Network Security Architecture

IoT and Unmanaged Device Security Through Network Controls

Every enterprise network carries a growing population of devices that cannot run endpoint agents, authenticate with certificates, or be patched on normal cycles. These devices create specific operational risks that standard security architectures cannot address.

IVI designs and deploys network security architectures for IoT and unmanaged device environments — using layered visibility, segmentation, and detection controls at the network layer where consistent enforcement is possible.

Network-layer security architecture for devices that cannot be secured at the endpoint.

The Challenge

Unmanaged devices create risks that standard security architectures cannot address

In manufacturing, healthcare, retail, and distributed enterprise environments, thousands of devices operate on networks without endpoint security capabilities.

The Operational Reality

Every enterprise network carries devices that cannot run endpoint agents, authenticate with certificates, or be patched on normal cycles. They communicate on the same network segments as user workstations and servers — and security teams often maintain only partial visibility into what these devices are and where they operate.

  • Cannot be patched on normal cycles, so they accumulate known vulnerabilities
  • Cannot authenticate, so trust depends entirely on where they sit in the network
  • Remain invisible to endpoint security tools
  • Attacks that originate from these devices evade detection until they have already propagated

Network-Layer Security Architecture

IVI addresses IoT and unmanaged device security through layered network architecture: discover what operates on the network; enforce segmentation that limits device communication scope; monitor traffic to detect anomalous behavior.

Visibility Layer

Passive discovery and device profiling using Arista streaming telemetry and network traffic analysis.

Segmentation Layer

NAC implementation and dedicated network segments with Palo Alto Networks NGFW enforcement.

Detection Layer

Traffic monitoring and anomaly detection integrated with Aegis incident response.

Implementation Process

Five-phase approach from discovery through operational monitoring.

1. IoT Discovery Assessment

Deploy passive discovery tooling and analyze streaming telemetry to build complete device inventories with communication patterns.

2. Segmentation Architecture Design

Design IoT segmentation architecture with communication matrix, NAC policy, and firewall rule framework.

3. NAC and Enforcement Implementation

Implement 802.1X authentication, MAC Authentication Bypass (MAB)-based device profiling, VLAN segmentation, and Palo Alto Networks firewall enforcement.
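The communication matrix from the design phase is what the firewall rule framework and the monitoring alerts are derived from. The following is an added example, not IVI's tooling: it encodes a small segment plan and allow-matrix (placeholder CIDRs, VLAN names and ports are all constructed) and evaluates a handful of constructed flow records against it, flagging anything outside the matrix as a violation the detection layer should alert on.

```python
import ipaddress
from typing import Iterable

# Constructed segment plan (placeholder addressing, not a real site): segment -> CIDR
SEGMENTS = {
    "iot-cameras": ipaddress.ip_network("10.30.10.0/24"),
    "iot-hvac": ipaddress.ip_network("10.30.20.0/24"),
    "video-recorder": ipaddress.ip_network("10.40.1.0/28"),
    "corporate-users": ipaddress.ip_network("10.10.0.0/16"),
}

# Communication matrix: (source segment, destination segment) -> allowed destination ports.
# Pairs that are absent are denied; that default-deny is what the firewall rules enforce.
MATRIX = {
    ("iot-cameras", "video-recorder"): {554},   # cameras stream RTSP to the NVR only
    ("corporate-users", "iot-cameras"): {443},  # admin UI reachable from users
    ("corporate-users", "iot-hvac"): {443},
}

def segment_of(ip: str) -> str:
    """Map an address to its segment name, or 'unknown' if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def evaluate_flow(src: str, dst: str, dport: int) -> dict:
    """Classify one flow as allowed or not according to the matrix."""
    s, d = segment_of(src), segment_of(dst)
    allowed = dport in MATRIX.get((s, d), set())
    return {"src_segment": s, "dst_segment": d, "dport": dport, "allowed": allowed}

def violations(flows: Iterable[tuple]) -> list:
    """Flows outside the matrix; these become alerts for the monitoring layer."""
    return [f for f in (evaluate_flow(*x) for x in flows) if not f["allowed"]]

# Constructed flow sample: (src, dst, dport)
SAMPLE_FLOWS = [
    ("10.30.10.15", "10.40.1.5", 554),   # camera -> NVR, expected
    ("10.30.10.15", "10.10.5.20", 445),  # camera -> user workstation, not in matrix
    ("10.30.20.7", "10.30.10.15", 80),   # HVAC controller -> camera, not in matrix
    ("10.10.5.20", "10.30.20.7", 443),   # admin -> HVAC UI, expected
]

if __name__ == "__main__":
    for v in violations(SAMPLE_FLOWS):
        print("ALERT", v)
```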

Key Capabilities

Six core capabilities that constitute the security architecture for unmanaged devices.

IoT Device Discovery and Inventory

Passive network discovery using Arista streaming telemetry to build comprehensive device inventories with type, manufacturer, and communication patterns.

Network Access Control (NAC)

802.1X authentication for managed devices and MAC Authentication Bypass with device profiling for unmanaged devices.

IoT Network Segmentation Design

Dedicated network segments organized by device type and function with Palo Alto Networks NGFW enforcement at boundaries.

OT/IT Network Boundary Architecture

Formal boundary between OT and IT networks with perimeter firewall policy and unidirectional security gateways where required.

Network Traffic Monitoring

IoT device segments integrated into Aegis monitoring with alert configurations that reflect expected device behavior.

Vulnerability Management

Software lifecycle register tracking firmware versions and CVE exposure with compensating controls for unpatchable vulnerabilities.

Outcomes

  • Complete operational visibility into every device on your network
  • IoT devices on dedicated segments with enforced communication policies
  • 802.1X authentication for managed devices with unknown device quarantine
  • Anomalous IoT behavior detected before it becomes an incident
  • Attack surface reduced through network-layer enforcement
  • Compliance support for frameworks addressing unmanaged device risk

Ideal Fit

  • Manufacturing, healthcare, retail, or distributed enterprise environments with large IoT populations
  • Flat or inadequately segmented networks where IoT devices can reach critical systems
  • Compliance requirements addressing unmanaged device security (HIPAA, IEC 62443, PCI DSS)
  • Organizations that have experienced security incidents originating from unmanaged devices

Industry Applications

Vertical-specific IoT security challenges and architecture approaches


Manufacturing (OT/IT Convergence)

Industrial control systems, PLCs, HMIs, and SCADA infrastructure with IEC 62443-compliant segmentation design.

Best Fit

Organizations with industrial infrastructure where compromised devices can halt production.

Healthcare (Medical Device Security)

Medical device network segments with enforcement limiting communication to functional requirements.

Best Fit

Healthcare organizations with medical devices that cannot be patched without vendor involvement.

Retail and Multi-Site Enterprise

POS terminals, digital signage, and building automation with PCI DSS CDE isolation requirements.

Best Fit

Retail environments requiring consistent enforcement across multiple locations.

Higher Education

Research equipment, building automation, and student IoT devices with flexible segmentation models.

Best Fit

University campuses with extraordinary diversity in connected devices.

Why IVI

Architecture expertise across the technologies and verticals where IoT security matters most

Integrated Technology Stack

Arista campus switching expertise for telemetry and NAC, Palo Alto Networks expertise for enforcement, and Aegis operations for ongoing management.

Arista Campus Expertise

Streaming telemetry, 802.1X-capable access ports, and device visibility capabilities.

Palo Alto Networks Integration

App-ID and threat prevention enforcement at IoT segment boundaries.

Aegis Operations

Co-managed operations ensuring segmentation and monitoring architecture continues to function over time.

Vertical Experience

Operational experience across manufacturing, healthcare, retail, and higher education where IoT security challenges are most complex.

Manufacturing OT/IT Boundaries

IEC 62443 compliance and change control constraints in industrial environments.

Healthcare Medical Device Security

Biomed team coordination and FDA-regulated device considerations.

Retail PCI DSS Compliance

Cardholder data environment isolation across distributed locations.

FAQs

Frequently Asked Questions

Common questions about IoT and unmanaged device security architecture.

We have thousands of IoT devices and no inventory. Where do we start?

Discovery first, always. We deploy passive monitoring and analyze network telemetry to build the device inventory from network behavior — without touching the devices. The discovery phase typically takes 2-4 weeks and produces the inventory and communication pattern data that drives segmentation design.

Some of our OT devices operate on flat networks with no segmentation at all. Does this require rip-and-replace?

Not necessarily. In most OT environments, the migration to segmented architecture is executed gradually — starting with the highest-risk devices and most critical enforcement boundaries. We design a phased segmentation approach that moves toward the target architecture incrementally, with each phase producing security improvement without requiring a complete network redesign.

Our biomed team controls our medical devices and will not allow network changes without their involvement. How do you handle that?

This is standard for healthcare environments. We engage biomed as a stakeholder in the segmentation design — documenting communication requirements for each device type with their input, reviewing enforcement policy before implementation, and coordinating testing with biomed staff to confirm device functionality is preserved post-segmentation.

We operate a mix of Cisco and Arista switches in our access layer. Can you implement NAC across both?

Yes. 802.1X and MAB-based NAC are standard protocols that work on both Cisco and Arista access switches. We implement NAC across your full access layer regardless of vendor mix. For new deployments, we recommend Arista for the additional streaming telemetry capability that supports IoT monitoring.

How do you handle devices that cannot be identified through passive discovery?

Unknown devices are automatically quarantined through our NAC implementation until they can be identified and classified. We use multiple identification methods including MAC OUI lookup, network behavior analysis, and DHCP fingerprinting. Devices that remain unidentifiable are placed in a restricted VLAN with limited network access pending manual review.
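As an added illustration of the quarantine-by-default decision described above (example code, not IVI's NAC implementation): an endpoint that passed 802.1X goes to the managed VLAN; an endpoint on the MAB path only reaches a production VLAN when two independent signals, here the MAC OUI and the DHCP option 55 fingerprint, agree on its class; anything else lands in the quarantine VLAN with the reason recorded for manual review. The OUI prefixes, DHCP fingerprints and VLAN numbers are constructed placeholders, and network behaviour analysis is left out.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed profiling tables (placeholder values, not real vendor data):
# OUI prefix -> device class the vendor ships; DHCP option 55 list -> class seen requesting it.
OUI_CLASS = {"00:11:22": "ip-camera", "00:33:44": "hvac-controller"}
DHCP_CLASS = {"1,3,6,12,15,28,42": "ip-camera", "1,3,6,15,44,47": "hvac-controller"}
# Device class -> production VLAN (assumed numbers); unclassified endpoints are quarantined.
CLASS_VLAN = {"ip-camera": 310, "hvac-controller": 320}
MANAGED_VLAN, QUARANTINE_VLAN = 100, 999

@dataclass
class Endpoint:
    mac: str
    dot1x_authenticated: bool = False      # passed 802.1X, so the MAB path is not used
    dhcp_param_list: Optional[str] = None  # DHCP option 55 as observed on the segment

def oui(mac: str) -> str:
    """Normalise a MAC address and return its first three octets."""
    return mac.lower().replace("-", ":")[:8]

def classify(ep: Endpoint) -> dict:
    """Decide the VLAN for a newly seen endpoint and record the reason."""
    if ep.dot1x_authenticated:
        return {"vlan": MANAGED_VLAN, "class": "managed", "reason": "802.1X success"}
    oui_hint = OUI_CLASS.get(oui(ep.mac))
    dhcp_hint = DHCP_CLASS.get(ep.dhcp_param_list or "")
    # MAB alone only proves that a MAC was presented, so a production VLAN requires
    # two independent signals that agree on the device class.
    if oui_hint and dhcp_hint and oui_hint == dhcp_hint:
        return {"vlan": CLASS_VLAN[oui_hint], "class": oui_hint,
                "reason": "OUI and DHCP fingerprint agree"}
    if oui_hint and dhcp_hint:
        return {"vlan": QUARANTINE_VLAN, "class": "unknown",
                "reason": f"conflict: OUI says {oui_hint}, DHCP says {dhcp_hint}"}
    return {"vlan": QUARANTINE_VLAN, "class": "unknown",
            "reason": "insufficient evidence, pending manual review"}

# Constructed endpoints for a quick run
SAMPLE = [
    Endpoint("00:11:22:aa:bb:cc", dhcp_param_list="1,3,6,12,15,28,42"),  # signals agree
    Endpoint("00:11:22:aa:bb:dd", dhcp_param_list="1,3,6,15,44,47"),     # signals conflict
    Endpoint("00:99:99:01:02:03"),                                        # nothing known
    Endpoint("00:55:66:01:02:03", dot1x_authenticated=True),             # managed device
]

if __name__ == "__main__":
    for ep in SAMPLE:
        print(ep.mac, classify(ep))
```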

What happens when IoT devices need firmware updates or vendor support access?

We design the segmentation architecture to accommodate these operational requirements. Firmware update processes are documented and tested within the segmentation model. For vendor support, we implement temporary access controls that provide vendors with access to specific devices rather than broad network access, with all vendor sessions logged and monitored.