How to further harden my IOT VLAN against hacks or attacks?

I am not a networking expert and set up my IOT devices in a separate subnet (VLAN) and then wanted to stop the IOT VLAN from being able to talk to the non-IOT VLAN, then only as needed. So, for security purposes, I first created IP groups for all of my IOT devices and then did this (obviously they should not be blocked from themselves, which makes no sense in this case, but also they should not be blocked from their own gateway, so "ip any" cannot be used either (or instead)):

This of course caused problems, so I allowed only specific IP addresses from the IOT VLAN to reach specific addresses on the non-IOT VLAN (for instance so I can use the Shelly or WEMO app on some devices on “Internal LAN” to see those devices on the “IOT” VLAN), as a higher priority rule than the first one above:

Some IOT devices started becoming unreachable. So, in addition to blocking all IOT items from being able to directly touch the critical devices on the “Internal LAN” or reach the other non-IOT VLAN first, you would have to allow the mDNS to get through (unfortunately my router only allows all or none for this, not by device but by entire VLAN, and also in both directions):

[screenshot of the mDNS rule, not included on the page]

Sorry about the rambling, but I do get a lot of help from these forums, so I feel like I have to give back.

I can cut off the IOT VLAN from the Internet except for those IOT devices which require the Internet to operate properly, and I do enjoy keeping all of them accessible on the Internet so that I can reach them from my cell phone without a VPN, using for example the Shelly or Wemo apps. My only saving grace in that way is I have 30 digit passwords on every single device to access each, and they’re all unique…

So what else can I do to harden the IOT vlan? Maybe split apart the IOT devices that require Internet to operate properly from the others and block the others from the Internet until I want to try to do a firmware upgrade for them? Anything else I can do? What am I missing here?

1 Like

No input, but I see you’re using Omada. I need to do this as well, so thanks for the high level project plan!

Thank you. I think the only other thing would be to block them from the Internet if they can be only local… but I was fishing for any other ideas!

There is a point where added security becomes a diminishing return. You can have the most secure network in the world but make it next to worthless without constant micromanagement. Presuming this is your home network, you’re a very low/next to no priority on anyone’s list for attacks.

My general recommendation is more or less what you have in place. Segregate IoT devices into their own VLAN/network. For anything that you don’t need internet access for, block from the internet (and that means in both directions). Limit connectivity between the IoT and main VLAN to explicitly defined rules, but don’t get too in the weeds here. Usually limiting access to IP space (e.g. IoT subnet can talk to HA server IP) is good enough. mDNS being on probably isn’t that big of a deal. Your main risk exposure there is someone is already in your network and could use the service to map out the rest. Secondary would maybe be mDNS poisoning, but the same could be said about regular old DNS.

A few schools of thought go into all of this. Nothing should be done that you don’t have a solid understanding of. The main thing here is that I’ve seen plenty of folks turn a feature on for “security” because a guide told them to. But, they didn’t fundamentally understand what they were doing and broke something. Then, instead of removing the feature, they try to “fall forward” and “fix” the problem through brute force, usually making the matter worse.

The second is to understand what you are trying to protect and focus on that. Do I really care if someone gets access to a temperature sensor? Probably not. Do I want to minimize exposure to my main desktop? Absolutely. Then you go back to step 1. What am I capable of doing that can reduce that risk footprint for my desktop? And start from there.

A good example is ESP devices. For those that have a web interface configured, I rarely use them. They’re in the IoT network. I’ve blocked connectivity between my main network and the IoT one. I have a rule that allows IoT to reach my HA server by IP. I have another rule with all my ESP devices in it to allow connectivity to my desktop. I leave it set to disabled unless I need to reach a web interface (for troubleshooting, for example). I enable it on the fly for that one session and set it back to disabled.

You can certainly get fancy beyond that but, again, that gets back into step 1 of understanding and the unwritten step of realizing that you’ve got to maintain whatever is put in place. You could totally do unidirectional ruling (e.g. main desktop can initiate a conversation with ESP devices, but ESP devices can’t initiate with the main desktop), but you’ll have to keep track of that ruling when it inevitably causes headaches down the line.

Just my $0.02

3 Likes
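The rule set the two posts above describe (an explicit IoT-to-HA allow, a toggleable ESP-to-desktop rule, the main LAN allowed to initiate while IoT may not, local-only devices cut off from the Internet) and the ordering problem from the first post can be replayed in a small first-match firewall model. This is an added example, not code from the thread, from Omada or from Home Assistant; every address, IP group and port in it is a constructed sample value, and the connection-tracking table is a simplified stand-in for what a real router does.

```python
"""Added example: first-match firewall model for the thread's IoT VLAN policy.
Not Omada or Home Assistant code; all addresses and groups are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

Addr = ipaddress.IPv4Address
Spec = Union[ipaddress.IPv4Network, ipaddress.IPv4Address, frozenset]

# Constructed sample addressing (not the poster's real network).
IOT_NET = ipaddress.ip_network("192.168.20.0/24")   # "IOT" VLAN
LAN_NET = ipaddress.ip_network("192.168.10.0/24")   # "Internal LAN"
ANY_NET = ipaddress.ip_network("0.0.0.0/0")
HA_SERVER = ipaddress.ip_address("192.168.10.5")
DESKTOP = ipaddress.ip_address("192.168.10.50")
ESP_GROUP = frozenset(ipaddress.ip_address(a) for a in ("192.168.20.11", "192.168.20.12"))
CLOUD_GROUP = frozenset([ipaddress.ip_address("192.168.20.21")])  # devices that need the Internet
MDNS_ADDR = ipaddress.ip_address("224.0.0.251")     # mDNS multicast group (RFC 6762)


def in_spec(addr: Addr, spec: Spec) -> bool:
    """True if addr is covered by a subnet, a single address, or an IP group."""
    if isinstance(spec, (ipaddress.IPv4Network, frozenset)):
        return addr in spec
    return addr == spec


@dataclass(frozen=True)
class Flow:
    src: Addr
    dst: Addr
    proto: str
    dport: int
    sport: int = 0   # 0 = unspecified in the sample flows below


@dataclass
class Rule:
    name: str
    action: str                    # "allow" or "deny"
    src: Spec
    dst: Spec
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any port
    enabled: bool = True

    def matches(self, f: Flow) -> bool:
        return (self.enabled and in_spec(f.src, self.src) and in_spec(f.dst, self.dst)
                and (self.proto is None or self.proto == f.proto)
                and (self.dport is None or self.dport == f.dport))


class Firewall:
    """Ordered rules, first match wins, implicit deny at the end. A 5-tuple
    connection table lets replies to an allowed flow pass, which is what makes
    'LAN may initiate, IoT may not' work without any IoT-to-LAN allow."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.established = set()   # (src, dst, proto, dport, sport) of allowed flows

    def set_enabled(self, name: str, enabled: bool) -> None:
        for r in self.rules:
            if r.name == name:
                r.enabled = enabled

    def evaluate(self, f: Flow) -> str:
        if (f.dst, f.src, f.proto, f.sport, f.dport) in self.established:
            return "allow:established"          # reply direction of an allowed flow
        for r in self.rules:
            if r.matches(f):
                if r.action == "allow":
                    self.established.add((f.src, f.dst, f.proto, f.dport, f.sport))
                return f"{r.action}:{r.name}"
        return "deny:default"


def iot_policy(specific_first: bool = True) -> Firewall:
    """With specific_first=False the broad IoT->LAN deny sits above the HA
    allow, reproducing the 'devices became unreachable' mistake."""
    specific = [
        Rule("allow-mdns", "allow", ANY_NET, MDNS_ADDR, "udp", 5353),
        Rule("iot-to-ha", "allow", IOT_NET, HA_SERVER, "tcp", 8123),
        Rule("esp-to-desktop", "allow", ESP_GROUP, DESKTOP, enabled=False),
    ]
    broad = [Rule("deny-iot-to-lan", "deny", IOT_NET, LAN_NET)]
    tail = [
        Rule("lan-to-iot", "allow", LAN_NET, IOT_NET),               # LAN may initiate
        Rule("cloud-iot-to-internet", "allow", CLOUD_GROUP, ANY_NET),  # must sit below the LAN deny
        Rule("deny-iot-to-internet", "deny", IOT_NET, ANY_NET),      # local-only devices
        Rule("lan-to-internet", "allow", LAN_NET, ANY_NET),
    ]
    order = specific + broad + tail if specific_first else broad + specific + tail
    return Firewall(order)


def demo() -> dict:
    fw = iot_policy()
    iot_dev = ipaddress.ip_address("192.168.20.11")
    cloud_dev = ipaddress.ip_address("192.168.20.21")
    internet = ipaddress.ip_address("203.0.113.9")   # documentation range, constructed
    r = {
        "iot->ha": fw.evaluate(Flow(iot_dev, HA_SERVER, "tcp", 8123)),
        "iot->desktop": fw.evaluate(Flow(iot_dev, DESKTOP, "tcp", 80)),
        "desktop->iot": fw.evaluate(Flow(DESKTOP, iot_dev, "tcp", 80, 40000)),
        "iot reply->desktop": fw.evaluate(Flow(iot_dev, DESKTOP, "tcp", 40000, 80)),
        "iot mdns": fw.evaluate(Flow(iot_dev, MDNS_ADDR, "udp", 5353)),
        "iot->internet": fw.evaluate(Flow(iot_dev, internet, "tcp", 443)),
        "cloud->internet": fw.evaluate(Flow(cloud_dev, internet, "tcp", 443)),
        "cloud->desktop": fw.evaluate(Flow(cloud_dev, DESKTOP, "tcp", 22)),
    }
    fw.set_enabled("esp-to-desktop", True)            # the one-session toggle
    r["esp->desktop (enabled)"] = fw.evaluate(Flow(iot_dev, DESKTOP, "tcp", 80))
    r["misordered iot->ha"] = iot_policy(False).evaluate(Flow(iot_dev, HA_SERVER, "tcp", 8123))
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28} {v}")
```

Two things worth noticing in the output: the cloud-capable device's "allow to anywhere" rule only stays safe because the broad IoT-to-LAN deny is evaluated before it, and the IoT device's packets back to the desktop pass solely through the connection table, so no IoT-to-desktop allow rule ever has to exist for the desktop-initiated session.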

I’d also note that one of the best things you can do for security is to clearly document what you’ve done, and ideally have a configuration stored that you can restore if something goes wrong. Otherwise, in 12 months’ time when something goes wrong, you won’t quite recall what went where and why, and will be left with a number of problems to solve that you don’t understand the reason for. Don’t ask me how I know…

2 Likes

That’s a fair point, especially when it comes to getting into some more advanced methodologies. But, that goes back into how much effort someone is willing to put into things. This level of effort almost turns managing your home network into a second job. Not necessarily a bad thing, but not everyone wants to put that amount of time into it. If someone falls into the latter bucket, they probably shouldn’t be turning some of those dials.

2 Likes

Agreed 1,000 percent. Somebody tried to steal my identity once around the same time my home was nearly flooded, so I became a nut about both home automation (leak sensors, alarms, even tied in a weather station) and security. It made such a big effect on me I may change my career (I am in IT but I think I may pivot to cyber security).

I did find out much later, without realizing it, that I made a big goof in selecting Omada in general. The products are great and I had to go with them for a unified UI because the price for everything else that offers the same thing is much too high. My goof was that the cloud for Omada (for those who have cloud access to their consolidated UI enabled) is that TP-Link’s headquarters is in Shenzhen, China, and therefore the CCCP has direct access to your internal network if they want it. As soon as I realized that mistake, I turned off cloud access, and even deleted the account for same altogether.

Nobody really knows who is looking at your stuff especially with regards to hardware manufacturers who put in back doors - so I would think putting a device of some kind in between my Verizon fiber ONT and my router would be able to catch such traffic. But I have no clue how to do that and even if I had the resources and the time I’m not sure I’d be able to understand what I’m looking at unless I’ve gone through a steep learning curve…

So both of you are saying you think there’s nothing else really to make it more secure? I do also have 10 combined client VPN tunnels (from 2 non-Nine Eyes security providers) using L2TP/IPsec grouped together as the Internet access destination for my devices…

I don’t think that’s a concern any more. CCP, perhaps…

There are certainly things that can be done to make it more secure, but my point is that you’ll likely be in the realm of diminishing return.

In the words of XKCD:

And this is the case for any protected account. A lot of people seem to have this common misunderstanding that most security exposures of individuals come from some elaborate work by evildoers. The reality is that it’s a lot simpler than that… exploit human conditions.

This is why phishing and phone scam campaigns are so successful. Humans are gullible creatures of habit. The other piece is that most of these things are done in the abstract. Why target Joe Blow specifically when I can just run an email phishing campaign against a million email addresses knowing that a good percentage are going to click my link and just hand over their credentials to their bank? It takes way less time and is way more profitable.

If anyone wants to protect themselves, the best measures are:

  1. Unique, long, and complex passwords for each account (read up on password entropy if you want to know more).
  2. Learn to identify scam emails/phone calls. No Suzie, the IRS is not going to call to give you a heads up that they have a warrant for your arrest if you don’t pay them.
  3. Enable two factor authentication anywhere possible (bonus points for using an out of band passcode generator like Google Authenticator).
  4. Get identity theft insurance… which is a nice segue into this episode’s sponsor… (I’m kidding). But, for real, this has turned into a legitimate insurance policy offering that’s not necessarily a bad idea. It gets back into that cost/benefit analysis though, so maybe not for everyone.

Oops yes CCP

Yes I’m on with Lifelock as well