The Art of Network Engineering

Ep 138 - Navigating the Convergence of IoT Security in Network Engineering

A.J., Andy, Dan, and Tim Episode 138


This episode was recorded on September 28, 2023.

This episode is a warm blend of personal reflections and deep dives into the world of network engineering, where laughter and learning go hand in hand. 

The digital frontier is expanding, and with it, the universe of IoT devices that touch every corner of our lives. From tracking wayward pets to revolutionizing agriculture, we traverse the intricate balance between the allure of smart technology and the vigilance needed to secure it. Join us as we exchange tales from the front lines, illustrating how the convenience of connected gadgets intertwines with the pressing need to safeguard our digital homesteads. 

Our conversation takes a turn towards the pressing issues of IoT security and the burgeoning role of AI in monitoring these devices. Navigating the choppy waters of enterprise environments, we unpack the strategies to protect non-domain-joinable equipment and wrestle with the shadow IoT lurking in our networks. Plus, we delve into the ways AI is enhancing our capabilities to predict severe weather and monitor critical systems. Grab a cup of your favorite brew and settle in for a journey that’s as much about the heart of networking as it is about the hard-wiring.

This episode has been sponsored by Meter. 

Go to meter.com/aone to book a demo now! 


Find everything AONE right here: https://linktr.ee/artofneteng

Speaker 1:

This is the Art of Network Engineering podcast. Welcome to the Art of Network Engineering. I am AJ Murray at no Blinky Blinky and I am so excited we're doing a round table tonight. There's no guest, it's just a guest. We haven't done this for a while. It feels good. It feels really good, Dan. How are you at Howdy Packet Dan? So good to see you.

Speaker 2:

It's good to see you, AJ. I'm doing pretty good. Actually, I've been doing a lot of maintenance windows here lately, so I haven't had them in a while, and so I had to get my what was do in kind of thing. My maintenance windows come in waves, it seems like.

Speaker 3:

I thought you were going to say soul searching. I thought you were going to say I've been doing a lot of soul searching.

Speaker 2:

You know, I feel like the second you reboot. You know your core switch you do a little bit of soul searching in that lot of reflection.

Speaker 1:

You're like was that what I do to get here?

Speaker 2:

You know that kind of stuff. So, yeah, yeah, I definitely did some of that.

Speaker 1:

I don't start soul, soul searching until it's been way too long and I'm not getting a response or Do you?

Speaker 3:

have to take this yeah good, do you count the ICMP timeouts before you freak out how many you've missed? And then well, hopefully, if you do everything right, don't miss them, we're going to turn this into an out of band commercial.

Speaker 1:

Yeah, kidding, nice, nice. Tim Bertino, at Tim Bertino. Tim, good to see you again.

Speaker 3:

Good to see all of you. I don't know the last time the four of us were on together. Yeah, so this is, it's great to, great to see you guys. Things are going good. I've got, I know timelines are weird from when we record to release, but got an FD 33 coming up that I'm going to be going to again. So, thanks to Tom Hollingsworth and the team, it'll be great to get back out to Silicon Valley for another couple days of shows. It'll be good.

Speaker 2:

When is that? By the way, I want to catch that. Oh man, I just want to take screenshots of you, while when it like pans to your face.

Speaker 3:

I want to take screenshots oh yeah, you need more fodder, don't you? Yeah, I think it's. October 15th, 16th, I think.

Speaker 4:

Okay, gotcha, It'll be like three months before this episode comes out. You know you say that.

Speaker 1:

But then I just edited an episode with Josh Workup and media networking and everybody was commenting like oh, it's just after the 4th of July. And it's like, oh, wow. So for everybody listening, today is September 28th and you probably won't have this hit your ears until maybe around Christmas time.

Speaker 3:

If I had to, but I do got to correct myself, so Tom doesn't get mad at me when this does release in six months. It is October 25th and 26th of 2023.

Speaker 2:

Okay, sorry, Tom. All right, it's appointed. Gotcha.

Speaker 1:

And last but not least, Andy Lapteff. At Andy Lapteff.

Speaker 4:

Hi AJ.

Speaker 1:

How you doing.

Speaker 4:

I'm going to lie to you and say everything's great.

Speaker 1:

It's okay, I know the truth, it's fine.

Speaker 4:

Yeah, I got my. I got my Art of Net Eng jacket Stylin. I love it. I'm drinking out of my K-Tek Connect Pilsner what is this? Pine glass, pine glass, pilsner. And yeah, man, you know doing the thing right, navigating some transition, and you guys know all about it and my support system has been there for me, which has been great. So if you're going through any transition in your personal and professional life, make sure you have people, because the support I've been getting has been, has made all the difference in a very strange transition I find myself in. So getting getting grounded with my people has been like everything, because it's been it's been a disorienting few weeks. So, yeah, thank you, it's been nice, nice Anytime.

Speaker 4:

Yeah, but now I'm super thrilled to be here. I'm excited to talk about yeah.

Speaker 1:

Is that how chat GPT pronounced it when I read it back.

Speaker 3:

Must be a Philly thing.

Speaker 1:

Yeah.

Speaker 3:

Them E-at Jones, yeah Jones, thanks. Well, before we jump in what's new?

Speaker 4:

with AJ.

Speaker 1:

Oh, you know, it's fall here in Vermont.

Speaker 3:

Yes.

Speaker 1:

Lovely time of year. I'm very excited. The photographer in me is getting all my gear ready. I'm getting ready to get the drone airborne, take some beautiful shots of some fiery mountain sides, and I've been getting out doing some hiking in the morning before my work day starts. It's feeling good.

Speaker 3:

Nice, that's awesome.

