
    Protecting your business network

    25 Posts 6 Posters 1.7k Views
    • Dashrender

      That's just it.. they require access to the internet.

      • dafyre @Dashrender

        @Dashrender said in Protecting your business network:

        That's just it.. they require access to the internet.

        Eww... Guess you'd have to allow that. Do any of your PCs need access to the devices?

        • scottalanmiller @Dashrender

          @Dashrender said in Protecting your business network:

          That's just it.. they require access to the internet.

          Not really an issue. Once they don't give you the option to secure them, they aren't yours to secure. If they get hacked, not your concern.

          • dafyre @scottalanmiller

            @scottalanmiller said in Protecting your business network:

            1. Get LANless.
            2. Make a VLAN, but just for the insecure devices. Put the "reckless" devices together, off of your unsecured LAN.
            3. Get LANless. You should not be depending on the LAN barriers for security.

            LANless is a lofty goal for any business with file servers that have been well established. In the medical world, I don't see that happening any time soon.

            • Dashrender @dafyre

              @dafyre said in Protecting your business network:

              @scottalanmiller said in Protecting your business network:

              1. Get LANless.
              2. Make a VLAN, but just for the insecure devices. Put the "reckless" devices together, off of your unsecured LAN.
              3. Get LANless. You should not be depending on the LAN barriers for security.

              LANless is a lofty goal for any business with file servers that have been well established. In the medical world, I don't see that happening any time soon.

              Exactly...

              It's not that Windows file servers don't have security, it's just that the IOT crap has a foothold inside the LAN that they can use to attack the file servers, etc. And I'm sure there are other services that are traversing our network that aren't encrypted...

              • scottalanmiller @Dashrender

                @Dashrender said in Protecting your business network:

                @dafyre said in Protecting your business network:

                @scottalanmiller said in Protecting your business network:

                1. Get LANless.
                2. Make a VLAN, but just for the insecure devices. Put the "reckless" devices together, off of your unsecured LAN.
                3. Get LANless. You should not be depending on the LAN barriers for security.

                LANless is a lofty goal for any business with file servers that have been well established. In the medical world, I don't see that happening any time soon.

                Exactly...

                It's not that Windows file servers don't have security, it's just that the IOT crap has a foothold inside the LAN that they can use to attack the file servers, etc. And I'm sure there are other services that are traversing our network that aren't encrypted...

                So are they secure or not? That's the big question 🙂 If they are really secure, why do we fear the IoT devices?

                • Dashrender @scottalanmiller

                  @scottalanmiller said in Protecting your business network:

                  @Dashrender said in Protecting your business network:

                  @dafyre said in Protecting your business network:

                  @scottalanmiller said in Protecting your business network:

                  1. Get LANless.
                  2. Make a VLAN, but just for the insecure devices. Put the "reckless" devices together, off of your unsecured LAN.
                  3. Get LANless. You should not be depending on the LAN barriers for security.

                  LANless is a lofty goal for any business with file servers that have been well established. In the medical world, I don't see that happening any time soon.

                  Exactly...

                  It's not that Windows file servers don't have security, it's just that the IOT crap has a foothold inside the LAN that they can use to attack the file servers, etc. And I'm sure there are other services that are traversing our network that aren't encrypted...

                  So are they secure or not? That's the big question 🙂 If they are really secure, why do we fear the IoT devices?

                  I wasn't talking about the IOT things, I'm talking about my production network.

                  For example, printers aren't talking over a secure connection.

                  • IRJ

                    A NAC could also automate what is done with different types of devices.

                    • Dashrender @IRJ

                      @IRJ said in Protecting your business network:

                      A NAC could also automate what is done with different types of devices.

                      Yeah, at what kind of expense?

                      • Dashrender @IRJ

                        @IRJ said in Protecting your business network:

                        A NAC could also automate what is done with different types of devices.

                        And what kind of setup is needed for that? I mean, do I have to manage each thing that's plugged in? OK things on this port can get the internet, but nowhere else, i.e. can't talk to printers, or other PCs or servers, etc.

                        • IRJ @Dashrender

                          @Dashrender said in Protecting your business network:

                          @IRJ said in Protecting your business network:

                          A NAC could also automate what is done with different types of devices.

                          And what kind of setup is needed for that? I mean, do I have to manage each thing that's plugged in?

                          You don't have to manage anything, but the NAC can identify devices by many different factors (ports, services, MAC addresses, etc). You can create rules to manage each device.

                          • IRJ @Dashrender

                            @Dashrender said in Protecting your business network:

                            @IRJ said in Protecting your business network:

                            A NAC could also automate what is done with different types of devices.

                            Yeah, at what kind of expense?

                            It's not exactly cheap, but the cost is worth the security.

                            • coliver @IRJ

                              @IRJ said in Protecting your business network:

                              @Dashrender said in Protecting your business network:

                              @IRJ said in Protecting your business network:

                              A NAC could also automate what is done with different types of devices.

                              Yeah, at what kind of expense?

                              It's not exactly cheap, but the cost is worth the security.

                              Depends on the business of course. They aren't cheap for sure and the value of the security would have to be determined by the business. For most SMBs I don't think a full on NAC is going to be worth the investment. For larger scale organizations, or highly secure ones, then yes it will be.

                              • stacksofplates @IRJ

                                @IRJ said in Protecting your business network:

                                @Dashrender said in Protecting your business network:

                                @IRJ said in Protecting your business network:

                                A NAC could also automate what is done with different types of devices.

                                Yeah, at what kind of expense?

                                It's not exactly cheap, but the cost is worth the security.

                                Ya we run ISE. It's pretty nice as every machine is auto joined to the correct VLAN.

                                • Dashrender @IRJ

                                  @IRJ said in Protecting your business network:

                                  @Dashrender said in Protecting your business network:

                                  @IRJ said in Protecting your business network:

                                  A NAC could also automate what is done with different types of devices.

                                  Yeah, at what kind of expense?

                                  It's not exactly cheap, but the cost is worth the security.

                                  What is not exactly cheap? We talking $5K? No way that would be purchased here. Managing it via VLAN would definitely be the choice.

                                  • coliver @stacksofplates

                                    @stacksofplates said in Protecting your business network:

                                    @IRJ said in Protecting your business network:

                                    @Dashrender said in Protecting your business network:

                                    @IRJ said in Protecting your business network:

                                    A NAC could also automate what is done with different types of devices.

                                    Yeah, at what kind of expense?

                                    It's not exactly cheap, but the cost is worth the security.

                                    Ya we run ISE. It's pretty nice as every machine is auto joined to the correct VLAN.

                                    We use ISE here as well. Very nice tool. Not something I see small doctors' offices or SMBs using very often.

                                    • stacksofplates

                                      Why not just put them on a VLAN and limit what protocols they can use between VLANs?

                                      • Dashrender @stacksofplates

                                        @stacksofplates said in Protecting your business network:

                                        Why not just put them on a VLAN and limit what protocols they can use between VLANs?

                                        This is my plan.

                                        I'm not even sure there is any network need to connect to them in most cases at all.

                                        • stacksofplates @Dashrender

                                          @Dashrender said in Protecting your business network:

                                          @stacksofplates said in Protecting your business network:

                                          Why not just put them on a VLAN and limit what protocols they can use between VLANs?

                                          This is my plan.

                                          I'm not even sure there is any network need to connect to them in most cases at all.

                                          That's even better. I have a foscam at home that doesn't get updates and all that jazz. It's on its own VLAN with no internet access and can't see anything else. Only the home VLAN can get to it.

                                          • Dashrender

                                            This problem does relate to the current IOT nightmare that exists in home networks (and sadly, many business ones too).

                                            The nightmare is that the production network does need access to the IOT network. An example is the Amazon Echo app. I think (though I haven't confirmed), you have to be on the same network to control the Echo. So even opening firewall ports probably won't work since the app finds the device via broadcasts and those of course wouldn't go to the other network normally. I'm not even sure there is a way to make a many to many solution for this type of problem.

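The VLAN approach discussed in this thread (untrusted devices on their own VLAN with internet access only, production able to reach them but not the reverse), written as an nftables ruleset for a Linux router doing the inter-VLAN routing. This is an added example, not a configuration from any poster; the interface names `wan0`, `vlan10`, `vlan20` and the allowed ports are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example. Assumed interfaces: wan0 = internet uplink,
# vlan10 = production LAN, vlan20 = untrusted/IoT devices.

define WAN  = "wan0"
define PROD = "vlan10"
define IOT  = "vlan20"

# Recreate only this table so other rulesets on the box are untouched.
table inet iot_isolation
delete table inet iot_isolation

table inet iot_isolation {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Return traffic for connections permitted by the rules below.
        ct state established,related accept
        ct state invalid drop

        # Production may open connections to the internet and to IoT devices.
        iifname $PROD oifname { $WAN, $IOT } accept

        # IoT devices may reach the internet on a short list of ports (assumed).
        iifname $IOT oifname $WAN udp dport { 53, 123 } accept
        iifname $IOT oifname $WAN tcp dport { 53, 443 } accept

        # Any new connection from IoT towards production is logged and dropped,
        # so a compromised device shows up in the logs instead of on a file server.
        iifname $IOT oifname $PROD log prefix "iot->prod drop: " counter drop
    }

    chain input {
        type filter hook input priority filter; policy accept;

        ct state established,related accept

        # IoT devices may use the router itself only for DHCP and DNS.
        iifname $IOT udp dport { 53, 67 } accept
        iifname $IOT tcp dport 53 accept
        iifname $IOT counter drop
    }
}
```

For a device that needs no internet access at all, like the camera described above, delete the two `oifname $WAN` rules for the IoT VLAN. Broadcast discovery of the kind described in the last post stays inside its own VLAN in a routed setup like this; these rules do not change that.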