Why Inbound and Outbound Traffic Is No Joke


You wouldn't let just anyone walk through your front door, and you certainly wouldn't let your kids broadcast your home address to every stranger on the street.

So why would you treat your network any differently? In a commercial building, the data flowing between the internet and your network controls your smart devices, access control devices, HVAC units and more.


Network traffic management — specifically, controlling what flows in and what flows out — is one of the most critical responsibilities an IT professional holds. Every packet of data from devices on the network or from the internet that crosses the boundary of your organization's network is a decision. A bet. A calculated risk. And whether that traffic is a firmware update, a thermostat sync, or a rogue probe from an attacker halfway across the planet, it's the IT team's job to know about it, control it, and — when necessary — shut it down.


Let's talk about why this matters, how some well-known devices handle it (spoiler: not all approaches are created equal), and why less is sometimes better when it comes to what's on your network.


Inbound vs. Outbound: The Two-Way Street That Needs Traffic Cops

Here are the basics:

  • Outbound traffic is data leaving your network — think of it as sending a letter. Your device (a laptop, a WiFi thermostat, etc.) initiates the connection, reaches out to a server somewhere on the internet, and sends information.
  • Inbound traffic is data coming into your network — someone (or something) from the outside is reaching into your network infrastructure.
  • Both are necessary. Both are dangerous if left unchecked. IT professionals are the traffic cops standing at the intersection, deciding what gets through, what doesn't, and what was never supposed to be on the road in the first place.
  • The preferred standard? Devices that initiate outbound connections only. When a device initiates the connection itself, the IT team can restrict the conversation to a known destination, over a known port, with a known purpose. When a device accepts inbound connections from the internet, it's pretty much sitting at the front door saying, "Come on in, whoever you are." Devices that only reach out are naturally restricted to the servers they were designed to connect to; devices that both reach out and accept inbound internet traffic have a much bigger attack surface.
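As an added example (not from the article), here is a small Python model of the stateful edge policy described above: a device that only initiates outbound connections to a known destination gets through, replies to the connections it opened are let back in, and any attempt from the internet to open a connection toward the device is dropped. Running the same model with an inbound listener enabled shows the "open door" of a device that accepts inbound traffic. The addresses, the vendor cloud host name and the packet sequence are constructed placeholders, and the connection table is keyed on (inside host, outside host) rather than the full 5-tuple a real firewall would use.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str      # "out": inside device -> internet host, "in": internet host -> inside device
    inside: str         # device on the organization's network
    outside: str        # host on the internet
    dport: int          # destination port of the packet
    opens: bool = True  # True for the packet that opens a connection (TCP SYN), False for later packets


@dataclass
class EdgeFirewall:
    """Stateful edge policy. A real conntrack keys on the full 5-tuple; this keys on (inside, outside)."""
    outbound_allowed: dict                                  # inside device -> {(internet host, port)} it may initiate to
    inbound_listeners: dict = field(default_factory=dict)   # inside device -> {port} the internet may open
    conntrack: set = field(default_factory=set)             # (inside, outside) pairs opened from inside

    def decide(self, pkt):
        """Return ('allow' | 'deny', reason) for one packet, updating connection state."""
        if pkt.direction == "out":
            if (pkt.outside, pkt.dport) in self.outbound_allowed.get(pkt.inside, set()):
                self.conntrack.add((pkt.inside, pkt.outside))
                return "allow", "outbound to a known destination"
            return "deny", "outbound to an unknown destination"
        if pkt.direction == "in":
            if not pkt.opens:
                if (pkt.inside, pkt.outside) in self.conntrack:
                    return "allow", "reply to a connection the device opened"
                return "deny", "inbound packet with no matching outbound connection"
            if pkt.dport in self.inbound_listeners.get(pkt.inside, set()):
                return "allow", "inbound connection to a port the device exposes"
            return "deny", "internet tried to open a connection to the device"
        raise ValueError(f"unknown direction {pkt.direction!r}")


def decisions(fw, packets):
    return [fw.decide(p)[0] for p in packets]


# Constructed traffic for one thermostat at 10.20.0.11; the cloud host is a placeholder name.
CLOUD = "cloud.vendor.invalid"
STRANGER = "203.0.113.9"
SAMPLE = [
    Packet("out", "10.20.0.11", CLOUD, 443),                    # thermostat checks in with its cloud
    Packet("in", "10.20.0.11", CLOUD, 51000, opens=False),      # cloud answers on that connection
    Packet("in", "10.20.0.11", STRANGER, 8080, opens=True),     # unknown host knocks on the device
    Packet("in", "10.20.0.11", STRANGER, 51000, opens=False),   # forged "reply" with no matching state
    Packet("out", "10.20.0.11", STRANGER, 8080),                # device reaches out to an unknown host
]


def outbound_only_device():
    """Firewall policy for a device that is only ever allowed to initiate connections."""
    fw = EdgeFirewall(outbound_allowed={"10.20.0.11": {(CLOUD, 443)}})
    return decisions(fw, SAMPLE)


def bidirectional_device():
    """Same device, but port 8080 is also forwarded in so a cloud can push updates to it."""
    fw = EdgeFirewall(outbound_allowed={"10.20.0.11": {(CLOUD, 443)}},
                      inbound_listeners={"10.20.0.11": {8080}})
    return decisions(fw, SAMPLE)


if __name__ == "__main__":
    print("outbound-only :", outbound_only_device())
    print("bidirectional :", bidirectional_device())
```

The two runs differ only on the third packet: the outbound-only policy denies the stranger's connection attempt, while the policy that exposes port 8080 lets it through, because the firewall has no way to tell the vendor's push from anyone else's.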


The Honeywell Approach: Every Thermostat for Itself

Honeywell smart thermostats, like many IoT devices, use both inbound and outbound connections (a protocol is the set of rules for routing and addressing packets of data so they can travel across networks and arrive at the correct destination) to stay synced up. Here's how it works:


When someone adjusts the temperature directly at the thermostat:
The thermostat sends that change outbound from the organization's network, across the internet, to Honeywell's cloud servers. The servers process the update and reflect the change on the user's online account so everything matches.


When someone changes the schedule from the online account:
Honeywell's servers send that update inbound — across the internet, through the organization's firewall, and down to the thermostat. The thermostat receives the inbound connection and applies the new schedule.


Now, here's where IT professionals start to sweat: every single thermostat is doing this. In a commercial building with 50 thermostats, that's 50 devices maintaining their own independent connections to the internet. Fifty devices accepting inbound updates. Fifty devices with their own little open door to the outside world. Fifty potential entry points that an attacker could probe, exploit, or use as a pivot deeper into the network.


And it's not just theory. Attackers have exploited wirelessly connected IoT devices to breach organizational networks. A thermostat might seem like a low-value target, but to an attacker, it's a foothold. Although rarely used for attacks, it's still a beachhead. A way in.


The Pelican Wireless Approach: One Door, Outbound Only

A different company on the block, Pelican Wireless, has implemented a new way of connecting HVAC controls to the internet.


Pelican operates on a fundamentally different architecture. Instead of every thermostat connecting to the internet independently, all thermostats on a site communicate with one device: the Pelican Gateway. The Gateway is the only device with internet access, and — here's the kicker — it is programmed to initiate outbound connections only.


That means:

  • No inbound ports are open on the organization's firewall
  • No external server can reach into the network through a thermostat
  • The Gateway reaches out to Pelican's cloud, pulls down any updates or schedule changes, and distributes them locally to the thermostats
  • The thermostats themselves never touch the internet — they only talk to the Gateway on the local network
  • One device. One connection. Outbound only. That's it. And that connection runs through a VPN as well!

A Personal Story: The Cringe and the Smile

I used to oversee the installation of smart thermostats at large commercial buildings and school districts. And I'll never forget the reaction from IT teams.
When we were installing Honeywell, the IT director would always ask the same question: "How do the thermostats receive updates and setting changes?" They'd ask it calmly, almost casually — the way you'd ask a contractor about what lights he's going to install. But when I explained that each thermostat connects to the internet individually and accepts inbound connections from Honeywell's servers, their body language shifted instantly. The calm was gone. The cringe was real. And the follow-up questions would come rapid-fire:

  • "How many inbound connections are we talking about?"
  • "Can we restrict the ports?"
  • "What protocols are being used?"
  • "We have 250 thermostats at this school, that means 250 inbound and outbound connection points?"
  • "What happens if one of these gets compromised?"

They were right to be concerned. They were doing their jobs.


Then my company switched to installing Pelican Wireless. Same initial question from a new IT director: "How do the thermostats receive updates and setting changes?" And I'd explain: there's one Gateway device, it only initiates outbound connections, and the thermostats never touch the internet directly.
Every single time, without fail, the IT director would lean back in their chair, smile, and say something like, "Now that's how you should do it."
That smile? That was the smile of someone who didn't have to worry about 250 thermostats becoming 250 potential attack vectors at their school.


Why Less on the Network Is More

Anyone who has ever managed devices on a network knows the truth: one too many connections can overwhelm a network, cause wireless interference, and become an absolute nightmare to manage. But it's worse than just congestion. Every internet-connected device is a potential attack surface. Every inbound connection is an open door.


The benefits of the "less is more" approach — fewer connected devices, outbound-only traffic — are substantial:

  • Reduced attack surface: Fewer devices touching the internet means fewer opportunities for attackers to find a way in.
  • Simplified firewall management: One outbound-only device is easy to whitelist, monitor, and audit. Fifty bidirectional devices is a spreadsheet nobody wants to maintain.
  • Lower wireless interference: Fewer devices competing for spectrum means a cleaner, faster, more reliable wireless environment for everyone.
  • Easier compliance: Security frameworks and auditors love architectures where the perimeter is tight and traffic is predictable.
  • Faster incident response: If something looks wrong, there's one place to look — not fifty.
  • Peace of mind: Outbound-only architectures mean that even if an attacker knows your device exists, they can't reach it. It won't answer the door.
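To make "one place to look" concrete, here is an added audit script (example code, not Pelican's or Honeywell's) that checks firewall logs against the one-gateway, outbound-only design described above. It flags any inbound connection accepted into the HVAC segment, any gateway connection to a destination outside its allowlist, and any thermostat that talked past the gateway. The log format, the HVAC subnet 10.20.0.0/24, the gateway address 10.20.0.1, the cloud address 198.51.100.10 and the sample lines are all constructed assumptions for the example, and the log is assumed to record new connections only (not reply packets).

```python
import ipaddress
import re

# Constructed log format for this example (not any vendor's real format):
#   <timestamp> <ACCEPT|DROP> dir=<in|out> src=<ip>:<port> dst=<ip>:<port> proto=<tcp|udp>
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) dir=(?P<dir>in|out) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

HVAC_NET = ipaddress.ip_network("10.20.0.0/24")        # assumption: thermostats and gateway live here
GATEWAY = ipaddress.ip_address("10.20.0.1")            # assumption: the single gateway's address
CLOUD_ALLOWLIST = {(ipaddress.ip_address("198.51.100.10"), 443)}  # placeholder for the vendor cloud


def parse(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"], rec["dst"] = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def audit(lines):
    """Return (line number, finding) pairs for accepted traffic that violates the outbound-only design."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse(line)
        if rec is None:
            findings.append((n, "unparseable log line"))
            continue
        if rec["action"] != "ACCEPT":
            continue  # a DROP is the firewall doing its job; only accepted traffic needs review
        src, dst, dport = rec["src"], rec["dst"], rec["dport"]
        if rec["dir"] == "in" and dst in HVAC_NET:
            findings.append((n, f"inbound connection accepted into HVAC segment ({src} -> {dst}:{dport})"))
        elif rec["dir"] == "out" and src == GATEWAY and (dst, dport) not in CLOUD_ALLOWLIST:
            findings.append((n, f"gateway reached a destination outside its allowlist ({dst}:{dport})"))
        elif rec["dir"] == "out" and src in HVAC_NET and src != GATEWAY and dst not in HVAC_NET:
            findings.append((n, f"thermostat {src} bypassed the gateway to reach {dst}:{dport}"))
    return findings


# Constructed sample log: one clean gateway check-in, one blocked probe, and three things to chase.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z ACCEPT dir=out src=10.20.0.1:40211 dst=198.51.100.10:443 proto=tcp
2024-03-01T08:00:05Z DROP dir=in src=203.0.113.9:5123 dst=10.20.0.11:8080 proto=tcp
2024-03-01T08:01:12Z ACCEPT dir=in src=203.0.113.9:5124 dst=10.20.0.17:8080 proto=tcp
2024-03-01T08:02:40Z ACCEPT dir=out src=10.20.0.23:49152 dst=198.51.100.10:443 proto=tcp
2024-03-01T08:03:03Z ACCEPT dir=out src=10.20.0.1:40500 dst=203.0.113.77:22 proto=tcp
this is not a firewall line
"""


def demo():
    return audit(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for n, finding in demo():
        print(f"line {n}: {finding}")
```

Under this design the first check is the important one: with no inbound ports open, an ACCEPT with dir=in toward the HVAC segment should never appear, so a single hit is worth an immediate look at the firewall rule that let it through. Note that a thermostat reaching the vendor cloud directly is flagged even though the destination is on the allowlist, because only the gateway is supposed to make that trip.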


Keep It in Mind — and Thank Your IT Director

The next time you interact with technology that is connected to the internet, spare a thought for the network architecture behind it. Somewhere, an IT director made a decision about what devices should be on the network and how those devices communicate — how they reach out, what internet data is let in, and what doors (or ports in the world of IT) stay firmly shut.


Containerized gateways. Outbound-only protocols. Minimal footprint. These aren't just buzzwords — they're the difference between a network that's manageable and more secure and one that's a liability.


So here's to the IT professionals who cringe at inbound connections, who ask the hard questions before the installers and hardware are even chosen, and who understand that every device on the network is a decision with consequences.


Thank you, IT directors — for keeping us safe digitally, one firewall rule at a time.