
The idea of the pending influx of Internet of Things (IoT) devices just waiting to jump on my network is starting to give me heartburn. Sure, you could probably think of all the crazy thermostats and speakers and lightbulbs in your house right now. But what about enterprise or industrial IoT devices? Gas pumps. Badge readers. Healthcare devices like insulin pumps. Even the microwave in the break room!
The hardest thing about IoT is how dumb it really is. Sure, we bill these devices as “smart” when we sell them. But most IoT devices are about as unintelligent as they come. They have the most rudimentary chipsets possible to make them as cheap to manufacture as they can get. So most of them support bare-bones 802.11n chipsets in the 2.4GHz range and have very few additional security features built into the chipsets.
The way to secure IoT devices isn’t to make them smarter. Instead, we have to make our networks smarter and ensure that the right decisions are made by our infrastructure to keep things safe when the devices can’t do it themselves. That’s where Aruba is starting to make some great strides. During Aruba Atmosphere 2019 there was a great session on dynamically securing IoT devices with Aruba ClearPass and IntroSpect.
Dynamic Segmentation Solution
The dynamic segmentation process that Aruba has developed has a few key features that are very important for these unintelligent IoT devices. One example is MAC pinning. You’d think that keeping a device connected to a switch port authenticated would be easy, right? Except when that device is designed to be as unobtrusive as possible and does things like not responding to pings sent to verify the device is still alive on the other side of the link. Aruba has figured out how to pin the IoT device MAC address to the port so that it’s always authenticated until it’s unplugged or removed. And because the MAC address of the device is used to ensure authentication you can protect yourself from someone plugging in a different device and trying to hijack the port into more critical systems, like Electronic Medical Records (EMR), for example.
Profile Prowess
The other big key for IoT devices in your network is visibility, which comes from the discovery and profiling features that ClearPass offers. Aruba announced some significant enhancements to these capabilities at Atmosphere 2019 with a new member of the ClearPass family called ClearPass Device Insight. ClearPass Device Insight uses deep packet inspection and machine learning to intelligently identify the full spectrum of devices connected to the network. On the enforcement side, if you have a device that answers calls to authenticate via a protocol like 802.1X, ClearPass will accept it. When the devices aren’t that smart, ClearPass will authenticate the devices using MAC authentication. But ClearPass can also work with IntroSpect to start profiling the traffic to ensure that the profiles built into the solution only allow the proper device traffic on the network.
Imagine, for example, that I’m in a hospital room with someone. I’m bored, so I decide to play around a little on the network. I notice an insulin pump plugged into the network but not in use right now. So I grab it and clone the MAC address for my laptop. I plug in and start doing a little recon work to figure out how far I can get. IntroSpect sees the insulin pump MAC address on the network and notices that my traffic profile is way out of line for what that device should be doing. Instead of talking to a server at a nurse’s station or reporting to another device, my formerly-trusted MAC address is reaching out to different subnets and sending the wrong kind of traffic. IntroSpect could then trigger ClearPass to perform a change of authorization for this particular IoT device and quarantine it until someone can figure out why an insulin pump is port scanning the network.
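The cloned-MAC scenario above comes down to comparing observed flows against a per-device-class baseline. The sketch below is an added example, not Aruba's code or any ClearPass or IntroSpect API; the profile, MAC addresses, subnets and scan threshold are constructed assumptions, and the "quarantine" verdict stands in for the change of authorization.

```python
import ipaddress

# Constructed baseline for one device class; subnet, ports and the
# scan threshold are illustrative assumptions, not vendor defaults.
PROFILES = {
    "insulin-pump": {
        "nets": [ipaddress.ip_network("10.20.5.0/24")],  # nurse's station servers
        "ports": {443},
        "scan_threshold": 10,  # distinct out-of-profile (host, port) pairs
    }
}

# Constructed MAC-to-profile mapping, as MAC authentication would assign it.
DEVICES = {"00:11:22:aa:bb:01": "insulin-pump", "00:11:22:aa:bb:02": "insulin-pump"}


def make_sample_flows():
    """Constructed flow records: (src_mac, dst_ip, dst_port)."""
    normal = [("00:11:22:aa:bb:01", "10.20.5.10", 443)] * 20
    # A laptop wearing a pump's MAC: sweeping other subnets and ports.
    recon = [("00:11:22:aa:bb:02", f"10.30.{n % 4}.{n + 1}", port)
             for n in range(12) for port in (22, 445, 3389)]
    return normal + recon


def out_of_profile(profile, dst_ip, dst_port):
    """True when a flow leaves the subnets or ports the profile allows."""
    addr = ipaddress.ip_address(dst_ip)
    in_net = any(addr in net for net in profile["nets"])
    return not (in_net and dst_port in profile["ports"])


def evaluate(flows, devices=DEVICES, profiles=PROFILES):
    """Return {mac: 'allow' | 'quarantine'} for every profiled MAC."""
    violations = {mac: set() for mac in devices}
    for mac, dst_ip, dst_port in flows:
        if mac not in devices:
            continue  # unprofiled MACs are out of scope for this sketch
        if out_of_profile(profiles[devices[mac]], dst_ip, dst_port):
            violations[mac].add((dst_ip, dst_port))
    verdicts = {}
    for mac, seen in violations.items():
        limit = profiles[devices[mac]]["scan_threshold"]
        verdicts[mac] = "quarantine" if len(seen) >= limit else "allow"
    return verdicts


if __name__ == "__main__":
    print(evaluate(make_sample_flows()))
```

Counting distinct out-of-profile destinations rather than raw packets keeps a single stray connection from quarantining a medical device while still catching a sweep.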
Tunnel Ahead
The last important piece of dynamic segmentation is User-Based Tunnels through Aruba’s Policy Enforcement Firewall (PEF) technology. Just like the infrastructure in a mobility controller that tunnels user traffic back to the device, so too can User-Based Tunneling send all the traffic from an IoT device back to PEF, built into the Mobility Controller – and this can be done over the wireless APs as well as the wired switches.
Why would you want to do that? Well, you could authenticate the traffic for one thing. You could also fingerprint devices with better accuracy than the edge switch. You could do deep packet inspection on the traffic coming from the device to ensure that it’s not being used as an attack vector. You could even firewall the traffic to ensure that things that aren’t supposed to be flooding your network are stopped close to the edge, like security cameras being used to launch a DDoS attack.
User-Based Tunnels are great for policy enforcement. When your user travels from one side of the campus to the other, the policies defined in ClearPass can follow them. When an IoT device moves from one side of the hospital to the other, the same policies can follow it as well. That means that policies are sticky to devices and not to wiring closets. That’s a huge win for your network admins, as they will spend less time configuring edge cases on the edges of your network and more time on making sure your policies are in place to handle any kind of devices that they might find.
IoT doesn’t have to be scary. With the right infrastructure in place, you can easily handle any devices that pop up, from lightbulbs to blood pressure monitors. You can ensure they’re capable of communicating with the right locations in the network and only the right devices can do that communication. Dynamic segmentation ensures that the network as a whole is much more secure and more capable than ever of weathering the coming IoT storm.
About the Author

Tom Hollingsworth Blog Contributor
Tom Hollingsworth, CCIE #29213, is an event lead for the Tech Field Day events series. He also writes about networking and related technologies on his blog at http://networkingnerd.net. With over 10 years…