Speaker 1:

That's a little breath of fresh air. There's a, there's a like a brook or not a brook. What do they call it? A reservoir? There it is Reservoir Not too far from where I live and there's a beautiful hike around it. It takes me about 45 minutes to do and it was just gorgeous this morning I did it. It was wonderful. It was a little fog on the reservoir and suns coming up on the other side there's a nice little bench.

Speaker 1:

I came, came across it and it's basking in the sunlight the early morning sun, and I was just like you know what? I'm going to take a minute, sit down here, do a little meditation and just get get in my groove for the day. It was a beautiful way to start the day and I look forward to doing it again tomorrow morning.

Speaker 4:

So isn't it so nice being outside. I used to work outside and. I miss it like certain times of the year.

Speaker 2:

I was going to say every day.

Speaker 4:

But the fall is a really nice time to be out and about. It's funny. I used to not like the fall because it meant going back to school and I didn't love school you know, but now it's. It just has a different kind of complexion to it. The pumpkin coffee and, like you said, just everything's pretty. The leaves are changing.

Speaker 2:

I didn't take you for a pumpkin pie, pumpkin spice, kind of kind of girl.

Speaker 3:

Danny going to let that go, buddy, sorry, yeah, you do, man.

Speaker 1:

I'm going to go ahead and say this and I'll going to edit it out later. Andy's a basic bitch, yeah.

Speaker 2:

With his pumpkin spice coffee. I was trying to get you know.

Speaker 4:

beat around that bush there All right, listen, I'm just trying to get in the fall mood with you. I drink my coffee dark and black, like my soul. I don't drink pumpkin, I he does?

Speaker 3:

He does wear Uggs though. Yeah, they're come see me.

Speaker 1:

No, I love, I love the fall, I love campfire season, right Like we've not had the summer up here. I don't know about where you guys have been. If you've had a good summer, it's just been super rainy humid not had.

Speaker 1:

There's only been like a handful of weekends where it's like, dan, this is good weather. So we've already had a campfire. We had a wonderful time with friends here at my place and it's great. I look forward to doing it again this weekend and hopefully every other weekend until it gets way too freaking cold to continue to do that.

Speaker 4:

We're going to fire up the fire pit soon. It's like the time of year, right? Yeah, absolutely.

Speaker 1:

Well, before we dive into this evening's topic, I want to remind our listeners that if you're looking to support the show, the best and easiest way to do that is to follow us on social media. Wherever you are, we're everywhere these days. We're on TikTok, Instagram, Twitter, Facebook, anywhere that you want to find us. We are at Art of NetEng. Go ahead, give us a follow. Like our content.

Speaker 1:

We're doing the short form thing now so you can catch sneak peeks of our new episodes a week before they come out. Get y'all jazzed up about future content that we're about to release. We're doing some really fun content with some sponsors. Tim has been a one man band playing a few different parts and in some of our videos it's. It's been a lot of fun to edit those and release those in.

Speaker 1:

The response from you all has been fantastic and if you like what we're doing, please go to Spotify or Apple Podcasts or wherever you get your podcasts. Like, rate, subscribe, leave a comment, review, whether it's good or bad. We want to hear it all. We want the feedback, but all of that stuff gives us some really nice mojo when it comes to, you know, finding the podcast, sharing it with fellow network engineers and all that good stuff. We thank you so much for your support of what we do here at the Art of Network Engineering. Tonight we want to talk about IoT, the Internet of Things. It is something that's been around for a little bit now, but, man, it is not slowing down. There's just IoT stuff everywhere. I want to start by talking about IoT in the home, because I think that's the most common place you'll find it. But I guess, to really kick it off, let's define, for those who might not know, what the hell is IoT or EOFT.

Speaker 3:

I used to hate this acronym like with a passion, because I think the reason it was is because I thought it was just an acronym being made for acronym's sake. Yes, because to me, when I heard about Internet of Things, I'm like, well, we've had devices that are connected to the Internet forever. What's so different about, okay, now my fridge is on the Internet, now it's Internet of Things. So, yeah, go ahead and give us, give the listeners that definition, AJ.

Speaker 1:

Well, you're right, it's the Internet of Things. There's lots of little devices out there that talk back to some home manufacturer and give some good reporting data. So I think probably the easiest examples are home thermostats, and I've got one, got a Nest thermostat, and I can control it from my smartphone wherever I am. We usually turn the heat down when we leave the house and when we're about 10 minutes out I like to flip open the smartphone app and get the heat cranked once again, especially on the really cold days.

Speaker 1:

But it's like a convenience thing, but it's also, you know, with IoT. With that convenience comes a little bit of a security risk. Some other popular ones are door locks I have seen window controls, the garage door openers, and then security cameras. I've got a couple of security cameras around my home as well, All outside. I don't have the ones inside. The inside ones kind of freak me out and skeed me out of the one.

Speaker 3:

Oh same, 100%, if you want to hack into my camera and see my driveway go for it.

Speaker 2:

I don't care, but I don't want you seeing me like sitting on the couch you know, in your underwear Exactly Eat Cheetos. It is beanbag chair. I'm playing Mario Kart.

Speaker 3:

You know, and it's the crazy thing is, someday it's probably going to be Internet of Humans too. I mean, I've been trying to microchip Dan for years now.

Speaker 1:

Well, I put one on him, just so he gets lost. If Dan wanders into a police station or a pound, they can scan his neck and you know they'll ship him back to me.

Speaker 3:

That's right, we did AirTag. Yeah, I was going to say we did AirTag Dan, in Knoxville, didn't we?

