Security challenges caused by network device management

Source: Internet
Author: User

For security professionals, keeping the data network separate from the equipment or power management network has meant physical isolation, or a gateway between the two networks that serves as a clear security control demarcation point. Convergence means the two security zones are physically merged into one but still have to be logically isolated from each other. For most IT professionals, converging the networks is a good thing. However, putting device management on the data network also brings them new security problems.

Regardless of how convergence is implemented, security professionals must understand how logical isolation will be maintained once physical isolation no longer exists. For example, security teams generally recommend assigning a dedicated VLAN to voice traffic, so that security controls can be applied at the specific points where the voice VLAN and the data VLAN meet. Those intersection points are where the policy has to be enforced, and where it should be checked: any accepted flow that crosses the boundary without an explicit rule is a gap in the logical isolation.
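The check described above, written out as an added example (this is not code from the original article): firewall accept records are mapped onto logical zones and every cross-zone flow is compared with an explicit allow-list, so that anything the firewall passed but the policy does not name is reported. The zone map, the allow-list entries, the subnets and the log lines are all constructed for illustration, and the log format is a generic "src= dst= proto= dport=" line rather than any particular vendor's.

```python
"""Inter-VLAN policy check over firewall accept logs.

Added example, not code from the original article. The zone map, the allow-list
and the log lines below are constructed for illustration; the log format is a
generic "src= dst= proto= dport=" line, not any particular vendor's.
"""
import ipaddress
import re
from typing import NamedTuple, Optional

# Constructed zone map: which subnet belongs to which logical security zone.
ZONES = {
    "data":  ipaddress.ip_network("10.10.0.0/16"),
    "voice": ipaddress.ip_network("10.20.0.0/16"),
    "mgmt":  ipaddress.ip_network("10.30.0.0/24"),  # UPS, cooling and BMS controllers
}


class Flow(NamedTuple):
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


class Rule(NamedTuple):
    zone_from: str
    zone_to: str
    proto: str
    dport: int
    src_net: ipaddress.IPv4Network  # only these sources may use this crossing


# Everything that is permitted to cross a zone boundary. Deny by default:
# a cross-zone flow the firewall accepted but this list does not cover is a
# hole in the logical isolation, whatever the firewall rules say.
ALLOWED = [
    Rule("data", "voice", "udp", 5060, ipaddress.ip_network("10.10.5.0/24")),  # call manager -> phones (SIP)
    Rule("data", "mgmt", "tcp", 443, ipaddress.ip_network("10.10.9.0/28")),    # jump hosts -> controller web UI
    Rule("mgmt", "data", "udp", 514, ipaddress.ip_network("10.30.0.0/24")),    # controllers -> syslog collector
]

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")

# Constructed sample of firewall "accept" records.
SAMPLE_LOG = """\
2024-03-01T10:00:01 ACCEPT src=10.10.5.7 dst=10.20.3.40 proto=udp dport=5060
2024-03-01T10:00:02 ACCEPT src=10.10.42.17 dst=10.30.0.12 proto=tcp dport=80
2024-03-01T10:00:03 ACCEPT src=10.10.9.3 dst=10.30.0.12 proto=tcp dport=443
2024-03-01T10:00:04 ACCEPT src=10.30.0.12 dst=10.10.200.5 proto=udp dport=514
2024-03-01T10:00:05 ACCEPT src=10.10.42.17 dst=10.10.42.18 proto=tcp dport=445
2024-03-01T10:00:06 ACCEPT src=10.20.3.40 dst=10.30.0.12 proto=udp dport=161
2024-03-01T10:00:07 ACCEPT src=10.10.9.3 dst=10.30.0.12 proto=tcp dport=22
2024-03-01T10:00:08 ACCEPT src=10.30.0.12 dst=203.0.113.5 proto=tcp dport=443
"""


def zone_of(ip: ipaddress.IPv4Address) -> Optional[str]:
    """Name of the zone containing ip, or None if it is outside every known zone."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def parse_log(text: str) -> list:
    """Turn log lines into Flow records; lines without the four fields are ignored."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            flows.append(Flow(ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]),
                              m[3].lower(), int(m[4])))
    return flows


def is_allowed(flow: Flow) -> bool:
    """True if the flow stays inside one zone or matches an allow-list crossing."""
    zone_from, zone_to = zone_of(flow.src), zone_of(flow.dst)
    if zone_from is not None and zone_from == zone_to:
        return True  # stays inside one zone: not a crossing, out of scope here
    return any(r.zone_from == zone_from and r.zone_to == zone_to
               and r.proto == flow.proto and r.dport == flow.dport
               and flow.src in r.src_net for r in ALLOWED)


def violations(text: str) -> list:
    """Human-readable list of accepted flows that crossed a zone boundary without a rule."""
    out = []
    for f in parse_log(text):
        if not is_allowed(f):
            out.append(f"{f.src} -> {f.dst} {f.proto}/{f.dport} "
                       f"({zone_of(f.src) or 'unknown'} -> {zone_of(f.dst) or 'unknown'})")
    return out


if __name__ == "__main__":
    for v in violations(SAMPLE_LOG):
        print("isolation violation:", v)
```

Run against the constructed sample, four records are reported: a data-VLAN workstation reaching a controller's web interface on port 80, a phone on the voice VLAN sending SNMP to the same controller, SSH from a jump host (permitted on the firewall but absent from the allow-list, which is exactly the kind of drift the check is for), and a controller talking to an address outside every known zone. Traffic that stays inside one zone is deliberately ignored: the point of the check is the intersection, not the interior.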

When the security team is left out of network device management

When a company moves its building management, environmental control, monitoring and physical access networks onto Ethernet, functions that were previously isolated begin to interact with each other. The security team must immediately put controls in place to protect the newly converged network from Internet-borne threats such as Trojans and DoS attacks.

The problem is that security staff are generally not invited to take part in network convergence, and are often the last to hear of it. The best explanation is that security was not an early consideration, so they are notified very late. The worst is that the project team expects security to refuse, and so does not invite them at all; this happens often.

In addition, some security and network teams still refuse to accept reality and believe their company will never migrate device management onto Ethernet, even when that migration is already under way. In practice the energy and building management networks have often already been joined to Ethernet, but on so small a scale that nobody has considered their security. For example, even if you do not have a fancy building management system controlling lights and air conditioning unit by unit, you may still have mechanical plant in the data center that is connected to Ethernet. Nobody wants to tell you, but convergence is already there.

Unvetted network device management systems may contain viruses and worms

If your data center has a cooling system or UPS with reporting and monitoring capabilities, in most cases it is connected to an Ethernet switch. These control systems use standard protocols and are managed through software running on Windows or through a web interface. They may support HTTP, HTTPS, SNMP, SMTP, SSH and FTP, as well as syslog. To simplify development and reduce cost, they may also ship with off-the-shelf components such as MySQL or MS-SQL databases, Apache or IIS web servers and a ready-made SNMP library. Every vulnerability in those components is present on the controller as well, and controller firmware is typically updated far less often than the servers running the same software, so those vulnerabilities stay exploitable for longer. Several of the listed protocols (HTTP, FTP, SNMP v1 and v2c) also carry their credentials in the clear, so a management VLAN that anyone on the data network can reach exposes the passwords as well as the software.
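The cleartext-credential point is worth seeing on the wire. The following is an added example, not code from the original article: it builds a standards-conformant SNMPv2c GetRequest for sysDescr.0 by hand, then recovers the community string from the resulting datagram the way a passive listener on the management VLAN would. The OID and the community values "public" and "private" are the conventional ones; the controller address used in the main block is an assumption for illustration, and probe() must only be pointed at devices you are authorised to test.

```python
"""SNMPv2c GetRequest builder and community-string extractor.

Added example, not code from the original article. It demonstrates why SNMP v1
and v2c on a UPS or cooling controller count as a plaintext management protocol:
the community string, the only credential, travels as a cleartext OCTET STRING
in every datagram. The OID and community values are conventional; the device
address in the __main__ block is an assumption for illustration.
"""
import socket

SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"  # sysDescr.0: answered by virtually every SNMP agent
SNMP_V2C = 1                          # version field: 0 = v1, 1 = v2c, 3 = v3


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, else 0x80|count followed by big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(v: int) -> bytes:
    """INTEGER in minimal two's-complement form (covers the non-negative values used here)."""
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def _ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one octet, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get_request(community: str, oid: str, request_id: int = 0x1234) -> bytes:
    """SNMPv2c message (RFC 1901) carrying a GetRequest-PDU (RFC 3416) for one OID."""
    varbind = _tlv(0x30, _ber_oid(oid) + _tlv(0x05, b""))              # { name, NULL }
    pdu = _tlv(0xA0, _ber_int(request_id) + _ber_int(0) + _ber_int(0)   # id, error-status, error-index
               + _tlv(0x30, varbind))
    return _tlv(0x30, _ber_int(SNMP_V2C) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int):
    """Decode one BER TLV at pos; returns (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[start:start + length], start + length


def extract_community(datagram: bytes) -> str:
    """Recover the community string from a captured SNMP v1/v2c datagram.

    Anyone who can sniff the management VLAN can do exactly this, which is the
    point: v1/v2c 'authentication' is a password sent in the clear.
    """
    tag, msg, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, version, pos = _read_tlv(msg, 0)
    if tag != 0x02 or int.from_bytes(version, "big", signed=True) not in (0, 1):
        raise ValueError("not SNMP v1/v2c (v3 carries credentials differently)")
    tag, community, _ = _read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("malformed message: community OCTET STRING missing")
    return community.decode("ascii", errors="replace")


def probe(host: str, community: str = "public", timeout: float = 2.0) -> bool:
    """Send one GetRequest and report whether the agent answered with that community.

    Agents silently drop requests carrying the wrong community, so any reply means
    it was accepted. Only use against devices you are authorised to test.
    """
    request = build_get_request(community, SYS_DESCR_OID)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, 161))
        try:
            reply, _ = s.recvfrom(2048)
        except socket.timeout:
            return False
    return extract_community(reply) == community


if __name__ == "__main__":
    pkt = build_get_request("public", SYS_DESCR_OID)
    print(pkt.hex())
    print("community visible on the wire:", extract_community(pkt))
    # probe("10.30.0.12")  # assumed controller address; uncomment only on a network you may test
```

The encoded request is 41 bytes, and the community appears in it as the plain ASCII bytes of "public" immediately after the version field. A practitioner would use probe() during a convergence review to confirm that no UPS or cooling controller still answers to "public" or "private", and would treat any v1/v2c agent reachable from the data VLAN as a cleartext credential exposure, not merely a monitoring convenience.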

Surprisingly, your company may have spent millions of dollars ensuring that the data center has multiple redundant paths for power, cooling and network connectivity, including independent primary and standby feeds, backup UPS systems and generators. That redundancy was designed so that only a simultaneous failure of the independently built primary and standby systems could take the facility down. An SQL or HTTP worm is exactly such a simultaneous failure: the control systems for those physically independent supplies may all sit on the same Ethernet segment and share the same vulnerability, so one infection reaches all of them at once. Without anyone noticing, all of the redundancy has been collapsed into a single point of failure.
