The Network: Are You Safe From An IoT Device Hack?
As we’ve discussed so far, while IoT is clearly well on its way to ubiquity, there’s a lot to consider in deploying IoT solutions, especially with respect to security. We’ve previously discussed why basic security requirements and good practices also directly apply to IoT, and that IoT must fit into existing operational frameworks, with configuration a special concern at present.
This time we’ll look at what can be done on the network-infrastructure side to ensure that IoT is productive without endangering security.
Most network operations professionals have already put good security solutions in place, with the proviso that such is an ongoing process and not a static goal. Given that the I in IoT stands for Internet, common, proven, and effective Internet security techniques are therefore completely applicable to IoT – assuming the IoT devices in question include the necessary technologies and features.
But given that IoT evolution and security itself are still moving targets, networks require a degree of adaptability that has not historically, anyway, been common. Good news, though: the recent development of software-defined networking (SDN) and especially the software-defined LAN (SD-LAN) is changing this situation, and just in time for the rise of IoT.
As we’ve previously discussed, SD-LAN is an architectural strategy and set of capabilities that enable networks to grow, change, and adapt quickly and dynamically to new opportunities, like IoT, and new challenges, like IoT security. Here are a few examples of the strategic fit between SD-LAN and IoT:
- Device enabling – Unauthorized (blacklisted and/or not whitelisted) devices simply won’t be able to forward traffic or otherwise interact with the network. Unusual behaviors or traffic patterns will automatically trigger responses that neutralize threats before they can cause any harm at all.
- Private pre-shared keys – Rather than having a single security key per SSID, this technique enables multiple security keys deployed at the group, user, or even individual-device level. This makes it easy to revoke access should a given IoT device, um, misbehave.
- Policy-based adaptive firewalls – Firewalls and IDS/IPS capabilities can play a critical role in all aspects of security, and IoT presents no exception here. Using policy definition and implementation to control these elements adds the additional flexibility required to deal with changing operating conditions, including new threats, efficiently and effectively.
- Management integration – Recent advances in management systems, most notably with respect to application visibility and control (AVC), audit, and analytics provide the productivity boosts that perpetually-overburdened IT and network operations staffs need to keep up with the explosion of demand in IoT and elsewhere. Remember, not all IoT devices will be simple switches and lights. Some will generate time-bounded and even mission-critical traffic, and the additional volume of applications and overall traffic could become overwhelming without appropriate management-systems support. And, as we noted last time, management capabilities must include IoT device configuration – and SD-LAN will most certainly ease the arrival of this advance.
- Bandwidth management – Speaking of traffic, SD-LAN techniques can also aid in detecting DoS attacks (and, of course, much more) via deep-packet inspection and other techniques, with granular fine-tuning as required.
With respect to authentication, note that the wide variety of techniques embodied under 802.1X can address a similarly-wide range of IoT security implementations, although low-level OS support within IoT devices will be required (and is clearly desirable regardless).
Other more traditional capabilities such as secure boot, low-level hardware protection mechanisms found in many contemporary microprocessors, hardware data encryption support, mutual authentication, and more are all useful in addressing the IoT security challenge.
Again, there’s really no difference in security requirements from any other class of Internet-connected devices and services.
While we’ve outlined a good number of security requirements for the client-device side, there’s still plenty that infrastructure can do to ease the integration and utilization of secure IoT capabilities. Security, like so many other elements of networking and even IT overall, is becoming much more software-defined - and all aspects of security, including and perhaps even especially those related to IoT, will continue to benefit from this new and essential strategy.All Posts In This Series: