  1. #1
    Untangler
    Join Date
    Feb 2016
    Posts
    58

    All these IOT devices

    Hi, sorry, I see that this has variously been asked, but I have never set up a separate VLAN. What I don't understand is how I would control these devices from, say, my iPhone, which would be on the main network?

    I have a number of devices that could do with being separate. I also have two boys using PCs, who again might benefit from being separate from work PCs etc., but I would still like to be able to remote into their PCs as needed.

    Not sure what search terms to put in, so any hints would be welcome.

  2. #2
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    1,538

    What is your goal with being separate?
    If you think I got Grumpy

  3. #3
    Untangler
    Join Date
    Feb 2016
    Posts
    58

    Well I am being told all the time that one day these devices will in the night come together to create one large transformer device and destroy my house.

    I just want to minimise any risk of being hacked, but yes, as your simple question intimates, I don't really know.

  4. #4
    Untangle Ninja f1assistance's Avatar
    Join Date
    Apr 2009
    Location
    Holly Springs, NC
    Posts
    1,088

    Ah, the fun of unmanaged devices...where defense is not an option. D'oh!

    "Microsoft finds Russia-backed attacks that exploit IoT devices"
    https://tinyurl.com/y2ctxprq
    Vanguard Untangle...because nothing's worse than doing nothing!
    -------
    2, Pentium (R) Dual-Core CPU E5300 @ 2.60GHz 2599.968, 2089.96MB RAM

  5. #5
    Untangler
    Join Date
    Feb 2016
    Posts
    58

    So can I do anything to mitigate this other than not use them? (They are super useful!)

  6. #6
    Untangle Ninja jcoehoorn's Avatar
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,717

    There are three reasons to use separate VLANs:

    1. Performance. If you have a lot of devices on a wireless network, the normal background protocol chatter for DHCP, discovery, etc., can start to eat up significant portions of the available throughput on your network. Segmenting these devices into separate VLANs can help alleviate this problem. This is unlikely to ever be an issue on a home network.
    2. Logical Groupings (management). VLANs create boundaries for the common discovery protocols like Bonjour/mDNS and broadcasts. When you have a lot of devices for lots of different people, you can use these boundaries to control who sees what. Be careful, though, because these boundaries tend to be absolute. VLANs don't play well if you want to be able to mix common or shared devices and list them next to private devices. It's hard to, say, keep a common family Chromecast next to the living room TV and some home office devices only you can see on the same network, without a specialized and complicated software service.
    3. Security. The boundaries created for the logical groupings can also be used as security boundaries, as long as you understand the limitations and have appropriate filtering and control capability at your layer-3 routing point.

    For the use case in your question, I believe you are likely to run into the limitations described in #2.
    Last edited by jcoehoorn; 08-15-2019 at 12:05 PM.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 14.2.2 to protect 500Mbits for ~450 residential college students and associated staff and faculty

  7. #7
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    1,538

    Yes, divide and conquer the evil transformers!

    So let's say it is not a crap-ton of devices. And we want to make things more secure.
    But you want to keep significant others (S.O.) happy by not breaking their Things.

    Well, segmentation, in its various forms, will break connections intentionally.
    And it probably isn't worth the work of putting a brick wall up and then punching holes in it
    to get, say, Bonjour/mDNS functioning for discovering printers or casting streaming content.
    It is just a pain in the butt to do the work-arounds needed.

    So let's keep your home network just that. You normally have control over the physical environment. That is computer security 101.
    When you identify 'work PCs', do they belong to an employer, or is it your private business?

    Now, a common scenario is two flavors of Wi-Fi: one for trusted devices that your family has control over, and then a secured guest Wi-Fi with a passphrase that you hand out to occasional visitors, kids' friends, etc.
    The right Wi-Fi access point (AP) with dual SSIDs can use a VLAN over a single Ethernet cable back to an Untangle port (or through a managed switch) to isolate those two use cases.
    To me, that is one class of security worth doing. Because you don't always know who is sitting in the neighbor's driveway, you don't want to give them unlimited, unsupervised time to mess with your Things.

    Another class of security is putting all the smart things in jail as much as possible. Untangle can do much of that at the edge without VLANs. I happen to favor things that don't want to phone home to their manufacturer. Otherwise, they don't come into my physical environment (with the exception of smartphones, of course).

    So, does any of that resonate with you?
    Last edited by Jim.Alles; 08-15-2019 at 06:33 PM.
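Added example, not code from any post in this thread: a small Python model of the layer-3 filtering that jcoehoorn's point 3 calls for, which also answers the original question about the phone. The firewall allows the trusted LAN to open connections into the IoT VLAN and passes only the replies back, so a phone on the main network can still switch a smart plug, while a plug cannot open connections toward the PCs. The zone subnets, the `StatefulFilter` class and the sample flows are constructed for illustration.

```python
# Added example: stateful layer-3 filtering between home VLANs. Subnets, zone
# names and sample flows are constructed for illustration, not from the thread.
from ipaddress import ip_address, ip_network

# One constructed subnet per VLAN; anything outside them counts as "internet".
ZONES = {
    "trusted": ip_network("192.168.10.0/24"),  # phone, work PCs
    "kids": ip_network("192.168.20.0/24"),     # the boys' PCs
    "iot": ip_network("192.168.30.0/24"),      # smart plugs and friends
}

# Zone pairs allowed to open NEW connections (initiator -> responder).
# Replies travel on the same tracked connection, so no reverse rule exists.
NEW_ALLOWED = {
    ("trusted", "iot"),       # phone switches the plugs on and off
    ("trusted", "kids"),      # remote-desktop into the kids' PCs
    ("trusted", "internet"),
    ("kids", "internet"),
    ("iot", "internet"),      # the plugs may still phone home to their vendor
}


def zone_of(addr: str) -> str:
    """Map an IP address to its VLAN zone name, or 'internet' if unmatched."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


class StatefulFilter:
    """Minimal connection tracking: a packet is accepted if it belongs to an
    already accepted connection (either direction) or if it opens a new
    connection between a zone pair listed in NEW_ALLOWED."""

    def __init__(self) -> None:
        self.established = set()  # (src, sport, dst, dport, proto)

    def decide(self, src, sport, dst, dport, proto="tcp") -> str:
        key = (src, sport, dst, dport, proto)
        reply_key = (dst, dport, src, sport, proto)
        if key in self.established or reply_key in self.established:
            return "accept"  # part of a connection that was already permitted
        if (zone_of(src), zone_of(dst)) in NEW_ALLOWED:
            self.established.add(key)
            return "accept"  # new connection from a permitted initiator zone
        return "drop"  # e.g. a compromised plug probing PCs on the other VLANs
```

These rules only cover routed, unicast traffic; the Bonjour/mDNS discovery Jim.Alles mentions is link-local and still needs a separate reflector or work-around to cross VLANs.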

  8. #8
    Untangler
    Join Date
    Feb 2016
    Posts
    58

    It's a bit confusing, TBH. So in essence we are confirming my concern at the beginning: that if I put, say, my smart home plugs (for switching stuff off and on) on a separate VLAN, I cannot then control those devices from my iPhone, which would be on the main VLAN, so that makes it a no-go.

    So I guess the only other option is to try and ensure security as much as possible with Untangle, but these devices are of course phoning home; I can control them when out and about. Therefore I don't see any reason that, should someone take over the devices' server or whatever, I am now super vulnerable; I don't see what Untangle can do in this instance really.

  9. #9
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,740

    If you cannot control devices from another network, perhaps the issue is the software? How "smart" is a home plug that cannot be used via another IP range? Functionality that was literally developed in the 60s.

    Which, honestly, is why I don't have any of that crap in my home. I'm not buying smart ANYTHING until the vendors in question build something that can perform using 60-year-old standards.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  10. #10
    Untangle Ninja f1assistance's Avatar
    Join Date
    Apr 2009
    Location
    Holly Springs, NC
    Posts
    1,088

    D'oh! Tomorrow we'll discover VLAN isolation was a pipe dream and simply a convenience dopamine hit. The only thing I trust is physical segment isolation and zero unmanaged 'smart' devices, and will not ever connect my BB10 tracking device to my protected domain (cellular only). We admins are witnessing security's collapse simply because we allowed it (and knew better).
    If I must trust a single hardware, today, I choose Untangle!
    Wake up, Neo...
    The Smart Grid has you...

    "Router Network Isolation Broken By Covert Data Exfiltration"
    https://tinyurl.com/y3ortplo
    Vanguard Untangle...because nothing's worse than doing nothing!
    -------
    2, Pentium (R) Dual-Core CPU E5300 @ 2.60GHz 2599.968, 2089.96MB RAM
