Separate Wi-Fi? Change my devices?

Have a very stable setup for at least 3 years or so.

Currently I have one Wi-Fi that all my smart home devices connect to, all my computers/phones connect to, AND all my guests connect to.

Have not had any issues yet.

  1. should I create a second Wi-Fi to separate my smart devices?
  2. does it matter if the second Wi-Fi is where I move my devices or guests to? Regardless I’ll need to change the password to the main current Wi-Fi which may break some of my smart device connections?

Or is this overkill and assume my friends who I allow to connect to my Wi-Fi are not a-holes and won’t destroy my stuff?

I will share what I do and you can draw your own conclusions. But don't think of it as your friends are or are not a-holes. The real question is are they serious about endpoint security or are they unknowingly bringing a threat into your home? Or is an IoT device compromised with malware and will it become an attack vector by which a bad actor gets to the rest of your devices? Or do people in your house open themselves up to attacks by their online behavior?

The idea isn't really to create a second wifi SSID, the idea is to create separate VLANs and then use a firewall to manage traffic between them. If you've got your firewall set up correctly you are then preventing a malicious attack on one network from infecting devices on another network. So if someone hacks one of your IoT devices and they are able to get to your IoT network, they may be able to see other devices on that network (more on this in a min) but not anything beyond that. VLANs work both with wired networks and wireless networks, so the general practice is to assign each VLAN a separate SSID. For further protection you can turn on port isolation so even devices on the same VLAN can't talk to each other.

How you configure your network has to do with a number of factors: (1) an understanding of the risks and your tolerance for those risks, (2) your willingness to learn how to configure and manage a more complex network, (3) how sophisticated your network equipment is, (4) what other risk mitigation factors or vulnerabilities are in place.

On item 4, I'd consider things like strong passwords, endpoint security, and decent encryption higher on the list than VLAN segmentation. On item 3, many consumer-grade routers don't support VLANs, or they may support a user VLAN and a guest VLAN but nothing else, and you may have very little control over how they are configured. More sophisticated equipment gives you a lot more flexibility but then gets you to #2.

I have 5 VLANs and 4 SSIDs. One for home automation, one for IoT devices, one for users, one for gamers, and a management VLAN with no wireless connectivity. I have firewall rules blocking traffic between them, but I do have some firewall rules that allow user devices to talk to HE, HE to talk to the alarm system, my Mac to talk to the management VLAN, and so on. This is definitely overkill for most people but I have the equipment and the skill set so why not.

So to your questions...

1 - yes, if you can
2 - not sure what you are asking with this. If you're talking about creating a separate VLAN it will operate across the same APs as your current configuration. If you're talking about adding a second wifi gateway and hanging it off the first one, I don't recommend that approach at all. Either you create a double-NATting network or you just bridge one network to the next. While the former CAN be used to do some segmentation it's not ideal at all. And the latter provides you with very little real security. Whatever route you go you will have to either change your smart device connections or the connections for whatever other devices you have.

7 Likes

This is amazing, thank you. Only issue is... I don't have a clue how to do any of that.

  • where can I learn?
  • do you need a special router to set up a vlan? I have a netgear cm500 and I use EERO. I know EERO has the option of creating a guest network - does this work?

Obviously I’ve set up my Hubitat and automations so I’m somewhat techy, but not sure I’m of the level to be able to do what you mentioned above. Is there an easy way to accomplish this that might be less work? Buying a second router or something?

THANKS

1 Like

My advice, based on your current level of networking skills and existing network hardware, would be to simply enable the Guest network feature on your current router, and allow your guests to simply use that WiFi SSID. That will provide enough protection from any guests messing with your home automation system.

6 Likes

There are some great videos from Tom at Lawrence Systems to get you into more advanced networking topics. Just be aware that many of the advanced network isolation techniques don't work with consumer router/wifi combos or even ISP provided hardware. Start small, learn step by step.

Also he was a community board:

First, I'm not a security professional, but I did stay at a Holiday Inn last night. And I've watched/read several security updates from CISA/DHS. I'm not sure how relevant those are to consumer hardware, but it seems like solid advice to follow.

Most successful network attacks rely on using known techniques against known-vulnerable hardware. Reputable manufacturers will provide updates and patches to fix these vulnerabilities. So, the best advice I've come across is this:

  1. Keep your devices up to date with security patches.
  2. If the manufacturer stops releasing updates for your device (or never did) get a new device.

These are things that most of us can easily do, at least with our routers and [maybe] modems. Now, if you've got some $5 no-name smart plug on your network that is connected to some Chinese-based cloud service, that's probably worth rethinking.

4 Likes

100% correct. Log4j case in point. This particular vulnerability affected one of the most widely used logging utilities. It affected all sorts of systems from enterprise-class software to the logging used in HE. Fortunately our good friends at Hubitat were able to immediately patch the vulnerability. And since HE recently closed a potential hole (some would argue that they also took away a feature but I'm not going there) that some folks created by exposing their hubs to the internet, HE was well protected from such a vulnerability. Other devices... maybe not so much.

Many (if not most) successful attacks are actually malware/phishing etc - that is, attacks directed at user behavior rather than at network vulnerabilities. Usually the attack vector is email. And a lot of the time a malware attack then goes on to seek out network vulnerabilities, so it's hard sometimes to clearly delineate. Which points out the need for multi-layered approaches to security. Secure the endpoint, modify user behavior (the toughest), secure against vulnerabilities, segment the network... all are important.

1 Like

I think @brad5 has laid the considerations out well.

And he identifies the #1 issue:

To bring those ideas together, for most people VLANs are overkill IMO. The learning curve is pretty large and is another thing that requires maintenance. I started from a low level of knowledge and got most of the way through and decided the juice was not worth the squeeze. I'd put these items on the list to do before implementing VLAN. Some of these are repeat ideas from earlier in the thread.

  1. Strong and unique passwords. Use a product that allows sharing among family members. I use 1Password and find it to be very good.
  2. Implement a 3x backup plan. 2 on site and 1 off site. As part of that, install a NAS.
  3. Install a pi-hole. It will filter out a lot of stuff that all your devices are trying to track.
  4. Don't install cheap internet connected stuff from unknown vendors. But even the big guys are fairly intensively trying to track you. Think LG/Samsung/Roku/Peloton etc. #3 will help with some of that.
  5. Keep firmware up to date. I'd turn on auto update on everything except maybe your router.

1 Like

If security is a concern (and obviously it is) before you do anything else, make sure you and family are all using strong passwords, for all accounts, updating passwords at least annually, and enabling 2FA where it's available. If you're not doing that, you're missing key low-hanging fruit in the Garden of Security. :slight_smile: Other thing you should be doing is always updating software when updates are available... updates typically include security updates you should have. That's phones, computers, etc.

Using a separate network for your guests is a very good idea. As @ogiewon notes, an easy way to do that is enabling the "Guest" network functionality (present on most routers) and have your guests use that network. People (even nice people like your friends and family) do a LOT of dumb stuff online, clicking on dangerous phishing/malware links in emails, going to sites that are suspect, not updating or turning off/not using virus scanners, etc. The fact that they are your friends/family does not make them safe users.

Using a separate VLAN (@brad5 has five!) for IoT devices is also considered a good way to go by many. This requires having a separate "virtual" network where the IoT devices live, with these types of characteristics:

  1. IoT devices can talk to each other
  2. Optional: IoT devices can talk to the internet - devices like Google Home, Alexa, Hubitat (for FW updates or for cloud integrations), etc., all need cloud access. You can decide to run your IoT 100% local w/no cloud access from your IoT network if you want.
  3. IoT devices can't initiate a connection to your main network. This keeps hacked IoT devices/hackers from reaching out to your personal devices (laptop, phone, NAS, etc.) and wreaking havoc from the IoT network.
  4. Personal devices on main network can connect to devices on the IoT network (this allows you to manage and use the IoT network devices from your main network when you want to - you control when to connect to your IoT devices).

VLANs require a more sophisticated router and user, it is a technical rabbit hole that not everyone will want to dive down into. Not crazy difficult, but a definite big step up from normal "consumer-level" router activities.

Just getting your guest users on the guest network is a great start. If you're allowing visitors to access your network then I'd do that now. I didn't set up my VLANs until my kids were both out of the house, but if I'd had VLANs when they were young, I'd have put them on a separate limited network as well.

If you put both guests and IoT on your Guest network you're mixing things up a bit, but at least you're isolating the potentially most concerning devices/people in the same sandbox.

Note that all Guest networks are not created equal, so you should read up on what your Guest network provides in terms of isolation/access.

1 Like
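To make the four IoT-VLAN characteristics above (and the "firewall between VLANs" idea from @brad5's post) concrete, here is an added example that is not from any poster: a small stateful model of the inter-VLAN forward policy. The VLAN subnets, host addresses and flows are constructed for illustration, and the model tracks connections by address pair only, so it ignores ports and protocols.

```python
# Added example (not from the thread): stateful model of the IoT-VLAN policy.
# Constructed addressing: one /24 per VLAN; anything else counts as "internet".
from ipaddress import ip_address, ip_network

VLANS = {
    "main": ip_network("192.168.10.0/24"),   # laptops, phones, NAS
    "iot": ip_network("192.168.20.0/24"),    # hub, plugs, speakers
}

def zone_of(addr):
    """Map an IP address to its VLAN name, or 'internet' if it is in neither."""
    a = ip_address(addr)
    return next((name for name, net in VLANS.items() if a in net), "internet")

def new_connection_allowed(src, dst, iot_internet=True):
    """Policy for the FIRST packet of a connection (the firewall's forward chain)."""
    s, d = zone_of(src), zone_of(dst)
    if s == "main":
        return True                                  # 4: main may reach IoT and internet
    if s == "iot":                                   # 1: iot->iot; 2: optional iot->internet
        return d == "iot" or (d == "internet" and iot_internet)  # 3: iot->main denied
    return False                                     # unsolicited inbound from the internet

class StatefulFirewall:
    """Connection tracking: replies to an accepted connection pass, so a laptop
    on main can query the hub on IoT and still receive the answer."""
    def __init__(self, iot_internet=True):
        self.iot_internet = iot_internet
        self.established = set()                     # (initiator, responder) pairs

    def packet(self, src, dst):
        if (dst, src) in self.established:
            return True                              # reply to an existing connection
        if new_connection_allowed(src, dst, self.iot_internet):
            self.established.add((src, dst))
            return True
        return False

def run_scenario(iot_internet=True):
    """Constructed flows; returns ALLOW (True) / DROP (False) per flow."""
    fw = StatefulFirewall(iot_internet)
    return {
        "laptop->hub": fw.packet("192.168.10.5", "192.168.20.8"),
        "hub->laptop reply": fw.packet("192.168.20.8", "192.168.10.5"),
        "plug->hub": fw.packet("192.168.20.9", "192.168.20.8"),
        "plug->cloud": fw.packet("192.168.20.9", "203.0.113.7"),
        "plug->nas (unsolicited)": fw.packet("192.168.20.9", "192.168.10.20"),
        "internet->plug (unsolicited)": fw.packet("198.51.100.2", "192.168.20.9"),
    }

if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name:30} {'ALLOW' if ok else 'DROP'}")
```

Setting `iot_internet=False` models the "100% local" variant of characteristic 2; a real firewall would match on connection state, ports and protocols rather than bare address pairs.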

@danabw Good call out on 2FA. I would add it is my preference to avoid SMS whenever possible and use authentication apps like Google Authenticator or Microsoft Authenticator instead. I have a colleague who was the victim of a SIM social engineering attack (the telco provider's contact center) and they managed to hack quite a few of his accounts before he was able to put an end to it.

2 Likes

Yup - good point. I use the Google and Microsoft authenticator programs, and you can also set a phone as an authenticator if you wish for some actions. Samsung has some integrated (non-SMS) authentication as well.

Skip separate apps. 1Password (and I'm sure others) will keep the TOTP codes. Makes it a lot easier as the fields can get filled automatically without changing apps.

Another piece of advice: set up online accounts with the IRS, Social Security, any financial institutions, or other high-value organization where you have an account. That will keep anyone else from setting accounts up in your name.

5 Likes

In the U.S., an important one is USPS Informed Delivery, which sends you out a daily email with images of your mail to be delivered that day.

Thanks! Did not know about this, very helpful.

1 Like

Interested in how others react to my approach...maybe scare me into changing.

I've always been nervous about password services...smaller companies (relative to Google/MS). What if they go under, what if they are struggling silently (fake accounting), can't afford or decide not to pay for the best employees, services, maintenance, etc.

I use very strong/crazy passwords and 2FA, and I do use Google and MS authentication apps & have a physical key, and also do some phone-authentication. No SMS if I can absolutely help it. I feel like the big guys are a very big target, but they also have by far the biggest pockets and the biggest markets/income to protect and will spend accordingly, just based on self-interest.

I also feel the "school of fish" metaphor works here... being one of hundreds of millions of users in the Google/MS schools of users makes me much harder to "find" and less likely to be targeted in a leak than if I'm in a much smaller school of fish leaked from a password service.

Make any sense, or have you been virtually slapping me repeatedly for the past few minutes? :wink: Appreciate it if the bright minds here poke big holes in what passes for "logic" in my brain :wink:

1Password has extensive documentation of their security architecture. Among other measures, they use a system of a normal user passphrase plus a randomly generated code for authentication. It's essentially a 2 part password.

They started out as a Mac password manager and have steadily grown their business and now are generating their revenue and value as a cross platform system for managing enterprise passwords. So much so they now have a valuation of $6.8B! Not bad for Canadians :).

This is one of the best software subscriptions around IMO. Easy enough for the whole family to use.

1 Like

I use Bitwarden, as it is free. I used to use LastPass, until they got way too greedy, IMHO.

1 Like

That's excellent! But kinda making my point... MS and Google are almost 5 trillion market cap total. Just not in the same universe. :slight_smile:

If you really want to go down the rabbit hole you can host your own password manager. Bitwarden publishes all the code and there is a full docker container that makes this a very simple deploy. I have been running this code since he published. 100% solid and to make it even more secure you have to be on my network or VPN'd into the network to update your password cache on your devices or add new passwords. Cloud services are really secure but they are a honey pot for bad actors.

2 Likes

Or don't use a hosted, network-accessing password manager at all.

I've used the open source program KeePass (keepass.info) on several systems. On my Android phone, I'd use KeePassDroid (*). I manually copy the encrypted database between systems by saving it to Google Drive. The app itself doesn't have permission to use the network.


(*) I installed it via f-droid.org, an open source app repo that builds from source and publishes the APKs for install via the F-droid app. It's also available on the Play store.

1 Like