One of the big problems with IoT gear is network security. The things we are buying are gathering information and sending it out to who knows where. In 2015, Samsung issued a warning to consumers not to discuss personal information within earshot of its televisions because the TV was listening, recording, and passing along what it heard. Google has had similar problems with its own products.
For those of you who are IT nerds, some of this will seem basic. My apologies; I am still learning, and I assume that a good number of the people who read this blog are as well.
IoT devices are notoriously insecure because manufacturers frequently prioritize low costs and rapid production over robust security. These devices often suffer from weak default credentials, a lack of encryption, and limited hardware capacity for security software, making them easy targets for hackers to hijack and form botnets or even to spy on you and sell your information to others.
Using VLANs can help with that. A virtual LAN, or VLAN, allows you to maintain separate, distinct networks within your physical network. These virtual networks are like tiny virtual containers that, by default, cannot talk to or even see each other, but can be configured to pass as much or as little traffic between each other as you desire. That’s where the security comes in.
By creating different ‘trust’ levels within your home network, you can build a system whereby those inside your guest VLAN can only communicate with the Internet or your printer, but nothing else. This prevents a guest from snooping through your files, accessing your router controls, or causing other trouble, accidental or otherwise. Placing all of your IoT devices in another VLAN keeps them isolated from the rest of your network and lets you control where, and how much, information they can send or receive. Trusted devices such as your cell phone or laptop can be configured to have no restrictions.
In short, it increases security by giving devices “need to know” access without giving them access to things they shouldn’t be accessing. That’s what this new system I am installing does. I set up a few different VLANs:
- Trusted. Devices within this VLAN will have IP addresses ending in 20.xx
- IoT devices. Devices within this VLAN will have IP addresses ending in 30.xx
- Storage. Devices within this VLAN will have IP addresses ending in 40.xx
- Guest. Devices within this VLAN will have IP addresses ending in 50.xx
- Cameras. Devices within this VLAN will have IP addresses ending in 60.xx
Each IP range can then be assigned any number of permissions. For example, IP addresses ending in 50.xx are set up to only be able to access the Internet and a printer. Guests will therefore be allowed to print or surf the Internet, but that is all.
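To make the “need to know” idea concrete, here is a small model of the inter-VLAN policy described above: a default-deny rule table where each VLAN gets only the explicit allows it needs, evaluated against a few constructed test flows. This is an added example, not configuration from the post or from any particular router. It assumes the five subnets are 192.168.20.0/24 through 192.168.60.0/24 (the post only gives the “20.xx” style suffixes), that the shared printer sits on the Trusted VLAN at 192.168.20.50, and that the real firewall is stateful, so only the direction in which a connection is opened needs a rule.

```python
"""Default-deny inter-VLAN policy model (added example, not the post's own config).

Assumptions, labelled here because the post does not state them:
  - subnets are 192.168.<vlan>.0/24 with vlan in {20,30,40,50,60}
  - the printer is on the Trusted VLAN at 192.168.20.50
  - the firewall is stateful: we only decide who may *initiate* a connection
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Optional

VLANS = {
    "trusted": ip_network("192.168.20.0/24"),   # phones, laptops: unrestricted
    "iot": ip_network("192.168.30.0/24"),       # smart TVs, plugs, speakers
    "storage": ip_network("192.168.40.0/24"),   # NAS / file shares
    "guest": ip_network("192.168.50.0/24"),     # visitors
    "cameras": ip_network("192.168.60.0/24"),   # security cameras
}
PRINTER = ip_address("192.168.20.50")  # assumed location of the shared printer
INTERNET = "internet"                  # pseudo-label for any non-LAN address


@dataclass(frozen=True)
class Rule:
    src: str             # VLAN name or "any"
    dst: str             # VLAN name, "internet", "any", or "host:<ip>"
    dport: Optional[int] # None = any port
    action: str          # "allow" or "deny"


# Ordered, first match wins. Anything that matches nothing is dropped,
# which is what gives each VLAN "need to know" access and nothing more.
RULES: List[Rule] = [
    Rule("trusted", "any", None, "allow"),                 # trusted: no restrictions
    Rule("guest", INTERNET, None, "allow"),                # guests: Internet...
    Rule("guest", f"host:{PRINTER}", 631, "allow"),        # ...and IPP printing
    Rule("guest", f"host:{PRINTER}", 9100, "allow"),       # ...or raw-socket printing
    Rule("iot", INTERNET, None, "allow"),                  # IoT may reach the Internet
    # No rules for "cameras" or "storage" as a source: they can initiate nothing.
    # Trusted devices can still reach them because "trusted -> any" is allowed.
]


def vlan_of(ip: IPv4Address) -> Optional[str]:
    """Name of the VLAN containing ip, or None for an address outside the LAN."""
    for name, net in VLANS.items():
        if ip in net:
            return name
    return None


def destination_labels(dst: IPv4Address) -> List[str]:
    """Every rule label a destination matches, most specific first."""
    vlan = vlan_of(dst)
    return [f"host:{dst}", vlan if vlan else INTERNET, "any"]


def is_allowed(src: str, dst: str, dport: int) -> bool:
    """May a device at src open a connection to dst:dport under RULES?"""
    s, d = ip_address(src), ip_address(dst)
    src_vlan = vlan_of(s)
    if src_vlan is None:
        return False  # unsolicited connections from the Internet are never allowed
    labels = destination_labels(d)
    for rule in RULES:
        if rule.src not in (src_vlan, "any"):
            continue
        if rule.dst not in labels:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action == "allow"
    return False  # default deny


if __name__ == "__main__":
    # Constructed sample flows illustrating the trust levels in the post.
    flows = [
        ("192.168.50.7", "8.8.8.8", 443),          # guest -> Internet
        ("192.168.50.7", "192.168.20.50", 631),    # guest -> printer
        ("192.168.50.7", "192.168.20.11", 22),     # guest -> trusted laptop
        ("192.168.30.5", "192.168.40.2", 445),     # smart TV -> NAS
        ("192.168.30.5", "1.1.1.1", 443),          # smart TV -> Internet
        ("192.168.20.11", "192.168.60.3", 554),    # laptop -> camera stream
        ("192.168.60.3", "1.1.1.1", 443),          # camera -> Internet
        ("203.0.113.9", "192.168.20.11", 22),      # Internet -> laptop
    ]
    for src, dst, port in flows:
        print(f"{src:>14} -> {dst:>14}:{port:<5} {'ALLOW' if is_allowed(src, dst, port) else 'DENY'}")
```

The point worth checking on a real router is the last rule that fires when nothing matches: if the inter-VLAN default is “allow”, the VLANs give you organisation but no isolation, and the smart TV on 30.xx can still browse the NAS on 40.xx. Translating the table above into your firewall’s syntax is mechanical; making sure the default is deny is the part that matters.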
So that is the plan for our network security here at the Ocho. Will it stand up to determined hacking or the NSA peeping at my stuff? Of course not. Is it better and more robust than what I have had in the past? Certainly. Perhaps it will cause those devices and people with nefarious intent to look elsewhere for lower hanging fruit.
Now if you will excuse me, today is going to be a pleasant, breezy 84 degrees, so I am going to go mow the lawn.