Protecting your business network

IRJ

@Dashrender said in Protecting your business network:

@IRJ said in Protecting your business network:

A NAC could also automate what is done with different types of devices.

And what kind of setup is needed for that? I mean, do I have to manage each thing that's plugged in?

You don't have to manage anything, but the NAC will begin can identify devices by many different factors (ports, services, MAC addresses, etc). You can create rules to manage each device.

IRJ

@Dashrender said in Protecting your business network:

@IRJ said in Protecting your business network:

A NAC could also automate what is done with different types of devices.

Yeah, at what kind of expense?

It's not exactly cheap, but the cost is worth the security.

coliver

@IRJ said in Protecting your business network:

@Dashrender said in Protecting your business network:

@IRJ said in Protecting your business network:

A NAC could also automate what is done with different types of devices.

Yeah, at what kind of expense?

It's not exactly cheap, but the cost is worth the security.

Depends on the business of course. They aren't cheap for sure and the value of the security would have to be determined by the business. For most SMBs I don't think a full on NAC is going to be worth the investment. For larger scale organizations, or highly secure ones, then yes it will be.

stacksofplates

@IRJ said in Protecting your business network:

@Dashrender said in Protecting your business network:

@IRJ said in Protecting your business network:

A NAC could also automate what is done with different types of devices.

Yeah, at what kind of expense?

It's not exactly cheap, but the cost is worth the security.

Ya we run ISE. Its pretty nice as every machine is auto joined to the correct VLAN.

Dashrender

@IRJ said in Protecting your business network:

@Dashrender said in Protecting your business network:

@IRJ said in Protecting your business network:

A NAC could also automate what is done with different types of devices.

Yeah, at what kind of expense?

It's not exactly cheap, but the cost is worth the security.

What is not exactly cheap? We talking $5K? no way that would be purchased here. Managing it via VLAN would definitely be the choice.

coliver

@stacksofplates said in Protecting your business network:

@IRJ said in Protecting your business network:

@Dashrender said in Protecting your business network:

@IRJ said in Protecting your business network:

A NAC could also automate what is done with different types of devices.

Yeah, at what kind of expense?

It's not exactly cheap, but the cost is worth the security.

Ya we run ISE. Its pretty nice as every machine is auto joined to the correct VLAN.

We use ISE here as well. Very nice tool. Not something I see small doctors offices or SMBs using very often.

stacksofplates

Why not just put them on a VLAN and limit what protocols they can use between VLANS?

Dashrender

@stacksofplates said in Protecting your business network:

Why not just put them on a VLAN and limit what protocols they can use between VLANS?

This is my plan.

I'm not even sure there is any network need to connect to them in most cases at all.

stacksofplates

@Dashrender said in Protecting your business network:

@stacksofplates said in Protecting your business network:

Why not just put them on a VLAN and limit what protocols they can use between VLANS?

This is my plan.

I'm not even sure there is any network need to connect to them in most cases at all.

That's even better. I have a foscam at home that doesn't get updates and all that jazz. Its on its own VLAN with no internet access and can't see anything else. Only the home VLAN can get to it.

Dashrender

This problem does relate to the current IOT nightmare that exists in home networks (and sadly, many business ones too).

The nightmare is that the production network does need access to the IOT network. An example is the Amazon Echo app. I think (though I haven't confirmed), you have to be on the same network to control the Echo. So even opening firewall ports probably won't work since the app finds the device via broadcasts and those of course wouldn't go to the other network normally. I'm not even sure there is a way to make a many to many solution for this type of problem.

scottalanmiller

@Dashrender said in Protecting your business network:

This problem does relate to the current IOT nightmare that exists in home networks (and sadly, many business ones too).

The nightmare is that the production network does need access to the IOT network. An example is the Amazon Echo app. I think (though I haven't confirmed), you have to be on the same network to control the Echo. So even opening firewall ports probably won't work since the app finds the device via broadcasts and those of course wouldn't go to the other network normally. I'm not even sure there is a way to make a many to many solution for this type of problem.

The issue is not IoT, though, just crappy products.

Dashrender

@scottalanmiller said in Protecting your business network:

@Dashrender said in Protecting your business network:

This problem does relate to the current IOT nightmare that exists in home networks (and sadly, many business ones too).

The nightmare is that the production network does need access to the IOT network. An example is the Amazon Echo app. I think (though I haven't confirmed), you have to be on the same network to control the Echo. So even opening firewall ports probably won't work since the app finds the device via broadcasts and those of course wouldn't go to the other network normally. I'm not even sure there is a way to make a many to many solution for this type of problem.

The issue is not IoT, though, just crappy products.

Oh, you're absolutely right! Sadly - medical equipment has been shown to be a crappy product!