Speaker 4:

That's a good segue. So our dumb puppy ran away like a month after we got her. And we spent the better part of five hours driving all over the damn place and you know she came home, yeah. But after that we got an Apple AirTag. You know my buddy's like listen, you can get an AirTag, put it on their collar. They have these little collar things. It's pretty amazing. So, like, when I think of IoT, I think of like sensor, right, like yeah, thermostat is.

Speaker 4:

IoT, and I'm not exactly sure why. The definition I saw I liked, which is IoT is an extension of the Internet into the physical world. Again, like you said, Tim, it's kind of a silly acronym and like, okay, my fridge is now online, who really cares? But when I think of IoT, it's more like sensors for me. So like we have an alarm system in the house, I have water sensors, so if something leaks, if some pump overflows, if a washing machine does something bad, you know it'll let me know. I have door sensors that tell me if somebody's coming or going, and I do have that garage door up under you. It said, AJ, that you know I can also do things with, tells me if somebody's in the house or not.

Speaker 4:

Smoke CO2 sensors right in the house. I mean used to have alarms that would just scream, but now it notifies me, it notifies my monitoring system. It'll call the fire department if I'm not here. So when I think of IoT at home, I really just I think of the sensors in my house, like motion sensors. Somebody's walking around when I'm at home. Huh, that's kind of interesting. So it's it's gathering data, uploading it to some type of you know place. That can, I guess, do what did you like learning?

Speaker 4:

in AI like they can. Yeah, yeah, it does. It does like all kinds of compute. And then I guess, can you know, I was reading that they use fair mountain hospitals, which I kind of wanted to dig into. I know I'm like kind of jumping ahead, but yeah, I don't see the value in like an internet connected fridge, although they say like it can tell you when you're out of milk or out of eggs, like okay, I guess that's kind of useful. But I really dig my my home alarm system that just has all this sensor data that I can, that I can gather and do things with. You know, a camera on my doorbell, right? Somebody rings my doorbell. I can see who's there and talk to them that I haven't leave my desk. So it's, that's my IOTJ in the home.

Speaker 1:

Yeah, so I guess that's a good segue into to. You know, a lot of people have it in the home, it's available or also very marketed to the enterprise. I used to work for a company that was actually actively designing an IOT system. I used to work for a very large pump manufacturer and they were trying to build a monitoring system that we could retrofit to the existing pumps and then that would send information and data back to us and then we could proactively warn the customer like hey, it looks like it's time for maintenance. Or you know, based on what we're seeing, you might have some parts fail. So you know, let's get that pump out out of service and service it or whatever. And then you know a lot of common plays I see are like HVAC systems, all sorts of stuff. What are some examples? And, tim, I'm sure you know you've got a ton in the healthcare area, but I'm curious what other?

Speaker 1:

examples you guys have seen.

Speaker 3:

It's pervasive everywhere, and I think one is energy. Energy in agriculture, I think, are two big ones where you've got the need for both control and telemetry and intelligence remotely. So one big use case I can think of is I'm sure you've all noticed throughout the country over the years the amount of different types of alternative energy. So wind turbines, wind energy is a big one, and one of the craziest things is when it gets dark and there's just a ton of these things kind of across the countryside and you see the red flashing light all in unison, all at the same time across the landscape, how that's all being controlled, you know, remotely from these IoT devices and these sensors. And I think we're going to see a lot of some really cool advancements on the agriculture side too. I mean, you already see it today how farmers are starting to leverage drones to be able to look over their crops and see where you know I'm just guessing see where they need more irrigation here or there I'm sure there's, if there's not already there's going to be sensors in the irrigation pivots to be able to check water levels and that kind of thing. So there's going to be a lot of technological advancements.

Speaker 3:

But I keep coming back to, which is great, but I keep coming back to what AJ said a little bit ago. I mean, everything is a trade-off and to me, with IoT, the efficiencies and the technical benefits you get, you have to make sure that outweigh any potential security risks that you have. I mean, because that's the biggest thing I think of when it comes to IoT. Okay, IoT, there's a lot of great stuff out there. Okay, what's the bad thing? And to me, it always seems to come back with potential security risk.

Speaker 1:

So I think one of the things that we should highlight about IoT is that typically it's something that you don't control right. It's a device made by another company, you don't control the updates to it, you just literally drop it on your network and let it do its thing, and its thing is typically controlled by the parent company, although there have been numerous examples of these kinds of devices getting hacked and reporting back to CNC type networks, and then I think they've been used a lot in massive DDoS attacks, and that's certainly not the kind of traffic you want to have on your network, especially your enterprise network, never mind your home network as well. So that's, I think, some of the big security risks. Do you guys recall any of the other stories or risks around having IoT devices on your network?

Speaker 2:

Yeah, I remember I think there was a story about it Someone got hacked through a fish tank sensor. I was just yeah, yeah, yeah, yeah, it was a casino, that's what it was.

Speaker 4:

Yeah, the attackers used a fish tank thermometer that was an IoT device to get a foothold in the network, and then they found the high roller database and pulled it across the network out of that thermostat and into the cloud Like that's nuts Right. So, the security. That's a problem.

Speaker 3:

Yeah, let's run through some of these. I found this really good article on TechTarget that walks through. There's like 12 different IoT security threats that they're kind of honing in on here and we'll just read some of them. First one is an expanded and expanding attack surface. So you can just think, okay, all the different types of devices, now you have attackers that have the ability to find these things and figure out how to, how to compromise you. We just talked about the fish tank thing, and Andy talked about all the different types of things in your home that are connected to the internet that need to be secured. And that's the tough thing, because a lot of these devices there's not a lot to them there's not necessarily a whole lot of intelligence and security baked in, so you're probably going to have to tackle that outside of the device itself, right?

