It is a quiet evening. You are sitting in your home when you hear a faint yet strange scratching noise that you can't quite place, emanating from the far side of your house. You are familiar with the typical noises your home makes... this one is different. You stop what you are doing and lean in to listen. There it is again, making the hairs on your neck stand up. Adrenaline courses through your veins as you realize a stranger has broken into your home and is invading your space!
As awful as this scenario sounds, in reality there is an ongoing attack on your home, conducted every minute of every day, that you cannot hear. Someone is probing your network for weaknesses as you read this. In the best of circumstances, barbarians are only at your gate. Every device you add to your network increases the chance of them getting in... if they are not already inside.
With developers rushing to bring IoT (Internet of Things) devices to market, security has been relegated to an afterthought. A recent study found it took only 20 minutes to break into a range of IoT devices. Recent news stories report that everything from baby monitors to webcams, light bulbs, washing machines, door locks, and even routers and switches has been completely compromised by hackers.
A criminal hacker can enter your home through your iPhone, computer, WiFi router, and your thermostat or even your fridge if it’s connected to the Internet. Once a device is compromised, it will be turned against you without you ever knowing it. Hackers use it as a beachhead to gain access to your finances by exploiting security flaws in your wireless and network-connected devices.
As the Network Operations Chief for the 36th Infantry Division in the Texas Army National Guard, I have a great deal of experience with operating in highly secure IT environments. Unlike the smart home (IoT) environment, we are able to harden not only our routers and switches, but each of the individual devices on our networks. In addition to this, we run a Network Intrusion Detection System (NIDS) and active network virus protection, and have a stateful firewall protecting all of our inbound and outbound traffic.
You do not have the capability of doing this when designing residential and commercial networks, because nearly every device you and your client place on your network can and should be assumed to have security vulnerabilities. This is a major problem, as your end product relies nearly 100% on your network performing reliably and securely. So how can you really secure your network?
If your first answer is a firewall, then you are on the right track. It is a good start, but the problem is, most residential and small business grade firewalls are garbage when it comes to network security. Worse yet, firewalls can also give a false sense of security. Even if a firewall is of very good quality, it can't protect against an attack originating from within your network. When your friend comes over and connects to your WiFi with their infected laptop, your child clicks on a link in an email delivering a Trojan horse, or your spouse logs in with a compromised phone, your firewall is rendered helpless.
In the military we call the device you need an adaptive security appliance; in the civilian world, it is a unified threat manager. These devices are the evolution of the traditional firewall into an all-inclusive security product able to perform multiple security functions within a single system: network firewalling, network intrusion prevention, gateway antivirus (AV), gateway anti-spam, VPN, content filtering, load balancing, data loss prevention and on-appliance reporting. They learn and adapt to changes in their environment, actively monitoring and blocking known threats and identifying potential new and unknown threats.
Your reputation and business success depend on reliable networks. You need to take the security of the networks you design and deploy very seriously, especially if you have high-net-worth clients, commercial clients, or clients that work from home.
A unified threat management system should always be a default part of your network security plan. Unfortunately, these typically require a competent network engineer with years of experience to deploy and configure properly. The good news is that FIREFX has a major announcement regarding this IoT security issue coming soon.