How to control the stealth IoT invasion

IoT devices are arriving at enterprises in increasing numbers, often driven by purchasers outside the IT department.

wifi stock

IoT devices are invading the enterprise, often by stealth.  Groups and departments are selecting devices such as door locks, air quality monitors, security and control systems which require connection to the enterprise WLAN and the Internet, but with no IT input into the purchase decision.  This creates headaches for the network engineer, but they are manageable:  a basic enterprise IoT management solution requires just a handful of functions.

IoT is one of the first systems built in the cloud era, and many – if not most – IoT devices are designed to work with Internet-based cloud services (the remainder will need network-specific configuration to connect to inside-the-firewall services).

After connecting to the WLAN, an IoT device will get an IP address, discover its cloud service over the Internet, then connect via some (hopefully) encrypted protocol.  At this point, the enterprise network will see only the MAC and IP addresses and an encrypted tunnel traversing the network to the Internet.  This over-the-top architecture means the network manager is often unaware of the devices and blind to their traffic.

Established networking companies and a crop of specialist startups are attacking this problem with four new functions.

First, identification.  It’s important to know the device’s make, model and software version, and more details, to ensure it is bona fide.  And network managers need an inventory list matching specific devices to locations and functions – if there are 100 air quality monitors on a campus, the location of each must be known.  The IoT cloud manager often gets this information from the installer, but installation reports are error-prone.  So on-site network engineers also need to know the specific location and function of each IoT device, to find it for servicing or reconfiguration.

Enterprise IoT management systems monitor WLAN authentication, DHCP, DNS and other traffic patterns to find each device’s signature and match it to a library of known IoT devices, while the WLAN identifies the location of each device.  With this information, if a security flaw is reported for a specific firmware level in a device, the IoT management system will show which devices are vulnerable and where they are located.

Second, traffic monitoring.  Most IoT traffic flows in encrypted tunnels between devices and the enterprise Internet gateway.  It does not interact with enterprise services.  But it would be unwise to take this on trust:  devices can be subverted or hijacked and are able to reach deep into the corporate network.  So it makes sense to “trust but verify”.  The modern way to achieve this is to monitor all LAN traffic through mirroring ports, and to derive a signature for the traffic stream from each device.  This is data-intensive and is often done by shipping the (compressed, anonymized) mirrored data to the cloud for analysis by machine-learning algorithms.  Analysis can identify unknown IoT device types, but more than that it can establish and check “normal” or “expected” traffic patterns and generate alerts on changes in behavior, if for instance a device suddenly starts to probe address ranges inside the enterprise network rather than the Internet.

These two functions provide some level of protection for the enterprise network when IoT devices are introduced.  Two further extensions to the architecture are emerging:  automatically-applied traffic restrictions and cross-enterprise data sets.

Traffic restrictions can be VLAN assignments, firewall rules or user-roles, applied in the WLAN or elsewhere.  When an IoT device is precisely identified and its “normal” traffic signature is known, a template can be applied to ensure it does not have access to any part of the network that is not required for operation.  With some training, such templates can be applied automatically via APIs between device discovery-classification systems and policy enforcement infrastructure.

The other extension is to share anonymized data across different customers and networks.  This is likely to be controversial – anonymity cannot be easily verified, and data leakage is bound to be a concern – but it is easy to do with cloud services and improves accuracy.  A cloud service for monitoring traffic signatures will pool data from different customers, and use the large data-set with machine-learning techniques to drive greater accuracy and better insights.  This allows an unidentified device at one customer to be matched with a known signature from another, or a pan-enterprise virus infection to be tracked and contained.

IoT devices are arriving at enterprises in increasing numbers, often driven by purchasers outside the IT department.  The basic set of functions allowing the network engineer to keep track of these devices and protect other networked assets is already established; over time it will be refined and extended.

This article is published as part of the IDG Contributor Network. Want to Join?

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10