Introduction
Check Point Quantum IoT Protect Nano Agent is a lightweight software solution that delivers advanced security controls to safeguard IoT devices against cyber threats. Designed for embedded systems, it can operate as a standalone solution or be managed via Check Point Cloud. Device manufacturers can seamlessly integrate it into their products with minimal code modifications. With its low resource requirements, it acts as the first line of defense for securing IoT devices.
Operation Mode
IoT Nano Agent supports the following deployment modes:
- Standalone mode
- Managed through the Quantum IoT Protect application in the Check Point Infinity Portal
IoT Nano Agent Security Features
Access Control
Prerequisites
To configure Network Access Control, the device must have one of these:
- Linux iptables
- Linux nftables
Overview
Network Access Control defines the policy for traffic entering and leaving the device. The policy can be predefined by the vendor or configured by the end user. Check Point provides a web service, running on the device, through which access rules are configured in JSON format. A rule names an IP address, a network prefix, or a domain as the source or destination and states whether that peer is allowed or blocked from communicating with the device. The rules are enforced by the iptables or nftables installation listed under Prerequisites.
For more information, see IoT Access Control Service.
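The page does not show the JSON rule format or how rules become packet-filter entries. The following is an added example, not Check Point's code: it assumes a hypothetical JSON layout (a default verdict per direction plus an ordered rule list) and renders it as an nftables ruleset, expanding IP, CIDR and domain endpoints. The domain resolver is a constructed in-memory table so the example runs offline; the policy and addresses are constructed sample data.

```python
"""Render an nftables ruleset from a JSON access-control policy.

Added example, not Check Point's code: the JSON layout (default verdicts
per direction plus an ordered rule list) is an assumption made for
illustration, not the Nano Agent access control service's real schema.
"""
import ipaddress
import json

# Constructed sample policy in the assumed layout.
SAMPLE_POLICY = json.dumps({
    "default": {"inbound": "block", "outbound": "allow"},
    "rules": [
        {"direction": "inbound", "source": "192.0.2.10", "action": "allow"},
        {"direction": "inbound", "source": "198.51.100.0/24", "action": "allow"},
        {"direction": "outbound", "destination": "updates.example.net", "action": "allow"},
        {"direction": "outbound", "destination": "203.0.113.0/24", "action": "block"},
    ],
})

# Constructed resolver so the example runs offline. A real deployment resolves
# names at rule-generation time and must regenerate when DNS answers change:
# a domain rule is only as current as its last lookup.
FAKE_DNS = {"updates.example.net": ["203.0.113.5", "203.0.113.6"]}

VERDICTS = {"allow": "accept", "block": "drop"}
DIRECTIONS = {
    # direction -> (chain name, hook, JSON key, nft match expression)
    "inbound": ("input", "input", "source", "ip saddr"),
    "outbound": ("output", "output", "destination", "ip daddr"),
}


def expand_endpoint(endpoint, resolver):
    """Turn an IP, CIDR prefix, or domain name into a list of nft address strings."""
    try:
        return [str(ipaddress.ip_network(endpoint, strict=False))]
    except ValueError:
        pass  # not an address or prefix; treat it as a domain name
    addresses = resolver(endpoint)
    if not addresses:
        raise ValueError(f"cannot resolve domain {endpoint!r}")
    return [str(ipaddress.ip_network(a)) for a in addresses]


def render_nft(policy_json, resolver=FAKE_DNS.get):
    """Return nft(8) ruleset text; rules are emitted in policy order (first match wins)."""
    policy = json.loads(policy_json)
    lines = ["table inet iot_nac {"]
    for direction, (chain, hook, key, match) in DIRECTIONS.items():
        default = policy["default"][direction]
        if default not in VERDICTS:
            raise ValueError(f"unknown default action {default!r}")
        lines.append(f"  chain {chain} {{")
        lines.append(f"    type filter hook {hook} priority 0; policy {VERDICTS[default]};")
        # Replies to connections already allowed, and loopback traffic, stay open.
        lines.append("    ct state established,related accept")
        if chain == "input":
            lines.append("    iif lo accept")
        for rule in policy["rules"]:
            if rule["direction"] != direction:
                continue
            if rule["action"] not in VERDICTS:
                raise ValueError(f"unknown action {rule['action']!r}")
            for addr in expand_endpoint(rule[key], resolver):
                lines.append(f"    {match} {addr} {VERDICTS[rule['action']]}")
        lines.append("  }")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nft(SAMPLE_POLICY))
```

Two points worth checking in any real rule set: rule order matters (in the sample, the domain allow precedes the block of the /24 that contains its addresses, so first match lets it through), and a rule that names a domain silently depends on whatever DNS returned when the ruleset was generated, so the generator refuses unresolvable names rather than emitting an empty rule.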
Login Protection
IoT Nano Agent protects against unauthorized access to the device. It blocks automated brute-force login attacks, one of the major attack vectors against IoT devices. The same mechanism also mitigates (distributed) denial-of-service attacks aimed at the login interface: it identifies floods of repeated login requests and blocks them. Login Protection covers web and SSH logins.
For more information, see IoT Embedded Configuration Service.
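The page describes the detection idea (many login requests from one source in a short time) without showing it. The following added example, not Nano Agent code, implements a sliding-window brute-force detector over constructed sshd-style and web-login log lines; the log formats, thresholds and block duration are assumptions made for illustration. It also shows the limit of a short window against a low-and-slow attacker.

```python
"""Sliding-window detector for brute-force logins over sample log lines.

Added example, not Nano Agent code. The log formats, thresholds and block
duration are assumptions made for illustration.
"""
import re
from collections import defaultdict, deque

# Constructed sample log: epoch timestamp, then an sshd-style or web-login event.
SAMPLE_LOG = """\
1700000000 sshd: Failed password for root from 203.0.113.9 port 51000 ssh2
1700000003 sshd: Failed password for admin from 203.0.113.9 port 51002 ssh2
1700000006 sshd: Failed password for invalid user pi from 203.0.113.9 port 51004 ssh2
1700000007 sshd: Accepted password for operator from 192.0.2.20 port 40000 ssh2
1700000009 sshd: Failed password for root from 203.0.113.9 port 51006 ssh2
1700000012 sshd: Failed password for root from 203.0.113.9 port 51008 ssh2
1700000100 web: login failed user=admin src=198.51.100.7
1700000500 web: login failed user=admin src=198.51.100.7
1700000900 web: login failed user=admin src=198.51.100.7
"""

FAILURE_RE = re.compile(
    r"^(?P<ts>\d+) (?:"
    r"sshd: Failed password for (?:invalid user )?(?P<suser>\S+) from (?P<sip>[\d.]+)"
    r"|web: login failed user=(?P<wuser>\S+) src=(?P<wip>[\d.]+))"
)


def parse_failure(line):
    """Return (timestamp, user, source_ip) for a failed login, else None."""
    m = FAILURE_RE.match(line)
    if not m:
        return None
    return int(m["ts"]), m["suser"] or m["wuser"], m["sip"] or m["wip"]


class BruteForceDetector:
    def __init__(self, max_failures=5, window_seconds=60, block_seconds=600):
        self.max_failures = max_failures
        self.window = window_seconds
        self.block_seconds = block_seconds
        self.failures = defaultdict(deque)  # source ip -> timestamps of recent failures
        self.blocked_until = {}             # source ip -> epoch at which the block expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        return until is not None and now < until

    def observe(self, ts, ip):
        """Record one failed login; return True if this pushes ip over the threshold."""
        if self.is_blocked(ip, ts):
            return False  # already blocked; the request never reaches the login handler
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()  # drop failures older than the window
        if len(recent) >= self.max_failures:
            self.blocked_until[ip] = ts + self.block_seconds
            recent.clear()
            return True
        return False


def process_log(text, **detector_args):
    """Run the detector over log text; return ([(ts, ip) blocked], detector)."""
    det = BruteForceDetector(**detector_args)
    blocks = []
    for line in text.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue  # successful logins and unrelated lines are ignored
        ts, _user, ip = parsed
        if det.observe(ts, ip):
            blocks.append((ts, ip))
    return blocks, det


if __name__ == "__main__":
    print(process_log(SAMPLE_LOG)[0])
    print(process_log(SAMPLE_LOG, max_failures=3, window_seconds=3600)[0])
```

With the defaults (5 failures in 60 seconds) only the fast SSH attacker is blocked; the web client that fails once every few minutes stays under the threshold. Catching that pattern takes a longer window, or a second counter keyed by account rather than by source so that spraying one account from many addresses is also seen.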
Workload Protection (WLP) and Hardening
Workload protection:
- Safeguards the processes, applications, and services running on the IoT device.
- Ensures the integrity, confidentiality, and availability of those workloads.
- Prevents attacks such as bot infections, memory exploitation, remote command execution, and persistence on the device.
IoT Nano Agent monitors system commands, memory allocation, and disk operations to detect and prevent attacks at runtime. It provides Workload Protection with these plugins:
Plugin | Description
---|---
Command Injection Protection | Monitors all shell commands executed by protected processes and analyzes them for malicious input, to prevent system exploitation and device compromise.
File Monitor | Prevents files from being added to or modified in the file system. It protects executables, scripts, and configuration files, and preserves trust in the file system's contents.
Import-Table Protection ¹ | An import table is a function-pointer table a program uses to call functions in shared libraries. This plugin ensures attackers cannot tamper with these import tables.
Dynamic-Memory Protection ¹ | Monitors dynamic memory allocations and writes to prevent exploitation by malicious actors. Available only on request.
(Optional) Control-Flow Integrity (CFI) ¹ | Monitors the program's control flow at runtime and enforces that it follows only the intended paths.
¹ Supported for compiled C/C++ binaries.
For more information on the WLP configuration file, see Workload Protection (WLP) Configuration File.
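The table says Command Injection Protection analyzes shell commands for malicious input but not what that analysis looks for. The following added example, not Nano Agent code, shows the kind of check such a monitor applies to a command line before the process hands it to /bin/sh: it tokenizes the command with shell quoting rules and flags control operators and substitution syntax that a legitimate invocation would not contain. Next to it is the naive string-building that makes such commands exploitable and the argv-based alternative that needs no shell at all. The ping helper, its inputs and the callback-based executor are constructed for illustration.

```python
"""Detect injected shell syntax in a command line before it reaches /bin/sh.

Added example, not Nano Agent code. The ping helper and the callback-based
executor are constructed for illustration.
"""
import ipaddress
import re
import shlex

PUNCTUATION = "();<>|&"                       # shlex's control-operator characters
SUBSTITUTION_RE = re.compile(r"\$\(|`|\$\{")  # $(...), backticks, ${...}


def find_injection(command):
    """Return the reasons a command line looks injected (empty list if clean)."""
    reasons = []
    if SUBSTITUTION_RE.search(command):
        reasons.append("command or variable substitution")
    try:
        # posix=True makes quoting count: a ';' inside quotes is data, not an operator.
        tokens = list(shlex.shlex(command, posix=True, punctuation_chars=True))
    except ValueError as exc:  # unbalanced quotes: the shell would not run it cleanly either
        return reasons + [f"unparseable: {exc}"]
    operators = [t for t in tokens if t and all(c in PUNCTUATION for c in t)]
    if operators:
        reasons.append("control operators: " + " ".join(operators))
    return reasons


def vulnerable_ping_command(host):
    """The pattern the monitor exists for: untrusted input glued into a shell string."""
    return f"ping -c 1 {host}"


def hardened_ping_argv(host):
    """Validate the input and return an argv list, so no shell ever parses it."""
    ipaddress.ip_address(host)  # raises ValueError for anything but a literal IP address
    return ["ping", "-c", "1", host]


def check_and_run(host, execute):
    """Simulated protected exec: refuse the command if the monitor flags it.

    `execute` is a callback that receives the command string, so the example
    never spawns a real process.
    """
    command = vulnerable_ping_command(host)
    reasons = find_injection(command)
    if reasons:
        return {"executed": False, "reasons": reasons}
    execute(command)
    return {"executed": True, "reasons": []}


if __name__ == "__main__":
    for host in ("192.0.2.10", "192.0.2.10; cat /etc/shadow", "$(reboot)"):
        print(host, "->", check_and_run(host, lambda cmd: None))
```

The monitor is a safety net for code that already builds shell strings; the argv form removes the problem instead of detecting it, which is why the hardened helper validates and returns a list rather than a string.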
Privacy and User Data Protection
IoT devices hold sensitive information such as user data, footage, telemetry, and configuration. Check Point Quantum IoT Protect Nano Agent ensures that confidential data is stored securely and protects it from unauthorized access or use. It manages the cryptographic measures applied to stored data and enforces secure access to it, so the encrypted data remains unreadable to anyone without the corresponding key.