Daisie Register | February 21, 2014 | 2 min read

Achieving Separation from the Internet of Things with a Next Generation Firewall

As part of our cyber security focus this month, we’ve asked our partners to address the areas within the cyber security lifecycle approach and provide their own perspective. Scott Montgomery, CTO Public Sector at McAfee specifically addresses network defense and the role of the next generation firewall. 

Recently, Google spent $3.2 billion in cash on a company called NEST that makes Android-based home thermostats and home smoke detectors, both with very user-friendly interfaces. Did Google do this because they believe the thermostat and smoke detector markets are about to explode to 11 figures? Or did they do it because it gives them a really strong player in the consumer portion of the Internet of Things (IoT) taxonomy from which they can internet-enable a variety of different devices?

This purchase highlights one of the challenges that today’s information security practitioner is or will shortly be facing: How do you secure these internet-enabled devices that are consistently replacing their non-networked predecessors? Home appliances, HVAC, passenger and freight vehicles, pumps, valves, conveyors, vats, pipelines, motors, drives, signs, surgical equipment, monitors, meters and an increasing number of other devices are all releasing new internet-enabled versions of their traditional products. The number of devices is increasing as quickly as the variety of different manufacturers of the equipment.

With this influx of new devices onto organizations’ networks, the concerns about information security and privacy are real. One security option is to introduce host-based security onto the device itself, but this typically requires manufacturers to update their chip or real-time operating system (RTOS) level instructions – which, even if they agree to do so, could take months to years.

The other way to secure IoT devices and separate them from your more typical devices is to use a next-generation firewall. Consider an ICS/SCADA network where the devices are running industrial equipment: What would the purpose be in allowing the industrial devices onto the production network? Utilizing a next-generation firewall would allow the network security practitioner to:

  • Create a physical and virtual separation between the employees and the IoT devices
  • Enable only the specific applications the IoT devices use to leave the IoT network
  • Narrow the IoT traffic to the TCP and UDP ports those applications use
  • Narrow the range of destinations to the specific ones required by the IoT device
  • Ensure that what is allowed to go to the IoT device is appropriate for the device type, and is free from malware
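
The second, third and fourth points above amount to a default-deny egress policy for the IoT segment. The sketch below is an added example, not code from the article or from any firewall vendor: it evaluates flow records against an allowlist of application, protocol/port and destination. The segment range, rules and flows are constructed values using documentation address ranges, and the application labels stand in for whatever the firewall's application identification reports.

```python
import ipaddress
from collections import namedtuple

# Rule: application label the firewall assigned, protocol, port, allowed destination CIDR.
Rule = namedtuple("Rule", "app proto port dest")
Flow = namedtuple("Flow", "src dst proto port app")

# All addresses and rules are constructed (documentation ranges), not from the article.
IOT_SEGMENT = ipaddress.ip_network("192.0.2.0/25")
EGRESS_ALLOW = [
    Rule("mqtt-tls", "tcp", 8883, "198.51.100.10/32"),  # hypothetical vendor broker
    Rule("ntp", "udp", 123, "198.51.100.53/32"),        # hypothetical time server
]

def evaluate(flow):
    """Return (verdict, reason) for one flow; anything not allowlisted is denied."""
    if ipaddress.ip_address(flow.src) not in IOT_SEGMENT:
        return "skip", "source is outside the IoT segment"
    dst = ipaddress.ip_address(flow.dst)
    port_and_dest_ok = False
    for rule in EGRESS_ALLOW:
        if (rule.proto, rule.port) != (flow.proto, flow.port):
            continue
        if dst not in ipaddress.ip_network(rule.dest):
            continue
        port_and_dest_ok = True
        if rule.app == flow.app:
            return "allow", "matches the %s rule" % rule.app
    if port_and_dest_ok:
        # Right port and destination, wrong application: port-only filtering would pass this.
        return "deny", "unexpected application on an allowed port"
    return "deny", "no rule for this port and destination"

SAMPLE_FLOWS = [  # constructed flow records
    Flow("192.0.2.20", "198.51.100.10", "tcp", 8883, "mqtt-tls"),
    Flow("192.0.2.20", "198.51.100.10", "tcp", 8883, "ssh"),
    Flow("192.0.2.20", "10.0.0.5", "tcp", 445, "smb"),
    Flow("192.0.2.21", "198.51.100.53", "udp", 123, "ntp"),
    Flow("192.0.2.200", "198.51.100.10", "tcp", 8883, "mqtt-tls"),
]

def audit(flows):
    """Evaluate every flow and return (flow, verdict, reason) tuples."""
    return [(flow,) + evaluate(flow) for flow in flows]

if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_FLOWS):
        print("%-5s %s -> %s %s/%d (%s): %s" % ((verdict,) + flow[:5] + (reason,)))
```

The second sample flow is the case that separates application-aware filtering from a port filter: the port and destination are allowlisted, but the identified application is not the one the device is expected to use.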

Lastly, many next-generation firewalls can run not only in a physical form factor like an appliance, but also in a virtual machine. This flexibility will allow network practitioners to ensure that for remote or very low bandwidth networks, the cost of the protection isn’t prohibitive.

As the Internet of Things continues to add unexpected numbers of internet-enabled devices to organizations’ network footprint, it’s very clear that practitioners need a solid, repeatable, low-cost method for creating separation between their IoT devices and the production network. A next-generation firewall allows the separation and enables the business of the IoT device without adding undue cost or complexity.
