects, GlobalPlatform recently introduced a MUD File Service, which is available as a free beta service. This service helps IoT device manufacturers publish, in a single location, the MUD file library associated with their products, simplifying access from the networks hosting these devices.
Imagine how many great things you could do if you coupled this technology with the FIDO Device Onboarding protocol to increase automation and security during IoT device onboarding.
If you wish to learn more about MUD and how to use it smartly to enhance your IoT architecture, get in touch with specialized experts.