Plan Your IoT Security Deployment Using Best Practices
Set goals and responsibilities and determine the design
for your IoT Security deployment.
Consider the following best practices when
preparing an IoT Security deployment.
Set goals for your IoT Security deployment. What
will it provide as part of your network security strategy?
Goal 1: Gain visibility into your IoT assets through
a dynamically generated IoT device inventory
Goal 2: Protect your IoT devices and network resources from
attack by reducing device vulnerabilities and by enforcing security
Determine who will be responsible for addressing risks
that IoT Security detects, who will require access to the IoT Security
portal and the level of access they’ll need, and whether you’ll
need a team for patching device software.
Foster cross-functional collaboration between your IT
infrastructure and networking team and your IT security team.
These teams should work together during the design phase
to determine whether the current firewall deployment is sufficient
and, if not, where you’ll need to add firewalls to act as network
traffic sensors and as potential policy enforcers.
Decide where to position firewalls.
Firewalls must see IoT device traffic and have DHCP traffic
routed through them so that IoT Security can map device IP addresses
to MAC addresses. Use the following list to determine where to put
firewalls on your network.
Deploy one or more firewalls
where they see traffic from IoT devices. IoT Security must collect
data from network traffic for analysis. For example, because most
IoT devices in enterprises connect to servers, you could place firewalls
where they can see traffic from IoT devices to those servers, whether
they're in private data centers or the cloud. Deploying more firewalls
in the MDF (main distribution frame) and IDFs (intermediate distribution frames)
can further maximize coverage. You might also need to add firewalls
internally to see traffic behind NAT devices. You can deploy firewalls
inline to collect data and enforce policy, or deploy them as sensors
(inline or in tap mode) to function only as data collectors.
Ensure that DHCP traffic between DHCP relay agents or DHCP
clients and the DHCP server flows through the firewall. Alternatively,
use the firewall as a DHCP relay agent. DHCP traffic is essential
for IoT Security to learn the MAC addresses of IoT devices because
it uses them to track each device and learn its behavior.
When devices are behind a NAT device, put another firewall
behind the NAT device to gain visibility into those devices.
Decide if you will perform a phased deployment (often
necessary in a large network).
Set the level of granularity for Security policy enforcement
that you want to achieve.
For example, put devices in groups sharing a specific attribute–category,
profile, vendor, model, OS family, or OS version–or use a profile
or category grouping. A next-generation firewall administrator can
do the following:
Include multiple device objects in a single security
policy under source or destination.
Create a single device object that has multiple attributes
(for example, Category=Entertainment, Profile=Acme TV, and OS family=Acme