Sophos XG v18 IoT security setup and/or suggestion for best practices

Question

I am looking to secure my internal network with the IoT devices.

Currently I have a home automation system that controls the IoT devices. There are 20+ devices. Each device has a static IP based on the MAC ID setup in XG.

Current Setup:

Modem <> Sophos XG v18 <> Switch <> WiFi via Unifi AP's.

Network PC with VM (home automation) & Plex server (this PC is wired)

NAS (wired)

Have 5 security cameras (wired)

My goal is to secure the wireless IoT devices as well as the security cameras.

I need the home automation (VM) to be able to contact the IoT devices. The NAS controls the security cameras so this also needs to have contact with the cameras.

I have seen some posts on setting up a WiFi for the IoT devices and creating some VLANs. I have also seen some posts on using the MAC IDs to do some policies/filtering. Looking for the easiest and best practice to secure.

Thanks

This thread was automatically locked due to age.

rfcat_vk · Answer

Hi, 
 I use a seperate network for my IoT devices. Where possible limit their ports and sites they can contact. I also use clienteles access as a management with static IP addresses. 
 Ian

emmosophos · Answer

Hello Jason, 
 Additionally to what rfcat_vk suggested, If you have an IoT device that does not work, the recommendation is to first have it working with no filtering/scanning/decryption. Once this is working, you can then make changes that improve security around these devices. 
 Firewall Rule - The IoT device should hit a rule that has no web policy and no malware scanning. 
 SSL/TLS inspection rules - The IoT device traffic should hit a rule that is Don't Decrypt with a profile Maximum Compatibility, or it should have no matching rule. If you have some TLS decryption rules for some things, you can create a higher level rule with don't decrypt that uses a source of your device, similar to your firewall rule. 
 These recommendations are from this RR that includes IoT. 
 Regards,

shred · Answer

Segregating your networks into separate VLANs is a common technique to separate your less secure devices (e.g. IoT devices) from your more secure devices (e.g. computers). However, one issue you will run into is if those IoT devices need to communicate with your secure devices since they're on separate VLANs. Many IoT devices use mDNS and Sophos XG does not have an mDNS or avahi reflector to re-broadcast mDNS from one network to another network. 
 Knowing this, I simply keep all of my IoT devices that utilize mDNS and need to communicate with my more secure devices locally on the same network (e.g. Apple TVs, Apple HomePods, Home Assistant, etc.). I put the rest of my less secure devices on my guest network which is a separate VLAN. You could technically host an mDNS/avahi reflector on a separate device if you wanted to, but I just haven't found the need (pretty sure if you're on this forum, your home network is probably already more secure than 99% of home networks). 
 Also, I'm sure you know this but since it wasn't mentioned in your original post I figured I'd just mention it. You will need a managed switch if you plan on using VLANs.

Sophos XG v18 IoT security setup and/or suggestion for best practices

Top Replies