How to Isolate Designated Devices from the Rest of the LAN? (e.g., Isolate IoT devices on the LAN)

I have a variety of IoT devices (appliances) on my home network. The ones I am concerned about are for swimming pool controls (e.g., filter pump, etc.) and a new oven for the kitchen. I also have a couple TiVos, ethernet-enabled Blu-ray players, etc. I anticipate more devices in the future (cameras? doorbell? coyote sensors? whatever?).

Some devices support manual network configuration with dedicated IP addresses. Others are DHCP only. Some devices are WiFi only. Yet other devices are both WiFi-only and DHCP-only. I don't mind experimenting a little bit, but I don't want to leave them permanently on the home LAN for a long time, waiting for them to be compromised and attack my computers on the LAN someday in the future.

The LAN runs from a consumer-grade unmanaged 24-port switch behind the UTM. The 24-port switch connects to the LAN side of the UTM. There are four WiFi access points connected to the switch, which are all consumer-grade routers that are configured as bridges (no NAT, no DHCP, no routing) and as unmanaged switches. The UTM is the DHCP server. 

-> What is the best and easiest way to isolate IoT devices/appliances from the rest of the LAN? 

I wonder about how a VLAN (or multiple VLANs, one per IoT device??) might work. How do I prevent the IoT devices from seeing the other sensitive devices on the switch? Can a non-managed switch handle multiple LANs simultaneously? (E.g., a 192.168.20.x and 192.168.30.x on the same unmanaged switch?). Is it reasonably secure to assume that the IoT devices won't find the devices on the other "LANs" that are connected to the same switch?

Are there alternatives other than VLANs (assuming that VLANs would work)? 

How do I configure the UTM to isolate those IoT devices from the rest of the LAN? 



  • let's go by parts:

    with your topology, you can't do it securely.

    to expand:

    you can "isolate" them by using different IP networks for example, but they're all going to be sharing the same L2 domain, so all i need to do is change the IP of a device to another one (an nmap/network scan would be trivial to do) and i'll see the others.

    utmadm said:
    Can a non-managed switch handle multiple LANs simultaneously?

    a non-managed switch is transparent to L3 traffic; it doesn't care about anything above Ethernet frames

    utmadm said:
    Is it reasonably secure to assume that the IoT devices won't find the devices on the other "LANs" that are connected to the same switch?

    no, as i've said before, it's trivial to discover your network

    utmadm said:
    Are there alternatives other than VLANs (assuming that VLANs would work)? 

    no, unless you put in different physical switches and separate networks for the devices...

     

    one VLAN per device is not good from a management standpoint; it can be done, but your config will be very complicated and require a LOT of work on rules for each new device.

     

    Your best bet is to build VLANs according to importance, control being the most sensitive of all, like putting a vlan for each type of device, for example:

    VLAN for the pool sensors, then VLAN for the pump controls, same for the oven/furnace/whatever.

     

    you need a managed switch to apply per-port VLANs (you can also do automatic MAC-based VLANs, but changing a MAC is also doable..., but there are safeguards against that, it all depends on how far down the rabbit hole you want to go) and a dedicated multi-SSID wireless AP (they're cheap, for example, TP-Link WA901 or 801 can do it, almost any dedicated AP will, but not a router acting as an AP...), which can map different SSIDs to different VLANs.

     

    then on the UTM you make one interface per VLAN and do your rules accordingly, don't forget to set up one DHCP server per interface....
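One way to see the point about the shared L2 domain, as an added example (not from the original post or from Sophos): a toy switch model in Python that forwards on MAC addresses only. Port numbers, MAC addresses and VLAN ids are constructed assumptions; it shows that a broadcast from the pool controller reaches the PC on an unmanaged switch whatever subnet either uses, while per-port VLANs confine it to the trunk toward the UTM, where the firewall rules then apply.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str  # BROADCAST for an ARP request / discovery probe
    vlan: int     # VLAN the frame belongs to once inside the switch


class Switch:
    """Model of a switch keyed on MAC addresses only. port_vlans maps each
    port to the VLAN ids it may carry: an access port has one, a trunk
    (the uplink to the UTM) several. An unmanaged switch is the special
    case where every port is in the same VLAN; it never looks at the IP
    header, so 192.168.20.x and 192.168.30.x hosts look identical to it."""

    def __init__(self, port_vlans):
        self.port_vlans = {p: frozenset(v) for p, v in port_vlans.items()}
        self.mac_table = {}  # (vlan, mac) -> port, learned from source MACs

    def forward(self, ingress, frame):
        """Return the sorted list of egress ports that receive the frame."""
        if frame.vlan not in self.port_vlans[ingress]:
            return []  # VLAN not permitted on the ingress port: dropped
        self.mac_table[(frame.vlan, frame.src_mac)] = ingress
        learned = self.mac_table.get((frame.vlan, frame.dst_mac))
        if frame.dst_mac != BROADCAST and learned is not None:
            return [] if learned == ingress else [learned]
        # Broadcast or unknown unicast is flooded, but only to ports that
        # carry the frame's VLAN. With a single VLAN that is every port.
        return sorted(p for p, vlans in self.port_vlans.items()
                      if p != ingress and frame.vlan in vlans)


def discovery_reach(switch, ingress, src_mac):
    """Ports that hear a broadcast sent from an access port (the L2 reach
    of any discovery traffic, whatever IP subnet the sender uses)."""
    (vlan,) = switch.port_vlans[ingress]  # access ports carry exactly one VLAN
    return switch.forward(ingress, Frame(src_mac, BROADCAST, vlan))


# Constructed topology: port 1 = desktop PC, port 2 = pool controller,
# port 3 = uplink to the UTM. MAC addresses are made up for the example.
UNMANAGED = Switch({1: {1}, 2: {1}, 3: {1}})
MANAGED = Switch({1: {20}, 2: {30}, 3: {20, 30}})  # trunk carries both tags


def pool_controller_reach(switch):
    return discovery_reach(switch, 2, "02:00:00:00:00:02")
```

On the unmanaged model the controller's broadcast lands on the PC's port regardless of IP addressing; on the managed model only the UTM trunk hears it, which is why the per-VLAN interfaces and rules on the UTM become the actual security boundary.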

  • Thanks for this helpful input. I am still thinking about my next move.

    The problem seemed easy at first, until I thought about how many IoT devices I already have in my network. At first, I was only trying to isolate the pool control system and the new internet-connected (WiFi only) kitchen oven. Then I realized that we have a lot of internet-connected devices that might be thought of as IoT. In addition to the pool and oven, we also have Sony Blu-ray players, TiVos, Apple TVs, game consoles, and a whole lot of single board computers and other internet-connected gadgets for my tech-oriented child. Where do I draw the line? What can safely stay on the main LAN and what should be isolated?

    @Mast_01's input helped clarify my own thinking. I understand that running multiple IP networks on the same LAN is security by obscurity. At the same time, I wonder how many attackers write code that scans for additional IP networks on the same LAN, which must be a very rare corner case. 

    I could switch to a managed switch, but several of the LAN segments (ethernet cables) have multiple devices, so they terminate in an unmanaged Ethernet switch or the built-in Ethernet switch on a bridged router/access point. Even with a managed main switch, I have mixed devices on those outlying Ethernet switches.  

    To Everyone: What would you do?  Hmmm. 

  • Only you or a company near you that specializes in home networks can know whether it's more practical to add more Ethernet drops or to buy enough $65 8-port VLAN switches to replace the simple ones you have now.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
    your network seems too vast and with uncontrolled sprawl (concatenated dumb switches all over, wifi routers as APs, etc.) to do any kind of good security.

    the most you can do is to use a different subnet for each type of IoT device and assign static IPs to those devices (forget DHCP, in this case it can't be done) so that you can apply the minimum of packet filters necessary (either a short list of ports or, if you know the IP ranges of the target servers, then you can apply that as well) and BW control rules. But i don't know how your IoT devices are accessed: whether they are accessed directly through the LAN, whether they all use some kind of mobile app that goes through a public service, or whether they require direct access (DNAT rules/UPnP)

    you could try to isolate the high risk control devices with managed switches if they're not behind dumb switches.

     

    if it were me i wouldn't bother for the IoT devices, or at least would do the subnetting alone.

    utmadm said:
    At the same time, I wonder how many attackers write code that scans for additional IP networks on the same LAN, which must be a very rare corner case. 

    don't ever underestimate the hackers' resourcefulness. i had a couple of clients with an RDP forward rule to servers using a nonstandard port; i mean, who would even bother to check RDP on those ports (even with portscan protection on the UTM)? next thing we knew, hackers got through RDP on the custom port, bruteforced the admin's password and dropped a cryptoware inside.....