If you doubted that the Internet of Things is a security problem, doubt no more, since Cisco kicked off its Cisco Live! US with John Chambers talking up the Borg's IoT security capabilities.
There are announcements a-plenty, so The Register's networking desk is quite happy for Cisco's PR team to do its own talking. Instead, in conversation with Cisco Security's ANZ GM, Anthony Stitt, we decided to focus on the IoT aspects of the announcements.
Noting that the Internet of Things is already so broad the use-case is applicable to “just about everything” in the IT sector, Stitt said much of Cisco's attention at this stage is at how IoT applications interact with the enterprise systems it's already familiar with.
“One of the things that distinguishes the devices is the nature of the communications,” Stitt said. “Rather than coming back centrally where you can inspect it, some of the communications stay out in the field.”
In industrial or “smart city” applications, he explained, the IoT models now emerging assume a lot of device-to-device communications.
To deal with threats here, Stitt said, Cisco wants to push existing security capabilities out towards where those IoT communications are happening. That lies at least partly behind announcements like the virtualised version of Cisco's Adaptive Security Appliance (ASAv), and the ability to run FirePower services, on a broader range of platforms.
Getting security onto devices like Cisco ISR routers, and onto switches, is therefore an important part of the Cisco IoT security approach.
That fits into a strategy Cisco's calling “network as a sensor”. The second strand, Stitt said, is to make the network the enforcer.
“The network as a sensor is about taking data already collected by Cisco switches, routers and access points as Netflow data, and using that to give you a view of what that means from a security perspective.
“We're taking this information from devices in the field and applying security – what IPs are they connecting to? Is this a malware-like communication?
“That Netflow data provides a good way to look into activity on networks that don't necessarily have high-powered security devices on them. Tracing the precursors of [malicious] traffic patterns back to the edge is a critical component,” he said.
Enforcement, the second strand, means that even if the IoT device – say, a sensor running a crude and probably-insecure realtime operating system – is unsophisticated, “if there's a Cisco switch or router out there” it can act as the enforcer.
The network-as-enforcer capability is based around better integration between the Cisco Identity Services Engine and and the Lancope StealthWatch technology just announced; and on the new TrustSec / StealthWatch integration.
What this provides, Stitt said, is the ability to make network segmentation decisions on the basis of user, device, and application contexts.
The basic question is “What can connect to what else?” he said. The new solutions are designed to “enforce the segmentation logic in the field,” because the security group tagging is applied by the switch or the router connecting the “things”.
This “removes the need to configure manual firewall rules into the network,” he said. “You can set up what users or devices can connect to what services, and the network will enforce that.”
SCADA applications – notorious for bad security implementations – are a good fit for network-based enforcement, Stitt said, because they change relatively slowly, and generate fairly predictable traffic.
“A SCADA network is pretty static, as are its communications, so you can define and enforce which devices communicate with which others.”
The aim is to block malicious traffic out in the field, without the traffic needing to be pushed through a firewall or IPS.
But what about the SOHOpeless home?
That's fine for the managed context you'd see in something like a smart city project, but The Register is also concerned with the lax security evident in how smart devices are being pushed onto ordinary end users, for example as “connected home” devices connected to SOHOpeless routers.
“The average home user either doesn't patch, or can't patch,” Stitt said. “It's a huge problem. My home router is owned by the telco, and I don't even have the administrative rights to patch it.”
That puts the play onto the service provider play: “we have to embed the security technology into the carrier networks”, Stitt said.
“There are a raft of new carrier-class solutions that allow security to run on highly-scalable, high-connection-requirement environment that carriers demand.”
Those launches include the Cisco Firepower 9300 carrier-scale security platform, new orchestration capabilities, and new secure container features. ®