Speaker 2:

Because what I think of is like on a like, let's say, if you have a Windows machine right, you can put you know whatever you know, like CrowdStrike or whatever your flavor is right of control on that, whereas some of these devices, a lot of them, are just some kind of open source and that you can't install some kind of you know antivirus, anti malware, anything like that. And so it's like how do you control that device at that point? Like it, I feel like in that responsibility seems to come back on the network side of things, right, like how do we segment that away from our good data and but still allow it to talk back home to its cloud service or whatever it talks back?

Speaker 4:

to right. And here's it. Here's an honest admission that I'm embarrassed to say as a network person, but I have no segmentation in my home network. Now, I'm not well, no, I'm not housing, you know government secrets here. But yeah, if you got into, I mean, it didn't sound like they had their fish tank IoT devices segmented because as soon as they got in they got into database information, right.

Speaker 4:

So I know that I should have, you know, a separate vlan and have some segmentation here, so nothing can talk to anything else. And it's in preparing for this episode I was actually thinking about today. I'm like man, I really got to do some like at least segmentation here.

Speaker 4:

Yeah, the security. Like so what I do? Just as an example like I have an insane password on my home alarm thing and I also have two factor authentication, like I figure it's the best I can do, right, and I guess I'll maybe cycle that password. I do not want people because there are an endless array of articles about people that can break into your home cameras and like start scaring your kids and stuff, right, Like that stuff is just terrifying to me.

Speaker 4:

Oh yeah, I'd rather not have a security system, that have some weirdo on the internet yelling at my kids through the camera. So I guess there's things you can do to secure them. And I'm guessing the fish tank example it was just default username and password, right, like I don't know if we'll get into that, but how do you? What are the best practices for securing an IoT device? I don't really know other than a really strong password.

Speaker 3:

Get the default username and password off, right, yeah, and if you think it's, I think with any, with anything security, Andy, I think it comes back to defense in depth and you talk about, yeah, there's going to be best practices like that of no default creds, no unnecessary accounts, that kind of thing. But I think it also ties into what Dan was talking about, especially on the enterprise side. I mean, you talked about it at home, Andy. It's much more difficult at home because you don't have enterprise level gear and tools.

Speaker 3:

But in the enterprise, over the last I'll say, 10, probably plus years, the network infrastructure is becoming more and more a security sensor and a security point of enforcement. And so it's really got to tie into what's the best practices on the device, which I think more often than not, with IoT devices, you're probably going to have to. You may have to figure that out on your own because there may not be a whole lot of documentation and that kind of thing around it. And then, combined with, on the enterprise side, that segmentation we were talking about, I think it's become more the fact that of trying to stop every single breach. We're kind of past that from an industry perspective and it's accepting the fact that, okay, we're probably going to get breached. If we haven't already, how do we minimize that attack surface?

Speaker 2:

Yeah, and I think one thing, another thing that is starting to introduce, like how to handle this, is compliance, right. Certain compliances, if you have multiple IoT devices in a certain zone, right, or a scope, whatever you want to call it, it makes compliance a lot more difficult. So, yeah, so I think so. When we first started dealing with IoT devices, our kind of default action was we'll throw that. Well, let me back up a little bit too, because a lot of IoT devices that I've dealt with are usually on the wireless, right. Not as many are wired in. Our default go-to, you know, action has been throw it on the guest wireless, and so that way it's already segmented away from our data center and anything like that and most of our users and whatnot.

Speaker 4:

But, um, you guess can't get to, just for maybe a listener who's not super sharp on this stuff. It's completely segmented and you can't hop, you can't get out against right?

Speaker 1:

Well, it should be.

Speaker 4:

It should be right If configured properly.

Speaker 2:

No, I think. I think what it, the best way to describe that is a guest network is usually designed to where it can't access internal resources, can access the internet, and that's about it, right. I do want to ask you guys what are some ways that you've dealt with IoT devices in your environments, because when we first started out, like I don't know, eight, five, eight years ago or so on the whole IoT, that was kind of one of our first responses because we didn't have a whole lot at first. Right, like some of the big examples of IoT devices that I've seen are like digital signage, so aka TVs, essentially the printers that they try to join to the network for whatever reason, got to turn that off. But then another one, a big one, is like Alexas, like the Echos and Google's version of it and all that.

Speaker 1:

Do you deploy a lot of those in your business.

Speaker 2:

No, we don't deploy them, but people bring them in and they want to get to the internet so that they can listen to like their radios and stuff like that, and so it's one of those. Yeah, so we, but you know we can't let them join our corporate network, right? So right. But there's. There's also to go further into that. How do you stop that right, like if a user knows the password to your corporate Wi-Fi? How do you stop them from adding some of these devices on?

Speaker 1:

802.1x baby.

Speaker 2:

There you go, most of those.

Speaker 1:

IoT devices don't speak 802.1x for you to even try to do that.

Speaker 3:

Well, and I want to, I want to touch on that. Dan just mentioned that. You know, typically these IoT devices are more often than not, going to be wireless rather than wired Right, and I think that's something that, as infrastructure professionals, you need to consider, and this would be a great thing for a a ROL Dionysio to to weigh in on, because a lot of these IoT devices I'm saying in a broad generalization are on commodity hardware. They're low power devices and I've seen in cases where, like these device, some of these devices will only support 2.4 gigahertz wireless.

Speaker 3:

Yeah so, and you know, I think there's some, some organizations out there that are trying to get as far away from 2.4 as possible to be able to get more capacity, push people to 5 gigahertz and now 6 gigahertz, and because of some of these IoT devices, you have to be cognizant of that and you may still need to support 2.4 gigahertz because of that, and it's it's things that you wouldn't necessarily think about, because back in the day it was always we had consumer gear and we had enterprise clients in gear, and now not only do people just want to bring in their own stuff the whole BYOD movement but these IoT devices, which, I'll say aren't necessarily what I'd call enterprise class, are being sold to enterprises and need to integrate onto our production networks, and it's just things that you need to. You need to think about that you may not had to support in the past.

