
Sophos XG v18 IoT security setup and/or suggestion for best practices

I am looking to secure my internal network with the IoT devices.

Currently I have a home automation system that controls the IoT devices. There are 20+ devices. Each device has a static IP based on the MAC ID setup in XG.

Current Setup:

Modem <> Sophos XG v18 <> Switch <> WiFi via Unifi AP's.

    Network PC with VM (home automation) & Plex server (this PC is wired)

    NAS (wired)

    Have 5 security cameras (wired)

My goal is to secure the wireless IoT devices as well as the security cameras.

I need the home automation (VM) to be able to contact the IoT devices. The NAS controls the security cameras so this also needs to have contact with the cameras.

I have seen some posts on setting up a WiFi for the IoT devices and creating some VLANs. I have also seen some posts on using the MAC IDs to do some policies/filtering. Looking for the easiest and best practice to secure.

Thanks



  • Segregating your networks into separate VLANs is a common technique to separate your less secure devices (e.g. IoT devices) from your more secure devices (e.g. computers). However, one issue you will run into is if those IoT devices need to communicate with your secure devices since they're on separate VLANs. Many IoT devices use mDNS and Sophos XG does not have an mDNS or avahi reflector to re-broadcast mDNS from one network to another network.

    Knowing this, I simply keep all of my IoT devices that utilize mDNS and need to communicate with my more secure devices locally on the same network (e.g. Apple TVs, Apple HomePods, Home Assistant, etc.). I put the rest of my less secure devices on my guest network which is a separate VLAN. You could technically host an mDNS/avahi reflector on a separate device if you wanted to, but I just haven't found the need (pretty sure if you're on this forum, your home network is probably already more secure than 99% of home networks).

    Also, I'm sure you know this but since it wasn't mentioned in your original post I figured I'd just mention it. You will need a managed switch if you plan on using VLANs.

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • Here is what I have done so far.

    I set up a WiFi network for the IoT devices via UniFi.

    I then created a VLAN using the LAN interface and gave it a different IP address than the LAN.

    I created 3 firewall rules:

    One to drop connections from the VLAN to the LAN.

    Allow traffic from the VLAN to WAN.

    Allow traffic from LAN to VLAN.

    Does this sound like an appropriate start?

  • Hi,

    Sounds good; you do not need the "drop connections from VLAN to LAN" rule.

    Basically it sounds like a simpler version of what I have created.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.
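The three rules from the post, as an added simulation (not Sophos XG code or anything from the thread's authors) of first-match rule evaluation with the implicit final deny a zone-based firewall applies to unmatched traffic. Zone names are assumptions, and only the three new rules are modelled; it shows why the explicit VLAN-to-LAN drop changes no verdict, which is the point the reply above makes.

```python
"""Constructed model of the three-rule IoT VLAN policy under first-match
evaluation with an implicit final deny. Not Sophos XG code; zone names
("IoT", "LAN", "WAN") are assumptions, and any pre-existing LAN->WAN rule
the poster already has is deliberately out of scope."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str  # "accept" or "drop"


# Rule table as described in the post; order matters, first match wins.
RULES = [
    Rule("drop IoT VLAN to LAN", "IoT", "LAN", "drop"),
    Rule("allow IoT VLAN to WAN", "IoT", "WAN", "accept"),
    Rule("allow LAN to IoT VLAN", "LAN", "IoT", "accept"),
]


def evaluate(src_zone, dst_zone, rules):
    """Return (action, rule_name) for a new connection between two zones.
    Replies to an accepted session need no rule: the firewall is stateful."""
    for rule in rules:
        if (rule.src_zone, rule.dst_zone) == (src_zone, dst_zone):
            return rule.action, rule.name
    return "drop", "implicit default deny"


def policy_matrix(rules, zones=("IoT", "LAN", "WAN")):
    """Verdict for every ordered zone pair, ignoring intra-zone traffic."""
    return {(s, d): evaluate(s, d, rules)[0]
            for s in zones for d in zones if s != d}


def explicit_drop_is_redundant(rules):
    """True when removing every explicit drop leaves all verdicts unchanged,
    i.e. the implicit deny already covers those zone pairs."""
    without_drops = [r for r in rules if r.action != "drop"]
    return policy_matrix(rules) == policy_matrix(without_drops)


if __name__ == "__main__":
    for (s, d), verdict in policy_matrix(RULES).items():
        print(f"{s:>4} -> {d:<4} {verdict:<6} ({evaluate(s, d, RULES)[1]})")
    print("explicit drop redundant:", explicit_drop_is_redundant(RULES))
```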

  • I plan to start testing the setup with one device and make sure I can get it to work.

    What do I do with the hard-wired cameras? Do I create a VLAN on a switch to separate them?

  • Hi Jason,

    If your switch has the VLAN capability, that is a good way to go. You will need to ensure you have logging enabled on your firewall rules to see which ports are used so you can limit access. I have a rule for almost each device limiting them to their ports and websites.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.
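The procedure in the reply above (enable rule logging, see which ports each device uses, then write a per-device rule), as an added example that is not from the thread or from Sophos. The log lines are constructed in a simplified key=value form and are not Sophos XG's real log format; the addresses are sample values.

```python
"""Constructed example: derive a per-device allow list from firewall-rule
logs. Not Sophos XG's log format; the lines below are made-up samples in a
simplified key=value form with sample addresses."""
from collections import defaultdict

SAMPLE_LOG = """\
src=192.168.20.11 dst=203.0.113.10 proto=tcp dport=443 action=accept
src=192.168.20.11 dst=203.0.113.10 proto=tcp dport=443 action=accept
src=192.168.20.11 dst=192.168.20.1 proto=udp dport=123 action=accept
src=192.168.20.12 dst=198.51.100.7 proto=tcp dport=8883 action=accept
src=192.168.20.12 dst=198.51.100.7 proto=tcp dport=8883 action=accept
src=192.168.20.12 dst=192.168.20.1 proto=udp dport=53 action=accept
src=192.168.20.13 dst=192.168.10.5 proto=tcp dport=445 action=drop
this line is not a log record
"""


def parse_line(line):
    """Turn one key=value record into a dict; malformed lines return None."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    required = {"src", "dst", "proto", "dport", "action"}
    if not required.issubset(fields) or not fields["dport"].isdigit():
        return None
    fields["dport"] = int(fields["dport"])
    return fields


def observed_services(log_text):
    """Map each source device to the (proto, dport, dst) triples it used on
    accepted connections; dropped attempts are counted separately for review."""
    allowed = defaultdict(set)
    dropped = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip unparseable lines rather than guessing
        if rec["action"] == "accept":
            allowed[rec["src"]].add((rec["proto"], rec["dport"], rec["dst"]))
        else:
            dropped[rec["src"]] += 1
    return dict(allowed), dict(dropped)


def propose_rules(log_text):
    """Sorted (proto, port, dst) list per device: the candidate per-device
    allow rule; anything not observed stays denied by the default policy."""
    allowed, _ = observed_services(log_text)
    return {src: sorted(services) for src, services in allowed.items()}
```

Devices that only appear with dropped attempts get no proposed rule, which is the intended outcome for a camera trying to reach a file share on the LAN.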