Organisations connecting to Janet are required to implement three policies: the Eligibility Policy determines who may be given access to the network; the Security Policy sets out responsibilities for protecting the security of the network and its users; the Acceptable Use Policy identifies a small number of activities that are not permitted on the network. For years we’ve been applying those policies to connecting people to Janet: more recently questions have arisen about connecting devices, often referred to as the Internet of Things (IoT).
Whether connecting people or things, the responsibilities of organisations remain the same, broadly:
- ensure that only members and guests can gain access to Janet (Eligibility Policy 15-19);
- ensure that insecure devices and users don’t pose a threat to other users of Janet (Security Policy 9);
- ensure that any complaints can be investigated and dealt with effectively (Security Policy 8; Acceptable Use Policy 19).
How to do that depends very much on what the device in question is and does: all things are not alike. Many will use the Internet as clients, connecting to servers but not running any services of their own. For example we’ve been asked about connecting exercise machines that store their users’ fitness plans on a remote, cloud-based, server. Here traditional firewalls can be used to block inbound access to the machine, and possibly also to limit the protocols and servers it can use outbound. Patching is known to be a challenge for IoT devices – many will pass their entire life without a software update – so network-based measures may well be their main, or only, defence against attacks. Protecting IoT networks with tools such as virtual networks, firewalls, proxies and intrusion protection systems should be seen as essential deployment practice, not just policy compliance.
Where devices connect to wireless, rather than wired networks, organisations will need to ensure that they can only connect to the intended, local, network. If using a common SSID such as eduroam the device must be configured to present authentication credentials that will only work on the owning site’s wireless network, not on any neighbour’s network that may not provide the protection it needs. The local network should be configured to recognise the account as belonging to a potentially vulnerable “thing” and connect it to an appropriately configured and protected network segment; well-separated from those used for visiting laptops etc.
A device without users may be less likely to breach the Acceptable Use Policy, but it’s not impossible. There have been a number of reports of compromised “things” being recruited into botnets. Recently the largest ever denial of service attack has been reported, apparently generated using insecure webcams with unrestricted internet connections. It seems likely that pictures from all those cameras were openly viewable too. Organisations need to be able to detect incidents and respond to complaints relating to connected devices, so it’s important to know where they are and who is responsible for them.
Devices that do (or may) have human users will also need controls to ensure that only authorised individuals can access them. If a user of the device will thereby gain access to Janet then some measure will be needed to ensure that only members or guests of the organisation can do so. If this isn’t possible then the device will need to be treated as providing public access and separate internet connectivity arranged. If the device itself doesn’t support authentication the necessary control could instead be achieved by limiting physical access, signing out individual devices, using an authenticating gateway to gain network access, etc. Humans are likely to make wider use of the network than an automated device, so are more likely to give rise to complaints. Some way of dealing with misbehaviour will be needed, either by warning individual users to stop, or by removing or restricting the problematic access from the device as a whole.
Connecting things isn’t so different to connecting people, though it may involve a shift in the kinds of precautions that are used. Preventive, rather than responsive, controls may well be more appropriate, especially where devices such as cameras or building controls interact with the physical world.