Bringing in IoT, Caution Applied
Internet of Things devices are proliferating on networks like bunnies, leaving network managers scrambling to head off potential disruptions due to exploits against these devices, as I mentioned in last week's post, "IoT Spells Opportunity... or Risk".
Every organization is different, and so are its needs; each business unit must assess which solution is best for it.
Web filters are popular with companies that want statistics on traffic volume and insight on where their employees spend their time online. However, these appliances can create issues for premises gear, especially for devices that must communicate with the cloud. In such cases, organizations can write rules that make exceptions for these devices.
Additionally, Web filters have a limited amount of memory and processing power, as is also true of firewalls deployed with content filtering subscriptions, gateway security, denial-of-service prevention, and other security features. These appliances must be sized with the additional traffic that IoT devices bring to the network in mind.
Not all of these devices run on the wired infrastructure; the wireless ones add a layer of demand to the WLAN. Separating traffic with VLANs, and defining rules for the inter-VLAN communication that is actually required, will help minimize issues.
This added traffic might suffer in some locations, especially if an organization hasn't prepared a heat map and hasn't done its due diligence in optimizing the placement of wireless access points (WAPs). An organization also must test, and re-test, to determine whether consistent coverage is available for all devices, especially those located in ceilings, closets, and other out-of-the-way or out-of-sight spots. Re-testing goes hand in hand with adjusting power levels, and even with adding or removing WAPs.
On the switching infrastructure, network managers may enable port security to limit the number of MAC addresses allowed on a port. However, this often becomes problematic when managing mechanical systems such as chiller plants and automated building controls. These systems, deep within the building infrastructure, are often interconnected with some cabling and unmanaged switches, but they always need at least one LAN switch port to allow access via a Web page or remote access over a VPN. When that gear is connected to switch ports with port security enabled at its defaults, the numerous MAC addresses associated with the management systems get blocked pretty quickly and knock out system visibility for the building engineers.
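The port-security and VLAN points above, as an added configuration example that is not from the original post: the default port-security settings that err-disable the BMS uplink as soon as a second MAC address appears, beside a port sized for the gear behind it and an ACL that states the inter-VLAN rules explicitly. The interface name, VLAN numbers, addresses and the MAC count of 12 are assumed values for illustration.

```cisco
! --- Before: default port security on the BMS uplink (assumed port Gi1/0/10) ---
interface GigabitEthernet1/0/10
 description Chiller plant BMS (unmanaged switch behind this port)
 switchport mode access
 switchport access vlan 120
 switchport port-security
 ! defaults apply: maximum 1 MAC, violation shutdown -> port err-disables on the 2nd MAC
!
! --- After: maximum sized for the controllers behind the port, restrict instead of shutdown ---
interface GigabitEthernet1/0/10
 description Chiller plant BMS (unmanaged switch behind this port)
 switchport mode access
 switchport access vlan 120
 switchport port-security
 switchport port-security maximum 12
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
! --- Keep building controls in their own VLAN and write the inter-VLAN rules down ---
vlan 120
 name BUILDING-CONTROLS
!
ip access-list extended BMS-VLAN-IN
 remark replies to engineers' workstations (assumed 10.10.0.0/24) browsing the BMS web pages
 permit tcp 10.120.0.0 0.0.0.255 eq 443 10.10.0.0 0.0.0.255 established
 remark BMS gear resolves names and syncs time only with the internal servers
 permit udp 10.120.0.0 0.0.0.255 host 10.10.0.53 eq domain
 permit udp 10.120.0.0 0.0.0.255 host 10.10.0.123 eq ntp
 remark nothing else from the BMS VLAN into the corporate ranges, and log the attempts
 deny   ip 10.120.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 remark what remains is the cloud-bound traffic the vendor's devices need
 permit ip 10.120.0.0 0.0.0.255 any
!
interface Vlan120
 description Building-controls gateway
 ip address 10.120.0.1 255.255.255.0
 ip access-group BMS-VLAN-IN in
```

`show port-security interface GigabitEthernet1/0/10` reports the learned MAC count and the violation counter, so a building-controls outage can be confirmed against the port rather than guessed at.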
What I didn't mention previously, and what is too often taken for granted, is the issue of ownership -- or the lack thereof. When I begin a project, I always start with a site assessment, regardless of the visit's purpose. When I can see that the infrastructure housekeeping isn't in order and that an organization is ignoring cabling and installation best practices, I know that I'll discover the organization receives too many computer, application, telephone, or network complaints. This translates to a lack of ownership.
When people fail to take ownership, systems, networks, and any other technology will degrade and, eventually, fail in their usefulness to the organization. Letting vendors do whatever they want is never a good idea, and the same is true of employees. IoT isn't about leaving the doors open and turning a blind eye to the deployment's impact on your infrastructure. If you don't own it, you will lose it!
Taking on IoT should be an exciting and challenging venture for anyone in IT. Exercise the right cautions and do your due diligence, but keep in mind that the purpose of what's being deployed doesn't always give proper consideration to security.
Follow Matt Brunk on Twitter!