As the CTO of NIC Partners, I frequently consult with our customers to evaluate their network and security practices. One critical topic often discussed is the segmentation of IoT devices within the network. Unsecured IoT devices can be exploited by attackers to gain access to the internal network, so proper segmentation is essential.
When I ask how IoT devices are segmented, the common response is that these devices are placed in a separate VLAN. However, upon further investigation, it often becomes clear that no additional security measures are in place beyond VLAN segmentation.
Placing devices in their own VLAN is a good starting point, but it’s not the whole story. VLANs segment traffic at layer 2 (Ethernet, MAC address), which helps to constrain broadcasts and multicasts. For devices to communicate outside their VLAN, they need to use TCP/IP. Devices with IP addresses will have a default gateway, which is typically the IP address associated with the VLAN on the campus core or distribution-layer switch.
To summarize, devices within a VLAN use TCP/IP to hit the default gateway, which then routes traffic to the rest of the network. The problem is this: without any further protection mechanisms, the path between the IoT VLAN and the rest of the network is wide open. In this way, VLANs alone cannot enforce proper segmentation.
So, how does one properly segment devices in a campus environment? There are several options available, which vary in efficacy and cost.
Access Control Lists (ACLs): Access control lists can be found in different forms and may not be supported by all manufacturers or device types. Static ACLs are easy to create and apply but need regular review and updates to maintain efficacy. Static ACLs are difficult to keep synchronized across large networks without scripting or automation. Here are some examples of ACLs that may be available to use:Figure 1: Example of Cisco's SD-Access segmentation
Isolated Networks: This is an extreme solution, but one that is effective at preventing specific equipment—such as IoT devices—from accessing the rest of your network. The idea is to place the isolated devices on their own network infrastructure with a separate Internet connection and firewall. A VPN can be used to remotely manage the equipment. For many organizations, this solution is not practical or worth the added expense, but critical infrastructure organizations like utility companies, municipalities, and healthcare can and do make use of this technique.
As we can see, there are several options for segmenting traffic within a campus network, but VLANs alone are insufficient. There must be another mechanism in place to permit or deny traffic between your VLANs. While the various solutions represent trade-offs in security, cost, and complexity, it is my opinion that any solution is better than no solution. History has shown that IoT devices are susceptible to attacks due to lack of firmware updates or zero-day vulnerabilities, and if your network allows free access from your IoT VLAN to the rest of the network, then it’s just a matter of time before a breach occurs.