The Internet of Things
A couple of decades ago, only computers had IP numbers. Then printers were connected to networks so they needed IP numbers. Before long, people wanted to browse the Internet with their smartphones, so… you guessed it, they needed IP numbers too.

Today almost everything is connected to the Internet, and this is called the “Internet of Things” (or IoT): thermostats, security cameras, the beer cooler at the office (what, you don’t have one?!?!), the fish tank, your fit watch, your car’s audio system, your stereo, the Apple AirTag on your luggage, and so much more… All of these devices are now chained together into a worldwide “Internet of Things.”

What does this mean for us? Well, a chain is only as strong as its weakest link. We tend to trust our computers to be secure: Microsoft Windows, macOS, Linux, and the hardware they run on are updated pretty often and patched regularly. Even Android and iOS, and the Samsung and Apple devices they run on, are fairly robust, secure and reliable. But what about that fish tank? How much security did the manufacturer build into its thermostat? Or what about the security camera in the hallways at work?

I’ve recorded Chinese-made Hikvision cameras trying to connect hundreds of times a day to a server in China. This connection wasn’t anything they were programmed to do; it was something baked into their firmware from the factory. But the client chose them because they were the cheapest cameras on the market.
If you’re still OK with it, you shouldn’t be. In 2013, criminals hacked an HVAC system, essentially an office thermostat, in the head office of US retail giant Target. That was all the bridgehead they needed to steal 40 million credit and debit card records. It cost Target $18.5M to settle the lawsuits and another $200M to secure their systems and regain customer trust. Earnings fell 46% in the quarter following the attack.

In 2017, a similar story involved a fish tank. An IoT fish tank can monitor and report on temperature, salinity, oxygen levels and so many other things to keep fish happy. Hackers, gaining access to a fish tank in a very well-known and exclusive Las Vegas hotel and casino, stole over 10 Gb of customer and business data, exfiltrating it through a proxy server in Finland on its way to wherever. The casino naturally paid a lot of money to both cover up the incident and keep its actual name out of the news.

So what can we do? Fortunately there is a great solution that isn’t all that expensive and really breaks up the Internet of Things to protect our businesses. They are called “Virtual Networks.”

Introducing Virtual Networks

To understand the idea of Virtual Networks, let’s imagine you’re going to a party, a very large party. You show up and introduce yourself to the host. The host welcomes you and then takes you into a large room. They introduce you to a group of people that you probably have a connection with. Maybe you know each other from school; perhaps you work in the same industry. For whatever reason, it’s a small cluster that you are introduced to in an otherwise very large room filled with the background din of multiple conversations happening at the same time.

Now, as long as your conversation is interesting, you’ll have a good time telling jokes, sharing stories, getting to know each other. The fact that there is a room full of other people having their own conversations doesn’t concern you. You can’t make out what other groups are talking about.
Perhaps they’re even talking different languages.
Best of all, we don’t need any new wiring in the building to set up Virtual Networks, which makes implementing a secure network economical and fast.

From the diagram above, we can see that this business is broken into 6 VLANs, one for each department. Each VLAN is represented by its own colour. The purple boxes are network appliances: switches and routers. But notice that all the devices are physically connected to a single network, so there’s no extra hardware or redundancy.

Here’s where our party analogy breaks down a bit. In our party, you have to be physically in the same small cluster as the other people to carry on a conversation. If the conversation is boring you, or someone is taking over the conversation to talk about themselves, you need to walk away and find another cluster in the room to join a different group. Notice that the IT Department VLAN (Green) is spread across four different branches of the network. Those devices can be anywhere in the organization, even in a different building or across the world, and still be connected to the correct VLAN for their department. No electrician is required to pull cable to move a computer. Switching a device from one VLAN to another is a simple configuration change to the network.

What Does it Take to have VLANs?

If you’re running your business with just the router box provided by your ISP (the one provided by Telus, Shaw, Rogers, Bell or whoever you buy your internet access from), then you need some network upgrades. At a minimum you need a real Firewall (your ISP might even call its little router “Firewall” but think of it more as a screen door). And depending on your network size, you’ll need at least 1 Level 2 switch. If you use WiFi, we’ll need to upgrade those access points as well.

The point is that it’s a fairly easy, straightforward makeover that will go a long way to making sure your fish tank looks after your fish and doesn’t send your customer data to Eastern Europe.

Interested to learn more?
Download our Networking Resource Kit to learn more. Or ask us for a free consultation here.
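
An added example, not part of the original post: a simplified Python model of the VLAN separation described above, using the standard 802.1Q tag that switches put on frames crossing a shared (trunk) link. The port names, VLAN IDs and MAC address are constructed for illustration, and the switch logic is a teaching model rather than any vendor's behaviour.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag

def tag_frame(dst, src, vlan_id, ethertype, payload):
    """Build an Ethernet frame with an 802.1Q tag, as carried on a trunk link."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    # TCI: priority and DEI bits left at 0, low 12 bits are the VLAN ID
    return dst + src + struct.pack("!HHH", TPID_8021Q, vlan_id, ethertype) + payload

def parse_vlan(frame):
    """Return the VLAN ID of a tagged frame, or None if the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF

class Switch:
    """Simplified VLAN-aware switch: access ports belong to one VLAN, trunks carry several."""
    def __init__(self, access_ports, trunk_ports):
        self.access = dict(access_ports)                           # port -> VLAN ID
        self.trunks = {p: set(v) for p, v in trunk_ports.items()}  # port -> allowed VLANs

    def flood(self, ingress, frame):
        """Ports that receive a broadcast frame arriving on `ingress`."""
        tag = parse_vlan(frame)
        if ingress in self.access:
            if tag is not None:
                return []              # tagged frame on an access port: drop
            vlan = self.access[ingress]
        elif tag in self.trunks.get(ingress, ()):
            vlan = tag
        else:
            return []                  # unknown port, untagged, or VLAN not allowed on trunk
        ports = [p for p, v in self.access.items() if v == vlan]
        ports += [p for p, allowed in self.trunks.items() if vlan in allowed]
        return sorted(p for p in ports if p != ingress)

# Constructed sample data: port names, VLAN IDs and MAC address are hypothetical.
BROADCAST, FISH_TANK = b"\xff" * 6, bytes.fromhex("020000000001")
ARP = BROADCAST + FISH_TANK + struct.pack("!H", 0x0806) + b"\x00" * 28
sw = Switch({"fishtank": 60, "camera": 60, "finance": 20, "it-desk": 10}, {"uplink": {10, 20}})

if __name__ == "__main__":
    print(sw.flood("fishtank", ARP))   # only the other IoT port sees the broadcast
    print(sw.flood("uplink", tag_frame(BROADCAST, FISH_TANK, 10, 0x0806, b"\x00" * 28)))
    sw.access["camera"] = 20           # moving a device is a configuration change
    print(sw.flood("fishtank", ARP))
```

Leaving the IoT VLAN off the uplink's allowed list keeps the fish tank's traffic from leaving its own segment, even though every device shares the same cabling.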