
Home Network Segmentation: A Must in the IoT Era – CKD3, LLC

20 points | ckdiii | 7 years ago | ckd3.com | reply

13 comments

[+] secure|7 years ago|reply
I see two practical issues with network segmentation:

1. It breaks broadcast/multicast, e.g. for your phone discovering your chromecast. A number of IOT devices need to be on the same network as the devices from which you want to use them.

2. It’s way too complicated for novice users to set up, so it cannot be vital for making IOT devices secure.

Personally, I like to keep all my devices (whether IOT or not) patched (ideally because they’re auto-updating). That way, if a lightbulb gets hacked, it can’t get to my backup drive either.

That being said, I do think there’s some value in throttling bandwidth for IOT devices. It’d need to happen automatically (which makes it hard), but would nicely prevent DDOS attacks.

[+] bornabox|7 years ago|reply
The problem is the lightbulb that was sold once and didn't receive any patches since. Auto or not...
[+] thaumasiotes|7 years ago|reply
> According to a 2017 study, North Americans have an average of 13 devices per person. That means a family of four has an average of 52 devices on their network.

Um, what? No it doesn't. The average devices-per-person over all people and the average devices-per-person over all people belonging to a household of four are totally different statistics. You could have an individual average of 13 devices per person at the same time that a family of four has an average of 0 devices.

Behold my five-person population:

    Loner: 65 xboxes

    Luddite Pa: nothing
    Luddite Ma: nothing
    Luddite Grandpa: nothing
    Luddite Son: nothing

Does anyone else think that... maybe... there are some devices which a single person is moderately likely to own one of, but a family of four is vanishingly unlikely to own four of?
[+] x1798DE|7 years ago|reply
I imagine "13 devices" does not necessarily mean exclusive ownership, either. I have a TV, but it's the same TV that everyone in my household has, so a straightforward multiplication of "people * devices" doesn't totally work.
[+] a10c|7 years ago|reply
Why can't you just segregate your network with VLANs? I don't see the need for multiple routers.
[+] nrau|7 years ago|reply
Having two distinct routers and physical devices just isolates each network that much more. A single device is still exactly that at some point, and in such cases there is always the possibility of an exploit that could compromise the device fundamentally.

I think the author is just advocating for a very locked down approach but I agree it is not feasible for most folks.

[+] p0cc|7 years ago|reply
The author is proposing a solution that is a naive implementation of an existing technology: VLANs.

This is what you want to do:

* Isolate each group of devices with different VLANs

* Use firewall rules on your layer 3 device (router, firewall, frankenmodem, etc.) to prevent communication between the subnets tied to those VLANs.

This is an example of what this looks like at layer 3: https://documentation.meraki.com/MR/Firewall_and_Traffic_Sha...

[+] KaiserPro|7 years ago|reply
Because they don't understand how networking works.
[+] shad0wca7|7 years ago|reply
Cybercriminals?! What a poorly written article. Multiple “firewalls” in a home and nothing about VLANs?

That being said, it is good practice and something I’ve implemented in my home - thankfully my Unifi / pfsense setup makes this very manageable.

[+] 8fingerlouie|7 years ago|reply
I've had my home network set up like this for years, though with VLANs instead of separate physical routers.

I've got :

* LAN - where my wife and i connect our laptops/phones.

* SERVERS - for my NAS and a couple of small servers.

* DMZ - just a single server sitting here.

* KIDS - where my kids and their friends connect their laptops/phones. It's a semi-guest network, as it only allows traffic to the internet and a few devices on the IOT network: printers, Apple TVs, etc.

* IOT - Internet of trash, only allows connections to the internet. Only network that allows UPnP. Has multicast repeating on for Chromecast/Apple TV.

* GUESTS - you guessed it.

DMZ is the only VLAN that can be accessed from the outside. Each VLAN from the bottom up allows access from the VLANs above, with the exception of the guest networks. Nothing can access KIDS, IOT and GUESTS.

KIDS can access a couple of devices on the IOT network like printers, Apple TV, Chromecast and AirPlay devices; IOT and GUESTS can only access the internet.

My UniFi network then creates 4 Wifi networks as well, one for LAN, KIDS, IOT and GUESTS.

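The two bullets in p0cc's comment (one VLAN per device group, then layer-3 firewall rules between the subnets) and the trust ladder 8fingerlouie describes are the same design: a per-zone policy of who may open a connection to whom, with everything else dropped and return traffic admitted by connection tracking. The block below is an added example, not code from the thread or from any product mentioned in it. It models such a policy in Python, evaluates "may this source initiate to this destination?", and renders the matching nftables forward chain. The VLAN IDs, subnets, uplink interface name, printer and Chromecast addresses and ports are all assumptions; the thread names the zones but not the addressing.

```python
"""Inter-VLAN policy model: decide whether a flow may be initiated and render
the equivalent nftables forward chain.

Added example; not the thread's own configuration. All addresses, VLAN IDs,
interface names and ports below are assumed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed VLAN layout: zone -> (subnet, VLAN ID). Hypothetical addressing.
ZONES = {
    "LAN":     ("10.10.0.0/24", 10),
    "SERVERS": ("10.20.0.0/24", 20),
    "DMZ":     ("10.30.0.0/24", 30),
    "KIDS":    ("10.40.0.0/24", 40),
    "IOT":     ("10.50.0.0/24", 50),
    "GUESTS":  ("10.60.0.0/24", 60),
}
WAN_IF = "eth0"  # assumed uplink interface


@dataclass(frozen=True)
class Rule:
    src: str                      # source zone name
    dst: str                      # zone name, "INTERNET", or a single host IP
    proto: Optional[str] = None   # "tcp" / "udp", or None for any protocol
    dport: Optional[int] = None   # destination port, or None for any port
    action: str = "accept"


# Ordered, first match wins, implicit deny at the end. Only *initiation* is
# described here; replies come back through conntrack state. The ladder:
# LAN may open to SERVERS and DMZ, SERVERS may open to DMZ, nothing may open
# into KIDS, IOT or GUESTS apart from two pinholes into IOT for a printer
# (IPP, 631/tcp) and a Chromecast (8009/tcp). Host addresses are assumed.
POLICY = [
    Rule("LAN", "SERVERS"),
    Rule("LAN", "DMZ"),
    Rule("SERVERS", "DMZ"),
    Rule("LAN", "10.50.0.20", "tcp", 631),    # printer in IOT (assumed)
    Rule("LAN", "10.50.0.21", "tcp", 8009),   # Chromecast in IOT (assumed)
    Rule("KIDS", "10.50.0.20", "tcp", 631),
    Rule("KIDS", "10.50.0.21", "tcp", 8009),
]
# Every zone, including IOT and GUESTS, may reach the internet.
for _zone in ZONES:
    POLICY.append(Rule(_zone, "INTERNET"))


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside all subnets is INTERNET."""
    addr = ip_address(ip)
    for name, (net, _vid) in ZONES.items():
        if addr in ip_network(net):
            return name
    return "INTERNET"


def is_allowed(src_ip: str, dst_ip: str,
               proto: Optional[str] = None, dport: Optional[int] = None) -> bool:
    """May src_ip open a flow to dst_ip under POLICY?"""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return True  # same VLAN: the switch forwards it, the router never sees it
    for r in POLICY:
        if r.src != src_zone:
            continue
        if r.dst != dst_zone and r.dst != str(ip_address(dst_ip)):
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action == "accept"
    return False  # nothing matched: inter-zone default deny


def to_nftables() -> str:
    """Render POLICY as an nftables forward chain with a drop policy."""
    lines = [
        "table inet fw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for r in POLICY:
        match = f"ip saddr {ZONES[r.src][0]}"
        if r.dst == "INTERNET":
            match += f' oifname "{WAN_IF}"'
        elif r.dst in ZONES:
            match += f" ip daddr {ZONES[r.dst][0]}"
        else:
            match += f" ip daddr {r.dst}"
        if r.proto is not None and r.dport is not None:
            match += f" {r.proto} dport {r.dport}"
        lines.append(f"    {match} {r.action}")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_nftables())
    # A lightbulb in IOT cannot open anything toward the LAN or KIDS...
    print(is_allowed("10.50.0.9", "10.10.0.5", "tcp", 445))   # False
    # ...but KIDS can print, and only print, on the IOT printer.
    print(is_allowed("10.40.0.7", "10.50.0.20", "tcp", 631))  # True
```

The rendered chain is what p0cc's second bullet looks like on a Linux router; on pfSense or a UniFi gateway the same matrix is entered as per-interface rules. Note what the model deliberately does not cover: discovery traffic. mDNS and SSDP are link-local multicast and never cross the router, so the "Chromecast from my phone" problem dano and KaiserPro raise is not solved by a forward rule at all but by the multicast repeater 8fingerlouie mentions (an mDNS reflector running on the router), which is a separate daemon from the filter and should be enabled only between the zones that actually need it.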
[+] dano|7 years ago|reply
Are you using a USG or an EdgeRouter? I've had trouble with broadcast-based access for printer and Chromecast discovery. Curious as to how you've resolved that issue.
[+] KaiserPro|7 years ago|reply
Most home routers are capable of hosting more than one access point; they are also capable of different VLANs and IP pools. You shouldn't need a second router.

For your phone to control your TV you'll most likely need to punch a hole in your segregation to make avahi work. Also, any app that controls any of your devices will most likely want a direct connection at some point.

Your printer is just as vulnerable as any IoT device.

Yes, it's a good idea, but it's really not simple to do in practice unless you are used to running your own network. Also, with the creeping rise of IPv6, you'll need to change how isolation is done again.

[+] wink|7 years ago|reply
Interesting aside: My whole life people were ridiculing me a bit for having 2 desktop PCs and a server on my home LAN.

Now it's turned around, and in my flat (2 people) I have 2 desktop PCs, a handful of laptops (obv. only 0-2 in use at the same time), a NAS, 2 Kindles, and 2 Android phones. Oh, and one XBox 360 that's hardly in use.

Compared to this infographic or that study with the 13 devices per person... sure, I might own 13 devices with a MAC address, but half of them are only switched on once per year...

As I don't use the Xbox for streaming, it might make sense to move it to the Guest Wifi, same as the Kindles. Maybe even the phones. But all in all, my devices are Windows, Linux and BSD boxes that are hopefully kept up to date.

TLDR: What's an IoT era? ;)