Chapter 4: How can IoT Network segmentation help set boundaries for a secure IoT framework?
As illustrated in the previous posts, building an IoT framework around IoT network segmentation is a powerful concept with a growing number of real-life use cases. Connected devices are bringing automation to manual labor, solving complex logistics, keeping us safe, and protecting our assets. We are convinced that IoT will operate at the very center of strategic industries and their key processes, requiring an efficient and simple-to-operate IoT security platform.
We explored the common vulnerabilities and threats surrounding IoT devices in the previous articles leading to this one. These security risks clearly need to be addressed, and IoT network segmentation will be a central part of future IoT security platforms.
Here’s what you can do to secure your network.
Keeping IoT devices within their boundaries
As a network administrator for a company with many employees, partners, and third-party device users, you want to welcome guests' devices without asking too much of them in terms of security. Heavy security checks would spoil the user experience, but some fencing is still necessary.
Especially in corporate environments, there is a pressing need to keep individual IoT devices within their own IP boundaries. That would help IT managers to:
- Control the communication channels between IoT devices and the internet;
- Protect the network against malicious inbound traffic;
- Protect both internal and remote parties from compromised IoT devices.
The solution to this pressing need?
IoT identity management and access control
Whenever a new IoT device tries to join the network, the device identification system detects it and isolates it from the other devices. This is implemented as a zero-trust policy on both the Ethernet (LAN) layer and the internet (IP) layer: every device is considered untrustworthy by default.
The system automatically triggers an identification check, starting an IoT identity management instance for each new device on the IoT security platform. During this check, the system analyzes the device's fingerprint (typically its MAC address, DHCP options and HTTP User-Agent) to infer what the device is and what it is expected to do, then maps the device to a suitable security profile. One caveat a practitioner should keep in mind: those fingerprint fields are set by the device itself and can be spoofed, so a fingerprint is a classification hint, not proof of identity; when signals disagree, the device should be escalated for review rather than assigned the profile of whichever signal looks most convenient.
A single workflow covers all the common cases:
- IoT devices are identified automatically through fingerprinting and given a security profile. In the simplest case, a single profile matches all IoT devices; when more granularity is required, different fingerprinting results lead to different security profiles. Devices that do not match any profile are the exception: they are managed manually via a delegated administration interface and a notification engine (e.g., e-mail).
- Guests' and visitors' devices are onboarded via the captive portal.
- Devices that cannot be onboarded are left in quarantine. Quarantined devices are only permitted limited internet access to a set of authorized addresses. The quarantine can double as a walled garden for specific use cases, like onboarding into a Mobile Device Management system.
- Unknown devices can be moved to the denylist, where they might not even get an IP address assigned.
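The workflow above, as an added example in Python that is not Cloudi-Fi's code: a classifier takes a device's fingerprint (here the MAC OUI, DHCP vendor class, DHCP hostname and whether the captive portal was completed, all hypothetical fields) and returns one of the four outcomes in the list, together with a hypothetical VLAN plan for where each outcome lands. The OUI and vendor-class tables, the denylist entry and the profile names are constructed. It also shows the check a practitioner would add: because every fingerprint field is chosen by the device, two signals that point at different profiles are escalated to manual review instead of being trusted.

```python
"""Fingerprint-to-profile decision for a newly seen device.

Added example (not Cloudi-Fi code). The fingerprint fields, the OUI and
vendor-class tables, the profile names and the VLAN numbers are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Fingerprint:
    mac: str
    dhcp_vendor_class: Optional[str] = None  # DHCP option 60, chosen by the device
    hostname: Optional[str] = None           # DHCP option 12, chosen by the device
    user_agent: Optional[str] = None         # first HTTP User-Agent seen, if any
    portal_authenticated: bool = False       # guest completed the captive portal


@dataclass(frozen=True)
class Verdict:
    action: str                 # "allow", "quarantine" or "deny"
    profile: Optional[str]      # security profile when action == "allow"
    reason: str
    notify_admin: bool = False  # hand off to the delegated admin interface


# Constructed lookup tables. Locally administered MACs (02:..) are used so the
# OUIs do not collide with any real vendor; the vendor classes are invented.
OUI_TO_PROFILE = {"02:11:22": "cctv", "02:aa:bb": "building-sensor"}
VENDOR_CLASS_TO_PROFILE = {"AcmeCam-IPC": "cctv", "SensorCo-BMS": "building-sensor"}
DENYLIST = {"02:de:ad:be:ef:01"}

# Where each verdict lands on the LAN (hypothetical VLAN plan).
PROFILE_VLAN = {"cctv": 20, "building-sensor": 30, "guest": 40}
QUARANTINE_VLAN = 99


def oui(mac: str) -> str:
    """First three octets of a MAC address, normalised to lower case."""
    return mac.lower()[:8]


def classify(fp: Fingerprint) -> Verdict:
    mac = fp.mac.lower()
    if mac in DENYLIST:
        return Verdict("deny", None, "MAC on denylist; no DHCP lease offered")

    by_oui = OUI_TO_PROFILE.get(oui(mac))
    by_class = VENDOR_CLASS_TO_PROFILE.get(fp.dhcp_vendor_class or "")
    candidates = {p for p in (by_oui, by_class) if p}

    if len(candidates) > 1:
        # Every fingerprint field is attacker-controlled, so two signals that
        # point at different profiles are treated as possible spoofing and
        # escalated instead of silently trusting either one.
        return Verdict(
            "quarantine", None,
            f"conflicting fingerprint: OUI says {by_oui}, DHCP class says {by_class}",
            notify_admin=True,
        )
    if len(candidates) == 1:
        return Verdict("allow", candidates.pop(), "fingerprint matched a profile")
    if fp.portal_authenticated:
        return Verdict("allow", "guest", "onboarded via captive portal")

    # Unknown device: walled garden only, and an admin decides what happens next
    # (assign a profile, leave it quarantined, or move it to the denylist).
    return Verdict("quarantine", None, "no matching profile; awaiting manual review",
                   notify_admin=True)


def placement(v: Verdict) -> Optional[int]:
    """VLAN the device is put in; None means it gets no lease at all."""
    if v.action == "deny":
        return None
    if v.action == "quarantine":
        return QUARANTINE_VLAN
    return PROFILE_VLAN[v.profile]


if __name__ == "__main__":
    # Constructed observations of four devices joining the network.
    seen = [
        Fingerprint("02:11:22:00:00:01", dhcp_vendor_class="AcmeCam-IPC"),
        Fingerprint("02:11:22:00:00:02", dhcp_vendor_class="SensorCo-BMS"),  # camera OUI, sensor class
        Fingerprint("02:99:99:00:00:01", hostname="visitor-laptop", portal_authenticated=True),
        Fingerprint("02:de:ad:be:ef:01"),
    ]
    for fp in seen:
        v = classify(fp)
        print(f"{fp.mac} -> {v.action:10s} vlan={placement(v)} profile={v.profile} ({v.reason})")
```

In this simple policy a single matching signal is enough to assign a profile; a stricter deployment can require two agreeing signals before leaving quarantine, which only changes the `len(candidates) == 1` branch.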
IoT identity management policies are crucial for fine-grained segmentation at the IP layer. Devices can be separated from each other and given access only to the services they need, such as their vendor's update servers for patches and security updates. On the lower layers, depending on the LAN configuration, there are a couple of ways to achieve that segmentation:
- In a traditional mid-size Wi-Fi setup, client isolation is enabled so the AP does not forward frames between wireless clients on the same SSID.
- On the wired LAN, each device is mapped to a private (isolated) VLAN, so it cannot reach its neighbours at layer 2.
- Some vendors fully automate the provisioning of these configurations, sharply reducing the risk of lateral (horizontal) propagation in the event of a malware infection.
Benefits overview of IoT network segmentation
While IoT makes the classic network perimeter obsolete, IoT network segmentation reinstates the boundaries and fences that protect the network from compromised devices and devices from compromised networks. To be effective, it must continue beyond the initial security check: it follows every device throughout its lifecycle, monitoring it for newly discovered vulnerabilities and changes in behaviour.
With these initial and continuous checks, IoT network segmentation solves a couple of fundamental problems:
- It isolates potentially harmful IoT devices, both new and existing, from the other clients within the Local Area Network;
- It enforces and controls outbound traffic so that cyber criminals can't use IoT devices to attack remote parties;
- It increases control over which trusted cloud and remote services can interact with the IoT devices.
That allows IoT identity management to improve control in the IoT environments we use daily:
- You can restrict each device's inbound and outbound traffic. For example, CCTV cameras might record to local servers but reach the internet only for software and security updates;
- Automation sensors must talk to their cloud platforms for complex computations such as heating control. IoT identity management and network segmentation best practices can ensure a trusted connection by restricting and monitoring the traffic between the sensors and the cloud;
- Smart door locks are not supposed to talk to the outside world at all when they are part of a larger household or corporate IoT network.
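The IP-layer segmentation described earlier and the three device examples just given, as one added example in Python (not Cloudi-Fi's code): each security profile carries a default-deny egress allowlist, a flow checker decides what a device may reach, and the same allowlist is rendered as nftables forward-chain rules with a drop policy. Profile names, VLAN numbers, ports and all addresses are constructed; the local recorder, the local door controller and the vendor endpoints are assumptions, with public addresses taken from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24.

```python
"""Per-profile egress allowlists, checked against flows and rendered as nftables rules.

Added example (not Cloudi-Fi code). Profile names, VLAN numbers, ports and
addresses are constructed; public addresses use the documentation ranges as
stand-ins for vendor cloud and update services.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    dst: IPv4Network   # destination the device may reach
    proto: str         # "tcp" or "udp"
    port: int


@dataclass(frozen=True)
class Profile:
    name: str
    vlan: int
    egress: Tuple[Rule, ...]   # everything not listed, including other devices, is dropped


NVR = ip_network("10.0.1.5/32")               # local video recorder (assumed)
DOOR_CONTROLLER = ip_network("10.0.1.9/32")   # local access-control hub (assumed)
PORTAL = ip_network("10.0.0.2/32")            # captive portal / walled-garden frontend
CAM_UPDATES = ip_network("203.0.113.10/32")   # camera vendor update service (stand-in)
SENSOR_CLOUD = ip_network("198.51.100.0/24")  # sensor vendor cloud platform (stand-in)
MDM = ip_network("203.0.113.50/32")           # MDM enrolment endpoint for quarantined devices

PROFILES: Dict[str, Profile] = {
    "cctv": Profile("cctv", 20, (
        Rule(NVR, "tcp", 554),            # RTSP to the local recorder
        Rule(CAM_UPDATES, "tcp", 443),    # firmware and security updates only
    )),
    "building-sensor": Profile("building-sensor", 30, (
        Rule(SENSOR_CLOUD, "tcp", 8883),  # MQTT over TLS to the vendor cloud
    )),
    "door-lock": Profile("door-lock", 31, (
        Rule(DOOR_CONTROLLER, "tcp", 443),  # local controller only; no internet at all
    )),
    "quarantine": Profile("quarantine", 99, (
        Rule(PORTAL, "tcp", 443),         # walled garden: portal ...
        Rule(MDM, "tcp", 443),            # ... and MDM onboarding, nothing else
    )),
}


def permitted(profile: Profile, dst: str, proto: str, port: int) -> bool:
    """Default-deny check of one outbound flow against the profile's allowlist."""
    d = ip_address(dst)
    return any(d in r.dst and r.proto == proto and r.port == port for r in profile.egress)


def render_rules(profile: Profile, device_ip: str) -> List[str]:
    """nftables forward-chain rules for one device; the chain policy supplies the drop."""
    return [f"ip saddr {device_ip} ip daddr {r.dst} {r.proto} dport {r.port} accept"
            for r in profile.egress]


def render_table(assignments: Dict[str, str]) -> str:
    """Whole ruleset for a map of device IP -> profile name."""
    body: List[str] = []
    for ip, name in assignments.items():
        body.extend(render_rules(PROFILES[name], ip))
    rules = "\n".join(f"        {line}" for line in body)
    return (
        "table inet iot_egress {\n"
        "    chain forward {\n"
        "        type filter hook forward priority 0; policy drop;\n"
        "        ct state established,related accept\n"
        f"{rules}\n"
        "    }\n"
        "}"
    )


if __name__ == "__main__":
    # Constructed flows: (profile, destination, proto, port).
    flows = [
        ("cctv", "10.0.1.5", "tcp", 554),           # recording: accept
        ("cctv", "203.0.113.10", "tcp", 443),       # update server: accept
        ("cctv", "10.0.20.15", "tcp", 80),          # another camera: lateral, drop
        ("cctv", "192.0.2.77", "tcp", 443),         # arbitrary internet host: drop
        ("building-sensor", "198.51.100.7", "tcp", 8883),
        ("door-lock", "203.0.113.10", "tcp", 443),  # lock reaching the internet: drop
        ("quarantine", "10.0.1.5", "tcp", 554),     # quarantined device to NVR: drop
    ]
    for name, dst, proto, port in flows:
        ok = permitted(PROFILES[name], dst, proto, port)
        print(f"{name:16s} -> {dst}:{port}/{proto}  {'accept' if ok else 'drop'}")
    print(render_table({"10.0.20.14": "cctv", "10.0.30.8": "building-sensor"}))
```

Pinned IP allowlists are the weak point in practice: vendor update and cloud endpoints often sit behind CDNs whose addresses change, so the rendered rules are only as good as the process that refreshes the destination sets (for example from a resolver the network controls, or a proxy that enforces the FQDN instead of the IP).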
To make IoT secure, you must monitor every individual device and its ecosystem closely. A robust IoT infrastructure requires strict identification and access control. That is the only way IoT devices can provide a good user experience without harming themselves and others.
Vulnerable devices and weak infrastructures are easy targets for various types of malicious operations, some incredibly harmful, like ransomware and DDoS attacks aimed at third parties. IoT identity and security management is highly complex and involves many closed-design devices, often with legacy flaws and insufficient computing power.
There’s a need for a user-friendly yet sophisticated IoT security platform to manage complex IoT frameworks that would enable frictionless connectivity of IoT devices and ensure that the network doesn’t become an open battlefield. We strongly believe that IoT network segmentation is an essential part of the answer.
On the one hand, having a single SSID for all devices and users makes things very easy to deploy and operate. On the other hand, we must control east-west connections, or simply block these horizontal channels between uncontrolled devices. We are convinced that IoT network segmentation at layer 2 is worth exploring to close these gaps.
Cloudi-Fi team is working hard to architect an IoT security platform that defines and facilitates the operation of an ingenious IoT framework where IoT devices are automatically identified and provided with suitable connectivity profiles for their application. Cloudi-Fi IoT security platform will fence every unknown device into a quarantine, where the network admin will initiate a security check. The IoT device is either denied access or sorted into a dedicated IoT security profile, depending on the results, and integrated with the corporate security environment. This process guarantees an open and seamless networking environment where connectivity is easily accessible to all devices and users while unknown devices remain under strict control.