One of the more exciting developments in the normally staid world of networking has been the Internet of Things. The Internet of Things (“IoT”) means different things to different people, but in essence it is the prospect of connecting everything digital to everything else digital. A digital representation of Jung’s collective subconscious, perhaps.
The number of devices has been growing exponentially, and Gartner reckons that we could see over 21 billion Internet of Things devices this year, 2020.
At a higher level, the Internet of Things provides an economical way of connecting disparate currently discrete systems and dramatically improving operational efficiencies.
Being able to connect anything to anything does have network implications, both in performance and security. The ability of IoT to join stuff up provides seemingly endless options for pushing IP network connectivity to boldly go to places where IP has never gone before.
Internet of Things and Networking
One characteristic of Internet of Things processing is the processing of vast numbers of transactions very quickly, for instance, in a driverless car. If they were to be processed centrally at the network core, they would place an excessive load on the network, need much larger bandwidth, and increase the potential points of failure.
Often these transactions can be adequately dealt with at the edge. Hence the emergence of Fog Computing where semi-independent network clouds exist at the edge of a network.
All of this comes at a price, mostly to do with security and performance. IT administrators now face new challenges in supporting devices that were not designed to be remotely managed and that can often blow holes in any network security environment.
One option that is currently receiving considerable attention is that of network segmentation and monitoring to break a network into easily managed smaller networks.
Network segmentation has been around almost as long as IP itself. A network is divided into subnets, typically to improve performance by separating and directing traffic along preferred routes. Unless explicitly allowed to do so, traffic does not pass between subnets (segments).
Subnets are also used to improve security. In many WiFi implementations, user subnets support internal user access identical to that of a wired connection, while guest subnets provide only web access to guests and external users.
Bring Your Own Device
The use of Bring Your Own Device has brought considerable headaches to IT management. Using network segmentation to separate unknown or unrecognised devices from known or managed devices provides better security, and reduces the incidence of hosts and endpoints not managed by IT. This headache can only get worse as IoT supports connectivity to many more new and different devices.
In the example above, devices provisioned by IT operate on the internal network, while visitors and guests using their own devices and heading off to unknown and unregulated endpoints work on the guest segment which is kept strictly outside the firewall.
Keeping guests and others outside your core network in their dedicated segment means that your core network remains invisible to them. Besides, any security incidents stay outside and won’t affect your core resources.
Monitoring and Management
Returning explicitly to IoT, segmentation brings greater control, monitoring and management to the network. As discussed above, applications that generate or process vast numbers of transactions needing immediate processing are dealt with in their own segment.
Consider fly-by-wire aircraft or driverless vehicles. They continually scan the immediate environment and process the results of that scanning to make decisions. These decisions are sometimes life-critical in that a wrong or delayed decision could have a fatal consequence.
Processing these transactions in their own network segment significantly reduces the potential for delay or packet loss. It also reduces potential points of failure because there is no need to traverse the network to a central processor. Some implementations are already using dedicated clouds (Fog Computing) at the network edge to deliver this approach.
IoT security and monitoring are also significantly improved with network segmentation. Put simply, network segmentation restricts traffic moving between network zones. This enhances network monitoring by allowing managers to focus on particular segments of interest.
Improvements to threat detection and avoidance arise from being able to identify who is trying to access, or already has access to, what. Network managers can then prevent common IoT threats, including malware, some DDoS attacks and other threats that rely on being able to move easily between devices.
New and different devices from outside the familiar networking stable often have no built-in appreciation of, or provision for, network security. As a result, they introduce vulnerabilities into the network. Segmentation allows you to quarantine these devices in their own segment and apply more detailed monitoring and control to them.
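The two ideas above, the "unless allowed to do so" rule for traffic between segments and the quarantine-and-monitor approach for IoT devices, can be shown together in a small policy evaluator. This is an added example and not code from the article: the segment address ranges, the allow rules (guests get web only, IoT devices may only reach their cloud service, managed hosts may administer IoT devices) and the key=value flow-log format are all constructed for illustration. The block classifies each flow by source and destination segment, applies a default-deny policy to anything crossing a segment boundary, and raises an alert whenever a guest or IoT host is denied on an attempt to reach the internal segment, which is exactly the kind of cross-segment movement the text says segmentation is meant to stop.

```python
"""Segment-aware flow policy and monitor (constructed example, not from the article)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Hypothetical segment layout. The address ranges are assumptions for this example.
SEGMENTS = {
    "internal": ipaddress.ip_network("10.10.0.0/16"),     # IT-provisioned hosts
    "guest":    ipaddress.ip_network("192.168.50.0/24"),  # BYOD / visitors, outside the firewall
    "iot":      ipaddress.ip_network("10.20.0.0/16"),     # quarantined IoT devices
}

# Allow list for traffic crossing a segment boundary. Anything not listed is dropped
# (default deny). A port set of None means any port. These rules are assumptions.
ALLOW = {
    ("guest", "internet"):    {80, 443},  # guests get web access only
    ("internal", "internet"): None,       # managed hosts: unrestricted egress
    ("internal", "iot"):      None,       # managed hosts may administer IoT devices
    ("iot", "internet"):      {443},      # IoT telemetry to its cloud service only
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def segment_of(ip):
    """Map an address to its segment name; anything outside a known segment is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def evaluate(flow):
    """Return ('allow' | 'deny', reason) for one flow under the segment policy."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg == dst_seg:
        # Traffic that stays inside a segment is left to that segment's own policy.
        return "allow", f"intra-segment {src_seg}"
    if (src_seg, dst_seg) not in ALLOW:
        return "deny", f"no rule {src_seg}->{dst_seg}"
    ports = ALLOW[(src_seg, dst_seg)]
    if ports is None or flow.dport in ports:
        return "allow", f"rule {src_seg}->{dst_seg}"
    return "deny", f"port {flow.dport} not allowed {src_seg}->{dst_seg}"


def parse_flow(line):
    """Parse one 'key=value' flow-log line (a constructed format, not a real product's)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Flow(fields["src"], fields["dst"], fields["proto"], int(fields["dport"]))


def monitor(lines):
    """Apply the policy to each flow and alert on denied attempts to enter the internal segment."""
    decisions, alerts = Counter(), []
    for line in lines:
        flow = parse_flow(line)
        verdict, reason = evaluate(flow)
        decisions[verdict] += 1
        if verdict == "deny" and segment_of(flow.dst) == "internal":
            alerts.append(f"{segment_of(flow.src)} host {flow.src} tried "
                          f"{flow.proto}/{flow.dport} to internal host {flow.dst} ({reason})")
    return decisions, alerts


# Constructed flow records; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_FLOWS = [
    "src=10.10.3.7 dst=203.0.113.9 proto=tcp dport=443",       # managed host to the web: allow
    "src=192.168.50.21 dst=203.0.113.9 proto=tcp dport=443",   # guest web browsing: allow
    "src=192.168.50.21 dst=203.0.113.9 proto=tcp dport=22",    # guest SSH out: deny (web only)
    "src=192.168.50.21 dst=10.10.3.7 proto=tcp dport=445",     # guest into internal: deny + alert
    "src=10.20.1.40 dst=203.0.113.9 proto=tcp dport=443",      # IoT telemetry to cloud: allow
    "src=10.20.1.40 dst=10.10.3.7 proto=tcp dport=445",        # IoT into internal: deny + alert
    "src=10.20.1.40 dst=10.20.1.41 proto=udp dport=5683",      # IoT to IoT: intra-segment allow
    "src=10.10.3.7 dst=10.20.1.40 proto=tcp dport=22",         # admin to IoT device: allow
    "src=198.51.100.5 dst=10.20.1.40 proto=tcp dport=23",      # inbound from internet: deny
]

if __name__ == "__main__":
    counts, found = monitor(SAMPLE_FLOWS)
    print(dict(counts))
    for alert in found:
        print("ALERT:", alert)
```

Running the block prints five allows and four denies, with two alerts: the guest host and the IoT host that each tried to open SMB to a managed host. On a real network the same allow list would be expressed as firewall rules on the device that routes between the segments, and the monitor would read the firewall's own deny log instead of the constructed lines here.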
As IoT gains traction and the number of IoT connected devices continues to increase, the need for network security and monitoring will move from the major networks to all networks, including small business and home networks. Segmentation is an essential tool in the armoury.