The idea of the pending influx of Internet of Things (IoT) devices just waiting to jump on my network is starting to give me heartburn. Sure, you could probably think of all the crazy thermostats and speakers and lightbulbs in your house right now. But what about enterprise or industrial IoT devices? Gas pumps. Badge readers. Healthcare devices like insulin pumps. Even the microwave in the break room!
The hardest thing about IoT is how dumb it really is. Sure, we bill these devices as “smart” when we sell them. But most IoT devices are about as unintelligent as they come. They have the most rudimentary chipsets possible to make them as cheap to manufacture as they can get. So most of them support bare-bones 802.11n chipsets in the 2.4GHz range and have very few additional security features built into the chipsets.
The way to secure IoT devices isn’t to make them smarter. Instead, we have to make our networks smarter and ensure that the right decisions are made by our infrastructure to keep things safe when the devices can’t do it themselves. That’s where Aruba is starting to make some great strides. During Aruba Atmosphere 2019 there was a great session on dynamically securing IoT devices with Aruba ClearPass and IntroSpect.
Dynamic Segmentation Solution
The dynamic segmentation process that Aruba has developed has a few key features that are very important for these unintelligent IoT devices. One example is MAC pinning. You’d think that keeping a device connected to a switch port authenticated would be easy, right? Except when that device is designed to be as unobtrusive as possible and does things like not responding to pings sent to verify the device is still alive on the other side of the link. Aruba has figured out how to pin the IoT device MAC address to the port so that it’s always authenticated until it’s unplugged or removed. And because the MAC address of the device is used to ensure authentication you can protect yourself from someone plugging in a different device and trying to hijack the port into more critical systems, like Electronic Medical Records (EMR), for example.
The other big key for IoT devices in your network is visibility, which comes from the discovery and profiling features that ClearPass offers. Aruba announced some significant enhancements to these capabilities at Atmosphere 2019 with a new member of the ClearPass family called ClearPass Device Insight. ClearPass Device Insight uses deep packet inspection and machine learning to intelligently identify the full-spectrum of devices connected to the network. On the enforcement side, if you have a device that answers calls to authenticate via a protocol like 802.1X, ClearPass will accept it. When the devices aren’t that smart, ClearPass will authenticate the devices using MAC authentication. But ClearPass can also work with IntroSpect to start profiling the traffic to ensure that the profiles built into the solution only allow the proper device traffic on the network.
Imagine, for example, that I’m in a hospital room with someone. I’m bored, so I decide to play around a little on the network. I notice an insulin pump plugged into the network but not in use right now. So I grab it and clone the MAC address for my laptop. I plug in and start doing a little recon work to figure out how far I can get. IntroSpect sees the insulin pump MAC address on the network and notices that my traffic profile is way out of line for what that device should be doing. Instead of talking to a server at a nurse’s station or reporting to another device, my formerly-trusted MAC address is reaching out to different subnets and sending the wrong kind of traffic. IntroSpect could then trigger ClearPass to perform a change of authorization for this particular IoT device and quarantine it until someone can figure out why an insulin pump is a port scanning the network.
The last important piece of dynamic segmentation is User-Based Tunnels through Aruba’s Policy Enforcement Firewall (PEF) technology. Just like the infrastructure in a mobility controller that tunnels user traffic back to to the device, so too can User-Based Tunneling send all the traffic from an IoT device back to PEF, built into the Mobility Controller – and this can be done over the wireless APs as well as the wired switches.
Why would you want to do that? Well, you could authenticate the traffic for one thing. You could also fingerprint devices with better accuracy than the edge switch. You could do deep packet inspection on the traffic coming from the device to ensure that it’s not being used as an attack vector. You could even firewall the traffic to ensure that things that aren’t supposed to be flooding your network are stopped close to the edge, like security cameras being used to launch a DDoS attack.
User-Based Tunnels are great for policy enforcement. When your user travels from one side of the campus to the other, the policies defined in ClearPass can follow them. When an IoT device moves from one side of the hospital to the other the same policies can follow it as well. That means that polices are sticky to devices and not to wiring closets. That’s a huge win for your network admins, as they will spend less time configuring edge cases on the edges of your network and more time on making sure your policies are in place to handle any kind of devices that they might find.
IoT doesn’t have to be scary. With the right infrastructure in place, you can easily handle any devices that pop up, from lightbulbs to blood pressure monitors. You can ensure they’re capable of communicating with the right locations in the network and only the right devices can do that communication. Dynamic segmentation ensures that the network as a whole is much more secure and more capable than ever of weathering the coming IoT storm.
About the Author
Tom Hollingsworth, CCIE #29213, is an event lead for the Tech Field Day events series. He also writes about networking and related technologies on his blog at http://networkingnerd.net. With over 10 years…