What is Everyones Thoughts

Posted on
Fri Mar 23, 2018 1:36 pm
Sharek326 offline
Posts: 377
Joined: Jul 20, 2014
Location: Lansford, PA

What is Everyones Thoughts

I wasn't really sure where this topic best fit in.

Recently I read an interesting article (link below) discussing micro-segmentation of all of our IoT devices. The article was based on Unifi equipment and how to implement it. Since my network is 100% Unifi I thought I would give it a go, since I do work from home on a company laptop, although it's all VPN.

I am interested in everyone else though. What do you do?

On a side note, I did have one odd thing happen. I needed to set up a VLAN interface on my Mac mini running Indigo. It's headless and I VNC into it. For some odd reason, if I tried to route to the IP the machine rebooted. Once I set the VLAN and went in via the VLAN IP everything was fine.


https://robpickering.com/ubiquiti-configure-micro-segmentation-for-iot-devices/

Posted on
Fri Mar 23, 2018 1:43 pm
Colorado4Wheeler offline
Posts: 2794
Joined: Jul 20, 2009
Location: Colorado

Re: What is Everyones Thoughts

I already do this heavily in my network. The Indigo server sits in a completely segmented network on my Zyxel firewall as do all my IoT devices with very strict rules for inbound access.

My Modest Contributions to Indigo:

HomeKit Bridge | Device Extensions | Security Manager | LCD Creator | Room-O-Matic | Smart Dimmer | Scene Toggle | Powermiser | Homebridge Buddy

Check Them Out Here

Posted on
Thu Mar 29, 2018 3:17 am
gt3mike offline
Posts: 225
Joined: Dec 31, 2017
Location: Colorado

Re: What is Everyones Thoughts

Right now, many of my IoT devices are on a guest network with no access to the main network. But I recognize that's a really weak solution and I've wanted to do something stronger for a while now. This article confirms that.

Colorado4Wheeler wrote:
I already do this heavily in my network. The Indigo server sits in a completely segmented network on my Zyxel firewall as do all my IoT devices with very strict rules for inbound access.


I was just looking at Zyxel's site. Are you using one of their USG devices?

Posted on
Thu Mar 29, 2018 5:36 am
DaveL17 offline
Posts: 6753
Joined: Aug 20, 2013
Location: Chicago, IL, USA

Re: What is Everyones Thoughts

Thanks for sharing this article. This is something that I've wanted to do for a while. I don't have many "traditional" IoT devices, but there's nothing wrong with upping security. I'm all Unifi too, so this is great.

I came here to drink milk and kick ass....and I've just finished my milk.

[My Plugins] - [My Forums]

Posted on
Thu Mar 29, 2018 7:01 am
autolog offline
Posts: 3988
Joined: Sep 10, 2013
Location: West Sussex, UK [GMT aka UTC]

Re: What is Everyones Thoughts

Thanks @Sharek326 for sharing the article. :)

I am not sure how well this would work (or how) with Indigo having various plugins that need to see the IoT devices, e.g.: Alexa-Hue plugin for the Amazon Echos, Lifx plugin for the lifx lamps etc.

It certainly could be applied to things that don't need that access e.g. my weather station that is hooked into Wunderground. :)

Posted on
Thu Mar 29, 2018 7:19 am
Sharek326 offline
Posts: 377
Joined: Jul 20, 2014
Location: Lansford, PA

Re: What is Everyones Thoughts

autolog wrote:
Thanks @Sharek326 for sharing the article. :)

I am not sure how well this would work (or how) with Indigo having various plugins that need to see the IoT devices, e.g.: Alexa-Hue plugin for the Amazon Echos, Lifx plugin for the lifx lamps etc.

It certainly could be applied to things that don't need that access e.g. my weather station that is hooked into Wunderground. :)



One of the biggest takeaways I got from this was one of my concerns from the start. As we add more devices to our networks we tend to open more and more ports on our firewalls to allow these things to all play well together, rendering our firewalls more and more useless. But if we break those devices off into a separate VLAN and create rules to limit the interaction between VLANs, we can create a more secure environment for our work laptops, home computers and cell phones. While the work I do on my work laptop wouldn't be classified as Fort Knox worthy, I am a Corporate Investigator by trade and often have sensitive employee information on my laptop.

Again, for every lock there is a key, and there is nothing that can't be circumvented. I think it just gives me more peace of mind knowing I am taking additional steps to lock down what I can.

