The Internet of Things (IoT) is having a profound impact in every industry. According to survey data, 63% of IT organizations have witnessed a 50% increase in the number of endpoints that are connecting to the network. By 2020, Gartner estimates that 20.4 billion connected things will be in use by organizations worldwide. Although IoT growth is really being driven by 3 main subsectors: Smart Cities (26%), Industrial IoT (24%) and Connected Health (20%), there really isn't a single vertical industry that isn't experiencing growth in the number of endpoints that are connecting to the network.
Although IoT holds great promise in increasing efficiencies, driving down costs and enhancing customer service, these devices also widen the network attack surface, creating more routes of entry for would-be hackers.
Consider the Statistics:
The Challenge of Implementing IoT Security
Although the threat of attack is very real, there are many factors that make securing specific IoT devices a challenge. First, there is the sheer number and diversity of endpoints, many of which might not be within IT's direct control. They might be owned by the facilities management team, operational teams or clinical staff within a hospital. Furthermore, many of these devices were not originally designed to be Internet-connected and lack embedded security.
Some of the Specific Security Challenges of Connected Devices Include:
Securing Devices with Extreme Defender for IoT
Extreme Defender for IoT is a unique, award-winning solution that delivers security for endpoints which have limited or even no embedded security capabilities. It is especially targeted at aging wired devices that need to roam around a room, a building or even a campus. It complements a customer's existing security infrastructure by adding in-line defense directly at the IoT device itself. And it can be deployed over any network infrastructure to enable secure IoT management without significant network changes.
Extreme Defender Components
Extreme Defender consists of the following components:
How Defender Secures Devices
Defender for IoT secures connected devices in a couple of ways:
According to Gartner Research, "IoT devices cannot be trusted and must be separated from the network to reduce risk." Defender for IoT provides a simple and automated approach to creating isolated segments for devices and then provides further defense in depth by filtering traffic flows to and from the devices. The next four sections describe the security functions of Defender for IoT.
Application of Centralized Profiles
Securing IoT devices starts with the creation of whitelist profiles. These profiles are created, managed and cataloged on the Defender Application. A single profile is typically created for each device type (e.g. IP security cameras) and then applied to all the devices that fit into that category. The profile provides a list of authorized devices and traffic flows to limit what the IoT device receives and transmits, as well as who or what the device can communicate with. A completed profile contains a group access profile with security rules and network attachment settings.
The profiles are then pushed out to the Defender Adapter and/or the AP3912, which police and monitor the traffic with full Layer 2 to 7 visibility. They ensure that traffic both to and from the IoT device is restricted to the rules contained within the profile. In doing so, the IoT device is protected and also prevented from launching an attack itself.
Creation of Profiles with Ease
Because traffic profiles can be complex to manually create, the Defender for IoT solution automates this process using an "Auto Policy Generator." The Defender for IoT solution enables adapters to mirror traffic to the Defender Application where the Auto Policy Generator can create a traffic profile for the IoT device. The IoT device operates normally with the Defender Application cataloging the traffic so the solution can learn what the expected normal behavior of the device is. When adequate time has passed in this mode (dependent on IoT device operation), mirroring can be stopped and the resultant traffic profile can be applied to the IoT device to secure its communication to the network.
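The learn-then-enforce idea described in the two sections above, as an added illustration in Python (not Extreme's code or the Auto Policy Generator's actual logic): flows mirrored during a learning window become a default-deny allowlist that is then checked in both directions. The `Flow` record, the `min_seen` threshold and all addresses are assumptions constructed for this sketch.

```python
from collections import Counter, namedtuple

# direction is relative to the IoT device: "out" = device -> peer, "in" = peer -> device.
# port is the service port (the peer's for "out", the device's for "in"), so
# ephemeral client ports do not fragment the profile.
Flow = namedtuple("Flow", "direction peer proto port")


def learn_profile(mirrored_flows, min_seen=2):
    """Turn traffic mirrored during the learning window into an allowlist.

    min_seen is an assumption of this sketch: a flow seen fewer times is
    left out so a one-off packet does not become a permanent rule.
    """
    counts = Counter(mirrored_flows)
    return frozenset(flow for flow, n in counts.items() if n >= min_seen)


def enforce(profile, flow):
    """Default-deny check applied in-line to traffic to and from the device."""
    return "permit" if flow in profile else "deny"


# Constructed learning-window capture for a hypothetical IP camera.
LEARNING = (
    [Flow("in", "10.0.5.10", "tcp", 554)] * 3     # recorder pulling the video stream
    + [Flow("out", "10.0.5.2", "udp", 123)] * 2   # time sync
    + [Flow("in", "10.0.5.20", "tcp", 443)] * 2   # management console
    + [Flow("in", "10.0.9.77", "tcp", 23)]        # single stray connection
)

PROFILE = learn_profile(LEARNING)

if __name__ == "__main__":
    for rule in sorted(PROFILE):
        print("allow", *rule)
    # After learning stops, anything outside the profile is dropped,
    # including traffic the camera itself tries to originate.
    print(enforce(PROFILE, Flow("in", "10.0.5.10", "tcp", 554)))
    print(enforce(PROFILE, Flow("out", "10.0.7.3", "tcp", 22)))
```

Whatever the device sends or receives during the learning window ends up in the profile, so a generated profile should be reviewed against the device's documented behavior before it is applied.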
Secure Device Mobility Without IT Involvement
With Defender, wired devices can be automatically moved from one network port to another. If a device needs to be relocated, a technician can simply unplug the Adapter from a room wall jack port, move the device and Adapter to a new location and plug the Adapter into a new port. When the Adapter is unplugged, it loses its profile and network services are disabled on the old switch port. When the Adapter is reconnected, it contacts the ExtremeCloud Appliance to retrieve its profile and requests the services to be provisioned on the new port. Within a couple of minutes, the IoT device is functioning in its new location and the move has been completed quickly and safely, without network IT involvement.
Network Segmentation/Secure Zones
In addition to the policies, Defender also enables like devices to be placed in their own isolated secure zone or clinical segment. According to Gartner research only 5% of IoT devices deployed today are virtually segmented; however, by 2021 60% will be. Creating secure zones reduces the attack surface and mitigates ill-intended lateral movement toward sensitive areas of the network. Defender enables the creation of secure zones with a Fabric Connect network or over third-party IP Networks.
Secure Zones with Fabric Connect
Extreme Defender is optimized for use with Extreme Fabric Connect, Extreme's Campus Fabric solution. One of the main benefits of Fabric Connect is its ability to quickly and easily create secure zones at scale. Rather than complex configuration, these secure zones can be deployed very quickly and easily at the network edges. In addition, on a Fabric Connect infrastructure, an auto-attach protocol called Fabric Attach is supported on the Defender Adapter and the AP3912. This enables dynamic automatic attachment of endpoints as well as full network service automation so that the end to end secure zone is created dynamically as the device is on-boarded.
Secure Zones Over Third Party Networks
Extreme Defender can also be deployed on traditional IP-based networks (Extreme and third party), enabling customers to securely deploy IoT without having to make any significant network changes. The secure zones or network segments are set up using secure IPSec tunnels that segment IoT traffic from the device, across the infrastructure, to the Defender Application on the ExtremeCloud Appliance.
Automated Onboarding and Inventory Management
In addition to securing each IoT device, the sheer number of IoT devices that need to be onboarded, as well as centrally tracked, can be a huge burden to already taxed IT teams. Extreme Defender simplifies securing, onboarding, and moving these devices, enabling companies to save valuable operational costs.
Specifically, the Defender Application:
According to research conducted by Ponemon Institute and Shared Assessments, only 12% of organizations have a centralized inventory of all the devices connecting to the network. With the Defender Application, this centralized view is now possible regardless of where the IoT device resides and what department (facilities, clinician, IT, etc.) owns and manages it.
Summary: Realize the Vision of IoT with Extreme Networks
As organizations continue to connect new devices and embrace IoT, the Extreme Networks Defender for IoT solution can help:
Secure IoT devices with a multi-layered approach consisting of secure on-boarding and attachment, traffic monitoring and filtering and the creation of end to end secure zones for isolation and protection of groups of devices and to significantly reduce the attack surface.
Achieve Greater Efficiency and Lower Costs with an automated approach to creating policies (via the learning mode) and with a simple User-Interface and small in-line device which will enable your non-technical staff to on-board and move their own devices once the profile has been created. The ability for the solution to work over any network infrastructure means that IoT security needs can be addressed without a time consuming and expensive network refresh.
For more information on Extreme Defender for IoT, please contact your Extreme representative.
Ordering overview for the Defender for IoT solution: