In Depth

When Everything's Networked

You'll need a strategy for dealing with the hidden risks of Internet-connected air conditioners, door locks and forklifts.

By Fred Hapgood

Page 3

First off, there is the extreme tack: Taher Elgamal, CTO of Securify, a network management software company, doesn't allow devices on his network at all. One reason is that he expects spammers to discover networked printers any day now and doesn't want to put his company in their sights. "Fax spam is bad enough," he says.

Mike Hrabik, CTO of security services provider Solutionary, on the other hand, was an early adopter of networked devices, including cameras, power supplies, air conditioners, generators and printers. According to Hrabik, Solutionary has used VoIP for four years, which is like having had e-mail for 20. His security solution was in its own way as extreme as Securify's: He connected the devices with their own IP network, with separate cabling.

To Conquer, Divide

Hrabik's physically separate network is the belt-and-suspenders, come-hell-or-high-water solution. A less sweeping but still effective alternative is to separate the networks logically to limit which devices can talk to which. James took this approach at Secure Science, in part to control the risks of putting digital printers on his network.

Logical separation is based on the fact that every device on a network has two addresses. The first is defined by the manufacturer and embedded in the hardware; the second is assigned by the network. These are known as the MAC (Media Access Control) and IP (Internet Protocol) addresses, respectively. The latter might be thought of as the street address of a house; the former as the name of the person living in that house at the moment. Packets typically arrive in a network knowing the IP but not the MAC address of their destination. They learn the MAC address by polling the device belonging to that IP address; that is, they go to the house, knock and ask who lives there. The first step in logically separating the network is to make sure that the device does not give out the identity of its "inhabitants" to every Tom, Dick and Harry who shows up at the front door. The butler needs to be given a list that specifies whom the master will see. Everybody else gets the door shut in his face.

Separation is defined by building access control lists and enforced by encryption. S2 Security is a startup developing a product that integrates networked management of devices (for example, video cameras, intercoms, sensors and door locks) with the idea of extending the reach of security personnel to multiple, remote-entry points. The company has two flavors of demo: a remotely controllable webcam accessible from its website, and private presentations it gives clients.
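The "butler's list" described above, as an added example that is not code from the article or from any of the companies it mentions: a small policy check in which a device segment keeps a register of which hardware (MAC) address is allowed to claim which IP address, plus an access control list of which source networks may reach the segment at all. All addresses, host names and network ranges are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Registered hosts: which MAC may claim which IP (constructed sample data).
# Both the devices and the clients permitted to reach them are listed.
REGISTERED = {
    "10.10.5.7": "aa:bb:cc:00:05:07",    # facilities workstation
    "10.20.0.10": "00:11:22:33:44:10",   # networked printer
    "10.20.0.20": "00:11:22:33:44:20",   # IP camera
}

DEVICE_SEGMENT = ipaddress.ip_network("10.20.0.0/24")

# ACL: (source network, verdict); first match wins, default deny.
ACL = [
    (ipaddress.ip_network("10.10.5.0/24"), "allow"),   # facilities staff
    (ipaddress.ip_network("0.0.0.0/0"), "deny"),       # everyone else
]

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    dst_ip: str

def binding_ok(ip: str, mac: str) -> bool:
    """True only if `mac` is the registered owner of `ip`; unknown IPs fail."""
    return REGISTERED.get(ip) == mac.lower()

def acl_verdict(src_ip: str) -> str:
    src = ipaddress.ip_address(src_ip)
    for net, verdict in ACL:
        if src in net:
            return verdict
    return "deny"

def evaluate(pkt: Packet) -> str:
    """The butler at the door: check the list, then check the caller's name."""
    if ipaddress.ip_address(pkt.dst_ip) not in DEVICE_SEGMENT:
        return "allow: not addressed to the device segment"
    if acl_verdict(pkt.src_ip) != "allow":
        return "deny: source network not on the list"
    if not binding_ok(pkt.src_ip, pkt.src_mac):
        return "deny: sender's MAC does not match the registered owner of its IP"
    return "allow"

SAMPLE = [  # constructed packets, not captured traffic
    Packet("10.10.5.7", "aa:bb:cc:00:05:07", "10.20.0.10"),    # legitimate workstation
    Packet("10.10.5.7", "de:ad:be:ef:00:01", "10.20.0.10"),    # right IP, wrong hardware
    Packet("192.168.1.50", "aa:bb:cc:00:05:07", "10.20.0.20"), # outside the allowed network
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.src_ip, "->", p.dst_ip, ":", evaluate(p))
```

The second sample packet is the case the article's analogy is about: the street address is right but the name does not match, so the door stays shut.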
