Avaya Surge protects the Internet of Things

Using Open Network Adapter, Surge profiles IoT devices and assigns them to secure zones

Avaya Surge protects the Internet of Things
Credit: Thinkstock

The Internet of Things (IoT) is hitting a tipping point. While there has been a fair amount of IoT chatter and hype over the past few years, deployments have been limited to the traditional machine to machine (M2M) verticals such as oil and gas, mining and manufacturing. Over the past couple of years, though, more verticals have been looking to connect more non-traditional IoT devices.

The reason I think we’re at this tipping point is because businesses aren’t referring to these deployments as “IoT” but rather it’s becoming normal operations to connect more and more devices. 

+ Also on Network World: The Internet of Things security threat +

Healthcare has rapidly been connecting patient devices, retailers are making point-of-sale systems “smart,” hotels are looking to improve the guest experience, and sports and entertainment venues are connecting more devices. While these verticals may seem different, the commonality of IoT initiatives is that when everything is connected, you can change the way the business interacts with customers, students, patients, patrons, employees or other constituents that interact with the organization. 

As transformational as IoT is, it does introduce new security challenges. One risk is that most IoT devices, defined as non-traditional IT devices, have no security capabilities at all. If the device gets breached, the bad guys could have unfettered access to the rest of the company network. Also, because operational technology teams often deploy IoT devices, many IT teams have no idea what devices are actually on the network, making it difficult to secure devices you don’t know are there. Not only that, but many IoT devices run old operating systems, such as Windows 95, that have significant security holes. 

Avaya Surge allows elastic, agile IoT device security 

Today at Avaya’s Engage conference, the company announced Avaya Surge, which is an extension of its SDN Fx Healthcare Architecture into other verticals. While SDN Fx Healthcare required an Avaya network, Surge runs as a pure overlay, meaning it can run on top of a Cisco, HP or any other network. 

The solution uses something called an Open Network Adapter (ONA), which is an Open vSwitch server with two Ethernet jacks on it. A customer would plug the IoT device into one port on the ONA and then connect the other port to the network. Once plugged into the network, the ONA connects to the HyperSec Gateway via a secure connection, which is managed by a separate IoT controller. Based on the profile of the device, it will be placed in a secure zone. For example, a retailer could put all its point-of-sale devices in one secure zone, HVAC endpoints in another, and digital signs in a third. With Surge, the devices are in completely secure zones that are in an overlay network to the actual physical network. 

Once a device has been assigned to a zone, the policy becomes elastic and agile. So if a device changes locations, once it plugs back in it will automatically be placed in the original zone. Traditional ACLs and VLANs would require the network to be reconfigured every time a device moves, making them neither agile nor elastic. With Surge, the policies always follow the device, taking the all manual configuration out of the mix. 

How Avaya Surge profiles IoT devices

A device can be profiled two ways. Many devices provide information on what it is, operating system, etc. Almost all medical devices are automatically “profileable,” which is one reason why Avaya started with healthcare. In other verticals, there is a wide mix of devices that expose profile information and ones that do not. If they don’t, Avaya will study the network information coming off the device and build a “normal” profile for it. Any kind of deviation from this could lead to the device being dropped, blocked, alerted on or what ever action the customer wants to take. For example, if a water pump talked only to a controller for its normal profile and one day it was accessing Bit Torrent, this could indicate the IP address was hijacked. 

In the future, it would make sense for Avaya to offer the ONA as a pure software workload so it can run directly on the device instead of as a separate device. This would give customers the choice of running a physical adapter for older devices or embedding it on the endpoint for a more modern one.

The shift to an overlay model was the right one for Avaya. While SDN Fx was a great solution, the barrier to entry was high because it required customers swap out their current network vendor for Avaya. By running as an overlay, Avaya can bring the solution to specifically solve IoT security and then look to expand its footprint once its established itself as trusted vendor.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10