Plan Your IoT Security Deployment Using Best Practices

Set goals and responsibilities and determine the design for your IoT Security deployment.

Consider the following best practices when preparing an IoT Security deployment.
Set goals for your IoT Security deployment. What will it provide as part of your network security strategy? Examples:

- Goal 1: Gain visibility into your IoT assets through a dynamically generated IoT device inventory.
- Goal 2: Protect your IoT devices and network resources from attack by reducing device vulnerabilities and by enforcing security policies.
Define responsibilities. Determine who will be responsible for addressing risks that IoT Security detects, who will require access to the IoT Security portal and the level of access they'll need, and whether you'll need a team for patching device software.
Foster cross-functional collaboration between your IT infrastructure and networking team and your IT security team. These teams should work together during the design phase to determine whether the current firewall deployment is sufficient and, if not, where you'll need to add firewalls to act as network traffic sensors and as potential policy enforcers.
Decide where to position firewalls. Firewalls must see IoT device traffic and have DHCP traffic routed through them so that IoT Security can map device IP addresses to MAC addresses. Use the following list to determine where to put firewalls on your network.

- Deploy one or more firewalls where they see traffic from IoT devices. IoT Security must collect data from network traffic for analysis. For example, because most IoT devices in enterprises connect to servers, you could place firewalls where they can see traffic from IoT devices to those servers, whether they're in private data centers or the cloud. Deploying more firewalls in the MDF (main distribution frame) and IDFs (intermediate distribution frames) can further maximize coverage. You might also need to add firewalls internally to see traffic behind NAT devices. You can deploy firewalls inline to collect data and enforce policy, or deploy them as sensors (inline or in tap mode) to function only as data collectors.
- Ensure that DHCP traffic between DHCP relay agents or DHCP clients and the DHCP server flows through the firewall. Alternatively, use the firewall as a DHCP relay agent. DHCP traffic is essential for IoT Security to learn the MAC addresses of IoT devices because it uses them to track each device and learn its behavior.
- When devices are behind a NAT device, put another firewall behind the NAT device to gain visibility into those devices.
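The following added example (not part of the IoT Security documentation, and not the product's own logic) shows in miniature why the DHCP requirement matters: it attributes firewall traffic flows to device MAC addresses using the DHCP leases the firewall observed, and flags source IPs that no observed lease explains, which is what you get when DHCP bypasses the firewall or hosts sit behind NAT. The lease and flow records, their field layout, and all addresses are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed DHCP lease events as a firewall in the DHCP path would see them:
# (timestamp, client MAC, assigned IP, lease length in seconds). Hypothetical layout.
DHCP_LEASES = [
    ("2024-05-01T08:00:00", "00:11:22:aa:bb:01", "10.1.5.20", 3600),
    ("2024-05-01T08:05:00", "00:11:22:aa:bb:02", "10.1.5.21", 3600),
    ("2024-05-01T09:30:00", "00:11:22:aa:bb:03", "10.1.5.20", 3600),  # same IP reissued to another device
]

# Constructed traffic flows seen by the firewall: (timestamp, src IP, dst IP, dst port).
FLOWS = [
    ("2024-05-01T08:10:00", "10.1.5.20", "10.9.0.5", 443),
    ("2024-05-01T09:45:00", "10.1.5.20", "10.9.0.5", 443),   # same IP, later lease -> different device
    ("2024-05-01T08:12:00", "10.1.5.21", "10.9.0.7", 8883),
    ("2024-05-01T08:20:00", "10.1.7.9", "10.9.0.5", 443),    # no lease seen: DHCP not via firewall, or host behind NAT
]


def parse(ts):
    return datetime.fromisoformat(ts)


def mac_for(ip, at, leases=DHCP_LEASES):
    """Return the MAC that held `ip` at time `at`, using the newest lease covering that moment."""
    best = None
    for ts, mac, lease_ip, secs in leases:
        start = parse(ts)
        if lease_ip == ip and start <= at < start + timedelta(seconds=secs):
            if best is None or start > best[0]:
                best = (start, mac)
    return best[1] if best else None


def attribute_flows(flows=FLOWS, leases=DHCP_LEASES):
    """Map each flow to a device MAC; collect source IPs that cannot be attributed.

    Unattributed IPs are the coverage gaps to fix by moving DHCP into the
    firewall's path or adding a firewall behind the NAT device.
    """
    attributed, unattributed = [], set()
    for ts, src, dst, port in flows:
        mac = mac_for(src, parse(ts), leases)
        if mac is None:
            unattributed.add(src)
        else:
            attributed.append((mac, dst, port))
    return attributed, sorted(unattributed)


if __name__ == "__main__":
    found, gaps = attribute_flows()
    print("attributed:", found)
    print("no DHCP-derived MAC for:", gaps)
```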
Decide whether you will perform a phased deployment (often necessary in a large network).
Set the level of granularity for Security policy enforcement that you want to achieve. For example, group devices by a specific attribute (category, profile, vendor, model, OS family, or OS version), or use a profile or category grouping. A next-generation firewall administrator can do the following:

- Include multiple device objects in a single security policy under source or destination.
- Create a single device object that has multiple attributes (for example, Category=Entertainment, Profile=Acme TV, and OS family=Acme OS).