Meraki

Community

IoT best practices

RumorConsumer
Head in the Cloud
‎Jul 2 2021 1:16 PM
‎Jul 2 2021 1:16 PM

IoT best practices

Hey all

 

So I have a few IoT devices coming on - water level sensors, temp sensors, things like that that my facilities guys need to be able to access. My main VLAN contains about 20-30 devices, all mac or iOS. I have a couple synology servers which are as secure as they can be in terms of all best practices followed. I guess Im wondering if i should be at all worried about somebody somehow getting access to the IoT stuff. Id love to have it be easy for my guys to check all their sensors and things without having to jump on another SSID/VLAN combo. Is there something else you can do to somehow mitigate the chance that a device could be compromised? Most of them seem based on Espressif hw/sw solutions. They seem pretty legit. Anyways your thoughts welcome. 

Networking geek since high school where I got half of a CCNA. Played Marathon II and Infinity over localtalk.
Made many a network over the years, now de facto admin of a retreat center with some of this fine Meraki hardware.
Fortune 100 Tech veteran/refugee.
0 Kudos
5 Replies 5
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 2 2021 5:05 PM
‎Jul 2 2021 5:05 PM

What brand are the IoT sensors?

In response to PhilipDAth
RumorConsumer
Head in the Cloud
‎Jul 3 2021 10:57 AM
‎Jul 3 2021 10:57 AM

@PhilipDAth 

 

Some Amazon stuff

 

Meross smart home AC outlets

 

Espressif makes an air quality sensor and a temperature sensor for a walk in fridge.

 

Some printers - brother and HP

 

Newport Media makes a sprinkler system controller called Hydrawise

"SHENZHEN FUZHI SOFTWARE"

 

Sonos

 

Wyze

Networking geek since high school where I got half of a CCNA. Played Marathon II and Infinity over localtalk.
Made many a network over the years, now de facto admin of a retreat center with some of this fine Meraki hardware.
Fortune 100 Tech veteran/refugee.
0 Kudos
KarstenI
Kind of a big deal
Kind of a big deal
‎Jul 3 2021 5:56 AM
‎Jul 3 2021 5:56 AM

The "S" in "IoT" stands for security ... 😉

I don't trust these devices at all and try to put them in a separate WLAN and VLAN if possible. For some devices where the controlling device needs to be in the same IP subnet as the IoT-device, I put them in the same VLAN, but control access on then WLAN itself. One of the MPSK-solution (both  with or without RADIUS) can be of great help here.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to KarstenI
RumorConsumer
Head in the Cloud
‎Jul 3 2021 10:54 AM
‎Jul 3 2021 10:54 AM

@KarstenI in your opinion, whats the most likely threat posed at this point? I wont have enough to make a bot net to be DDOS'd inside my network, and everybody here uses Macs and iOS which is pretty solid as far a I understand in terms of attack surface. And then I have advanced security on my MX68.

Networking geek since high school where I got half of a CCNA. Played Marathon II and Infinity over localtalk.
Made many a network over the years, now de facto admin of a retreat center with some of this fine Meraki hardware.
Fortune 100 Tech veteran/refugee.
0 Kudos
In response to RumorConsumer
DarrenOC
Kind of a big deal
Kind of a big deal
‎Jul 3 2021 2:18 PM
‎Jul 3 2021 2:18 PM

The most likely threat.....?  What do you have on your network that needs protecting?  Sensitive data, financial data etc etc?

 

I would ensure that these IoT devices are segmented away so should the worst happen any lateral network movement can’t happen.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.