Speaker 1:

Yeah, I agree.

Speaker 1:

I mean, at manufacturing we we dealt with a lot of CNC machines and a lot of them were very old, running Windows NT and other things, and nothing that we could join to the domain and control with our security policies and stuff like that.

Speaker 1:

And then, you know, towards the end of my time at the manufacturing company, we were starting to explore 3D printers, which of course are network connected devices you send CAD files and stuff to to make your 3D printed part. So again, that device that you can't control. So you know, in the case of the 3D printer it's a little bit different, right, because they're, they're creating the files on the enterprise workstation to be able to send to that and it's now a part of the workflow. With a sensor or, you know, a camera or something like that, we created a separate, completely separate VLAN, completely, completely separate SSID and it was tied to the same gateway as our guest network, which was just a cheap commodity, consumer grade cable modem connection. It wasn't tied to the rest of the enterprise. And that way, you know, despite our best efforts to secure those devices, if they had ever become compromised and started sending out traffic, you know the IP that would get blacklisted would be the guest network, not our enterprise IPs.

Speaker 2:

That's good thinking, though yeah, it would tie it to a completely different IP there.

Speaker 1:

Yeah, I've worked for a company that got an email domain blacklisted and that was an absolute nightmare to work through getting off that list. I don't want to do that again.

Speaker 2:

So for the the printer situation, because I've I'm also into 3D printing and the printer I have has a cloud option where I can watch my print from remote, right, oh, that's cool. So one thing you can do there is put a firewall between that right and only allow traffic from, like, the enterprise side to that IoT device, right, and then that way, when that IoT device needs to reach out or something like that, you can you can allow the internet access, but not allow it to talk, like to my machine.

Speaker 1:

What are some other tactics you guys have seen or used to secure IoT, or what are some other tools in our toolboxes network engineers that we could use to secure these kinds of devices?

Speaker 3:

Hmm, I do. I do think you need, I do think you need to rely as much as we we may dislike it from being network engineers I think you need to rely on the network infrastructure because it's it's already sitting in the path of these packets anyway. So you need to either do your research to understand what traffic flows are necessary so hopefully that's documented or you need to have some enterprise grade system that can inspect traffic and build these baseline flows of what it it appears this device, so it's, it's fingerprinting devices, profiling devices and then pushing policy based on that. I don't know any other really good way to do that to try to make it dynamic, because I mean, who has time to figure out all this stuff? I mean, do you really want to be running packet captures and analyzing them to figure out baseline traffic flows of what should and should not be allowed if it's not documented?

Speaker 2:

Yeah, I think that's where, like tools, like you know, Palo Alto, they have their App-ID that they can, that they can run. So if you ran certain IoT devices through that you could pick up on, you know, the type of traffic that is, if they have it in their database, right, but that, I could see something like that that would go along with your packet inspection. If this IoT device is sending traffic, that is what it's supposed to be sending, that kind of thing, versus if it's just talking over a port but doing malicious traffic over that port, right, yeah, trying to mask what it's doing, to not get caught.

Speaker 3:

And back to some of these, some of these different IoT threats is Dan brought it up with the different user commodity devices like Amazon Alexas and that kind of thing. You, you, we talk about shadow IT and BYOD. Well, shadow IoT is a thing too, with bringing.

Speaker 2:

Yeah, devices. Yes, they're trying to join them to our corporate.

Speaker 3:

Exactly. Yeah, well, I know how to join that. I can just yes on there too.

Speaker 2:

Right and a user doesn't think that's bad right, like a lot of them. Just they're not educated on exactly.

Speaker 2:

Kind of stuff, and so they just, to them, they just want to listen to their Pandora at their desk, right, and you can't blame them, like, right? Or at least I don't, because I think part of our job is to not hold companies back, right? So if an IoT device makes sense in a certain area, you know, I think we have to make accommodations for that, but in the same breath, we have to figure out how to secure it properly, right? So, yeah, continue on where we're going down with that.

Speaker 3:

I don't know what you're talking about, Dan. Accommodating people. We are the department of no.

Speaker 2:

And the community said no.

Speaker 3:

So something else on this list that I don't know that I'd necessarily think about right away, and is something you want to evaluate if you can get out in front of these purchases of different IoT devices, is making sure that you either stop or are at least aware of devices that may be doing unencrypted data transmissions. And if there is any of that, I guess you need to figure out if that's okay or if you need to implement some further segmentation or some sort of tunneling mechanism to make sure that's not a big deal. And the next one AJ called out earlier, about botnets. I mean, that's definitely a thing with IoT devices too. If they can be compromised, I mean, even if they don't have a lot of computational power, there's certain things that if you get a whole bunch of IoT devices together and can command and control them, they can wreak havoc too.

Speaker 2:

Yeah, that's a really good point that you brought up though, AJ. Like, if, let's say, you had some IoT devices that were doing C&C type of attacks and then all of a sudden your public IP got blacklisted, I mean, that could have serious effects on a company there, right?

Speaker 1:

Oh yeah, for sure.

Speaker 2:

So, yeah, that that's a good, that's a good point of view right there.

Speaker 1:

Yeah, I think, you know, there's the potential for the botnet, right, the hacking. But the other part of it that I recall is, as some of these companies were training these devices to, you know, do more positive identification. So, you know, security cameras come to mind, right, like when they're trying to train the security cameras to positively identify when a person is going by versus a car. So it's not just a motion notification, it's there's a person on camera versus a tree blowing or whatever.

