Home network security

Mzezman (Executive Member, joined Nov 13, 2021):
For you folks with some smart home devices / homelabs etc.: how segmented is your network? I ask as I saw this and thought it was OTT.

[image: vxtuh1mc5qub1.png, a network segmentation diagram]

In my case I only have:
  • Main network (vlan 5)
  • IoT network (vlan 20)
  • Guest network (vlan 99)
 
Or drop all this complexity, assume zero trust, isolate all clients and block all ports by default (in other words, all devices are assumed to be untrusted when they plug into the network, join Wi-Fi, etc.).
My router (pfSense + pfBlockerNG + Suricata) is blocking more things coming from cellphones and dockers than from IoT devices.

I was far too scared to have a VPN or SSH on my network.
Recently adopted cloudflared and now I have remote access by using Google authentication + only allowing connections from a very specific location (on the planet) + an ASN list.
Even then I log everything and email myself when access was granted; I simply don't want to assume the best when it comes to WAN ingress. (I log in via WAN rarely enough that it is totally fine for me to see an email pop up letting me know I had a remote login routed via cloudflared.)

I find creating these subnets and this and that ends up having a bunch of vulnerabilities that allow escalation, and as a human who wants to live life at home, I don't want to scan my logs every weekend to see what happened.
 
> Or drop all this complexity, assume zero trust, isolate all clients and block all ports by default (in other words, all devices are assumed to be untrusted when they plug into the network, join Wi-Fi, etc.).
> My router (pfSense + pfBlockerNG + Suricata) is blocking more things coming from cellphones and dockers than from IoT devices.
>
> I was far too scared to have a VPN or SSH on my network.
> Recently adopted cloudflared and now I have remote access by using Google authentication + only allowing connections from a very specific location (on the planet) + an ASN list.
> Even then I log everything and email myself when access was granted; I simply don't want to assume the best when it comes to WAN ingress. (I log in via WAN rarely enough that it is totally fine for me to see an email pop up letting me know I had a remote login routed via cloudflared.)
>
> I find creating these subnets and this and that ends up having a bunch of vulnerabilities that allow escalation, and as a human who wants to live life at home, I don't want to scan my logs every weekend to see what happened.

Seen far too many times that people separate security layers with VLANs and then follow it up with full inter-VLAN routing between trusted and untrusted VLANs.
 
> Seen far too many times that people separate security layers with VLANs and then follow it up with full inter-VLAN routing between trusted and untrusted VLANs.
The firewalling side of things is not the easiest to understand and implement; I still get confused by the firewall structure in Unifi. I found RouterOS easier in that aspect.
 
> Seen far too many times that people separate security layers with VLANs and then follow it up with full inter-VLAN routing between trusted and untrusted VLANs.
Crazy, that defeats the whole object of network segregation, which is to contain and limit the damage that one compromised device can do.

I like the OP's diagram, and am planning something similar, but with multiple guest SSIDs as well. IoT devices such as Tuya, for example, have prehistoric wireless security capabilities, which, for example, do not support PMFs, so they get their own sandbox.

IoT devices can also be very "chatty", and there is hardly any way to harden auto-configuration protocols, so they need to be restricted to their own broadcast domain. Almost all allow "firewall friendly" remote access, so a compromised vendor (which is inevitable) will definitely wreak havoc at some stage. Rather let them play with one another, in their own locked room.

It might seem complex, but there is very good reason for it.
 
> The firewalling side of things is not the easiest to understand and implement; I still get confused by the firewall structure in Unifi. I found RouterOS easier in that aspect.
I haven't played with it, prefer to use a real firewall.
 
> Crazy, that defeats the whole object of network segregation, which is to contain and limit the damage that one compromised device can do.
>
> I like the OP's diagram, and am planning something similar, but with multiple guest SSIDs as well. IoT devices such as Tuya, for example, have prehistoric wireless security capabilities, which, for example, do not support PMFs, so they get their own sandbox.
>
> IoT devices can also be very "chatty", and there is hardly any way to harden auto-configuration protocols, so they need to be restricted to their own broadcast domain. Almost all allow "firewall friendly" remote access, so a compromised vendor (which is inevitable) will definitely wreak havoc at some stage. Rather let them play with one another, in their own locked room.
>
> It might seem complex, but there is very good reason for it.

FWIW, the image is not my network but how someone on Reddit set theirs up.

I like your idea of sandboxing by, e.g., product manufacturer. It does increase the initial setup time and complexity though.
 
Have Unifi with 4 VLANs:
- Main
- IoT
- Guest
- HDMI broadcast for some HDMI-over-LAN stuff

IoT can only get to internet and one docker container on a server on my main network.

I use Unifi's built-in VPN (which is OpenVPN behind the scenes, I think) to access my IoT or CCTV from outside.
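As an added illustration (not code from the thread, nor from pfSense, Unifi or RouterOS), the policy the posts above converge on, modelled in Python: a default-deny rule table in which IoT reaches only the internet and the one container on the main VLAN, set beside the "full inter-VLAN routing" anti-pattern called out earlier in the thread. The VLAN subnets, the container address 10.5.0.10 and port 8123 are constructed assumptions, not values from the page.

```python
from ipaddress import ip_address, ip_network

# Constructed example subnets, one per VLAN named in the thread (main=5, IoT=20, guest=99).
VLANS = {
    "main": ip_network("10.5.0.0/24"),
    "iot": ip_network("10.20.0.0/24"),
    "guest": ip_network("10.99.0.0/24"),
}
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def zone(ip):
    """VLAN name for an address; 'internet' if public, 'lan-other' if private but unassigned."""
    addr = ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "lan-other" if any(addr in n for n in PRIVATE) else "internet"

# A rule is (src zone, dst zone, dst host or None, tcp port or None, action), matched in order
# for NEW connections only (a stateful firewall admits return traffic). No match = drop.
SEGMENTED = [
    ("main", "internet", None, None, "allow"),
    ("main", "iot", None, None, "allow"),          # main may reach IoT, never the reverse
    ("iot", "internet", None, None, "allow"),
    ("iot", "main", "10.5.0.10", 8123, "allow"),   # the single container IoT may talk to (assumed)
    ("guest", "internet", None, None, "allow"),
]
# The anti-pattern: VLANs exist, but every VLAN is routed to every other one.
FLAT = [(s, d, None, None, "allow") for s in VLANS for d in list(VLANS) + ["internet"]]

def evaluate(rules, src_ip, dst_ip, port):
    """First matching rule wins; with no match the default deny applies."""
    src, dst = zone(src_ip), zone(dst_ip)
    for rs, rd, host, rport, action in rules:
        if rs == src and rd == dst and host in (None, dst_ip) and rport in (None, port):
            return action
    return "deny"

def blast_radius(rules, src_zone):
    """Zones (or host:port pinholes) a compromised host in src_zone could open connections to."""
    out = set()
    for rs, rd, host, port, action in rules:
        if rs == src_zone and action == "allow":
            out.add(rd if host is None else f"{rd}:{host}:{port}")
    return out

if __name__ == "__main__":
    for name, rules in (("segmented", SEGMENTED), ("flat", FLAT)):
        print(name, "- a compromised IoT device can reach:", sorted(blast_radius(rules, "iot")))
```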
 