The various trades engaged in building projects increasingly need their gear to connect to the company network, but handing out IP addresses to anyone that wants one isn't exactly a best practice.
"Show me" has new meaning when dealing with some of these trade connections. You might think, for instance, that an international firm that manages power plants and HVAC systems would understand the need for system security. Think again. I recently worked with one that was using Web server port 80 to access and manage these wares -- not cool!
In fact, that was so uncool that I disabled the platform's assigned IP. Anyone sniffing public IPs could have landed on the platform’s splash page, complete with instructions for downloading the client software for managing the gear. Maybe the thinking was that transient visitors would never figure out "ADMIN" and the password -- but you know they would. Even if not, anybody who wanted to cause problems could do other things to stir the nest.
In two other surprising twists, I found that the password management software for a security/access control system and a unified communications system would not allow users to create passwords using special characters. Use of weak password mechanisms means these two systems aren't protected as well as they might be, and it makes me wonder about what other wares might get introduced to company networks without any questions or discernment.
Network managers should not be leaving these types of decisions up to those working on a building project. Rather, they need not only to question accessibility from the public side but also determine how to lock down access from within the company. This is when virtual LANs can prove really beneficial by prohibiting access from one VLAN to another -- you don't want employees stumbling on any of these systems, either.
Problems can crop up, too, when replacing landline phones in elevators with 2500 analog telephone adapters. ATAs, because they're dependent on the LAN and WAN, are vulnerable to network issues. But using cellular gateways can be worse. These are sometimes installed without adequate vetting, and the signal is often so weak that it's unreasonable to expect call completion within the core areas of some buildings. Needless to say, this can be a real safety issue.
Besides these problems, I've also noticed that the trades tend to adopt LAN switches and other IT gear really meant for use in home networking and among hobbyists. It's not enterprise class, in other words. Then many of these systems operate without power protection and battery backup.
Again, network managers must screen and scrutinize gear before allowing it to connect to networks. The network might be a utility, but it carries an important load that has significant business impact.
Follow Matt Brunk on Twitter and Google+!
@telecomworx
Matt Brunk on Google+