Speaker 1:

And to help train those they used a combination of AI and humans, and, you know, the humans would look at the images and confirm whether or not there was a human in there. But when another human is looking at your either still images or video, you know, stuff can happen, right? I vaguely recall, you know, an incident where a security camera brand had people confirming these images to help train AI and the software algorithm for these kinds of identifications, and they would find certain situations of their customers, you know, funny or whatever, and they'd screenshot it and share it around in their enterprise IM and post it on Reddit and all that. And so it's like, well, that's not even like a bug or software bug or anything. That's just like human intervention, and that's, yeah, that's another.

Speaker 1:

That's another piece of consideration when you're pulling in you know IoT devices onto your network.

Speaker 2:

Yeah, like Roombas taking pictures of you on the toilet.

Speaker 3:

It's something that both Andy and AJ brought up with, you know, these sensors, or seeing IoT devices as sensors. So, AJ, you just brought up AI, and we're kind of in the age now where any IT concept that comes up, we have to think about how AI is gonna change it or is already changing it. So, yeah, from.

Speaker 3:

I'd like to get your guys's take from the aspect of IoT devices. I can see, and I'm sure this is already happening for certain industries, but I can see IoT devices, because what are they doing? They're sending data back somewhere. So if you have a certain use case where you just need a whole bunch of different sensors that are feeding data into an engine, I mean, there's got to be AI implications where they can take that data and do, you know, who knows what with it in a very short period of time. So that's where I see IoT tying into AI. What do you guys think?

Speaker 2:

Yeah, that's good thinking there. So like, if we have all these thermostats, if you notice, like, it's super hot in your house, they might start sending you ads about, you know, like HVAC repairmen and that kind of thing.

Speaker 1:

We know you're running a lot. You should consider new insulated windows.

Speaker 2:

Yeah, exactly, so I'm your data.

Speaker 3:

I'm already paranoid that my phone's listening to me. Now they're gonna take it a step further and just by the temperature in my house.

Speaker 4:

Well, I'm even thinking of the motion detectors in my house. So my, my system that uploads everything to the cloud knows, let's say, every time I'm in my kitchen. So you look at that over time and you know what times I'm in the kitchen. And then, yeah, you know. Oh, three o'clock starts sending Andy ads for food.

Speaker 2:

Yeah, and here's another thing They'll notice your ice cream goes really quick, and so they're gonna start sending you like cookie dough ads.

Speaker 1:

That's 11:59. Send Andy an ad for ice cream.

Speaker 2:

Yeah, Andy's a sucker for ice cream, so let's start. That's gonna be in the next Jason Bourne movie, is that's?

Speaker 1:

how he's gonna get.

Speaker 3:

One of his targets Is that he's tapped into the home automation system, is watching the different motion sensors. Yeah, knows where he's at the house.

Speaker 1:

All right. So to kind of summarize, IoT is great for convenience but brings a lot of potential security risks and issues. There's definitely no sign of it slowing down or going away. The convenience to businesses and the value they bring so far has outweighed the potential for threat, despite some of the things that have actually happened. So it's important for us as network engineers, if we're not already dealing with IoT, which I would be shocked if any listener wasn't kind of dealing with it in some capacity, in just knowing the tools available to us to mitigate as best we can those potential threats that come with the IoT devices.

Speaker 1:

So network segmentation is a huge one, even down to ACLs, right? Like if all you have is a router on a stick in your small business network, trying to mitigate, you know, your enterprise devices from talking to the IoT and the IoT talking to anything but the internet as much as you can. You know, private VLANs, what might be a good way to solve that problem? To really block those from talking to anything else other than the gateway and getting out. Other thoughts? I mean, what do you guys think as far as the future of IoT? Like I said, I don't think it's slowing down or going anywhere.

Speaker 1:

Yeah, are you guys seeing any sort of adoption, active adoption, of IoT devices in your networks?

Speaker 2:

Oh yeah, yeah, so, don't like. One of the latest things is, well, it's HVAC systems, right? Like, oh yeah, they, so they have.

Speaker 2:

You know, you have your thermostat, it's linked up to some cloud, you know, product, that these thermostats are calling back home. You don't even have to call the HVAC company. They're gonna send someone there if it starts getting, you know, errors or anything like that, or they'll reach out, you know, whatever you're saying, hey, you guys seeing any issues? So I think the more we go down that path, well, and let me back up a little bit, I think the whole AI thing is really cool. We've talked about AI, you know, in monitoring, like network monitoring, but also think about, like, environmental monitoring as well and how AI can help with that. But like, what do you think about that, Tim? Like in IT in general, not just, like, network monitoring, but, like, environmental monitoring.

Speaker 3:

Yeah, I think there's gonna be a lot of use cases for stuff like that in a bunch of different industries, like you said, not even just IT related. When you start talking about environmental, and I go back to the use cases of energy, to be able to, anything that you need to monitor from an environmental perspective, to be able to get that data somewhere where it can be analyzed with, you know, cloud AI, I could see. You know, there's been a lot of talk of, and I'm not gonna turn this into political, I promise, but there's been a lot of talk recently of what's happening in the environment and the effects of global warming and that kind of stuff. So how can we leverage different types of IoT sensors to be able to better detect severe weather events and that kind of thing, to be able to protect people and know faster when people may need to evacuate? I can see different IoT sensors and devices having a big play there.

Speaker 3:

So I think it's just, we're at the point where, from an infrastructure professional perspective, it's not only coming, it's here. So we have to kind of accept it. I think the mentality of years past has been, let's try to set our standards and avoid the stuff that we don't want to have to support as much as we can. I think those days are over and, like you were saying, Dan, you don't want IT to be seen as a barrier. You want IT to be seen as a benefit to the organization and enabling business. We need to accept, not only accept, but make these things, try to make these things better and connect well, because there's a lot of benefits out there. We just need to make sure, as infrastructure professionals, that these things are connecting properly and securely.

