David, can you lay out again in layman's terms why IoT devices are not safe on a network if they are allowed free roam? Please be specific about inbound and outbound rules. How did a fish tank monitor extract valuable info from a casino's network? Why do almost none of the baby monitor cameras use DNS for their requests? Are manufacturers going to wise up and start using DNS soon?
I am seeing not only the cameras using DNS-less connections, but now also the apps to watch the footage are using DNS-less connections for the stream as well.
Good question @nckrwlmn. I will lay it out briefly here in terms of concepts.
The key principle in security is offering least privilege while allowing real needs to be met. The motive is security, and sometimes convenience has to pay a little price, so here's a practical approach to securing your network. Since tricks like NAT slipstreaming now make the most permissive device policy the weakest link in the chain, you want to use network isolation where such high-risk devices live.
For example, it is common now to deploy an IoT [insecure] network segment/VLAN which has the express purpose of having permissive policies sufficient for IoT devices to make their DNS-less connections to the cloud. Broadly speaking, here are the steps:
- deploy a new network segment for IoT
- create rules and policies for the devices to use such a segment (the required rules are easy to create by observing logs and filtering by the device to see how it attempts to connect, and then allowing that)
- move IoT devices to this new segment
- make sure the IoT network segment cannot communicate to any other network segment
- take necessary steps to ensure the IoT network segment isn’t used by non-IoT devices (strategies like keeping WiFi access secret and not offering addresses via DHCP to unknown MAC addresses, even setting allow rules specific to only known devices, etc)
Any one of the above steps could be expounded on independently, but those are the broad concepts.
The fish tank camera story was possible for the simple reasons that (a) the network was a production business network and (b) it had no egress control, so it was able to reach out to the public Internet without any security protocol getting in the way.
As for baby monitors not using DNS, it's an architectural decision on behalf of the software developers to not have traditional DNS issues impact their application. Many of them change their habits when they find out their approach isn't going to work in a zero trust model. Sometimes just asking them is all it takes. LinkedIn's new app, for example, no longer uses DNS-less connections, and neither does Signal.
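The "observe the logs, then allow exactly what the device needs" step above, and the DNS-less behaviour described in the last paragraph, can be worked through in a small script. The following is an added example, not code from anyone in this thread: it correlates constructed resolver and firewall log lines, labels each outbound flow from an assumed IoT VLAN (10.20.0.0/24) as resolved via DNS, DNS-less (a hard-coded cloud endpoint that needs a reviewed allow rule), or cross-segment (must be dropped), and renders per-device nftables-style allow rules with a default drop. Log formats, addresses, hostnames and the chain name `iot_egress` are all assumptions for illustration.

```python
"""Correlate DNS answers with outbound connections from an IoT segment.

Added example, not part of the original thread. Flows whose destination was
never returned by a DNS answer to that device are flagged as DNS-less, flows
into other private segments are flagged for blocking, and a per-device allow
list in nftables syntax is generated. All log lines and addresses below are
constructed for illustration.
"""
from collections import namedtuple
from datetime import datetime, timedelta
import ipaddress
import re

IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")      # assumed IoT VLAN
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"),          # other private space
            ipaddress.ip_network("192.168.0.0/16"),
            ipaddress.ip_network("172.16.0.0/12")]
DNS_WINDOW = timedelta(minutes=10)   # how long a DNS answer may precede a flow

# Constructed sample logs (resolver and firewall), not from a real network.
DNS_LOG = """\
2024-05-01T10:00:00 client=10.20.0.11 query=cam.vendor.example answer=203.0.113.10
2024-05-01T10:00:02 client=10.20.0.12 query=time.vendor.example answer=203.0.113.20
"""
CONN_LOG = """\
2024-05-01T10:00:01 src=10.20.0.11 dst=203.0.113.10 proto=tcp dport=443
2024-05-01T10:00:05 src=10.20.0.11 dst=198.51.100.7 proto=tcp dport=8883
2024-05-01T10:00:06 src=10.20.0.12 dst=192.0.2.44 proto=udp dport=1935
2024-05-01T10:00:07 src=10.20.0.12 dst=192.168.1.5 proto=tcp dport=445
"""

Flow = namedtuple("Flow", "ts src dst proto dport name verdict")
_KV = re.compile(r"(\w+)=(\S+)")


def _parse(line):
    """Split 'TIMESTAMP key=value ...' into (datetime, dict)."""
    ts, rest = line.split(" ", 1)
    return datetime.fromisoformat(ts), dict(_KV.findall(rest))


def dns_answers(log):
    """Map (client, answered_ip) -> list of (timestamp, queried name)."""
    out = {}
    for line in log.splitlines():
        ts, f = _parse(line)
        out.setdefault((f["client"], f["answer"]), []).append((ts, f["query"]))
    return out


def classify(conn_log, dns_log):
    """Label each outbound flow that originates inside the IoT segment."""
    answers = dns_answers(dns_log)
    flows = []
    for line in conn_log.splitlines():
        ts, f = _parse(line)
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src not in IOT_SEGMENT:
            continue
        name = None
        for ans_ts, qname in answers.get((f["src"], f["dst"]), []):
            if 0 <= (ts - ans_ts).total_seconds() <= DNS_WINDOW.total_seconds():
                name = qname        # destination was handed out by DNS shortly before
        if any(dst in net for net in INTERNAL):
            verdict = "block-cross-segment"   # IoT must never reach other segments
        elif name:
            verdict = "allow-resolved"
        else:
            verdict = "review-dnsless"        # hard-coded cloud endpoint, allow after review
        flows.append(Flow(ts, f["src"], f["dst"], f["proto"], int(f["dport"]), name, verdict))
    return flows


def nft_rules(flows, chain="iot_egress"):
    """Render per-device allow rules plus a default drop (nftables syntax, assumed chain)."""
    rules = []
    for fl in flows:
        if fl.verdict == "block-cross-segment":
            continue                          # covered by the final drop rule
        comment = fl.name or "dns-less endpoint, reviewed from logs"
        rules.append(f"add rule inet filter {chain} ip saddr {fl.src} ip daddr {fl.dst} "
                     f'{fl.proto} dport {fl.dport} accept comment "{comment}"')
    rules.append(f"add rule inet filter {chain} ip saddr {IOT_SEGMENT} drop")
    return rules


if __name__ == "__main__":
    flows = classify(CONN_LOG, DNS_LOG)
    for fl in flows:
        print(f"{fl.src} -> {fl.dst}:{fl.dport}/{fl.proto}  {fl.verdict}  {fl.name or ''}")
    print("\n".join(nft_rules(flows)))
```

Running it on the constructed logs shows the camera's connection to 203.0.113.10 as resolved (the resolver handed that address to the same device one second earlier), the MQTT and stream connections as DNS-less candidates for review, and the SMB attempt at 192.168.1.5 as cross-segment, which is why the generated rule set ends with a drop for the whole IoT segment rather than relying on the absence of an allow.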