
Ask HN: Guide for securing home network with smart devices? - jxf
My parents have recently moved into an apartment in NYC with a number of smart devices that came with the apartment: thermostats, light bulbs, et cetera.

Given the tenuous security of IoT devices, are there guides or resources that you'd recommend for securing and configuring one's home WiFi so that this doesn't become a Mirai-botnet-style problem?
======
dsacco
This is a good question.

I suggest you begin with the network itself, and look at the different fault
points that exist or could be easily introduced. There are three basic
components - the IoT smart devices, the computer(s) used to browse the
internet and the networking equipment (specifically the gateway/router, but
also separate access points and switches if you happen to have those).

Let's first outline reasonable security goals:

1) reduce the likelihood of one IoT device compromise leading to compromise in
any other single IoT device,

2) reduce the likelihood of one IoT device compromise leading to compromise in
your network itself (gateway/router)

3) reduce the likelihood of one IoT device compromise leading to compromise in
your computer(1)

Now we can proceed:

1) Set up a separate VLAN for IoT devices so that they cannot interact with
the other fault points on your network (your computers).

2) Assign a statically mapped subnet address to each device.

3) Set a firewall policy so that no device can see any other device on the
network by default.

4) Set a firewall policy that drops all traffic on this network by default.

5) Now we'll sort the devices by required privilege. For devices like the
Amazon Echo, Google Home, Control4, URC, etc that need to control many other
devices, allow traffic from their IPs to proceed to the devices they need to
control.

6) If you can figure out exactly which ports the devices use to send and
receive requests, further lock them down.

7) Set a firewall policy that drops all outbound traffic from the IoT VLAN by
default. For each device, set a specific policy that allows traffic for it to
pass through _only_ to specific hosts (i.e. Hue lights to Hue hosts). Nest
cameras don't need to send traffic anywhere but Google's servers, for example.

8) Remove password-based SSH authentication into your router and set a
firewall policy that only allows SSH login from a specific IP address that you
control (such as a $5/month VPS).

9) So that you don't shoot yourself in the foot with 8), set up daily backups
of the router in case you lock yourself out of it and need to restore
settings.

10) Set up your router so that it can only be locally managed from a specific
subnet IP, which will be your main computer.

This is a reasonable start. All the other advice about how to secure your main
computer still applies, because (as ever), that is a huge failure point.
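The steps above (separate IoT VLAN, static addresses, default-deny, hub-to-device allowances and per-device vendor allowlists) written out as a small policy model. This is an added example, not code from the thread or from any vendor: the subnets, device addresses, hub port and "vendor" hosts are constructed placeholders (TEST-NET ranges), and `decide` evaluates a new flow the way the rendered nftables forward chain would.

```python
"""Constructed model of a default-deny IoT VLAN policy; every address here is a placeholder."""
import ipaddress

IOT_VLAN = ipaddress.ip_network("10.0.20.0/24")   # step 1: dedicated IoT VLAN (assumed)
LAN      = ipaddress.ip_network("10.0.10.0/24")   # trusted LAN holding the main computer

# step 2: one static address per device (constructed values)
DEVICES = {"echo": "10.0.20.10", "hue": "10.0.20.20", "nest": "10.0.20.30"}

# step 5/6: a hub may reach only the devices it controls, on a known port (port assumed)
HUB_ALLOW = {(DEVICES["echo"], DEVICES["hue"], 80)}

# step 7: per-device outbound allowlist; the "vendor" hosts are TEST-NET-3 placeholders
VENDOR_ALLOW = {
    DEVICES["hue"]:  {("203.0.113.10", 443)},
    DEVICES["nest"]: {("203.0.113.20", 443)},
}

def decide(src: str, dst: str, dport: int) -> str:
    """Return 'accept' or 'drop' for a new TCP flow originating in the IoT VLAN (steps 3, 4, 7)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in IOT_VLAN:
        return "drop"                      # this chain only governs IoT-originated traffic
    if d in IOT_VLAN:                      # step 3: devices cannot see each other by default
        return "accept" if (src, dst, dport) in HUB_ALLOW else "drop"
    if d in LAN:                           # step 1: never across into the trusted LAN
        return "drop"
    return "accept" if (dst, dport) in VENDOR_ALLOW.get(src, set()) else "drop"

def nft_ruleset() -> str:
    """Render the same policy as an nftables forward chain with policy drop.
    Intra-VLAN hub rules only take effect if the AP isolates clients so that
    device-to-device traffic is forced through the router."""
    lines = ["table inet iot {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for s, d, p in sorted(HUB_ALLOW):
        lines.append(f"    ip saddr {s} ip daddr {d} tcp dport {p} accept")
    for s, targets in sorted(VENDOR_ALLOW.items()):
        for d, p in sorted(targets):
            lines.append(f"    ip saddr {s} ip daddr {d} tcp dport {p} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)
```

`decide` models only new connections; the `ct state established,related accept` line is what lets replies to an accepted flow return.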