Speaker 1:

Yeah, well said, Tim. I agree. You know, there are a lot of benefits to what these tools can do and a lot of them are becoming essential to business. You know, Stubb area 51 mentioned he helped a power organization deploy smart meters. I mean, that's just an absolute critical piece to the business, especially for a power company, so that you can't, as an infrastructure professional, you can't say nope, we're not gonna put those in our network.

Speaker 3:

Well, that's how we're gonna bill people, so that's a fantastic use case. I remember when I was growing up the gas company would have people that would drive around, so they drive, you know, kind of like a mail truck, drive at the end of the road and they get out and they pass out the mail to everybody's mailbox. Gas company, somebody would have to come up and physically look at the meter to see how much you used that month.

Speaker 4:

That's not a thing anymore. Yeah, it's great.

Speaker 1:

This has been years ago.

Speaker 3:

But I mean, you just think about that kind of stuff. That is, it's all automated now, yeah, and it's these types of IoT devices, these sensors, that enable that. And look at vehicles.

Speaker 2:

Nowadays, even vehicles are starting to become an IoT device.

Speaker 1:

Oh yeah.

Speaker 2:

They have cellular connections and they can get their updates. They can, you know, what's the OnStar and stuff like that. It's funny, when I look at, like, so on some of our APs we can do, like, rogue AP detection, right, or SSID. We can see all the different SSIDs that drive by and I see so many "my Chevy" or Nissan or whatever they have, and it's kind of funny, but it's a thing now, right? Like, you just see so many of these devices around your networks.

Speaker 1:

Yeah, and the convenience is, it's kind of neat, but, you know, sometimes you forget that that's a security threat, right? Like, I've got a Chevrolet, I've got, you know, OnStar and I get a monthly report on my vehicle, on my wife's vehicle, like, here's the health status and, oh yeah, you should buy a data plan and all that stuff. But yeah, and I know that there's been reports of those things being hacked. But, you know, my hope is that, you know, the LTE radio doesn't connect to the ECM, like.

Speaker 1:

Yeah, but, you know, it must, because I can send a remote command to start the vehicle. So there's probably a lot more control there than I care to think about or want to know about.

Speaker 3:

Right. I think a big thing here is to just try to make sure that yourself and others are educated, because, I mean, you can buy any and every damn thing you want on places like Amazon, different stores on the internet. It's to try to do, and I know it's easy to just go, oh, I need a new doorbell, or I need a new security camera or door locks even. It's easy to just go on and buy the thing that looks like it'll work, and the least expensive thing. But it's trying to educate yourself and others to do a little bit of research, try to find out who the manufacturer is, what kind of reviews they have, how legitimate they seem. That stuff to me is important, so you try to protect yourself from running into these things when some of these systems may not have the most secure firmware and may have back doors and that kind of thing. It's really just trying to do what you can to protect yourself.

Speaker 2:

Yeah, and also educate on how their call home kind of works, right? Like, security systems are a good example. The 3D printer thing, that's a good example, right? A lot of them have a cloud that they call. That cloud can be hacked, I mean, let's just be honest. And then now they have connection to whatever that IoT device is to do whatever they want to do with it. So you just got to, you have to keep that kind of stuff in mind. Like, I think a good example is with camera systems. There's an argument out there in some camera groups about, should you allow that camera to talk back to its cloud service, or do you set up a VPN where you VPN into your home network to view your cameras remotely?

Speaker 1:

right.

Speaker 2:

Uh, so how to handle, cert, you know, whatever the situation is. If you do some reading on how that device connects back, then that will make you more educated on how to handle securing that device, right?

Speaker 3:

Yeah, and I think there's going to be less and less of those kinds of technologies, Dan, where that's even an option. I think, as we get further down the road, it's going to be, you're not just buying a device anymore, you're buying a solution.

Speaker 3:

Yeah, part of that solution is your data is getting sent to another location, and I think it's going to be harder and harder to find some of those, you know, internet-connected but standalone systems where you have full control. I think at some point it's going to be harder to find that kind of stuff.

Speaker 2:

Yeah, like, you're forced to use their solution, because that's the only thing that exists. Yeah, right, yeah, makes sense.

Speaker 4:

I think, like anything, you have to do, you know, uh, what is it called? Like, not a risk-benefit analysis? There's some fancy term for it, but yeah, risk analysis.

Speaker 4:

Yeah, if your doctor's going to give you medicine, they're giving you the medicine because the risks associated with it, the side effects, are less than the benefits you're going to gain from it. So just to, you know, to make it relevant here, I mean, I was very against those home assistants, you know, whatever, the Alexas and Siris and all that, like the Amazon Echo as an example, right? Because I know they're listening all the time, they have to to hear the trigger word, right? And it was just super creepy to me and I didn't want it. And my son is a very curious guy and he asks a lot of questions all day, every day, and at one point I thought, wouldn't it be great if I could just get him one of those things and he could ask that?

Speaker 2:

Well, that's parenting right there.

