How many wireless IoT gizmos do you have in your home? I have a few, including a couple of Nest thermostats. This does not include the plethora of smartphones, tablets, e-readers, and network printers that also use my local Wi-Fi network. I also have four servers running. I like lots of backup. The system is complex compared to the typical home network, since most of the servers are running a collection of virtual machines. It is probably overkill for even a small business.
My attempts to lock things down include very long root passwords and using root access only to manage the system rather than for everyday work. The Linux servers run SELinux, and even SSHD does not allow root login. Automatic updates are turned off, but I keep a calendar reminder to apply updates manually on a regular basis. I have even tinkered with Tripwire and AIDE, two host-based intrusion detection systems (IDSs) for servers. I also run IDS software on my network gateway. I was paranoid even before Edward Snowden’s revelations.
I have been trying to follow best practices for defense in depth, both for the network and for the individual devices I have control over. That does not really extend to the IoT devices, other than controlling how they connect to the Internet and the local network.
My network gateway plugs into my Verizon router, which has its own firewall and wireless access point but is located in our ranch house, where it provides only limited coverage to the rest of the house. I have three other access points (APs) on my local network. Unfortunately, most of the IoT devices in the house need to use those APs. The APs run the open-source DD-WRT firmware, which supports VLANs and virtual access points, making it possible to give the wireless IoT devices their own SSID that reaches the Internet through a VLAN to my gateway. This at least isolates the rest of the LAN from the IoT devices.
Does it sound complicated? It can get even more complicated with multiple AP/VLAN pairs for different collections of devices. It is not something I would recommend to anyone without a lot of time, a network certification, or a lot of network experience. Each VLAN requires its own logical DHCP service. I have not tried hooking these VLANs up with the ones for my virtual servers. Adding this AP/VLAN support to the mix potentially improves the depth of the network’s security, and it is something I could do without modifying the devices.
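The gateway side of that split, as an added example that is not the column's own configuration (the DD-WRT settings on the APs are not shown): a Linux gateway receives the IoT SSID's VLAN on a tagged trunk, runs one dnsmasq DHCP pool per VLAN, and applies an nftables forward policy that lets the IoT VLAN reach the Internet but not the LAN. Interface names, VLAN IDs and subnets are assumed values.

```shell
#!/bin/sh
# Added example, not the column's own configuration. Assumed layout: the
# DD-WRT APs trunk the LAN SSID as VLAN 10 and the IoT SSID as VLAN 20 to a
# Linux gateway on eth1; eth0 faces the Verizon router. Functions only print.
WAN_IF=eth0
TRUNK_IF=eth1
LAN_VID=10; LAN_GW=192.168.10.1
IOT_VID=20; IOT_GW=192.168.20.1
# 802.1Q sub-interface for one VLAN: a tagged child of the trunk carrying the
# gateway address for that VLAN's subnet. $1 = VLAN id, $2 = gateway IP.
vlan_if_cmds() {
    printf 'ip link add link %s name %s.%s type vlan id %s\n' "$TRUNK_IF" "$TRUNK_IF" "$1" "$1"
    printf 'ip addr add %s/24 dev %s.%s\n' "$2" "$TRUNK_IF" "$1"
    printf 'ip link set %s.%s up\n' "$TRUNK_IF" "$1"
}
# dnsmasq fragment: a separate DHCP pool bound to each VLAN interface (the
# per-VLAN logical DHCP service); IoT clients get only the IoT gateway as router and resolver.
dnsmasq_conf() {
    cat <<EOF
interface=$TRUNK_IF.$LAN_VID
dhcp-range=set:lan,192.168.10.100,192.168.10.200,12h
interface=$TRUNK_IF.$IOT_VID
dhcp-range=set:iot,192.168.20.100,192.168.20.200,12h
dhcp-option=tag:iot,option:router,$IOT_GW
dhcp-option=tag:iot,option:dns-server,$IOT_GW
EOF
}
# nftables policy: forward drops by default; IoT may reach the WAN only, the
# LAN may reach anything, and replies to LAN-initiated flows pass via conntrack.
nft_ruleset() {
    cat <<EOF
table inet gw {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "$TRUNK_IF.$IOT_VID" oifname "$TRUNK_IF.$LAN_VID" drop
    iifname "$TRUNK_IF.$IOT_VID" oifname "$WAN_IF" accept
    iifname "$TRUNK_IF.$LAN_VID" accept
  }
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname "$WAN_IF" masquerade
  }
}
EOF
}
vlan_if_cmds "$LAN_VID" "$LAN_GW"; vlan_if_cmds "$IOT_VID" "$IOT_GW"
dnsmasq_conf; nft_ruleset
```

Running the script prints the interface commands, the dnsmasq fragment and the nftables ruleset; nothing is applied until you feed them to ip, dnsmasq and nft yourself.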
What I am hopefully highlighting here is the need for security in depth within IoT devices and their frameworks (see “Engineering Essentials: IoT Standards and Frameworks” on electronicdesign.com). An enterprise may have the ability to lock down, partition, and track the security of its network, but it will be impossible for the average consumer or user to even come close.
These days it should be standard practice to have different security checks for actions like over-the-wire updates, Web-based management, and command authentication. Passwords or keys should never be stored as cleartext, and security should not be an add-on or a simple firewall.
So consider why someone might want VPN or VLAN support on their IoT or network device. A hacked IoT device or application can be a gateway into a network of devices if those devices assume they are secured by a third-party firewall.