1457  Network Segmentation for IoT

1457.1 Network Segmentation for IoT Security

This chapter covers network architecture strategies for isolating IoT devices, including VLANs, firewall rules, micro-segmentation, and worked examples for industrial and healthcare environments.

1457.2 Learning Objectives

By the end of this chapter, you will be able to:

  • Design network segmentation architectures for IoT
  • Configure VLANs to isolate device categories
  • Write firewall rules following least privilege principles
  • Apply micro-segmentation for critical devices
  • Assess risk reduction from network isolation

1457.3 Why Network Segmentation Matters

Note: The Casino Fish Tank Hack

In 2017, attackers compromised a casino's network through an Internet-connected fish tank thermometer. Because the aquarium was on the same network as business systems, attackers pivoted from the thermometer to exfiltrate 10GB of high-roller customer data.

If network segmentation had been in place: the fish tank would have sat on an isolated IoT VLAN with no route to the customer databases.

1457.3.1 Flat Network vs Segmented Network

%% fig-alt: "Comparison of flat network where compromised IoT device can reach all systems (servers, workstations, databases) versus segmented network where IoT devices are isolated in separate VLAN with firewall rules blocking lateral movement to corporate systems."
%%{init: {'theme': 'base', 'themeVariables': {'primaryColor':'#2C3E50','primaryTextColor':'#fff','primaryBorderColor':'#16A085','lineColor':'#16A085','secondaryColor':'#E67E22','tertiaryColor':'#7F8C8D'}}}%%
flowchart TB
    subgraph flat["FLAT NETWORK (Dangerous)"]
        direction TB
        F1["IoT Device"]
        F2["Workstation"]
        F3["Server"]
        F4["Database"]
        F1 <--> F2 <--> F3 <--> F4
        F1 <--> F3
        F1 <--> F4
    end

    subgraph segmented["SEGMENTED NETWORK (Secure)"]
        direction TB
        subgraph iot["IoT VLAN"]
            S1["IoT Device"]
        end
        subgraph gw["Gateway Zone"]
            S2["IoT Gateway"]
            FW["Firewall"]
        end
        subgraph corp["Corporate VLAN"]
            S3["Workstation"]
            S4["Server"]
        end
        S1 --> S2
        S2 --> FW
        FW -->|"Limited Access"| S4
        S3 --> S4
    end

    style flat fill:#c0392b,stroke:#2C3E50,stroke-width:2px,color:#fff
    style segmented fill:#16A085,stroke:#2C3E50,stroke-width:2px,color:#fff

1457.4 Network Segmentation Architecture

1457.4.1 Segmentation Best Practices

Principle          | Implementation                        | Rationale
-------------------|---------------------------------------|---------------------------
Separate VLANs     | Each device class in its own VLAN     | Limit lateral movement
Default Deny       | Allow-list required connections only  | Minimize attack surface
Gateway Isolation  | IoT gateway in a separate zone        | Single point of control
Monitoring         | IDS at zone boundaries                | Detect anomalies early
No Direct Internet | All traffic through proxy/gateway     | Prevent C2 communication

%%{init: {'theme': 'base', 'themeVariables': {'primaryColor': '#2C3E50', 'primaryTextColor': '#fff', 'primaryBorderColor': '#2C3E50', 'lineColor': '#16A085', 'secondaryColor': '#E67E22', 'tertiaryColor': '#f5f5f5'}}}%%
flowchart TB
    subgraph Internet["Internet"]
        Cloud[Cloud Services]
    end

    subgraph DMZ["DMZ Zone"]
        FW1[Firewall/IPS]
        Proxy[API Gateway]
    end

    subgraph Corporate["Corporate Network"]
        FW2[Internal Firewall]
        IDS[IDS Monitor]
        Servers[Business Systems]
    end

    subgraph IoT_Zone["IoT Zone - Isolated"]
        GW[IoT Gateway]
        VLAN1[VLAN 100: Sensors]
        VLAN2[VLAN 101: Actuators]
        VLAN3[VLAN 102: Cameras]
    end

    Cloud <--> FW1
    FW1 <--> Proxy
    Proxy <--> FW2
    FW2 <--> Servers
    FW2 <--> IDS
    FW2 <-->|"Limited Access"| GW
    GW --> VLAN1
    GW --> VLAN2
    GW --> VLAN3
    IDS -.->|"Monitor"| GW

    style Internet fill:#7F8C8D,color:#fff
    style DMZ fill:#E67E22,color:#fff
    style Corporate fill:#2C3E50,color:#fff
    style IoT_Zone fill:#16A085,color:#fff

Figure 1457.1: Network Segmentation Architecture: Internet, DMZ, Corporate, and Isolated IoT Zones
Tip: Tradeoff: Network Segmentation vs Flat Network

Factor                   | Network Segmentation (VLANs/Zones)              | Flat Network
-------------------------|-------------------------------------------------|----------------------------------------------
Lateral Movement         | Blocked (attackers confined to segment)         | Unrestricted (one device compromise exposes all)
Configuration Complexity | Higher (firewall rules, routing, ACLs)          | Lower (plug and play)
Cost                     | $15K-50K for enterprise switches/firewalls      | Minimal (existing infrastructure)
Visibility               | Better (traffic crosses monitored boundaries)   | Harder (all traffic is "internal")
Device Communication     | Explicit allow-list required                    | Implicit trust between devices
Incident Containment     | Faster (isolate affected segment)               | Difficult (threat spreads rapidly)

Default recommendation: Always implement network segmentation for production IoT deployments.

1457.5 Worked Example: Designing Firewall Rules for Smart Building IoT Network

Scenario: A commercial building deploys 200 IoT devices including HVAC sensors, lighting controllers, security cameras, and access control panels. The security team must design firewall rules that allow necessary communications while preventing lateral movement attacks.

Given:

  • Corporate network: 192.168.1.0/24 (servers, workstations)
  • IoT VLAN 100 (HVAC): 10.100.100.0/24 (50 temperature sensors, 20 actuators)
  • IoT VLAN 101 (Lighting): 10.100.101.0/24 (80 smart switches)
  • IoT VLAN 102 (Security): 10.100.102.0/24 (30 cameras, 20 access panels)
  • IoT Gateway: 10.100.200.1 (central data collector)
  • Building Management System (BMS): 192.168.1.50 (admin interface)
  • External NTP server: 129.6.15.28 (NIST time server)
  • Required ports: MQTT-TLS (8883), HTTPS (443), NTP (123), RTSP (554 for cameras)

Step 1: Establish default deny policy (zero trust baseline):

# Default rule - deny all inter-VLAN traffic
# On a first-match firewall this catch-all must be the LAST rule in the
# list, after the allow rules from Steps 2-4; placed first it shadows them.
deny ip any any log

# This ensures only explicitly permitted traffic flows

Step 2: Allow IoT devices to reach gateway for telemetry upload:

# HVAC sensors -> Gateway: MQTT-TLS only
allow tcp 10.100.100.0/24 10.100.200.1 port 8883

# Lighting controllers -> Gateway: MQTT-TLS only
allow tcp 10.100.101.0/24 10.100.200.1 port 8883

# Security devices -> Gateway: MQTT-TLS + RTSP
allow tcp 10.100.102.0/24 10.100.200.1 port 8883
allow tcp 10.100.102.0/24 10.100.200.1 port 554

Step 3: Allow time synchronization (required for certificate validation):

# All IoT VLANs -> External NTP server
allow udp 10.100.100.0/24 129.6.15.28 port 123
allow udp 10.100.101.0/24 129.6.15.28 port 123
allow udp 10.100.102.0/24 129.6.15.28 port 123

Step 4: Allow BMS admin access to gateway (not directly to devices):

# BMS -> Gateway: HTTPS for management
allow tcp 192.168.1.50 10.100.200.1 port 443

# Block BMS direct access to IoT devices
deny ip 192.168.1.0/24 10.100.100.0/24
deny ip 192.168.1.0/24 10.100.101.0/24
deny ip 192.168.1.0/24 10.100.102.0/24

Step 5: Block inter-device communication within each VLAN:

# Prevent compromised device from attacking peers
# Note: traffic between two hosts in the same VLAN never crosses an L3
# firewall, so these rules only take effect if the switch forces peer
# traffic through it (private VLANs / port isolation on the access ports).
deny ip 10.100.100.0/24 10.100.100.0/24
deny ip 10.100.101.0/24 10.100.101.0/24
deny ip 10.100.102.0/24 10.100.102.0/24

Result:

  • Attack surface reduction: 200 devices reduced to 1 gateway as external interface
  • Lateral movement blocked: Compromised HVAC sensor cannot reach cameras or access panels
  • Audit capability: All inter-VLAN traffic logged with deny ... log rules
  • Rule count: 18 explicit rules (vs. 40,000+ possible device-to-device paths blocked)
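An added example (not part of the chapter) that treats the Step 1-5 rule set as a testable policy: it parses the chapter's pseudo-ACL syntax, evaluates a flow first-match, and flags allow rules that an earlier catch-all deny would shadow. The rule text is constructed from the steps above; the explicit deny rules of Steps 4 and 5 are omitted because the trailing catch-all already covers them.

```python
import ipaddress

# Constructed rule set: the Smart Building rules from Steps 1-4, in the order a
# first-match firewall must evaluate them (allow rules first, catch-all deny last).
SMART_BUILDING_RULES = """
allow tcp 10.100.100.0/24 10.100.200.1 port 8883
allow tcp 10.100.101.0/24 10.100.200.1 port 8883
allow tcp 10.100.102.0/24 10.100.200.1 port 8883
allow tcp 10.100.102.0/24 10.100.200.1 port 554
allow udp 10.100.100.0/24 129.6.15.28 port 123
allow udp 10.100.101.0/24 129.6.15.28 port 123
allow udp 10.100.102.0/24 129.6.15.28 port 123
allow tcp 192.168.1.50 10.100.200.1 port 443
deny ip any any log
"""


def _net(s):
    return ipaddress.ip_network("0.0.0.0/0" if s == "any" else s, strict=False)


def parse_rules(text):
    """Parse 'action proto src dst [port N] [log]' lines into tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        tok = line.split()
        action, proto, src, dst = tok[:4]
        port = int(tok[tok.index("port") + 1]) if "port" in tok else None
        rules.append((action, proto, _net(src), _net(dst), port, "log" in tok))
    return rules


def evaluate(rules, proto, src, dst, port):
    """First-match evaluation; anything unmatched is implicitly denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport, _log in rules:
        if rproto not in ("ip", proto):
            continue
        if s in rsrc and d in rdst and rport in (None, port):
            return action
    return "deny"


def shadowed_allows(rules):
    """Indexes of allow rules listed after a catch-all deny (never reachable)."""
    catch_all_seen, out = False, []
    for i, (action, proto, src, dst, port, _log) in enumerate(rules):
        if action == "deny" and proto == "ip" and port is None \
                and src.prefixlen == 0 and dst.prefixlen == 0:
            catch_all_seen = True
        elif action == "allow" and catch_all_seen:
            out.append(i)
    return out
```

Running `shadowed_allows` over a rule list that starts with the Step 1 deny shows every allow rule flagged, which is the ordering mistake the Step 1 comment warns about.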

1457.6 Worked Example: Network Segmentation Security Assessment

Scenario: A manufacturing facility has 500 IoT sensors on the same network as corporate workstations. After a phishing attack compromises one workstation, you must assess the risk and design network segmentation.

Given:

  • 500 IoT sensors (temperature, pressure, vibration monitors)
  • 200 corporate workstations
  • 1 compromised workstation with network access
  • All devices currently on a single flat network (192.168.1.0/24)
  • IoT sensors communicate with a local SCADA server and a cloud dashboard

Step 1: Calculate Current Attack Surface

On a flat network, the compromised workstation can reach:

  • All 500 IoT sensors (potential lateral movement)
  • All 199 other workstations
  • SCADA server (critical infrastructure)

Attack Surface = 500 + 199 + 1 = 700 reachable targets

Step 2: Design Segmented Network

VLAN    | Subnet        | Devices       | Purpose
--------|---------------|---------------|------------------
VLAN 10 | 10.10.10.0/24 | IoT Sensors   | Sensor data only
VLAN 20 | 10.10.20.0/24 | SCADA Server  | Process control
VLAN 30 | 10.10.30.0/24 | Workstations  | Corporate IT
VLAN 40 | 10.10.40.0/24 | Cloud Gateway | External comms

Step 3: Define Firewall Rules (Least Privilege)

# VLAN 10 (IoT) -> VLAN 20 (SCADA): ALLOW port 502 (Modbus)
# VLAN 10 (IoT) -> VLAN 40 (Gateway): ALLOW port 8883 (MQTTS)
# VLAN 10 (IoT) -> VLAN 30 (Workstations): DENY ALL
# VLAN 30 (Workstations) -> VLAN 10 (IoT): DENY ALL
# VLAN 30 (Workstations) -> VLAN 20 (SCADA): ALLOW port 443 (HTTPS dashboard)

Step 4: Calculate New Attack Surface

With segmentation, the compromised workstation (VLAN 30) can only reach:

  • 199 other workstations in VLAN 30
  • SCADA dashboard (port 443 only, read-only view)

New Attack Surface = 199 + 1 = 200 reachable targets

Step 5: Quantify Risk Reduction

Metric                 | Before          | After              | Improvement
-----------------------|-----------------|--------------------|-------------------
Reachable Targets      | 700             | 200                | 71% reduction
IoT Sensors at Risk    | 500             | 0                  | 100% protected
Lateral Movement Paths | Unlimited       | 1 (dashboard only) | Critical reduction
Blast Radius           | Entire facility | Single VLAN        | Contained

Result: Network segmentation reduces attack surface by 71% and completely isolates IoT sensors from corporate compromise.
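An added example (not from the chapter) that encodes the Step 1/4/5 attack-surface arithmetic as a reusable model: zones with host counts plus the Step 3 allow-list, counted the way the chapter counts (peers in the attacker's own zone, plus every host in a zone an allow rule reaches, a service-only target counting once). It also generalizes to the intra-VLAN isolation from the Smart Building example, so the effect of private VLANs on the blast radius can be read off too; zone names and the flow dictionary are constructed here.

```python
# Constructed model of the manufacturing facility: hosts per zone and the
# allowed cross-zone flows from Step 3. Only direct reach is counted, as in
# the chapter; pivoting through a reached host is out of scope here.
FLAT = {"flat": 500 + 200 + 1}          # sensors + workstations + SCADA server
SEGMENTED = {"iot": 500, "scada": 1, "workstations": 200, "gateway": 1}

# (source zone, destination zone) -> allowed service, per Step 3
SEGMENTED_FLOWS = {
    ("iot", "scada"): "502/modbus",
    ("iot", "gateway"): "8883/mqtts",
    ("workstations", "scada"): "443/https-dashboard",
}


def reachable_targets(zones, flows, compromised_zone, intra_zone_isolated=False):
    """Hosts one compromised device in compromised_zone can reach directly."""
    # peers in the same broadcast domain, unless private VLANs cut them off
    peers = 0 if intra_zone_isolated else zones[compromised_zone] - 1
    # every host in each zone that an allow rule lets this zone talk to
    remote = sum(zones[dst] for (src, dst) in flows if src == compromised_zone)
    return peers + remote


def exposed_hosts(zones, flows, compromised_zone, target_zone):
    """Hosts in target_zone directly reachable from compromised_zone."""
    return zones[target_zone] if (compromised_zone, target_zone) in flows else 0


def risk_reduction(before, after):
    """Percentage reduction in reachable targets, rounded as in Step 5."""
    return round(100 * (before - after) / before)


def assessment():
    """Reproduce the Before/After row of the Step 5 table."""
    before = reachable_targets(FLAT, {}, "flat")
    after = reachable_targets(SEGMENTED, SEGMENTED_FLOWS, "workstations")
    return {
        "before": before,
        "after": after,
        "reduction_pct": risk_reduction(before, after),
        "iot_at_risk": exposed_hosts(SEGMENTED, SEGMENTED_FLOWS, "workstations", "iot"),
    }
```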

1457.7 Worked Example: Network Segmentation for Hospital IoT

Scenario: A 300-bed hospital needs to segment its network to isolate medical IoT devices (infusion pumps, patient monitors) from administrative systems while meeting HIPAA requirements.

Design:

VLAN 10: Administrative (172.16.10.0/24) - 254 hosts
    - Workstations, printers, admin servers

VLAN 20: Clinical Systems (172.16.20.0/24) - 254 hosts
    - EHR servers, clinical workstations

VLAN 30: Medical Devices - Critical (172.16.30.0/23) - 510 hosts
    - Life-critical: Ventilators, infusion pumps, monitors
    - Requires 99.999% availability

VLAN 40: Medical Devices - Imaging (172.16.40.0/24) - 254 hosts
    - CT, MRI, X-ray (high bandwidth, less time-critical)

VLAN 50: Biomedical Engineering (172.16.50.0/24) - 254 hosts
    - Device management workstations

VLAN 100: Guest Wi-Fi (172.16.100.0/22) - 1022 hosts
    - Completely isolated, internet-only access

Firewall Rules:

# Medical Devices -> Clinical Systems: HL7/FHIR only
allow tcp 172.16.30.0/23 172.16.20.0/24 port 2575  # HL7 MLLP
allow tcp 172.16.30.0/23 172.16.20.0/24 port 443   # FHIR over HTTPS

# Biomedical Engineering -> Medical Devices: Full access
allow ip 172.16.50.0/24 172.16.30.0/23
allow ip 172.16.50.0/24 172.16.40.0/24

# Guest Wi-Fi -> Anything internal: DENY ALL (listed before the Internet allow)
deny ip 172.16.100.0/22 172.16.0.0/16
allow ip 172.16.100.0/22 0.0.0.0/0  # Internet only

Result:

  • HIPAA compliance: PHI-handling systems isolated from guest and administrative traffic
  • Attack containment: Compromised guest device cannot reach any medical system
  • Operational continuity: Biomedical engineering retains full access for maintenance

1457.8 Summary

This chapter covered network segmentation for IoT:

  • VLANs: Isolate device categories into separate broadcast domains
  • Firewall Rules: Default-deny with explicit allow-lists
  • Micro-segmentation: Device-level isolation for critical assets
  • Risk Quantification: Measure attack surface reduction from segmentation
  • Compliance: Meet regulatory requirements through documented network architecture

1457.9 What's Next

The next chapter explores Common IoT Security Mistakes including real-world attack scenarios, security pitfalls, and best practices for avoiding breaches.

Continue to Common Security Mistakes →