IoT Protect

IoT devices are often targeted by cyber criminals as these devices may have limited security features. Quantum Spark gateways provide IoT discovery which identifies IoT devices at the customer site and then protects these devices from being compromised.

The Access Policy > Firewall > IoT page shows the automatic policy enforcement for each IoT asset type. All connected devices are automatically displayed on the Home > Monitoring > Assets page. The IoT page shows only the IoT devices.

When you enable the IoT blade on the appliance, it recognizes each IoT device that connects to the Security Gateway (a dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources) and automatically enforces the practices in the preconfigured IoT policy.

IoT is enabled by default.

You do not need to configure the policy for each IoT device that connects to your appliance.

General rules for IoT are preconfigured. For example, the appliance always allows traffic to some domains, and always blocks traffic to other domains. You can make some changes to the policy.

Getting Started

  1. Go to Access Policy > Firewall > IoT.

  2. Move the IoT Protection slider to Enable.

  3. Optional: Configure advanced policy settings:

    1. Click Advanced policy settings.

    2. Configure the applicable options:

      • Monitor Mode - Move the slider to enable Monitor Mode for the cleanup rule. In Monitor Mode, traffic that no IoT rule matches is logged instead of dropped.

      • Newly discovered functions - Select the policy for newly discovered assets:

        • Always prevent

        • Always detect

        • Define IoT mode per function - You can define the policy per IoT type (function) instead of according to the recommended default.

          Note - For IP cameras and printers the default is to block traffic that is not part of the IoT policy. For other device types the default is monitor, or Exclude from IoT policy (the IoT policy is not applied to that type).

      • DNS servers to trust - Use this if an IoT host resolves names through a DNS server that is not the gateway and is not the DNS server the gateway itself uses. Create DNS server objects for those servers and select Trust custom DNS servers. You can also select Trust all DNS, but this is less secure: the IoT policy is written in terms of domains, so the gateway can only match a destination IP address to an allowed or blocked domain if it trusts the DNS reply that produced that address. Trusting every DNS server means a device pointed at a rogue resolver could have an arbitrary IP address resolved under an approved domain name.

      • Update Practices Now - An IoT practice is the policy established by the vendor for an IoT asset type. When the vendor updates a practice, the user is notified as part of the periodic updates, or can click here to fetch the update immediately.

    3. Click Save.

  4. Connect the IoT device to your local network. The appliance automatically recognizes this IoT device and applies the IoT policy to its traffic.

Monitoring

If the user has multiple IoT devices, it may take a few minutes until the Home > Monitoring > Assets page shows all of the devices.

The same counters on the Assets page also appear on the Home > Monitoring > IoT page, with an additional graph for the policy and functions.

When you enable monitoring on an asset, the gateway pings the asset. If the asset keeps failing to answer for the configured period (default is 2 minutes), a notification is sent.
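The reachability check above is a time-window rule, not a single-probe rule: one lost ping does not raise a notification, only a failure that persists for the whole period does. The following is an added example that models that logic; it is not Check Point code. The gateway's ping and notification channel are replaced by injected callables so it runs offline, the 2-minute default comes from this page, and the single-notification-per-outage behaviour and the recovery message are assumptions of this model.

```python
"""Availability monitor in the spirit of the Assets page check described above.

Added example, not Check Point code. `probe` stands in for the gateway's ping
and `notify` for its notification channel; both are injected so the timing
logic can be exercised with a constructed timeline.
"""
from __future__ import annotations

from typing import Callable, Optional


class AssetMonitor:
    def __init__(self, name: str, probe: Callable[[], bool],
                 notify: Callable[[str], None], fail_period: float = 120.0):
        self.name = name
        self.probe = probe
        self.notify = notify
        self.fail_period = fail_period          # page default: 2 minutes
        self.first_failure: Optional[float] = None
        self.alerted = False                    # assumption: notify once per outage

    def check(self, now: float) -> bool:
        """Run one probe at time `now` (seconds); return whether the asset answered."""
        if self.probe():
            if self.alerted:                    # assumption: announce recovery too
                self.notify(f"{self.name} is reachable again")
            self.first_failure = None
            self.alerted = False
            return True
        if self.first_failure is None:
            self.first_failure = now            # open the window; one lost ping is not an outage
        elif not self.alerted and now - self.first_failure >= self.fail_period:
            self.notify(f"{self.name} did not answer ping for {self.fail_period:.0f}s")
            self.alerted = True
        return False


def run_scenario() -> list[str]:
    """Constructed timeline: polling every 30 s, the asset goes silent at
    t=60 s and answers again from t=300 s. Returns the notifications sent."""
    events: list[str] = []
    state = {"up": True}
    monitor = AssetMonitor("lobby-cam", probe=lambda: state["up"], notify=events.append)
    for t in range(0, 361, 30):
        state["up"] = t < 60 or t >= 300
        monitor.check(float(t))
    return events


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

In the scenario the first failed probe is at t=60 s, the window reaches 120 s at t=180 s and the notification fires there; the probes at 210, 240 and 270 s do not repeat it, and the recovery message follows at t=300 s.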

The devices are grouped according to family. For each family, you can see the policy and drill down to see the vendors, domains, and other information. Click the Assets graph on the far right of the page and filter for type.

For example, an IP camera may show multiple assets from a number of different vendors. The policy details include:

  • Access from the internet - Domains that attempt to connect to your device. Options: Prevent, Monitor, Block, Exclude from IoT policy.

  • Access to the internet - Domains to which your device attempts to connect. Options: Prevent, Monitor, Block, Exclude from IoT policy. For IP cameras and printers, the default is Prevent but for other devices the default is Monitor. For some devices (for example, smart TV), access to the internet is disabled.

  • Approved destinations - To add a new destination to the approved list, enter a value and click the +.

  • Log traffic for this asset - Send logs for this device or not.

Configuring

The IoT rules appear on the Access Policy > Firewall Policy page. General rules for IoT are preconfigured. For example, there are some domains that are always allowed, and some domains that are always blocked. All attempts appear in the logs, and you can receive notifications of this activity.

The policy rules show which domains are allowed. A request to access a blocked domain is dropped. You can make these changes to the policy:

  • Add a custom destination to the allowed domain services. For example, if you want a printer to upload scans to Google Cloud, add that destination to the printer's approved destinations.
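The Getting Started, Monitoring and Configuring sections above describe one decision flow: the per-function mode (Prevent, Monitor or Exclude), the vendor practice's always-allowed and always-blocked domains, the asset's own approved destinations, the cleanup rule, and the trusted-DNS setting that decides which DNS replies may map an IP address to a domain. The following is an added example, not Check Point code, that models that flow end to end so the interaction between the settings can be seen on concrete traffic. The function names, practice contents, asset names and all resolver and destination addresses are constructed for the demo; it also enforces the single-IP-or-single-domain limitation from the Limitations section when an approved destination is added.

```python
"""Toy model of the IoT Protect decision flow described in the sections above.

Added example, not Check Point code. Practice contents, asset names,
resolver and destination addresses are constructed for the demo.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    PREVENT = "prevent"   # cleanup rule drops traffic the practice does not cover
    MONITOR = "monitor"   # cleanup rule only logs such traffic
    EXCLUDE = "exclude"   # IoT policy not applied to this function


# Page defaults: IP cameras and printers prevent, other functions monitor.
FUNCTION_DEFAULTS = {"ip_camera": Mode.PREVENT, "printer": Mode.PREVENT}
NEW_FUNCTION_DEFAULT = Mode.MONITOR


def validate_destination(value: str) -> str:
    """Approved destinations are a single IPv4 address or a single domain:
    no port, service, CIDR range or URL (the limitation listed on this page).
    IPv6 is rejected too, since the page says the policy is not enforced on it."""
    value = value.strip().lower()
    if not value or "/" in value or ":" in value:
        raise ValueError(f"not a single IP address or domain: {value!r}")
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        labels = value.split(".")
        if len(labels) < 2 or not all(l and l.replace("-", "").isalnum() for l in labels):
            raise ValueError(f"not a single IP address or domain: {value!r}")
        return value


@dataclass
class Asset:
    name: str
    function: str                        # IoT type, e.g. "ip_camera" or "printer"
    approved: set[str] = field(default_factory=set)

    def approve(self, destination: str) -> None:
        self.approved.add(validate_destination(destination))


@dataclass
class Practice:                          # vendor lists for one function
    allow: set[str] = field(default_factory=set)
    block: set[str] = field(default_factory=set)


class IoTPolicy:
    def __init__(self, practices: dict[str, Practice], trusted_dns: set[str],
                 trust_all_dns: bool = False, per_function: dict[str, Mode] | None = None):
        self.practices = practices
        self.trusted_dns = set(trusted_dns)
        self.trust_all_dns = trust_all_dns
        self.per_function = {**FUNCTION_DEFAULTS, **(per_function or {})}
        self.dns_cache: dict[str, set[str]] = {}   # answer IP -> names from trusted replies

    def observe_dns_reply(self, resolver: str, name: str, answer_ip: str) -> bool:
        """Domain rules can only match addresses a trusted DNS server resolved.
        Replies from any other resolver are ignored, so a device pointed at a
        rogue resolver cannot relabel an arbitrary IP as an approved domain."""
        if not (self.trust_all_dns or resolver in self.trusted_dns):
            return False
        self.dns_cache.setdefault(answer_ip, set()).add(name.lower())
        return True

    def mode_for(self, function: str) -> Mode:
        return self.per_function.get(function, NEW_FUNCTION_DEFAULT)

    def evaluate(self, asset: Asset, dst_ip: str) -> tuple[str, str]:
        """Return (action, reason) for a connection from asset to dst_ip."""
        mode = self.mode_for(asset.function)
        if mode is Mode.EXCLUDE:
            return "accept", "excluded from IoT policy"
        names = self.dns_cache.get(dst_ip, set())
        practice = self.practices.get(asset.function, Practice())
        if names & practice.block:
            return "drop", "always-blocked domain"
        if names & practice.allow:
            return "accept", "practice domain"
        if dst_ip in asset.approved or names & asset.approved:
            return "accept", "approved destination"
        if mode is Mode.PREVENT:                      # cleanup rule
            return "drop", "cleanup rule (prevent)"
        return "accept", "cleanup rule (monitor only)"


def demo() -> list[tuple[str, str]]:
    """Constructed scenario: a camera with one approved destination, a smart TV
    of a newly discovered function, and one DNS reply from an untrusted resolver."""
    practices = {"ip_camera": Practice(allow={"firmware.camvendor.example"},
                                       block={"telemetry.bad.example"})}
    policy = IoTPolicy(practices, trusted_dns={"192.168.1.1"})
    cam = Asset("lobby-cam", "ip_camera")
    cam.approve("cloud.example.com")
    tv = Asset("lobby-tv", "smart_tv")
    policy.observe_dns_reply("192.168.1.1", "cloud.example.com", "203.0.113.10")
    policy.observe_dns_reply("192.168.1.1", "firmware.camvendor.example", "203.0.113.20")
    policy.observe_dns_reply("192.168.1.1", "telemetry.bad.example", "203.0.113.30")
    policy.observe_dns_reply("198.51.100.53", "cloud.example.com", "198.51.100.7")  # untrusted
    return [policy.evaluate(cam, "203.0.113.10"),    # approved destination
            policy.evaluate(cam, "203.0.113.20"),    # practice domain
            policy.evaluate(cam, "203.0.113.30"),    # always blocked
            policy.evaluate(cam, "198.51.100.7"),    # rogue mapping ignored, camera prevents
            policy.evaluate(tv, "198.51.100.7")]     # new function, monitor only
```

The fourth verdict is the point of the DNS setting: the untrusted resolver's claim that 198.51.100.7 is cloud.example.com is never cached, so the camera's connection to it falls through to the cleanup rule and is dropped, while the same connection from the smart TV is only logged because its function defaults to Monitor. Construct the policy with trust_all_dns=True and the rogue mapping is accepted, which is what the page means by "less secure".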

Limitations

  • Approved destinations in IoT support only a single IP address or a single domain. It is not possible to add an approved destination for a specific port or a service.

  • IoT Protect for SMB is not supported on Rugged models: 1570R, 1575R, and 1595R. Quantum Rugged supports IoT Protect for Enterprise (see the table below for a comparison between the two IoT models).

  • If IoT devices sit behind an Access Point (AP) or a Layer 3 device, configure that device to operate at Layer 2 (bridged), so that the gateway sees each IoT host's own address and can identify it. Otherwise the gateway sees only the Layer 3 device, and the IoT policy is not applied to the hosts behind it.

  • IoT policy is not enforced on IPv6 traffic.