Last month, I presented a webinar on the Internet of Things and I want to share the highlight of my presentation with you. The Internet of Things (IoT), I said, is rapidly moving from a futuristic vision to a real-world concern for network managers and administrators.
To use just my home as an example, my thermostat and smoke alarm need to connect through the Internet to Nest so that I can turn my heat or air conditioning off when I inevitably forget to do so before leaving the house. My digital video recorder needs to talk to TiVo to make sure I’ve paid my monthly bill, to see whether I want to record anything new, and to download new TV schedules and code. And my car—even my car!—wants to create a VPN back to the manufacturer to download updates.
The sorts of “things” enterprises are deploying boast an even wider variety of access requirements: security systems monitored by third parties, cafeteria cash registers uploading sales data to concessionaires, and remotely managed HVAC systems.
Last year, Infoblox commissioned a survey of network managers and administrators on the Internet of Things. Our suspicion was that enterprises were already introducing these non-traditional devices to their networks, and we wondered where and how they were connecting them.
Well, our suspicions were confirmed: We learned that businesses certainly are connecting things to their networks—a whopping 75 percent of those surveyed reported adding things in the general category of “office equipment” to their networks, and 70 percent said they’d added “security” things.
One finding of the survey that I found alarming, though, was the tendency to connect these things to guest wireless networks: 46 percent of respondents said they were simply connecting devices to their existing corporate networks, and follow-up in-person conversations revealed that for many of them this meant the guest wireless network. On the one hand, the trend is understandable: Many of these devices support 802.11 wireless, and many also require connectivity to the Internet to work. Guest wireless networks provide both.
But in many ways, guest wireless networks are unsuitable for IoT devices. Beyond Internet connectivity, some devices need access to internal resources. A security thing such as a badge reader, for example, might need to reach a domain controller to authenticate users, and permitting that will probably mean poking a hole or two in your firewall. A rule written for the badge reader is, in practice, a rule written for the guest subnet: guest devices draw their addresses from the same pool, and the firewall can't tell a badge reader from a visitor's laptop. You probably don't want just any old device on your guest wireless network talking to a domain controller.
Guest wireless networks are, after all, used by a wide variety of users and devices, and by definition most of those users aren't employees (who presumably have access to your production wireless network). An attacker who knows you use a particular type of thing, and knows that kind of device requires access to an internal server, has a reason to go looking for the path you opened through your firewall. Even if no firewall reconfiguration is necessary, other questions remain. Are you sure the traffic your things send back to home base is encrypted? On an open or shared-password guest network, anyone else on it can capture that traffic. Does that traffic need prioritization? What effect would a misbehaving guest device have on your wireless network, and therefore on your things' ability to phone home?
The alternative, though it may sound onerous, is to create separate logical or physical networks (dedicated VLANs or SSIDs, for instance) for Internet of Things devices and their traffic. These networks can enforce different authentication requirements from guest wireless networks (802.1X or MAC-based admission rather than a shared guest password, for example) and can meet the access and prioritization requirements of IoT devices. Unfortunately, our survey showed that only 30 percent of respondents planned to implement separate IoT networks.
This gets trickier when different species of devices have very different access requirements and can't easily or securely share a network. For example, a third party might require remote access to one type of thing, while another type of device might need to talk to an internal database server to function, and you might not trust the third party with access to that database server. How you handle that scenario is up to you, but you might consider creating separate Internet of Things networks based on patterns of access: things that only need to reach the Internet, things that need access to internal resources, things that third parties on the Internet need to reach, and so on. Each network then gets a firewall policy that matches its pattern and nothing more.
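To make the access-pattern split concrete, here is an nftables forwarding policy with one VLAN per pattern: things that only need the Internet, things that need an internal resource (the badge reader and domain controller from above), and things a third party on the Internet must reach. It is added here as an illustration; it is not from the original post and is not anything Infoblox ships. Every address, VLAN interface name, port number and vendor range in it is an assumption, chosen for the example.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the original post. One forwarding policy per IoT
# access pattern. All addresses, interface names and ports are assumptions.
#
#   vlan110  things that only need the Internet (thermostats, DVR-style boxes)
#   vlan120  things that need an internal resource (badge readers -> domain controller)
#   vlan130  things a third party on the Internet must reach (monitored security system)
#   vlan200  guest wireless, shown for comparison
#   eth0     upstream / Internet

define RFC1918       = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
define BADGE_READERS = { 10.120.0.10, 10.120.0.11 }   # assumed reader addresses
define DOMAIN_CTRL   = 10.1.0.5                        # assumed domain controller
define DC_TCP_PORTS  = { 88, 389, 636, 445 }           # Kerberos, LDAP, LDAPS, SMB
define VENDOR_NOC    = 203.0.113.0/24                  # assumed vendor range (TEST-NET-3)
define MONITORED_SYS = 10.130.0.20                     # assumed vendor-managed panel
define RESOLVER      = 10.1.0.53                       # assumed internal resolver

table inet iot_segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows already permitted below.
        ct state established,related accept
        ct state invalid drop

        # Every IoT VLAN may resolve names, but only through our resolver.
        iifname { "vlan110", "vlan120", "vlan130" } ip daddr $RESOLVER udp dport 53 accept
        iifname { "vlan110", "vlan120", "vlan130" } ip daddr $RESOLVER tcp dport 53 accept

        # Pattern 1: Internet only. Anything bound for private address space falls
        # through to the drop policy.
        iifname "vlan110" oifname "eth0" ip daddr != $RFC1918 accept

        # Pattern 2: internal access, narrowed to the named readers, the named
        # server and the named ports. The rest of vlan120 gets nothing internal.
        iifname "vlan120" ip saddr $BADGE_READERS ip daddr $DOMAIN_CTRL tcp dport $DC_TCP_PORTS accept
        iifname "vlan120" ip saddr $BADGE_READERS ip daddr $DOMAIN_CTRL udp dport 88 accept

        # Pattern 3: the third party must reach the panel, but the panel's VLAN
        # has no rule toward private address space, so it never reaches inside.
        iifname "eth0" oifname "vlan130" ip saddr $VENDOR_NOC ip daddr $MONITORED_SYS tcp dport 443 accept
        iifname "vlan130" oifname "eth0" ip daddr != $RFC1918 accept

        # Guest wireless: Internet only. No rule here or above gives it a path to
        # the IoT VLANs or the domain controller.
        iifname "vlan200" oifname "eth0" ip daddr != $RFC1918 accept

        # Anything that falls through is logged (rate limited so a chatty device
        # cannot fill the log) and then dropped by the chain policy. Note that
        # IPv6 has no rules in this chain and is therefore dropped as well.
        limit rate 5/second log prefix "iot-seg drop: "
    }
}
```

Load it with `nft -f` and inspect it with `nft list ruleset`. Two points are worth noticing. The domain-controller permit in vlan120 is narrowed to named reader addresses and ports, which is only meaningful because you control address assignment on that VLAN; on a guest network, where any device can draw the same address from the DHCP pool, such a rule is effectively a permit for the whole subnet. And vlan130, the VLAN the vendor can reach, has no rule to anything in private address space, so a compromised or mishandled vendor account gets no further than the device it is meant to manage. The final log line is what tells you a thing is trying to talk to something its pattern doesn't allow.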
Providing appropriate network access to the things on your network is far from the only security challenge you'll face as you deploy the Internet of Things; there are also the limited security features of some things, and the need to manage them and keep them updated. But at least you can use the networking tools you already have to address this one.