IoT best practices

RumorConsumer
Head in the Cloud

IoT best practices

Hey all

 

So I have a few IoT devices coming on - water level sensors, temp sensors, things like that that my facilities guys need to be able to access. My main VLAN contains about 20-30 devices, all mac or iOS. I have a couple synology servers which are as secure as they can be in terms of all best practices followed. I guess Im wondering if i should be at all worried about somebody somehow getting access to the IoT stuff. Id love to have it be easy for my guys to check all their sensors and things without having to jump on another SSID/VLAN combo. Is there something else you can do to somehow mitigate the chance that a device could be compromised? Most of them seem based on Espressif hw/sw solutions. They seem pretty legit. Anyways your thoughts welcome. 

Networking geek since high school where I got half of a CCNA. Played Marathon II and Infinity over localtalk.
Made many a network over the years, now de facto admin of a retreat center with some of this fine Meraki hardware.
Fortune 100 Tech veteran/refugee.
5 Replies 5
PhilipDAth
Kind of a big deal
Kind of a big deal

What brand are the IoT sensors?

RumorConsumer
Head in the Cloud

@PhilipDAth 

 

Some Amazon stuff

 

Meross smart home AC outlets

 

Espressif makes an air quality sensor and a temperature sensor for a walk in fridge.

 

Some printers - brother and HP

 

Newport Media makes a sprinkler system controller called Hydrawise

"SHENZHEN FUZHI SOFTWARE"

 

Sonos

 

Wyze

Networking geek since high school where I got half of a CCNA. Played Marathon II and Infinity over localtalk.
Made many a network over the years, now de facto admin of a retreat center with some of this fine Meraki hardware.
Fortune 100 Tech veteran/refugee.
KarstenI
Kind of a big deal
Kind of a big deal

The "S" in "IoT" stands for security ... 😉

I don't trust these devices at all and try to put them in a separate WLAN and VLAN if possible. For some devices where the controlling device needs to be in the same IP subnet as the IoT-device, I put them in the same VLAN, but control access on then WLAN itself. One of the MPSK-solution (both  with or without RADIUS) can be of great help here.

RumorConsumer
Head in the Cloud

@KarstenI in your opinion, whats the most likely threat posed at this point? I wont have enough to make a bot net to be DDOS'd inside my network, and everybody here uses Macs and iOS which is pretty solid as far a I understand in terms of attack surface. And then I have advanced security on my MX68.

Networking geek since high school where I got half of a CCNA. Played Marathon II and Infinity over localtalk.
Made many a network over the years, now de facto admin of a retreat center with some of this fine Meraki hardware.
Fortune 100 Tech veteran/refugee.
DarrenOC
Kind of a big deal
Kind of a big deal

The most likely threat.....?  What do you have on your network that needs protecting?  Sensitive data, financial data etc etc?

 

I would ensure that these IoT devices are segmented away so should the worst happen any lateral network movement can’t happen.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels