IoT and wifi system security

Many people now have Amazon Echo/Dot, Google Home, or Apple HomePod devices, smart TVs, smart thermostats, etc.

What happens if one of those gets hacked? It’s already on your system, and it’s authorized and allowed on your network… now what?

That’s why you should have a WiFi network dedicated to IoT devices on a separate VLAN. If one gets hacked, it’s not on your main network.

You allow your main LAN to cross into the VLAN without issue, but devices on the other side know nothing outside their VLAN and their connections to the net (which some need to get updates, weather, etc.).

Things that should be on your IoT LAN: Alexa/Google/Siri devices, your smart TV/Android players/Apple TVs/PS4/PS3/Xbox/etc., including your smart locks and smart thermostats. Your media server should also be on that network.

Things to keep on your secured main:
your smartphone
laptops/computers
servers (NFS/backups)

Your cameras that don’t need ANY connection to the net could also be firewalled up on another VLAN, or as some others have done, put in firewall rules for those devices to not be allowed to connect anywhere, but allowed to be connected to from inside the lan (network security camera recorders).

Some common firewall rules…

your main LAN to IoT:
* all traffic

your IoT to LAN:
* mDNS — this is so the devices can be discovered by the entire network.
* your devices that need a connection back across the VLAN, such as a network scanner that has to SFTP into a server to drop scanned images off.
* MQTT traffic, because that’s what a lot of IoT devices use for communications.
* NTP traffic out to the net.
* you could probably block out most other traffic… if you know you can.

Your IP Cameras should probably be firewalled to prevent anything going out, with the exception of “All Established and Related connections”.

It’s easiest to show what “All Established and Related connections” means. Say your devices behind your current router make a connection to a website: that website is able to send data back to you, but that server couldn’t have started/initiated communication with your browser.
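The same idea as a small model, added here as an example and not taken from any router's own configuration: a zone-based rule list built from the rules above plus a connection table, run over constructed packets. The zone names (`lan`, `iot`, `cam`, `wan`), the addresses and the recorder-to-camera rule are assumptions made for illustration.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src_zone dst_zone src dst proto sport dport")

# Rules from the list above: (src_zone, dst_zone, proto, dport); None = any.
# Zone names are hypothetical labels for the VLANs described in the post.
RULES = [
    ("lan", "iot", None, None),    # main LAN to IoT: all traffic
    ("lan", "cam", None, None),    # assumption: recorder on the LAN reaches cameras
    ("iot", "lan", "udp", 5353),   # mDNS discovery
    ("iot", "lan", "tcp", 22),     # scanner dropping files off over SFTP
    ("iot", "lan", "tcp", 1883),   # MQTT
    ("iot", "wan", "udp", 123),    # NTP out to the net
]

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.conntrack = set()     # flows opened by a packet a rule allowed

    def check(self, p):
        flow = (p.src, p.sport, p.dst, p.dport, p.proto)
        reply_of = (p.dst, p.dport, p.src, p.sport, p.proto)
        # "Established": the packet belongs to a flow already allowed,
        # in either direction. "Related" traffic is not modeled here.
        if flow in self.conntrack or reply_of in self.conntrack:
            return "accept (established)"
        for src_zone, dst_zone, proto, dport in self.rules:
            if (src_zone == p.src_zone and dst_zone == p.dst_zone
                    and proto in (None, p.proto) and dport in (None, p.dport)):
                self.conntrack.add(flow)
                return "accept (new)"
        return "drop"              # default: nothing else crosses zones

def demo():
    # Constructed sample packets (private and documentation address ranges).
    fw = Firewall(RULES)
    nvr_to_cam = Packet("lan", "cam", "192.168.1.10", "192.168.30.5", "tcp", 40000, 554)
    cam_reply = Packet("cam", "lan", "192.168.30.5", "192.168.1.10", "tcp", 554, 40000)
    cam_out = Packet("cam", "wan", "192.168.30.5", "203.0.113.7", "tcp", 50000, 443)
    iot_probe = Packet("iot", "lan", "192.168.20.8", "192.168.1.10", "tcp", 41000, 445)
    # The camera's packet is dropped until the recorder has opened the flow.
    order = (cam_reply, nvr_to_cam, cam_reply, cam_out, iot_probe)
    return [fw.check(p) for p in order]

if __name__ == "__main__":
    print(demo())
```

The identical camera packet is dropped the first time and accepted the second time; the only difference is that the recorder on the main LAN opened the connection in between.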

Splitting your network is not a simple, easy task. It will take several hours, and hardware that is compatible with it. My network ecosystem is 100% Ubiquiti. I did have a D-Link smart switch that stripped off my VLAN, so none of the devices on the VLAN could communicate out. After figuring that out, I moved all the devices off, and will retire that switch.

I think it may still be possible to use a switched port that is dedicated to a VLAN, so all devices behind it will be on that VLAN… I’ll have to test that, but I’ve had enough networking stuff for the last few days.