Speaker 4:

But here's the thing: the poor guy would ask me so many questions and I get frustrated and I do not have eternal patience. And so now he asks about the score of the baseball game or what's the fastest bird, or, like, I mean, whatever questions he has, and it's an unending torrent. So for me, okay, it's an IoT device, it's listening. It's creepy, maybe they're selling my data, but it helps my kid learn and takes some of that burden off of me. Another example is a security system at our house. I've heard creepy things that these companies are doing with the data, right, maybe it's advertising or something. And, you know, yeah, somebody could hack my system and start talking to my kids in the middle of the night, which is super creepy. I have CO2 monitors in my house that, if they detect CO2 in the house and I'm unconscious and can't hear the alarm and go save myself, it's gonna autonomously call out for help, call the fire department, get people. I mean, it could save our lives, right? Will it? I don't know, but it's one possible benefit that I'm weighing the risk with, you know. And with water monitors too. I have water monitors in a couple of places in my house. I know people who have had their houses destroyed by a water leak when they're out on vacation. You don't know, it just keeps destroying everything, and then you get home and you're like, oh my God, it's gonna cost a million dollars to save this place. So, you know, again, there's benefits, there's risks, and you kind of gotta walk that line.

Speaker 4:

The last one I'll share is my father-in-law has had type two diabetes for a really long time and he really wasn't managing it all that well. You're supposed to prick your finger and it hurts and he doesn't want to and it's annoying and blah, blah, blah, right? Now he wears that continuous glucose monitor. It's a thing that you pop on your arm and I think it lasts a week or two. It's constantly monitoring his blood sugar. It talks to his phone via Bluetooth. If he goes too high or too low, it not only notifies him, but if he doesn't respond to it in the next amount of time, it calls out to a nurse hotline saying, hey, this guy's in critical, you know, levels and he's not responding. It has really helped him manage his diabetes better because he's constantly aware of the thing and he doesn't have to prick himself every time. You know, one prick every two weeks on his arm as opposed to seven a day in his finger forever.

Speaker 4:

So, you know, I've seen some real benefits from these IoT devices, personally, you know, and in my extended family. But yeah, there's a lot of security concerns, like we talked about, and this is all personal stuff. For me, I've never had to manage IoT in a production environment. But, you know, the good news, like you guys have shared, you have all the intrusion prevention, detection, heuristic modeling. You can see what the baseline should be, and these software, you know, options, I guess, can tell you, like, hey, there's some weird stuff happening, like why is the fish tank thermostat talking to a database, as an example, right?

Speaker 4:

So it seems like at the enterprise level we have a lot of tools at our disposal to keep it, you know, secure. So I don't know, man, it's not going away. Like you said, AJ, I think it's just gonna proliferate. There's so many benefits to all this monitoring and all these things out in the world that can tell you things. I mean, HVAC is pretty important, Dan, right? If your data center starts warming up, it'd be good to have some sensors around to tell you what's going on.

Speaker 2:

Yeah, and that's, like you were talking about water sensors, like, we've got water sensors in our data centers, stuff like that, around, like, AC units and all that jazz. So yeah, I mean, I think environmental monitoring at, like, a data center or closets, you know, IDFs, MDFs, that kind of thing, I think there's a lot of benefit there.

Speaker 4:

Whether it's your house, there's some creeper walking around your yard in the middle of the night and, you know, my cat, or your data center, or your data center.

Speaker 1:

Well, right, exactly.

Speaker 4:

It's security, it's environmental it's. I mean, I'm all about it.

Speaker 2:

It needs to know if it's me or a for-real creep, you know.

Speaker 1:

Just stand during the maintenance window.

Speaker 2:

Yeah, yeah, nice nice.

Speaker 1:

Awesome, all right, last minute thoughts. Closing arguments.

Speaker 3:

It's just like with anything and everything, there's going to be trade-offs. Andy brought up some fantastic use cases right at the end there. That glucose monitoring thing, that's huge, right? That's a life-changing thing. It helps you manage something that is directly related to your health. So, yeah, there's, with it, just like anything. So, I mean, this isn't isolated to just IoT. With anything, from a technical perspective, there's going to be trade-offs and you just need to make sure you know how to manage those trade-offs.

Speaker 2:

Right, and this is just another phase of it, right? Exactly what you're saying there, tim. It's just another phase of the trade-offs.

Speaker 1:

Well, guys, this has been a fun conversation. I want to remind everybody that we have a new podcast out. It's called Cables to Clouds. If you're doing any sort of cloud networking or making the transition from on-premises to the cloud, you can join Tim, Chris and Alex. Every other week they release an episode on the off weeks that we do not, and they're having some fun conversations, talking to some fun people and all about their journey, as well as others', into cloud networking. So grab your favorite podcatcher and check out Cables to Clouds. And again, I want to remind everyone we are on TikTok. I'm still trying to figure out how to do TikTok.

Speaker 2:

Or, as Andy calls it, tickie Talk.

Speaker 1:

Tickie Talk. Is it Tickie Talk or Tickie Talkie? I can't remember what Andy calls it. Tickie Talk, it's good, it's good, excellent. Well, secure IoT devices. One last thought I had is I hope to see, and I haven't touched consumer stuff, I've had Cisco Meraki.

Speaker 1:

I did the Cisco Meraki training and I got a full stack, so I've had that in my home for a while, so I have enterprise-ish grade equipment, certainly a step up from the consumer stuff. I wonder if consumer-grade equipment is going to adapt any sort of provisioning for IoT devices and keep that on a separate network, kind of automatically, for other consumers to help secure their home network. So it'd be interesting to see if they do that.

Speaker 1:

But thanks so much for joining us and we'll see you next time on another episode of the Art of Network Engineering Podcast.

Speaker 4:

Hey everyone, this is Andy. If you like what you heard today, then please subscribe to our podcast in your favorite podcatcher. Click that bell icon to get notified of all of our future episodes. Also follow us on Twitter and Instagram. We are at Art of NetEng. That's Art of NetEng. You can also find us on the web at artofnetworkengineering.com, where we post all of our show notes, blog articles and general networking nerdery. You can also see our pretty faces on our YouTube channel named the Art of Network Engineering. Thanks for listening.
