Sophos XG v18 IoT security setup and/or suggestion for best practices

I am looking to secure my internal network with the IoT devices.

Currently I have a home automation system that controls the IoT devices. There are 20+ devices. Each device has a static IP based on the MAC ID setup in XG.

Current Setup:

Modem <> Sophos XG v18 <> Switch <> WiFi via Unifi APs
                          Network PC with VM (home automation) & Plex server (this PC is wired)
                          NAS (wired)
                          Have 5 security cameras (wired)

My goal is to secure the wireless IoT devices as well as the security cameras.

I need the home automation (VM) to be able to contact the IoT devices. The NAS controls the security cameras so this also needs to have contact with the cameras.

I have seen some posts on setting up a WiFi for the IoT devices and creating some VLANs. I have also seen some posts on using the MAC IDs to do some policies/filtering. Looking for the easiest and best practice to secure.

Thanks

  • Hi,

    I use a separate network for my IoT devices. Where possible, limit their ports and the sites they can contact. I also use clientless access as a management with static IP addresses.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I am not very technical in the networking realm.

    Can you elaborate? Like all the IoT devices are on a private network including WiFi?

    What is clientless access?

    Thanks

  • Hi James,

    Clientless access is set up in the authentication tab, where you assign user name, IP address, email address (issue dummy email addresses) and group. Now you can use the groups to control access to firewall rules. Clientless access only works if you are using static IP address assignments.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hello Jason,

    In addition to what rfcat_vk suggested, if you have an IoT device that does not work, the recommendation is to first have it working with no filtering/scanning/decryption. Once this is working, you can then make changes that improve security around these devices.

    Firewall Rule - The IoT device should hit a rule that has no web policy and no malware scanning.

    SSL/TLS inspection rules - The IoT device traffic should hit a rule that is Don't Decrypt with a profile Maximum Compatibility, or it should have no matching rule. If you have some TLS decryption rules for some things, you can create a higher level rule with don't decrypt that uses a source of your device, similar to your firewall rule.

    These recommendations are from this RR that includes IoT.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Segregating your networks into separate VLANs is a common technique to separate your less secure devices (e.g. IoT devices) from your more secure devices (e.g. computers). However, one issue you will run into is if those IoT devices need to communicate with your secure devices since they're on separate VLANs. Many IoT devices use mDNS and Sophos XG does not have an mDNS or avahi reflector to re-broadcast mDNS from one network to another network.

    Knowing this, I simply keep all of my IoT devices that utilize mDNS and need to communicate with my more secure devices locally on the same network (e.g. Apple TVs, Apple HomePods, Home Assistant, etc.). I put the rest of my less secure devices on my guest network which is a separate VLAN. You could technically host an mDNS/avahi reflector on a separate device if you wanted to, but I just haven't found the need (pretty sure if you're on this forum, your home network is probably already more secure than 99% of home networks).

    Also, I'm sure you know this but since it wasn't mentioned in your original post I figured I'd just mention it. You will need a managed switch if you plan on using VLANs.

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • Here is what I have done so far.

    I set up a WiFi network for the IoT devices via UniFi.

    I then created a VLAN using the LAN interface and gave it a different IP address than the LAN.

    I created 3 firewall rules:

    One to drop connections from the VLAN to the LAN.

    Allow traffic from the VLAN to WAN.

    Allow traffic from LAN to VLAN.

    Does this sound like an appropriate start?

  • Hi,

    Sounds good; you do not need the "drop connections from VLAN to LAN" rule.

    Basically it sounds like a simpler version of what I have created.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.
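
The three rules James listed, and Ian's point that the explicit VLAN-to-LAN drop is unnecessary, as an added Python model. This is not Sophos code and not from either poster: it assumes a first-match rule table, an implicit final DROP for traffic that matches no rule, and stateful connection tracking, with the zone names "LAN", "IoT" and "WAN" and all addresses constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Added example: a zone-based, first-match rule model with a connection-tracking
# table. It is not Sophos code; the zone names and the implicit final DROP are
# assumptions of the model.


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str  # "ALLOW" or "DROP"


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


DEFAULT_ACTION = "DROP"  # assumption: a packet matching no rule is dropped

FlowKey = Tuple[str, str, int, str, int]


def flow_key(pkt: Packet) -> FlowKey:
    """Direction-independent 5-tuple, so a reply maps onto its original session."""
    lo, hi = sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])
    return (pkt.proto, lo[0], lo[1], hi[0], hi[1])


class StatefulFirewall:
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.sessions: Set[FlowKey] = set()  # established sessions

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        """Return (action, reason). Packets of an established session are allowed
        before the rule table is consulted, which is why replies to LAN->IoT
        traffic get back without any IoT->LAN allow rule."""
        key = flow_key(pkt)
        if key in self.sessions:
            return "ALLOW", "established-session"
        for rule in self.rules:
            if rule.src_zone == pkt.src_zone and rule.dst_zone == pkt.dst_zone:
                if rule.action == "ALLOW":
                    self.sessions.add(key)
                return rule.action, rule.name
        return DEFAULT_ACTION, "implicit-default"


# The three rules from the post, and the same set with the explicit drop removed.
WITH_DROP = [
    Rule("Drop IoT to LAN", "IoT", "LAN", "DROP"),
    Rule("Allow IoT to WAN", "IoT", "WAN", "ALLOW"),
    Rule("Allow LAN to IoT", "LAN", "IoT", "ALLOW"),
]
WITHOUT_DROP = [r for r in WITH_DROP if r.action == "ALLOW"]

# Constructed sample traffic: LAN 192.168.1.0/24, IoT VLAN 192.168.20.0/24.
SAMPLE_PACKETS = [
    ("unsolicited IoT -> NAS (SMB)", Packet("IoT", "LAN", "192.168.20.50", 40001, "192.168.1.10", 445)),
    ("IoT -> vendor cloud (HTTPS)", Packet("IoT", "WAN", "192.168.20.50", 40002, "203.0.113.10", 443)),
    ("home automation VM -> IoT device", Packet("LAN", "IoT", "192.168.1.20", 50000, "192.168.20.50", 80)),
    ("IoT device reply -> VM", Packet("IoT", "LAN", "192.168.20.50", 80, "192.168.1.20", 50000)),
]


def run_scenario(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Push the sample packets through a fresh firewall; return (label, action, reason)."""
    fw = StatefulFirewall(rules)
    return [(label, *fw.decide(pkt)) for label, pkt in SAMPLE_PACKETS]


def same_decisions(rules_a: List[Rule], rules_b: List[Rule]) -> bool:
    """True when both rulesets reach the same allow/drop verdict on every packet."""
    return [a[1] for a in run_scenario(rules_a)] == [b[1] for b in run_scenario(rules_b)]


if __name__ == "__main__":
    for label, action, reason in run_scenario(WITH_DROP):
        print(f"{label:36s} {action:5s} via {reason}")
    print("explicit drop rule changes nothing:", same_decisions(WITH_DROP, WITHOUT_DROP))
```

Run as a script it prints each verdict and the rule that produced it; the unsolicited IoT-to-LAN packet is dropped by the explicit rule in one set and by the implicit default in the other, while the IoT device's reply to the home automation VM is allowed in both because it belongs to a session the LAN-to-IoT rule already opened.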

  • I plan to start testing the setup with one device and make sure I can get it to work.

    What do I do with the hard wired cameras? Do I create a VLAN on a switch to separate them?

  • Hi Jason,

    If your switch has the VLAN capability, that is a good way to go. You will need to ensure you have logging enabled on your firewall rules to see which ports are used, so you can limit access. I have a rule for almost every device limiting them to their ports and websites.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.
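
Ian's suggestion of logging the rules first and then limiting each device to the ports it actually uses, as an added Python example (not Sophos code and not Ian's). The log lines are constructed in a generic key=value style to stand in for allow/drop events; they are not the exact Sophos XG log format, so the field names and the regular expression are assumptions to adapt to whatever export you have.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Added example, not Sophos code. The lines below are constructed in a generic
# key=value style to stand in for allow/drop events; they are NOT the exact
# Sophos XG log format, so adapt FIELD_RE and the field names to your export.
SAMPLE_LOG = """\
ts=2024-05-01T10:00:01 rule="Allow IoT to WAN" action=allow src=192.168.20.50 dst=203.0.113.10 proto=tcp dport=443
ts=2024-05-01T10:00:05 rule="Allow IoT to WAN" action=allow src=192.168.20.50 dst=203.0.113.10 proto=tcp dport=443
ts=2024-05-01T10:00:09 rule="Allow IoT to WAN" action=allow src=192.168.20.50 dst=192.0.2.53 proto=udp dport=123
ts=2024-05-01T10:01:00 rule="Allow IoT to WAN" action=allow src=192.168.20.51 dst=198.51.100.7 proto=tcp dport=8883
ts=2024-05-01T10:01:30 rule="Allow IoT to WAN" action=allow src=192.168.20.51 dst=198.51.100.7 proto=tcp dport=8883
ts=2024-05-01T10:02:00 rule="Allow IoT to WAN" action=allow src=192.168.20.51 dst=203.0.113.99 proto=tcp dport=443
ts=2024-05-01T10:02:10 rule="Default drop" action=drop src=192.168.20.51 dst=192.168.1.10 proto=tcp dport=445
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

Destination = Tuple[str, str, int]  # (dst host, proto, dport)


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict, dropping quotes around values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def summarize(log_text: str) -> Tuple[Dict[str, Set[Destination]], Dict[str, int]]:
    """Return (allowed destinations per source IP, count of dropped packets per source IP)."""
    allowed: Dict[str, Set[Destination]] = defaultdict(set)
    dropped: Dict[str, int] = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        dest = (f["dst"], f["proto"], int(f["dport"]))
        if f["action"] == "allow":
            allowed[f["src"]].add(dest)
        else:
            dropped[f["src"]] += 1
    return dict(allowed), dict(dropped)


def allowlist_for(allowed: Dict[str, Set[Destination]], src: str) -> List[Destination]:
    """The minimal set of (host, proto, port) a device was seen using, sorted for a rule."""
    return sorted(allowed.get(src, set()))


if __name__ == "__main__":
    allowed, dropped = summarize(SAMPLE_LOG)
    for src in sorted(allowed):
        print(src)
        for host, proto, port in allowlist_for(allowed, src):
            print(f"  allow {proto}/{port} to {host}")
        if dropped.get(src):
            print(f"  ({dropped[src]} dropped packet(s) from this device)")
```

The per-device list that comes out is the candidate for a tightened firewall rule (one rule per device, as Ian describes), and the drop count shows which devices are trying to reach somewhere the rules already forbid; collect the log over long enough that firmware updates and the occasional time sync have all shown up before cutting the allow rule down.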

  • I am struggling getting my wireless network going for the IoT devices.

    I set up a new network in UniFi.

    I then created my IoT wifi.

    Created a VLAN.

    Created a DHCP.

    I have firewall rules for the IoT VLAN.

    I currently cannot get an IP address from my DHCP range on my wifi network. I get an error stating there is no internet and the IP address is a random one, not in any of my IP ranges.

    What did I set up wrong or miss?
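
An added Python diagnostic for the addressing side of the problem in the last post (not Sophos or UniFi code, and not from any poster). A client that gets no DHCP reply self-assigns a link-local address in 169.254.0.0/16, which fits the "random address, not in any of my ranges" symptom, so the first check is which of those cases the client is in; the second is that the VLAN interface address and the DHCP pool on the XG actually agree. The subnet, pool and client addresses are constructed, and the script cannot see the VLAN tagging between the UniFi SSID, the switch port and the XG interface, which is the other place this usually goes wrong.

```python
import ipaddress
from typing import List

# Added example, not Sophos or UniFi code. The subnet, pool and client addresses
# are constructed for illustration; substitute the values from your XG VLAN
# interface and DHCP server.
APIPA = ipaddress.ip_network("169.254.0.0/16")  # link-local range clients fall back to


def check_pool(iface_cidr: str, pool_start: str, pool_end: str) -> List[str]:
    """Return findings about the DHCP pool versus the VLAN interface; empty means consistent."""
    iface = ipaddress.ip_interface(iface_cidr)
    net = iface.network
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    findings: List[str] = []
    if start > end:
        findings.append("pool start is after pool end")
    if start not in net or end not in net:
        findings.append(f"pool {start}-{end} lies outside the VLAN subnet {net}")
        return findings
    if start <= iface.ip <= end:
        findings.append(f"pool overlaps the VLAN interface address {iface.ip}")
    if start == net.network_address or end == net.broadcast_address:
        findings.append("pool includes the network or broadcast address")
    return findings


def classify_client_address(addr: str, iface_cidr: str, pool_start: str, pool_end: str) -> str:
    """Say where the address a client ended up with sits, relative to the IoT VLAN plan."""
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_interface(iface_cidr).network
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if ip in APIPA:
        return "apipa"  # self-assigned 169.254.x.x: no DHCP offer reached the client
    if start <= ip <= end:
        return "in-pool"  # leased from the IoT VLAN pool as intended
    if ip in net:
        return "in-subnet-outside-pool"  # e.g. a static address on the VLAN
    return "foreign"  # from another network; possibly answered by a different DHCP server


if __name__ == "__main__":
    vlan, lo, hi = "192.168.20.1/24", "192.168.20.100", "192.168.20.200"
    print("pool check:", check_pool(vlan, lo, hi) or "ok")
    for got in ("169.254.12.34", "192.168.20.150", "192.168.1.77"):
        print(got, "->", classify_client_address(got, vlan, lo, hi))
```

If the client reports "apipa", the DHCP discover never got an answer on that SSID, which points at the VLAN tag path rather than the pool; "foreign" means some other DHCP server answered, which points at the SSID not being tagged at all; "in-pool" with no internet points back at the firewall rules.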