One of the big problems with IoT stuff is net security. The things we are buying are gathering information and sending it out to who knows where. In 2015, Samsung issued a warning to consumers not to discuss personal information within earshot of its televisions because the TV was listening, recording, and passing along what it hears. Google has had similar problems with its own stuff.
For those of you who are IT nerds, some of this will seem basic. My apologies; I am still learning, and I assume that a good number of the people who read this blog are as well.
IoT devices are notoriously insecure because manufacturers frequently prioritize low costs and rapid production over robust security. These devices often suffer from weak default credentials, a lack of encryption, and limited hardware capacity for security software, making them easy targets for hackers to hijack and form botnets or even to spy on you and sell your information to others.
Using VLANs can help with that. A virtual LAN, or VLAN, lets you run several separate, distinct networks on the same physical network. These virtual networks are like small containers that by default cannot talk to or even see each other, but can be configured to exchange as much or as little traffic between them as you want. That’s where the security comes in.
By creating different ‘trust’ levels within your home network, you can create a system whereby those who are inside of your guest VLAN can only communicate with the Internet or your printer, but nothing else. This prevents a guest from snooping through your files, accessing your router controls, or other mistakes. Placing all of your IoT devices in another VLAN will keep them isolated from other parts of your network and allow you to control where and how much information they can send or receive. Trusted devices such as your cell phone or laptop can be configured to have no restrictions.
In short, it increases security by giving devices “need to know” access without giving them access to things they shouldn’t be accessing. That’s what this new system I am installing does. I set up a few different VLANs:
- Trusted. Devices within this VLAN will have IP addresses ending in 20.xx
- IoT devices. Devices within this VLAN will have IP addresses ending in 30.xx
- Storage. Devices within this VLAN will have IP addresses ending in 40.xx
- Guest. Devices within this VLAN will have IP addresses ending in 50.xx
- Cameras. Devices within this VLAN will have IP addresses ending in 60.xx
Each IP range can then be assigned any number of permissions. For example, IP addresses ending in 50.xx are set up so that they can only reach the Internet and a printer. Guests will therefore be allowed to print or surf the Internet, but that is all.
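To make that plan concrete, here is an added example (not code from the post or from any router) that models the VLAN policy above as a default-deny table in Python and audits it for the rules that matter most. The 192.168 prefix, the printer address, the print ports and the allow table are assumptions; the post only gives the third octet of each range.

```python
import ipaddress

# Added example. The post gives only the third octet (20.xx, 30.xx, ...); the
# 192.168.0.0/16 prefix, printer address and allow table are assumptions.
VLANS = {
    "trusted": ipaddress.ip_network("192.168.20.0/24"),
    "iot": ipaddress.ip_network("192.168.30.0/24"),
    "storage": ipaddress.ip_network("192.168.40.0/24"),
    "guest": ipaddress.ip_network("192.168.50.0/24"),
    "cameras": ipaddress.ip_network("192.168.60.0/24"),
}
PRINTER = ipaddress.ip_address("192.168.20.9")  # constructed address for the shared printer
PRINT_PORTS = {631, 9100}                        # IPP and raw (JetDirect) printing

# Zone pairs that may open connections. Anything not listed is denied, so a
# forgotten rule fails closed. Return traffic is left to a stateful firewall.
ALLOW = {
    ("trusted", "iot"), ("trusted", "storage"), ("trusted", "cameras"),
    ("trusted", "guest"), ("trusted", "internet"),
    ("iot", "internet"),      # cloud-dependent gadgets keep working
    ("guest", "internet"),
    ("storage", "internet"),  # assumption: the NAS fetches its own updates
    # cameras get no internet: viewed from trusted, never pushed to a cloud
}

def zone_of(ip: str) -> str:
    """Map an address to its VLAN name, or 'internet' if it is not a local VLAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "internet"

def allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Decide whether a new connection from src to dst:port is permitted."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True  # same VLAN: the switch forwards it without the firewall
    if src == "guest" and ipaddress.ip_address(dst_ip) == PRINTER and dst_port in PRINT_PORTS:
        return True  # the single guest-to-LAN exception the post describes
    return (src, dst) in ALLOW

def audit(policy=ALLOW) -> list:
    """List policy entries that break the post's invariant: nothing in the
    untrusted zones (IoT, guest, cameras) may reach trusted or storage."""
    return sorted(f"{s} -> {d}" for s, d in policy
                  if s in ("iot", "guest", "cameras") and d in ("trusted", "storage"))
```

Run `audit()` after every rule change; an empty list means the isolation the post is after still holds.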
So that is the plan for our network security here at the Ocho. Will it stand up to determined hacking or the NSA peeping at my stuff? Of course not. Is it better and more robust than what I have had in the past? Certainly. Perhaps it will cause those devices and people with nefarious intent to look elsewhere for lower-hanging fruit.
Now if you will excuse me, today is going to be a pleasant, breezy 84 degrees, so I am going to go mow the lawn.
8 Comments
Joe Blow · June 4, 2026 at 8:08 am
Really really smart IT guys that know way more than me when queried repeatedly say they do NOT have any of those gizmos in their homes. You’re aware of the potential for nefarious uses. I have refused to allow my wife to get a Ring camera, nor any other IoT device for those reasons. I don’t understand the things my accountant says, but I trust her and follow her instructions. Same-same.
Divemedic · June 4, 2026 at 10:31 am
That’s why I only use ring cameras on the outside of the house.
I would also add that you probably have IoT devices and don’t even realize it. If you have bought anything with a computer chip in it for the past decade, it phones home whether you know it or not. Your car, television, and appliances like refrigerators and even toasters. They all do it.
The most valuable thing today is information, and everyone is selling. Those customer loyalty cards? Yeah, even the information on your shopping habits is for sale.
noiot · June 5, 2026 at 12:35 am
All those things you listed are pretty easy to avoid. There are still old toasters out there and appliances that have no network ability. For the ones that do, don’t hook them into your local LAN. I don’t have my TV hooked up to my Wi-Fi. I use an old computer hooked up via HDMI to watch YouTube, Netflix or whatever.
Downwind of Seattle · June 4, 2026 at 10:36 am
I prefer the triple router/firewall model… One at the Internet connection feeding two different routers/firewalls. One for the home computer network and one for the idIOT devices… That way, when (not if) one of them gets compromised they don’t have any access to the computer traffic. You also can improve the security of idIOT devices by only using IPv4 so they don’t register with who knows what IPv6 DHCP and/or DNS server.
Divemedic · June 4, 2026 at 10:42 am
That’s essentially what’s being built here. Each VLAN is its own network with its own firewall.
High Risk:
- Smart TVs
- Ring devices
- Random IoT gadgets
- Printers
Moderate Risk:
- Phones
- Tablets
Low Risk:
- Synology
- Managed switches
- Router
Putting the first group into VLAN 30 and blocking access to Trusted devices addresses the largest risk.
Liberty · June 4, 2026 at 11:29 am
Separating IoT devices to their own VLAN limits the mischief if one device was to get hacked. But it does nothing for data harvesting/privacy concerns.
I have been experimenting with blocking outbound access for devices. Sometimes the only outbound traffic is your data being harvested.
Divemedic · June 4, 2026 at 2:37 pm
It limits the exposure of the IoT device to the rest of the network.
paul · June 5, 2026 at 1:50 pm
I have my own router. I don’t care what the ISP provides, my LAN, my router. All I want is a connection to the ‘net.
I have a Pi-hole for DNS. Runs on a Raspberry. Works great for blocking ads for the entire network. My router is at 192.168.0.25 and the pi is at 0.24 for DNS. Everything goes through the Pi.
Kindle tries to cheat. I set an IP address for it, 0.90, just like on a PC, and it keeps the 8.8.8.8 to Google. So I blocked 0.90 from Google. Kindle works fine.
I can block .90 at the router but then I can’t do anything with the Kindle, no mail or web or downloading books.
My TV isn’t smart. I don’t have anything else trying to connect.