Securing the IoT with Modern Network Access Control

Derek Holmes

By this point, it’s almost impossible not to have heard about the Internet of Things (IoT), but what does it mean for IT and security professionals? IoT has become a popular buzzword in the IT industry, bringing with it all kinds of exciting possibilities and a load of new headaches for IT administrators. Everywhere you look, new devices, control systems, and sensors are popping up, connecting to our networks, and bringing new and innovative capabilities to our lives.

Unfortunately, they are also bringing a multitude of new vulnerabilities and attack vectors for those looking to exploit them. Oftentimes, IoT devices lack adequate security mechanisms and don’t integrate easily, or at all, with our existing security solutions. For many of us, securing those endpoints is a matter of regulatory compliance. Some security experts say to just keep those devices off the network, but I like to take a different approach and plan for a plethora of devices on the network.

We don’t invest in all of these IT services to restrict our capabilities. We want to deliver a breadth of services to our customers, to treat IT as an enabler, and to quickly provide support and new capabilities to our users. If we too often tell our customers that we can’t support their new projects or initiatives, they’ll stop coming to us and, instead, look for ways to work around us. That is self-defeating from a security standpoint: it leads to shadow IT, devices we never see, and an organizational culture of us versus them. So how can we secure our ever-expanding IoT?


The Shortcomings of Traditional Network Access Controls

Traditional Network Access Control solutions and methodologies just don’t scale well for the IoT. IEEE 802.1X requires a supplicant and a credential (a certificate or a username and password) on the endpoint, and many IoT devices ship with no supplicant at all, so the implementations are difficult to manage or nearly impossible to integrate with IoT devices. The usual fallback, MAC Authentication Bypass (MAB), admits a device on nothing more than its MAC address, which the switch forwards to the RADIUS server as the credential. A MAC address is visible on the wire and trivial to clone, so MAB identifies a device rather than authenticating it: anyone who plugs in with an allowed MAC gets that device’s access. It is vulnerable to spoofing and lacks the sophistication required to provide adequate security in today’s landscape.

But modern Network Access Control solutions, such as Cisco’s Identity Services Engine (ISE), ForeScout CounterACT, and Bradford Networks’ Network Sentry (recently acquired by Fortinet), have evolved significantly to offer a much more robust set of features. They perform configuration and security (posture) assessments, policy enforcement, and traffic analysis. These solutions no longer just provide secure authentication for corporate-managed assets; they fingerprint both known and unknown devices from what those devices reveal on the network (DHCP options, HTTP user agents, SNMP, NetFlow, and similar sources) and enforce differentiated services based on the result. They also provide deep visibility into what types of devices are connecting to the network, where they are connecting from, and who is using each device.

The Advantages of Modern Network Access Control

Modern Network Access Control provides a centralized inventory of the devices on the network and how they’re connecting. From there, we can enforce different security policies based on device type, user role, location, time of day, and almost any other variable an administrator can imagine, typically by returning a VLAN assignment or a downloadable ACL to the switch for each session. For our corporate-managed devices, we can treat printers or medical devices differently than our workstations, and restrict BYOD endpoints to only our guest network. Using the same methods, we can lock down our IoT devices so that each one reaches only the handful of services it needs, enforcing a policy of least privilege.
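As an added illustration of that kind of attribute-based policy (example code written for this article, not the configuration or code of ISE, CounterACT, Network Sentry, or any other product), here is a small deny-by-default authorization function in Python. The device profiles, user roles, VLAN names, IP addresses, and ACL lines are all invented for the example. The RADIUS attributes it emits at the end are the standard Tunnel-* attributes used to assign a VLAN and the Cisco ip:inacl# av-pair form used to push a downloadable ACL; the values carried in them are placeholders.

```python
"""Attribute-based NAC authorization: first matching rule wins, otherwise quarantine.

Added example for this article. Profiles, roles, VLAN names, addresses and ACL
contents are invented; only the RADIUS attribute names are real.
"""
from dataclasses import dataclass
from datetime import time
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    """Session context the NAC has gathered for one connecting device."""
    mac: str
    profile: str                     # fingerprint result: "printer", "infusion-pump", "workstation", "unknown"
    managed: bool = False            # corporate-managed asset (our certificate or agent is present)
    user_role: Optional[str] = None  # role from the 802.1X identity; None for MAB-only endpoints
    location: str = "hq"             # site or switch group the session landed on


@dataclass(frozen=True)
class Authorization:
    vlan: str
    acl: Tuple[str, ...]             # downloadable ACL, filters traffic sourced by the endpoint
    reason: str


DENY_ALL = ("deny ip any any",)
PERMIT_ALL = ("permit ip any any",)
REMEDIATION_HOST = "10.0.0.5"        # placeholder: NAC portal / remediation server

# Least-privileged default: only the remediation portal is reachable.
QUARANTINE = Authorization(
    "quarantine", ("permit tcp any host %s eq 443" % REMEDIATION_HOST,) + DENY_ALL, "no rule matched")


def business_hours(now: time) -> bool:
    return time(7, 0) <= now < time(19, 0)


# (name, predicate, result). Order matters: most specific first, default last.
RULES: List[Tuple[str, Callable[[Endpoint, time], bool], Authorization]] = [
    ("managed workstation with staff user",
     lambda e, now: e.profile == "workstation" and e.managed and e.user_role in ("staff", "admin"),
     Authorization("corp", PERMIT_ALL, "managed workstation, authenticated staff")),
    ("contractor outside business hours",
     lambda e, now: e.user_role == "contractor" and not business_hours(now),
     Authorization("quarantine", QUARANTINE.acl, "contractor access is limited to business hours")),
    ("contractor in business hours",
     lambda e, now: e.user_role == "contractor",
     Authorization("contractor", ("permit tcp any 10.20.0.0 0.0.255.255 eq 443",) + DENY_ALL,
                   "contractor, project servers over HTTPS only")),
    ("printer via MAB",
     lambda e, now: e.profile == "printer" and e.user_role is None,
     Authorization("printers", ("permit udp any host 10.0.0.53 eq 53",
                                "permit tcp any host 10.0.1.10 eq 443") + DENY_ALL,
                   "profiled printer: DNS and print-management server only")),
    ("medical device on a clinical switch",
     lambda e, now: e.profile == "infusion-pump" and e.location == "clinical",
     Authorization("medical", ("permit tcp any host 10.30.0.10 eq 8443",) + DENY_ALL,
                   "profiled medical device: device gateway only")),
    ("BYOD: known user on an unmanaged device",
     lambda e, now: not e.managed and e.user_role is not None,
     Authorization("guest", PERMIT_ALL, "authenticated user, unmanaged device: internet-only guest segment")),
]


def authorize(endpoint: Endpoint, now: time) -> Authorization:
    """Evaluate the rules in order; anything unmatched lands in quarantine.

    That default is what catches a laptop that clones a printer's MAC: MAB lets it
    through the port, but the fingerprint says "workstation", no user authenticated,
    and no rule fits, so it gets nothing but the remediation portal.
    """
    for _name, matches, result in RULES:
        if matches(endpoint, now):
            return result
    return QUARANTINE


def radius_attributes(auth: Authorization) -> List[Tuple[str, str]]:
    """Attributes an Access-Accept would carry to push this decision to a Cisco switch."""
    attrs = [("Tunnel-Type", "VLAN"), ("Tunnel-Medium-Type", "IEEE-802"),
             ("Tunnel-Private-Group-ID", auth.vlan)]
    attrs += [("cisco-av-pair", "ip:inacl#%d=%s" % (10 * (i + 1), line))
              for i, line in enumerate(auth.acl)]
    return attrs


if __name__ == "__main__":
    for ep in (Endpoint("00:11:22:33:44:55", "printer"),
               Endpoint("00:11:22:33:44:55", "workstation"),          # cloned printer MAC
               Endpoint("aa:bb:cc:00:00:09", "infusion-pump", location="lobby")):
        a = authorize(ep, time(10, 0))
        print(ep.mac, ep.profile, "->", a.vlan, "(%s)" % a.reason)
```

The rules are evaluated top to bottom, so the ordering is part of the policy: the "outside business hours" check for contractors sits above the generic BYOD rule, otherwise a contractor at 8 p.m. would quietly land on the guest VLAN instead of quarantine. A medical device that appears on a non-clinical switch also falls through to quarantine, which is usually what you want to investigate rather than silently permit.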

Many new solutions are also offering a deeper traffic analytics component, either as a standalone, separate-but-augmentative solution or integrated as part of a more holistic Network Access Control solution (such as Cloudpost in the medical market, which integrates via API with Cisco ISE). These tools offer the sophistication that MAB alone lacks, checking that a connected device behaves the way the device it claims to be should, and they can offer continuous post-authentication monitoring of an endpoint rather than a single decision at connect time. By analyzing traffic flows from IoT devices and establishing a baseline of normal activity (which hosts and ports a device talks to, and how much), these tools can watch for deviations and alert on suspicious activity. Configured properly, they can also integrate with the Network Access Control solution to trigger a response, such as quarantine or restricted access, as well as alerting the appropriate staff.
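To make the baseline-and-deviation idea concrete, here is an added example (written for this article; it is not the logic of Cloudpost, ISE, or any other product) that learns what a thermostat normally talks to from a constructed set of flow records, scores later flows against that baseline, and decides between no action, an alert, and quarantine. The flow records, addresses, severities, and thresholds are all invented. The response hook only returns a record describing the action a real deployment would take (a RADIUS Change of Authorization, RFC 5176, sent to the access switch through the NAC); it does not talk to anything.

```python
"""Baseline-and-deviation monitoring of one IoT endpoint, with a quarantine decision.

Added example for this article; flows, addresses and thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Optional, Set, Tuple

Service = Tuple[int, str]        # (dst_port, proto)
Peer = Tuple[str, int, str]      # (dst_ip, dst_port, proto)


@dataclass(frozen=True)
class Flow:
    mac: str
    dst_ip: str
    dst_port: int
    proto: str
    bytes: int


@dataclass
class Baseline:
    peers: Set[Peer] = field(default_factory=set)
    # service -> (mean bytes per flow, population stdev) seen during learning
    services: Dict[Service, Tuple[float, float]] = field(default_factory=dict)


def learn(flows: List[Flow]) -> Dict[str, Baseline]:
    """Build a per-endpoint baseline from flows captured during a learning window."""
    sizes: Dict[str, Dict[Service, List[int]]] = defaultdict(lambda: defaultdict(list))
    baselines: Dict[str, Baseline] = defaultdict(Baseline)
    for f in flows:
        baselines[f.mac].peers.add((f.dst_ip, f.dst_port, f.proto))
        sizes[f.mac][(f.dst_port, f.proto)].append(f.bytes)
    for mac, per_service in sizes.items():
        for svc, vals in per_service.items():
            baselines[mac].services[svc] = (mean(vals), pstdev(vals))
    return dict(baselines)


@dataclass(frozen=True)
class Finding:
    mac: str
    severity: int
    detail: str


SIGMA = 4.0                 # volume limit = mean + SIGMA * spread
QUARANTINE_THRESHOLD = 4    # summed severity at which we stop alerting and act


def evaluate(baselines: Dict[str, Baseline], flow: Flow) -> List[Finding]:
    """Score one post-authentication flow against the endpoint's baseline."""
    b = baselines.get(flow.mac)
    if b is None:
        return [Finding(flow.mac, 3, "no baseline for endpoint")]
    svc = (flow.dst_port, flow.proto)
    peer = (flow.dst_ip, flow.dst_port, flow.proto)
    findings: List[Finding] = []
    if peer not in b.peers:
        if svc in b.services:   # same kind of traffic, new destination (e.g. a resolver change)
            findings.append(Finding(flow.mac, 1, "known service %d/%s to new peer %s" % (svc + (flow.dst_ip,))))
        else:                   # a thermostat starting to speak SMB or SSH is not a config change
            findings.append(Finding(flow.mac, 3, "never-seen service %d/%s to %s" % (svc + (flow.dst_ip,))))
    if svc in b.services:
        mu, sigma = b.services[svc]
        # Floor the spread so a perfectly regular device is not alerted on tiny jitter.
        limit = mu + SIGMA * max(sigma, 0.1 * mu)
        if flow.bytes > limit:
            findings.append(Finding(flow.mac, 2, "%d bytes to %d/%s exceeds baseline limit %.0f"
                                    % (flow.bytes, flow.dst_port, flow.proto, limit)))
    return findings


def assess(baselines: Dict[str, Baseline], flows: List[Flow]) -> Tuple[str, List[Finding]]:
    """Aggregate findings over a batch of flows into one action: none, alert or quarantine."""
    findings = [f for fl in flows for f in evaluate(baselines, fl)]
    score = sum(f.severity for f in findings)
    if score >= QUARANTINE_THRESHOLD:
        return "quarantine", findings
    return ("alert" if findings else "none"), findings


def respond(mac: str, action: str) -> Optional[dict]:
    """Response hook. A real integration would have the NAC send a RADIUS CoA (RFC 5176)
    to the switch; here it only returns the intended request so the flow is visible."""
    if action == "none":
        return None
    if action == "alert":
        return {"type": "ticket", "mac": mac}
    return {"type": "coa", "mac": mac, "target": "quarantine-vlan"}


# Constructed sample data: a thermostat that only ever talks to its cloud relay and one resolver.
THERMOSTAT = "aa:bb:cc:00:00:01"
CLOUD_RELAY, RESOLVER = "10.0.1.10", "10.0.0.53"
LEARNING_FLOWS = ([Flow(THERMOSTAT, CLOUD_RELAY, 443, "tcp", n) for n in (1800, 2200, 2000, 1900, 2100)]
                  + [Flow(THERMOSTAT, RESOLVER, 53, "udp", n) for n in (100, 120, 110, 130, 140)])
OBSERVED_FLOWS = [
    Flow(THERMOSTAT, CLOUD_RELAY, 443, "tcp", 2100),    # normal
    Flow(THERMOSTAT, "10.0.0.54", 53, "udp", 110),      # DNS to a new resolver: known service, new peer
    Flow(THERMOSTAT, "10.0.5.20", 445, "tcp", 300),     # SMB toward a file server: never seen
    Flow(THERMOSTAT, "10.0.5.21", 22, "tcp", 900),      # SSH toward another host: never seen
    Flow(THERMOSTAT, CLOUD_RELAY, 443, "tcp", 80000),   # known peer, 40x the usual volume
]

if __name__ == "__main__":
    action, findings = assess(learn(LEARNING_FLOWS), OBSERVED_FLOWS)
    for f in findings:
        print("sev", f.severity, f.detail)
    print(action, respond(THERMOSTAT, action))
```

A single new resolver only raises a severity-1 finding and a ticket; the same thermostat reaching out to SMB and SSH on other hosts and pushing forty times its usual bytes to the relay crosses the threshold and triggers the quarantine response. Severities and the threshold are tuning knobs; the point is that the decision is made continuously from behaviour, after the device was already admitted by MAB.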

With all these different offerings and capabilities, there’s a modern Network Access Control solution out there for every enterprise. So, don’t let IoT be a bad word in your organization. Look at some of the different Network Access Control offerings Connection has, request a demo, and consider performing a Proof of Concept (PoC) to evaluate a solution.

Derek Holmes is a Senior Systems Engineer for TSG Security at Connection. His area of knowledge includes Network and Systems Architecture Design, Network Access Control and Policy Enforcement, VMware virtualization and Virtual Desktop Infrastructure solutions, and product and service delivery. Derek is also a Cisco Certified Network Associate and has CompTIA Security+ and VMware VCP5-DV certification. In his spare time, Derek is a big fan of science fiction and fantasy in all its myriad forms and enjoys spending his free time with his family and pets.