The Internet of Things. (“IoT”) Is one of the more exciting developments in the normally staid world of networking. It means different things to different people, but in essence, is the prospect of connecting everything digital to everything else digital. A digital representation of Jung’s collective subconscious perhaps.
Gartner reckons that we saw over 21 Billion Internet of Things devices in 2020, with the number of devices continuing to grow exponentially.
At a higher level, the Internet of Things provides an economical way of connecting disparate currently discrete systems and dramatically improving operational efficiencies.
Performance and security both suffer from being able to connect anything to anything. The ability of IoT to join stuff up provides seemingly endless options for pushing IP network connectivity to boldly go to places where IP has never gone before.
One characteristic of Internet of Things processing is the processing of vast numbers of transactions very quickly, for instance, in a driverless car. If they were to be processed centrally, they would place an excessive load on the network, need a much larger bandwidth, and provide increased numbers of potential points of failure.
Often these transactions do not need transmission to a central server and can be adequately dealt with at the edge. Hence the emergence of FOG Computing where semi-independent network clouds exist at the edge of a network.
All of this comes at a price, mostly to do with security and performance. IT administrators now face new challenges in supporting devices that were never designed to be remotely managed and don’t fit into any network security environment.
One option that is currently receiving considerable attention is that of network segmentation and monitoring to break a network into easily managed smaller networks.
Network segmentation has been around almost as long as IP itself. Subnets, typically improve performance by separating and directing traffic along preferred routes. Unless allowed to do so, traffic does not pass between (segments) subnets.
Subnets are used to improve security. In many WiFi implementations, user networks support internal user access identical to that of a wired connection, and guest networks provide only web access to guests and external users.
The use of Bring Your Own Device has brought considerable headaches to IT management. Using network segmentation to separate unknown or unrecognised devices from known or managed devices provides better security, and reduces the incidence of hosts and endpoints not managed by IT. This headache can only get worse as IoT supports connectivity to many more new and different devices.
In the example above, devices provisioned by IT operate on the internal network, while visitors and guest using their own devices and heading off to unknown and unregulated endpoints work on the guest segment which is kept strictly outside the firewall. Separating authorised and guest users mean that your core network remains invisible to guests. Besides, any security incidents stay outside and won’t affect your core resources.
Returning explicitly to IoT, segmentation brings greater control, monitoring and management to the network. As discussed above, applications that generate or process vast numbers of transactions needing immediate processing are dealt with in their own segment.
Consider fly-by-wire aircraft or driverless vehicles. They continually scan the immediate environment and process the results of that scanning to make decisions. These decisions are sometimes life-critical in that a wrong or delayed decision could have a fatal consequence.
Processing these transactions in their own network segment significantly reduces the potential for delay or packet loss because of network congestion. It also reduces the number of potential points of failure because there is no need to traverse the network to a central processor. Some implementations are already using dedicated clouds (Fog Computing) at the network edge to deliver this approach.
IoT security and monitoring are also significantly improved with network segmentation. Simply speaking, network segmentation controls the traffic moving between network zones. This enhances network monitoring by allowing managers to focus on particular segments of interest.
Improvements to threat detection and avoidance arise by being able to identify who is trying to access or already has access to what. They can then prevent common IoT threats, including malware, some DDoS attacks and other threats that rely on being able to move between devices easily.
New and different devices from outside the familiar networking environment often do not have an appreciation and need for embedded network security. As a result, they present vulnerabilities to the network. Segmentation allows you to quarantine these devices in their own segment and apply more detailed monitoring and control to them.
As IoT gains traction and the number of IoT connected devices continues to increase, the need for network security and monitoring will move from the major networks to all networks, including small business and home networks. Segmentation is an essential tool in the armoury.