Advanced Smart Home Security – VLANs and Firewalls


In this video I'm going to show you my advanced home networking setup. One of the ways I increase my smart home security is by segregating my smart devices from my laptops and mobile phones on my home network.

Each week there seem to be more and more smart device manufacturers flooding the home automation market with cheap IoT products, which usually rely on internet access or cloud services. To get the cost of these devices down, companies need to make sacrifices to quality, and security is usually one of the places that gets overlooked when a company is trying to save money. These cheap cloud-connected devices are the most likely things on your network to get compromised by hackers, and they could give baddies access to your private data or a view inside your house. Once a hacker is inside your network on one device, it's far easier for them to jump to other smart devices, hacking each one in their path.

I covered a lot of the basic things you can do to prevent this in a previous beginner's guide to smart home security video, which I've linked in the description below. Those steps will protect you from about 90 percent of hacking attempts, so you should definitely watch that video if you haven't already. To protect yourself even more, though, I would recommend using this advanced networking setup, which is considered best practice amongst computer security experts. I'm going to take you through the theory behind segmenting your home network, the benefits of doing so, and how firewalls and firewall rules work. Finally, I'll give you some tips on how you can set up your own home network in a more secure way. Let's take a look.

Most people have a single home network with all of their devices connected together. Unfortunately, in a lot of cases a device is going to trust any other device that is connected to the same network as itself, so if a hacker gets access to just one of these devices, they may be able to use it as a base from which to hack further into your network.

What we want to do is separate these devices into trusted and untrusted networks. On the trusted network we're going to connect all of the devices that generally contain personal information, or that you use day-to-day to access your social media accounts, email, online banking and cloud storage accounts. These are the devices we want to protect from hackers: usually your personal computers, any home servers or NAS devices you have, and your smartphones. Of course, you still need to make sure that you have strong passwords, anti-virus software and all of the latest security updates installed on these devices. On the untrusted side we're going to put all of the other wireless network devices and smart devices in your home. These will be things like Wi-Fi light bulbs, washing machines, smart televisions, security cameras, printers and voice assistants.

These two networks will be protected by a firewall, which controls what connections can pass from one network over to the other. We'll talk more about firewalls in a little bit, but for now just imagine the firewall as a bouncer at a nightclub: it decides who is allowed to pass through the door and who isn't. If a hacker gets inside one of the smart devices on your untrusted network, it'll be far more difficult for them to get past the bouncer and over to your computer, which is where your personal and private information is stored.

These trusted and untrusted networks are referred to as VLANs, or virtual local area networks. Each VLAN uses a different set of IP addresses. In this example the trusted network uses an IP address range in the 192.168.1 address space, and the untrusted network uses an entirely different set of IP addresses in the 10.0.0 range. This helps the firewall understand what kind of device is talking to it and whether or not it's allowed to connect to whatever it's trying to connect to. You can think of the IP address range as the class of an airline ticket. The untrusted network has an economy ticket, which means it has to stay at the back of the plane and isn't allowed any free champagne. The trusted network has a first class ticket, which lets it roam wherever and drink whatever it wants. The firewall, or bouncer, makes sure that the devices stay in their lane depending on the rules of their ticket.

The best way to get started is to create a new untrusted network with its own wireless SSID and then start reconnecting your devices from your old network to the new one. I'd also recommend that you put the two wireless networks on different Wi-Fi channels, because this is going to improve your Wi-Fi performance: your smart devices and your phones and laptops won't be shouting at each other on the same wireless frequency, which improves your network speeds. You can now slowly move devices from your trusted network to your untrusted network, testing that each one works before moving on to the next. Chances are you're going to have to adjust your firewall rules as you go, depending on the type of device.

So what are these firewall rules, you ask, and how do they work? A firewall rule is an instruction that determines whether a device is allowed to communicate with the other devices it's trying to talk to. If the rule says "yes, this voice assistant is allowed to talk to the internet", then it's allowed through the firewall. Let's go back to our bouncer analogy. Imagine that the bouncer has a clipboard with all of these instructions written on it. The instructions may say something like "only people wearing collared shirts are allowed into the restaurant section of this club", or "only people who are on the guest list are allowed into the VIP section". You'll need to map out all the different ways that your devices need to communicate in order to function properly, and then create firewall rules for all of these different types of communication that strike the right balance between allowing the correct amount of access and not allowing too much.

Hackers are most likely going to come in via your internet connection rather than physically accessing your wireless network, so the first place to start is by asking yourself which smart devices need internet access and which don't. Unfortunately, most Wi-Fi smart devices rely on a connection to some company's cloud servers, so they may not function if you cut them off from the internet. The best way to figure this out is to simply disconnect them from the internet and see if they still work. Smart TVs, music players and voice assistants will probably all need to talk to the internet in order to access the content you want to stream or listen to, but does your smart washing machine, printer or light bulb really need to be accessible from the internet? Maybe not. I also personally use security cameras that work locally within my network and don't rely on a cloud service to store footage. This allows me to safely cut my security cameras off from the internet, making it far less likely that they'll be hacked and expose any of their footage. You will want to make sure that your trusted network can access the internet too, because your phone and laptop are pretty useless without the internet these days.

Next up, you'll need to determine what connections are allowed to happen between your trusted and untrusted networks. Your computer and your phone will likely need to be able to talk to the printer in order to print pages. In fact, in my network I generally allow all devices in my trusted network to talk to all devices in my untrusted network. This is so I can cast music to my smart speakers and content to my smart TV, and control my smart lights and other devices using my mobile phone. Going the other way, from my untrusted to my trusted network, things are far more restrictive. There is no reason for my TV to initiate a connection to my smartphone, or for my light bulb to talk to my home server, so these connections are denied. But my smart TV does need to talk to my home server, because that's where I run Plex, and my printer needs to be able to talk to my laptop because it also functions as a scanner. My voice assistants, though, do not need to talk to anything on my home network: all of their traffic goes either to the Google or Amazon cloud, nowhere else.

It's not actually as cumbersome as you think to set this up. You don't need to create rules for every single allowed and disallowed connection. Firewall rules are usually checked in order from top to bottom until a rule matches, and then the firewall stops checking any further rules. I recommend starting with two deny rules: one that blocks all access from the untrusted network to your trusted network, and another that blocks all access from the untrusted network to the internet. These are called deny rules because they block connections. You can then start layering rules on top of those that allow the different types of connection we just spoke about, for example a rule that allows the TV to talk to the home server and a rule that allows the printer to send scanned documents to the laptop.

Now, when I turn on the TV and start the Plex app, it will try to contact the home server. The firewall will start checking the rules from top to bottom until it comes across a rule that matches this type of traffic, in this case rule number two, which allows this type of connection. It won't get any further down the list of rules, so it's never going to reach any of the deny rules. If my washing machine gets hacked, however, a hacker is going to try to use it to jump across to my laptop, and the firewall is again going to try to match this connection against the rules. It will go past all the allow rules, because none of them refer to the washing machine, and then match on rule 3, which blocks all traffic from the untrusted network to the trusted network. You can increase the security one step further by isolating the devices on your untrusted network from connecting to each other; it's highly unlikely that your smart light bulbs need to talk to your printer. So this is how you get increased network security: by employing multiple network segments and firewall rules.

To get started with this you're going to need a wireless router that supports VLANs. It's unusual for the router that came with your broadband to have this kind of advanced functionality, but there are dozens of brands on the market that support it, so you just need to find the one that works best for your setup. I personally use UniFi networking equipment made by a company called Ubiquiti. Their devices are really popular amongst other smart home enthusiasts as well, but any router that supports VLANs and customized firewall rules will allow you to create a network setup like this. If you want a detailed step-by-step guide on how to set up VLANs and firewall rules with UniFi devices, you should check out the video I linked in the description by a guy called Rob from a channel called The Hook Up. He does a way better job than I ever could of describing how to set this up; it's a great resource.

Even though I have this secure home networking setup, I still try to avoid buying Wi-Fi devices if I can. I much prefer smart devices which use Zigbee to communicate with my smart home rather than Wi-Fi, because it's faster, more secure, and the battery life is way better. Want to know more about Zigbee? Why not check out this other video I did, and together we can make your home smarter.
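To make the first-match behaviour concrete, here is an added Python simulation (not code from the video or from UniFi) of the rule list described above: the two VLAN address ranges, the specific allow rules for the TV, printer and voice assistants, and the two catch-all deny rules beneath them. The host names and addresses are constructed for the example; the rule numbering follows the order in the text, so the Plex connection matches rule 2 and the hacked washing machine falls through to rule 3.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TRUSTED = ip_network("192.168.1.0/24")   # laptops, phones, home server
UNTRUSTED = ip_network("10.0.0.0/24")    # smart devices (IoT VLAN)

# Constructed sample hosts; these addresses are assumptions for the example
HOSTS = {
    "laptop": "192.168.1.10", "home_server": "192.168.1.20",
    "tv": "10.0.0.30", "printer": "10.0.0.40",
    "voice_assistant": "10.0.0.50", "washing_machine": "10.0.0.60",
    "camera": "10.0.0.70",
}

@dataclass
class Rule:
    action: str   # "allow" or "deny"
    src: str      # host name, "trusted", "untrusted" or "any"
    dst: str      # host name, "trusted", "untrusted", "internet" or "any"

def _matches(selector, addr):
    """Does a rule selector cover this IP address?"""
    ip = ip_address(addr)
    if selector == "any":
        return True
    if selector == "trusted":
        return ip in TRUSTED
    if selector == "untrusted":
        return ip in UNTRUSTED
    if selector == "internet":
        return ip.is_global          # any publicly routable address
    return ip == ip_address(HOSTS[selector])

# Ordered as in the text: specific allows first, catch-all denies after them
RULES = [
    Rule("allow", "printer", "laptop"),            # 1: scanner sends to laptop
    Rule("allow", "tv", "home_server"),            # 2: TV reaches Plex
    Rule("deny",  "untrusted", "trusted"),         # 3: IoT may not reach trusted
    Rule("allow", "tv", "internet"),               # 4: streaming content
    Rule("allow", "voice_assistant", "internet"),  # 5: Google/Amazon cloud only
    Rule("deny",  "untrusted", "internet"),        # 6: everything else stays local
    Rule("allow", "trusted", "any"),               # 7: trusted devices roam freely
]

def evaluate(src, dst, rules=RULES):
    """First match wins; returns (action, rule_number). No match is an implicit deny."""
    for number, rule in enumerate(rules, start=1):
        if _matches(rule.src, src) and _matches(rule.dst, dst):
            return rule.action, number
    return "deny", None
```

Because evaluation stops at the first match, moving the untrusted-to-trusted deny above the TV rule would silently break Plex, which is why the specific allows sit on top.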
