Extreme Defender for IoT: Securing Medical and other Connected Devices with Ease


The Internet of Things (IoT) is having a profound impact in every industry. According to survey data, 63% of IT organizations have witnessed a 50% increase in the number of endpoints that are connecting to the network. By 2020, Gartner estimates that 20.4 billion connected things will be in use by organizations worldwide. Although IoT growth is being driven mainly by three subsectors, Smart Cities (26%), Industrial IoT (24%) and Connected Health (20%), there is no vertical industry that isn't experiencing growth in the number of endpoints connecting to the network.

Although IoT holds great promise in increasing efficiencies, driving down costs and enhancing customer service, these devices also widen the network attack surface, creating more routes of entry for would-be attackers.

Consider the Statistics:

  • Nearly 20% of organizations have observed at least one IoT-based attack in the past three years.
  • IoT attacks increased 600% between 2016 and 2017.

The Challenge of Implementing IoT Security

Although the threat of attack is very real, many factors make securing specific IoT devices a challenge. First is the sheer number and diversity of endpoints, many of which might not be within IT's direct control: they might be owned by the facilities management team, operational teams or clinical staff within a hospital. Furthermore, many of these devices were not originally designed to be Internet-connected and lack embedded security.

Some of the Specific Security Challenges of Connected Devices Include:

  • May run older, unsupported operating systems such as Windows 95/98 that can no longer be patched.
  • Lack of a personal firewall, anti-virus and encryption on many devices.
  • In some industries (e.g. healthcare) devices must go through an expensive, time-consuming recertification process to remain in compliance if a change is made to the device (e.g. a security patch).
  • In many cases, devices connecting to the wired network are more exposed. Specific issues include aging edge switches with feature disparity across the network.

"IoT security is becoming a major concern for our organization. At the same time, we are concerned that the nature of securing so many devices will be complex and expensive. The Extreme Defender for IoT solution will enhance our IoT security toolset without further complexity."
Ben Vickers
Director of IT (Promedica)

Securing Devices with Extreme Defender for IoT

Extreme Defender for IoT is a unique, award-winning solution that delivers security for endpoints which have limited or even no embedded security capabilities. It is especially targeted at aging wired devices that need to roam around a room, a building or even a campus. It complements a customer's existing security infrastructure by adding in-line defense directly at the IoT device itself, and it can be deployed over any network infrastructure to enable secure IoT management without significant network changes.

Extreme Defender Components

Extreme Defender consists of the following components:

  • Defender Application: A user-friendly application that enables the centralized creation of security profiles for groups of IoT devices. Once profiles are created, non-technical staff can securely on-board and move their devices. They can also monitor and track their assets through intuitive dashboards and a centralized inventory.
  • Defender Adapter (SA201) and the Extreme Wireless 3912i Indoor Access Point: Provide a proxy service for the Defender Application to both manage and secure IoT devices. Their specific role is to monitor traffic flows, with full Layer 2 to 7 visibility, to ensure that the device is operating according to its expected behavior. The Defender Adapter is a single-port device that sits between the network and the IoT device, providing in-line defense. The AP3912 is a multi-port unit that supports multiple devices in a single room.
  • ExtremeCloud Appliance: Available as a hardware-based or virtual appliance, the ExtremeCloud Appliance is an on-premises solution that provides cloud-like management and controller functionality for Extreme Smart OmniEdge (wired and wireless) solutions. With a full suite of rich APIs to customize applications, it is the supported platform for the Defender Application.

How Defender Secures Devices

Defender for IoT secures connected devices in several ways:

  • Applies profiles directly at the IoT device that ensure the device operates according to its expected behavior.
  • Controls IoT device attachment and access to the network.
  • Isolates groups of IoT devices into secure zones or network segments.

According to Gartner Research, "IoT devices cannot be trusted and must be separated from the network to reduce risk." Defender for IoT provides a simple and automated approach to creating isolated segments for devices, and then provides further defense in depth by filtering traffic flows to and from the devices. The next four sections describe the security functions of Defender for IoT.

Application of Centralized Profiles

Securing IoT devices starts with the creation of whitelist profiles. These profiles are created, managed and cataloged in the Defender Application. A single profile is typically created for each device type (e.g. IP security cameras) and then applied to all the devices that fit into that category. The profile provides a list of authorized devices and traffic flows to limit what the IoT device receives and transmits, as well as who or what the device can communicate with. A completed profile contains a group access profile with security rules and network attachment settings.

The profiles are then pushed out to the Defender Adapter and/or the AP3912, which police and monitor the traffic with full Layer 2 to 7 visibility. They ensure that traffic both to and from the IoT device is restricted to the rules contained within the profile. In doing so, the IoT device is protected and is also prevented from launching an attack itself.

Creation of Profiles with Ease

Because traffic profiles can be complex to create manually, the Defender for IoT solution automates this process using an "Auto Policy Generator." The solution enables adapters to mirror traffic to the Defender Application, where the Auto Policy Generator can create a traffic profile for the IoT device. The IoT device operates normally while the Defender Application catalogs the traffic, so the solution can learn what the expected normal behavior of the device is. When adequate time has passed in this mode (dependent on IoT device operation), mirroring can be stopped and the resulting traffic profile can be applied to the IoT device to secure its communication with the network.
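The learn-then-enforce cycle described in the last two sections, as an added illustration that is not Extreme's code: mirrored flow records from a device are folded into a default-deny whitelist profile, and live flows are then checked against it. The device type, addresses and ports are constructed sample values, and the flow fields are a simplification of the Layer 2 to 7 visibility the brief describes.

```python
"""Miniature "auto policy generator" and whitelist enforcer (constructed example)."""
from typing import Dict, FrozenSet, List, NamedTuple


class Flow(NamedTuple):
    direction: str   # "out" = device -> network, "in" = network -> device
    proto: str       # "tcp" or "udp"
    peer_ip: str     # remote host the device talks to
    peer_port: int   # remote port for "out" flows, device service port for "in" flows


class Profile(NamedTuple):
    device_type: str
    rules: FrozenSet[Flow]   # the whitelist: every flow not listed here is denied


def learn_profile(device_type: str, mirrored: List[Flow]) -> Profile:
    """Learning mode: each distinct flow seen while mirroring becomes an allow rule."""
    return Profile(device_type, frozenset(mirrored))


def enforce(profile: Profile, flows: List[Flow]) -> Dict[str, List[Flow]]:
    """Enforcement mode: allow only whitelisted flows, deny and report the rest."""
    verdicts: Dict[str, List[Flow]] = {"allow": [], "deny": []}
    for flow in flows:
        verdicts["allow" if flow in profile.rules else "deny"].append(flow)
    return verdicts


# Constructed traffic mirrored from a hypothetical IP camera during learning mode.
MIRRORED = [
    Flow("out", "tcp", "10.0.5.10", 554),   # RTSP video to the recorder
    Flow("out", "udp", "10.0.5.53", 53),    # DNS
    Flow("out", "udp", "10.0.5.123", 123),  # NTP
    Flow("in",  "tcp", "10.0.5.20", 80),    # admin web UI from the management host
]
CAMERA_PROFILE = learn_profile("ip-camera", MIRRORED)

# Constructed live traffic after the profile has been applied.
LIVE = [
    Flow("out", "tcp", "10.0.5.10", 554),       # expected: allowed
    Flow("out", "tcp", "198.51.100.7", 443),    # unexpected upload: denied
    Flow("in",  "tcp", "10.0.9.77", 23),        # probe from another segment: denied
]

if __name__ == "__main__":
    for verdict, flows in enforce(CAMERA_PROFILE, LIVE).items():
        for f in flows:
            print(f"{verdict:5} {f.direction:3} {f.proto} {f.peer_ip}:{f.peer_port}")
```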

Secure Device Mobility Without IT Involvement

With Defender, wired devices can be moved from one network port to another automatically. If a device needs to be relocated, a technician simply unplugs the Adapter from the room's wall jack port, moves the device and Adapter to the new location and plugs the Adapter into a new port. When the Adapter is unplugged, it loses its profile and network services are disabled on the old switch port. When the Adapter is reconnected, it contacts the ExtremeCloud Appliance to retrieve its profile and requests that the services be provisioned on the new port. Within a couple of minutes, the IoT device is functioning in its new location and the move has been completed quickly and safely, without network IT involvement.

Network Segmentation / Secure Zones

In addition to the policies, Defender also enables like devices to be placed in their own isolated secure zone or clinical segment. According to Gartner research, only 5% of IoT devices deployed today are virtually segmented; however, by 2021, 60% will be. Creating secure zones reduces the attack surface and mitigates malicious lateral movement toward sensitive areas of the network. Defender enables the creation of secure zones with a Fabric Connect network or over third-party IP networks.

Secure Zones with Fabric Connect

Extreme Defender is optimized for use with Extreme Fabric Connect, Extreme's campus fabric solution. One of the main benefits of Fabric Connect is its ability to quickly and easily create secure zones at scale. Rather than requiring complex configuration, these secure zones can be deployed very quickly at the network edge. In addition, on a Fabric Connect infrastructure, an auto-attach protocol called Fabric Attach is supported on the Defender Adapter and the AP3912. This enables dynamic, automatic attachment of endpoints as well as full network service automation, so that the end-to-end secure zone is created dynamically as the device is on-boarded.

Secure Zones Over Third Party Networks

Extreme Defender can also be deployed on traditional IP-based networks (Extreme and third-party), enabling customers to securely deploy IoT without having to make any significant network changes. The secure zones or network segments are set up using IPsec tunnels that segment IoT traffic from the device, across the infrastructure, to the Defender Application on the ExtremeCloud Appliance.

Automated Onboarding and Inventory Management

In addition to securing each IoT device, the sheer number of IoT devices that need to be on-boarded, as well as centrally tracked, can be a huge burden to already taxed IT teams. Extreme Defender simplifies securing, on-boarding and moving these devices, enabling companies to save valuable operational costs.

Specifically, the Defender Application:

  • Has a streamlined user interface built around common workflows. This makes it easy for non-technical staff and others outside the IT organization to on-board and apply profiles to their devices.
  • Supports simple device on-boarding through QR codes and upload capabilities that register devices in a centralized inventory tracking system.
  • Provides a single pane-of-glass status display of all IoT devices via their assigned APs/Adapters across all departments. It also includes location and roaming information for asset tracking purposes.
  • Provides a customizable dashboard view of device statistics, which can be useful for determining IoT device utilization and availability.

According to research conducted by the Ponemon Institute and Shared Assessments, only 12% of organizations have a centralized inventory of all the devices connecting to the network. With the Defender Application, this centralized view is now possible regardless of where the IoT device resides and which department (facilities, clinical, IT, etc.) owns and manages it.

Summary: Realize the Vision of IoT with Extreme Networks

As organizations continue to connect new devices and embrace IoT, the Extreme Networks Defender for IoT solution can help:

Secure IoT devices with a multi-layered approach consisting of secure on-boarding and attachment, traffic monitoring and filtering, and the creation of end-to-end secure zones for isolation and protection of groups of devices, significantly reducing the attack surface.

Achieve greater efficiency and lower costs with an automated approach to creating policies (via the learning mode) and with a simple user interface and small in-line device, which enable your non-technical staff to on-board and move their own devices once the profile has been created. The solution's ability to work over any network infrastructure means that IoT security needs can be addressed without a time-consuming and expensive network refresh.

For more information on Extreme Defender for IoT, please contact your Extreme representative.

Ordering Information

Ordering overview for the Defender for IoT solution:

  • Activation of the Defender Application requires ordering a license for the number of protected devices being supported, as well as ordering the desired service and subscription offer.
  • The ExtremeCloud Appliance must also be ordered in advance of, or in conjunction with, the Extreme Defender for IoT solution.
  • The appropriate access hardware (the Defender Adapter (SA201) or the AP3912) must be ordered with the solution.