2025-09-07

Wait, how many nodes?!?

My employer has been working through an IT security upgrade process, and recently performed a dry-run of an upcoming external audit. They report that they didn't find anything surprising or particularly worrying, but they took the opportunity to roll out new and updated employee agreements for just about everything computing related: use of company network resources and email addresses, protection of company hardware, and so on, including a new agreement for work-from-home.

That WFH agreement is the one that caught my eye. Buried in a lengthy bulleted list was a requirement to have anti-virus on "every other system on the network". We have, currently, one Windows box, one antiquated Mac, a networked Epson printer, a few Linux systems, three phones, an e-book reader and a bushel (or at least a peck) of tablets. How does that mess fit in?

I run ClamAV on all the Linux devices (I have reason to think that will be considered sufficient). My wife's Windows system has Windows Defender, and I'm told that's okay. But what about the antique Mac (even if I only boot it occasionally), and those tablets, phones, and readers? And what about guests: we have a bunch of people who come to visit bringing phones, computers and tablets with them, and common hospitality requires that we offer them connectivity.

Then, as I started to think about it, I realized that this list was incomplete. Like, seriously, incomplete. I mean, the PlayStation 4 is just the beginning. Despite a disinterest in "Smart Home" stuff, we have a number of things that could reasonably be characterized as IoT devices.

So I launched into the hardware identification stage of a network security audit this morning.

We have two smart TVs; two other WiFi-equipped appliances (though we have not configured their WiFi connections), and at least ten other WiFi-connected nodes providing minor but useful services. That's circa thirty devices sharing a single network segment. And it got that way one little choice at a time, without us really noticing.

My current thinking is that I need to segment the network to isolate guest and IoT devices from our primary computing resources and run at least some basic intrusion detection. Fun, eh?