Posted on
Thu Mar 29, 2018 9:04 am
jay (support) offline
Site Admin
Posts: 18219
Joined: Mar 19, 2008
Location: Austin, Texas

Re: What is Everyones Thoughts

Sharek326 wrote:
As we add more devices to out networks we tend to open more and more ports on our firewalls to allow these things to all play well together, rendering our firewalls more and more useless.


As for this specifically, I personally won't use any device that requires me to open holes in my firewall.

Jay (Indigo Support)
Twitter | Facebook | LinkedIn

Posted on
Thu Mar 29, 2018 9:13 am
gt3mike offline
Posts: 225
Joined: Dec 31, 2017
Location: Colorado

Re: What is Everyones Thoughts

jay (support) wrote:
Sharek326 wrote:
As we add more devices to out networks we tend to open more and more ports on our firewalls to allow these things to all play well together, rendering our firewalls more and more useless.


As for this specifically, I personally won't use any device that requires me to open holes in my firewall.

None of my IoT devices require me to open holes. But they do establish connections to external services, and that represents risk. It's a personal decision whether that level of risk is acceptable or not. Separating them to their own network segments and limiting/controlling their access to/from the "main" network reduces that risk somewhat.

It sounds like you are saying you wouldn't use any device that would require you to open holes. I agree with that.

Posted on
Thu Mar 29, 2018 9:28 am
Colorado4Wheeler offline
Posts: 2794
Joined: Jul 20, 2009
Location: Colorado

Re: What is Everyones Thoughts

gt3mike wrote:
I was just looking at Zyxel's site. Are you using one of their USG devices?

Yes, I have the USG50 at home. It's been a very good firewall.

jay (support) wrote:
As for this specifically, I personally won't use any device that requires me to open holes in my firewall.

This. You have to choose if you want to reach out from inside your house to a service that then has a tunnel back (e.g., Alexa, Siri, etc.), but I feel the risk of someone piggy-backing onto that tunnel is fairly nonexistent. But I won't poke a hole in my firewall. I've always used VPNs to gain access to my home network when I'm not there; my cameras are on my VPN, but only external cameras. I rely on camera views in HomeKit for anything else since I feel relatively comfortable with how that data gets from my house to my phone. But even then I'm pretty paranoid, as I shut down all ability to disable any kind of security system (locks, windows, doors, all home automation) when I'm away.

But, even with all of this, if someone wants in bad enough they'll get in, no matter what you do, unless you unplug entirely. I'm just making it hard for the average bear to make a dent.


Posted on
Thu Mar 29, 2018 9:28 am
jay (support) offline
Site Admin
Posts: 18219
Joined: Mar 19, 2008
Location: Austin, Texas

Re: What is Everyones Thoughts

gt3mike wrote:
It sounds like you are saying you wouldn't use any device that would require you to open holes. I agree with that.


Yep, that was the point of my post. There are other issues outlined in that article and you point out one which are valid concerns and require thought. This particular point for me, however, doesn't require any thought - I just won't do it.


Posted on
Thu Mar 29, 2018 10:14 am
Sharek326 offline
Posts: 377
Joined: Jul 20, 2014
Location: Lansford, PA

Re: What is Everyones Thoughts

Please don't look too far into what I am about to write or misunderstand. I am merely tossing out what ifs or could this happen in open forum.

Let's remove the holes in the firewall to the outside for a moment. With more and more devices like Alexa, HUE, and Vera, where third parties create skills that enhance the usage, is it possible that malicious skills could be written? We then add this skill and now there is no need for opening a port in the firewall; we just put the problem behind it.

Isolating networks could also prevent these devices from ever seeing the computer you do your banking on. Again I am no authority on what goes into the design or approval of these skills.

Posted on
Thu Mar 29, 2018 10:22 am
Colorado4Wheeler offline
Posts: 2794
Joined: Jul 20, 2009
Location: Colorado

Re: What is Everyones Thoughts

Sharek326 wrote:
With more and ore devices like Alexa, HUE, and Vera where third parties create skills that enhance the usage is it possible that malicious skills could be written.

That's why I don't use skills unless I know it's from a trusted source - but even then I'm pretty selective because you can do what you want with code and the user never knows. But I think that's mostly to protect privacy rather than hacking, the Node servers should pretty much prevent anyone from backtracking into your home but why tempt fate?

My Alexa has two skills: Hue and OurGroceries. HomeKit has one accessory: HomeKit Bridge/Homebridge. I wouldn't use Google Assistant if my life depended on it and Cortana, well, she's cute isn't she? She tries so hard and fails so hard.

