
Home Network Segmentation: A Must in the IoT Era – CKD3, LLC - ckdiii
https://www.ckd3.com/blog/2018/10/15/home-network-segmentation-a-must-in-the-iot-era
======
secure
I see two practical issues with network segmentation:

1. It breaks broadcast/multicast, e.g. for your phone discovering your
chromecast. A number of IOT devices need to be on the same network as the
devices from which you want to use them.

2. It’s way too complicated for novice users to set up, so it cannot be vital
for making IOT devices secure.

Personally, I like to keep all my devices (whether IOT or not) patched
(ideally because they’re auto-updating). That way, if a lightbulb gets hacked,
it can’t get to my backup drive either.

That being said, I do think there’s some value in throttling bandwidth for IOT
devices. It’d need to happen automatically (which makes it hard), but would
nicely prevent DDOS attacks.

~~~
bornabox
The problem is the lightbulb that was sold once and didn't receive any patches
since. Auto or not...

------
thaumasiotes
> According to a 2017 study, North Americans have an average of 13 devices per
> person. That means a family of four has an average of 52 devices on their
> network.

Um, what? No it doesn't. The average devices-per-person over all people and
the average devices-per-person over all people belonging to a household of
four are totally different statistics. You could have an individual average of
13 devices per person at the same time that a family of four has an average of
0 devices.

Behold my five-person population:

    Loner: 65 xboxes

    Luddite Pa: nothing
    Luddite Ma: nothing
    Luddite Grandpa: nothing
    Luddite Son: nothing

Does anyone else think that... maybe... there are some devices which a single
person is moderately likely to own one of, but a family of four is vanishingly
unlikely to own four of?

~~~
x1798DE
I imagine "13 devices" does not necessarily mean exclusive ownership, either.
I have a TV, but it's the same TV that everyone in my household has, so a
straightforward multiplication of "people * devices" doesn't totally work.

------
a10c
Why can't you just segregate your network with VLANs? I don't see the need for
multiple routers.

~~~
nrau
Having two distinct routers and physical devices just isolates each network
that much more. A single device is still exactly that at some point, and in
such cases there is always the possibility of an exploit that could compromise
the device fundamentally.

I think the author is just advocating for a very locked down approach but I
agree it is not feasible for most folks.

------
shad0wca7
Cybercriminals?! What a poorly written article. Multiple “firewalls” in a home
and nothing about VLANs?

That being said, it is good practice and something I’ve implemented in my home
- thankfully my Unifi / pfsense setup makes this very manageable.

------
8fingerlouie
I've had my home network set up like this for years, though with VLANs instead
of separate physical routers.

I've got:

* LAN - where my wife and I connect our laptops/phones.

* SERVERS - for my NAS and a couple of small servers.

* DMZ - just a single server sitting here.

* KIDS - where my kids and their friends connect their laptops/phones. It's a semi-guest network, as it only allows traffic to the internet and a few devices on the IOT network: printers, Apple TVs, etc.

* IOT - Internet of trash, only allows connections to the internet. Only network that allows UPnP. Has multicast repeating on for ChromeCast/Apple TV.

* GUESTS - you guessed it.

DMZ is the only VLAN that can be accessed from the outside. Each VLAN from the
bottom up allows access from the VLANs above, with the exception of the guest
networks. Nothing can access KIDS, IOT and GUESTS.

KIDS can access a couple of devices on the IOT network like printers, Apple
TV, ChromeCast and AirPlay devices; IOT and GUESTS can only access the internet.

My UniFi network then creates 4 Wifi networks as well, one for LAN, KIDS, IOT
and GUESTS.
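The zone rules in the post above, encoded as a small policy model so each allowed or denied flow can be checked. This is an added example, not the poster's UniFi configuration: the zone names are the post's, while the subnets, the two permitted IOT hosts for KIDS and the test addresses are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Zones in the order the post lists them, "top" first. A zone may reach the
# zones below it, except the guest-like zones, which nothing may reach.
ZONES = ["LAN", "SERVERS", "DMZ", "KIDS", "IOT", "GUESTS"]
UNREACHABLE = {"KIDS", "IOT", "GUESTS"}   # "Nothing can access KIDS, IOT and GUESTS"
INTERNET_ONLY = {"IOT", "GUESTS"}          # may only talk to the internet

# Constructed subnets, one per VLAN (not the poster's addressing).
SUBNETS = {
    "LAN": ip_network("10.0.1.0/24"),
    "SERVERS": ip_network("10.0.2.0/24"),
    "DMZ": ip_network("10.0.3.0/24"),
    "KIDS": ip_network("10.0.4.0/24"),
    "IOT": ip_network("10.0.5.0/24"),
    "GUESTS": ip_network("10.0.6.0/24"),
}

# KIDS exception: a couple of IOT hosts (printer, Apple TV); constructed addresses.
KIDS_IOT_ALLOW = {ip_address("10.0.5.10"), ip_address("10.0.5.20")}


def zone_of(addr):
    """Map an address to its VLAN name, or INTERNET if it is in no local subnet."""
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return "INTERNET"


def allowed(src, dst):
    """Return True if a new connection from src to dst is permitted by the policy."""
    src, dst = ip_address(src), ip_address(dst)
    s, d = zone_of(src), zone_of(dst)
    if s == d:                       # traffic within one VLAN is not filtered here
        return True
    if s == "INTERNET":              # DMZ is the only VLAN reachable from outside
        return d == "DMZ"
    if d == "INTERNET":              # every VLAN is allowed out to the internet
        return True
    if s in INTERNET_ONLY:           # IOT and GUESTS get nothing but the internet
        return False
    if s == "KIDS":                  # KIDS: only the listed IOT devices
        return d == "IOT" and dst in KIDS_IOT_ALLOW
    if d in UNREACHABLE:             # nobody initiates into KIDS/IOT/GUESTS
        return False
    return ZONES.index(s) < ZONES.index(d)   # LAN -> SERVERS -> DMZ, top-down only
```

Running `allowed("10.0.4.7", "10.0.1.5")` returns False (KIDS cannot reach LAN), while `allowed("10.0.1.5", "10.0.3.5")` returns True (LAN reaches DMZ).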

~~~
dano
Are you using USG or an edgerouter? I've had trouble with broadcast based
access for printer and Chromecast Discovery. Curious as to how you've resolved
that issue.

------
KaiserPro
Most home routers are capable of hosting more than one access point; they are
also capable of different VLANs and IP pools. You shouldn't need a second
router.

For your phone to control your TV you'll most likely need to punch a hole in
your segregation to make avahi work. Also any app that controls any of your
devices will most likely want a direct connection at some point.

Your printer is just as vulnerable as any IoT device.

Yes, it's a good idea, but it's really not simple to do in practice, unless you
are used to running your own network. Also with the creeping rise of IPv6
you'll need to change how isolation is done _again_.

------
wink
Interesting aside: My whole life people were ridiculing me a bit for having 2
desktop PCs and a server on my home LAN.

Now it's turned around, and in my flat (2 people) I have 2 desktop PCs, a
handful of laptops (obv. only 0-2 in use at the same time), a NAS, 2 Kindles,
and 2 Android phones. Oh, and one XBox 360 that's hardly in use.

Compared to this infographic or that study with the 13 devices per person...
Sure, I might own 13 devices with a MAC address, but half of them are only
switched on once per year...

As I don't use the Xbox for streaming, it might make sense to move it to the
Guest Wifi, same as the Kindles. Maybe even the phones. But all in all, my
devices are Windows, Linux and BSD boxes that are hopefully kept up to date.

TLDR: What's an IoT era? ;)

