Aerohive Extends SD-LAN to IoT

The Internet of Things (IoT) is a wonderful development. Thanks to IoT mania we have smart buildings, smart cars, smart appliances... smart anything you can think up. Over the next five years we will literally see billions of new devices connected to our networks, allowing us to work, live, and learn in ways previously unimaginable. IoT makes everyone's life better -- unless you're a network manager.

A recent ZK Research survey found that 50% of network professionals have little to no confidence that they know all of the IoT devices connected to their company networks. I suspect many of the other 50% think they know what devices are network-attached, but actually don't. Why is this? While IT runs the network, the operational technology (OT) group handles IoT endpoint deployment (see related post, "Don't Leave IoT to IT").

Security is another challenge for network managers with respect to IoT. The 2016 ZK Research Network Purchase Intention Study found that security remains the single biggest inhibitor to broader IoT adoption. Since everything is connected in an IoT world, a breach of an IoT environment could lead to the hacking of many other systems. Adding to this concern is that many IoT devices were never meant to be part of a bigger network so can be easy to hack -- they have no inherit on-board security capabilities. This security challenge, combined with not knowing what devices are on the network, creates a real nightmare for network managers -- a grim reminder of which we saw in recent Mirai IoT distributed denial-of-service (DDoS) attack, which impacted millions of users by hacking IoT devices. This attack showed how vulnerable the entire "thing" ecosystem is.

Security at the Edge
Aerohive Networks, an open mobility platform vendor, is looking to help network managers address this problem with an IoT security solution for Wi-Fi and wired networks. Last week the company announced that it has extended its "software-defined LAN" (SD-LAN) solution to help network managers better deal with and secure IoT devices using private pre-shared key (PPSK) authentication, application visibility, and control and management through a cloud portal. By integrating the security into the edge of the network (access point or edge switch), network managers can apply IoT security at the first point of contact with the company network.

Many IoT devices don't support 802.1X, instead relying on passwords shared across multiple devices, making onboarding easy but opening the door to the possibility of massive breaches, like Mirai. Aerohive's PPSK implementation enables secure IoT authentication by leveraging the benefits of 802.1X-based network access control without the downside associated with certificate authentication or specialized client configurations. PPSK creates and revokes thousands of unique keys for devices on the same SSID, effectively giving each device an individual password. This allows each device to be uniquely identified and secured, and prevents devices from joining the network without the knowledge of the network operations team.

Deep packet inspection (DPI) at the edge of the network enables the SD-LAN solution to prioritize and isolate IoT traffic. And, should a breach occur, the DPI mechanism will throttle the bandwidth or quarantine the device to contain the incident from impacting the broader network. Consider a WiFi-connected thermostat. These use very little bandwidth, so if the device was compromised with something like a DDoS attack, the flood of traffic would indicate that something was wrong. The thermostat could be isolated for further inspection and no harm would be done.

Contextual access policies help enhance security. Network managers can set granular policies, by user or device, and place controls to limit what systems a device can access, by time of day and location, and on VLAN containment, application rights, and bandwidth usage. Companies could set a policy that enables IoT devices to only talk to other IoT devices, so a hijacked device can't be used to go infiltrate other parts of the network.

Management Via the Cloud
What's more, network managers can centrally manage the entire network of wireless access points and wired switches through Aerohive's cloud-based HiveManager NG network management system. From the HiveManager NG cloud portal, administrators can create, deploy, and monitor policies. This management tool takes a bit longer to learn than some competitive products I've used, but the depth of configuration capabilities is the best among them. Every vendor's products allow for basic functions like setting up of guest networks and naming SSIDs, but HiveManager NG goes far beyond that by enabling network managers to perform any management task from the portal instead from a command line.

IoT is coming, and fast. In its press release, Aerohive stated that that by 2020 more than 25 billion IoT devices will be accessing networks. I believe this number to be low. Once the momentum starts, the ramp-up will be very fast -- and my estimate is for at least twice as many IoT endpoints. The IoT impact will be far bigger than was the Internet's, and the security stakes are so much higher. Security needs to shift to the edge of the network for protection at the point of entry.

In addition, automation is an absolute must today. I know the "A" word often gives network executives the heebie-jeebies, as automation takes control out of the hands of the engineers. But no one, no matter how fast on the keyboard, can work at digital speeds. Hackers automate the spread of malware, and we need to fight fire with fire by automating security processes. With automated discovery and quarantining, Aerohive's SD-LAN technology can help ease concerns that a breach might take down the corporate network as the company moves forward with IoT.

Follow Zeus Kerravala on Twitter and Google+!
@zkerravala
Zeus Kerravala on Google+