CloudSecurityAlliance / IoT-Framework


Review of IoT Framework #3

Open Princess369 opened 2 years ago

Princess369 commented 2 years ago

Sometimes IoT devices may have duplicate MAC addresses if not manufactured by only one manufacturer (assembled in parts). Do the controls assume a unique MAC address per device? How is the issue of duplicate addresses handled?

pbjason9 commented 2 years ago

@Princess369 We probably shouldn't have controls that do any validation based on MAC address.

It looks like we have control SAP-13: Map Media Access Control (MAC) addresses of each device to IP addresses and enforce network access control based on MAC address. In the additional column, we note that MAC addresses can be spoofed, but this is at least another layer of protection.

@scriptingxss any thoughts on whether we should either update the wording of the control or delete it entirely?

Thanks, Brian

scriptingxss commented 2 years ago

Anecdotally, networking manufacturers provide various MAC-based solutions with customized policies (using 802.1X, for example) to ensure trusted devices are allowed on the network as part of rogue device security control requirements. I'm aware of Port Security (Cisco) and SecureConnect (Cisco Meraki).

Perhaps we should add more emphasis on the layered protection bit, since MAC-based protections themselves might not be sufficient, though enterprise ("grade") networking devices do provide solutions that fulfill this control and more.
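The two failure modes the thread raises (a spoofed MAC and two legitimate devices that happen to share one) and the "layered" fix, as an added example that is not part of this issue thread or of the CSA IoT Framework. It is a toy network access controller in Python: `MacOnlyNac` enforces SAP-13 as worded (MAC allowlist plus a single MAC-to-IP binding), and `LayeredNac` keeps that layer but binds admission to a device identity proven by an HMAC challenge-response, which stands in here for the 802.1X/EAP exchange a real switch delegates to a RADIUS server. The inventory, device IDs, keys and addresses are constructed for the example, and the assumption is that an identity and a per-device secret were provisioned out of band at onboarding.

```python
import hashlib
import hmac
import secrets

# Constructed inventory (assumption: a device identity and a per-device secret
# are provisioned out of band). sensor-0001 and sensor-0002 deliberately share
# a MAC, the duplicate-MAC case raised in the issue.
INVENTORY = {
    "sensor-0001": {"mac": "aa:bb:cc:00:00:01", "key": b"k-sensor-0001"},
    "sensor-0002": {"mac": "aa:bb:cc:00:00:01", "key": b"k-sensor-0002"},
    "camera-0007": {"mac": "aa:bb:cc:00:00:07", "key": b"k-camera-0007"},
}


class MacOnlyNac:
    """SAP-13 as worded: allowlist on MAC and keep one MAC -> IP binding."""

    def __init__(self, allowed_macs):
        self.allowed = set(allowed_macs)
        self.mac_to_ip = {}

    def admit(self, mac, ip):
        if mac not in self.allowed:
            return "deny:unknown-mac"
        bound = self.mac_to_ip.get(mac)
        if bound is not None and bound != ip:
            # A second address claiming a bound MAC: a spoofer, or a second
            # legitimate device with a duplicate MAC. The NAC cannot tell.
            return "deny:mac-already-bound"
        self.mac_to_ip[mac] = ip
        return "allow"


class LayeredNac:
    """MAC allowlist plus a per-device challenge-response keyed by device
    identity (stand-in for 802.1X/EAP). The unit of binding is the identity,
    so the MAC becomes a reporting hint rather than the credential."""

    def __init__(self, inventory):
        self.inventory = inventory
        self.allowed = {d["mac"] for d in inventory.values()}
        self.identity_to_binding = {}

    def challenge(self):
        return secrets.token_bytes(16)  # fresh nonce per attempt

    def admit(self, device_id, mac, ip, nonce, response):
        if mac not in self.allowed:
            return "deny:unknown-mac"
        dev = self.inventory.get(device_id)
        if dev is None or dev["mac"] != mac:
            return "deny:unknown-identity"
        expected = device_response(dev["key"], nonce, mac, ip)
        if not hmac.compare_digest(expected, response):
            return "deny:bad-credential"
        # Two inventory entries may share a MAC; keyed by identity they coexist.
        self.identity_to_binding[device_id] = (mac, ip)
        return "allow"


def device_response(key, nonce, mac, ip):
    """Supplicant side: prove possession of the device key for this nonce,
    MAC and IP. Binding the nonce defeats replay of an earlier answer."""
    return hmac.new(key, nonce + mac.encode() + ip.encode(), hashlib.sha256).digest()


def scenario_mac_only():
    """Legitimate device first; spoofer and duplicate-MAC twin are then both
    refused with the same verdict, and an unknown MAC is refused outright."""
    nac = MacOnlyNac(d["mac"] for d in INVENTORY.values())
    mac = INVENTORY["sensor-0001"]["mac"]
    return {
        "legit": nac.admit(mac, "10.0.0.5"),
        "spoofer": nac.admit(mac, "10.0.0.99"),
        "duplicate_twin": nac.admit(mac, "10.0.0.6"),
        "unknown_mac": nac.admit("aa:bb:cc:00:00:ff", "10.0.0.7"),
    }


def scenario_mac_only_rogue_first():
    """Same control, spoofer connects first: it wins and the real device is
    locked out. Order of arrival decides, not trust."""
    nac = MacOnlyNac(d["mac"] for d in INVENTORY.values())
    mac = INVENTORY["sensor-0001"]["mac"]
    return {"spoofer": nac.admit(mac, "10.0.0.99"), "legit": nac.admit(mac, "10.0.0.5")}


def scenario_layered():
    """Layered control: only holders of the provisioned key get in, the
    duplicate-MAC twin is admitted under its own identity, replay fails."""
    nac = LayeredNac(INVENTORY)
    mac = INVENTORY["sensor-0001"]["mac"]
    key1, key2 = INVENTORY["sensor-0001"]["key"], INVENTORY["sensor-0002"]["key"]
    n1 = nac.challenge()
    legit = nac.admit("sensor-0001", mac, "10.0.0.5", n1, device_response(key1, n1, mac, "10.0.0.5"))
    n2 = nac.challenge()  # spoofer knows MAC and identity but not the key
    spoofer = nac.admit("sensor-0001", mac, "10.0.0.99", n2, device_response(b"guess", n2, mac, "10.0.0.99"))
    n3 = nac.challenge()  # twin shares the MAC but has its own identity and key
    twin = nac.admit("sensor-0002", mac, "10.0.0.6", n3, device_response(key2, n3, mac, "10.0.0.6"))
    n4 = nac.challenge()  # replaying the answer to n1 against a new challenge
    replay = nac.admit("sensor-0001", mac, "10.0.0.5", n4, device_response(key1, n1, mac, "10.0.0.5"))
    return {"legit": legit, "spoofer": spoofer, "duplicate_twin": twin, "replay": replay}


if __name__ == "__main__":
    print("mac-only:", scenario_mac_only())
    print("mac-only, rogue first:", scenario_mac_only_rogue_first())
    print("layered:", scenario_layered())
```

The MAC-only scenarios show the control's real limit: it cannot distinguish a spoofer from a duplicate-MAC device, and whichever arrives first holds the binding. The layered scenario keeps the MAC-to-IP map for reporting but makes the provisioned per-device credential the thing that decides admission, which is what an 802.1X deployment with per-device certificates or keys does on a real switch.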