You can be absolutely paranoid about it all if you choose. In that case don't use a plugin either because what has more access to your network and computer than an Indigo plugin? And what about Chinese camera manufacturers that have built in back-doors that have been repeatedly used by hackers? Stop buying cameras. There are a lot of folks making Z-wave devices, who knows what's happening there, better stop that too.

In the end you have to mitigate your exposure based on your comfort level and your level of paranoia. Turn it all off - that's the only way to protect yourself; otherwise just don't be dumb about things. Have a strong security policy for your home, data, emails and everything and you'll likely be fine. I don't have any two things on the web or in my home that have the same password. Good luck, hacker.

I'm not paranoid, everyone's out to get me and I know it. :shock:


Posted on
Thu Mar 29, 2018 11:29 am
Sharek326 offline
Posts: 377
Joined: Jul 20, 2014
Location: Lansford, PA

Re: What is Everyones Thoughts

Colorado4Wheeler wrote:
That's why I don't use skills unless I know it's from a trusted source - but even then I'm pretty selective because you can do what you want with code and the user never knows. But I think that's mostly to protect privacy rather than hacking, the Node servers should pretty much prevent anyone from backtracking into your home but why tempt fate?

My Alexa has two skills: Hue and OurGroceries. HomeKit has one accessory: HomeKit Bridge/Homebridge. I wouldn't use Google Assistant if my life depended on it and Cortana, well, she's cute isn't she? She tries so hard and fails so hard.

You can be absolutely paranoid about it all if you choose. In that case don't use a plugin either because what has more access to your network and computer than an Indigo plugin? And what about Chinese camera manufacturers that have built in back-doors that have been repeatedly used by hackers? Stop buying cameras. There are a lot of folks making Z-wave devices, who knows what's happening there, better stop that too.

In the end you have to mitigate your exposure based on your comfort level and your level of paranoia. Turn it all off - that's the only way to protect yourself; otherwise just don't be dumb about things. Have a strong security policy for your home, data, emails and everything and you'll likely be fine. I don't have any two things on the web or in my home that have the same password. Good luck, hacker.

I'm not paranoid, everyone's out to get me and I know it. :shock:



I was trying to dance around that whole Indigo plugin thing so as not to offend any of the work any of you do. And while I don't consider myself a paranoid person, I agree with what you are saying: having a strict network security policy can protect you from the average Joe.

I personally don't think IoT isolation is the cure-all to any breach or risk you may encounter, but I think there is merit in using it as one of many tools.

Who is worried about Chinese camera manufacturers when we've got pilots spotting UFOs in Arizona? It was just on my local news.

https://www.cnn.com/2018/03/29/us/arizona-pilots-ufo-sightings/index.html

Posted on
Thu Mar 29, 2018 5:35 pm
jay (support) offline
Site Admin
Posts: 18219
Joined: Mar 19, 2008
Location: Austin, Texas

Re: What is Everyones Thoughts

The reflector doesn't require an open port...

And I stand by my position. Holes in firewalls are an attack vector, one which I don't believe is worth the risk.


Posted on
Sat Mar 31, 2018 11:14 am
DaveL17 offline
Posts: 6753
Joined: Aug 20, 2013
Location: Chicago, IL, USA

Re: What is Everyones Thoughts

Monkeying around with this concept today, and there are some differences between the example posted in the OP article and the current version of the Unifi controller. This seems to work for me, but folks who actually know what they're doing, please correct me.

The current version of the Unifi controller (in my case 5.6.30) has the firewall rules broken out into categories (WAN IN, WAN OUT, ...):

[Screenshot: Screen Shot 2018-03-31 at 11.56.31 AM.png, the firewall rule categories (WAN IN, WAN OUT, LAN IN, ...) in the Unifi controller]

So, in order to block traffic between the Private network and the IoT network, I needed to apply the rule discussed in the article to the LAN group. I decided to add mine to the LAN IN group which, based on my understanding, blocks traffic on the LAN from coming IN to the Private network (destination) from the IoT network (source). If I'm getting this, I could just as easily have added the rule to the LAN OUT group and flipped the source and destination.

[Screenshot: Screen Shot 2018-03-31 at 11.58.40 AM.png, the LAN IN rule with the IoT network as source and the Private network as destination]


With this setup, I'm able to ping an iPad (connected to IoT network) from the Private network, but I can't ping a computer on the Private network from IoT.

