Riko
Occasional Visitor
Vlan hopping and mitigation:
en.wikipedia.org
Do i need an IoT VLAN
- Thread starter ddaenen1
- Start date
Mitigation is better than no Mitigation. However, Mitigation doesn't work in the real world. Attackers are not stupids. Attackers use vulnerability. That's why Physical Network Separation is needed. Home use? VLAN is fine. It feels better. Users may feel they are safe.Vlan hopping and mitigation:
VLAN hopping - Wikipedia
Riko
Occasional Visitor
My pfSense system has 4x 2.5gbps ports.
1 for WAN and 2 ports for the 2 nic LAG to the switch.
1 have only one unused port left.
I like to learn networking best practices and to prevent, mitigate vulnerabilities that comes with the territory.
"Not flying is always safer then flying."
www.linkedin.com
1 for WAN and 2 ports for the 2 nic LAG to the switch.
1 have only one unused port left.
I like to learn networking best practices and to prevent, mitigate vulnerabilities that comes with the territory.
"Not flying is always safer then flying."
How do you secure VLANs against attacks such as VLAN hopping and spoofing?
Learn how to prevent VLAN hopping and spoofing attacks and follow best practices for VLAN configuration and management.
Last edited:
ddaenen1
Very Senior Member
So that would mean additional hardware and building up a separate LAN network for IoT? If that's needed, i think i am going to pass.
Yes. Unless your IoT devices don't effect anything on your network. Sometimes IoT devices broadcast horrible packets to everywhere. It occurs network issues.
Last edited:
It can be as simple as you using a second network non-VLAN by using a second LAN port in Pfsense if you have an extra port in your NIC in your Pfsense router.
But the other thing is if you use a VLAN with its own network it can be just as safe as a separate network. You just need to add a blocking ACL, maybe a couple, on a Cisco switch. This may not be true on other L3 switches as I have not used them, so I don't know. I am not sure a L2 switch will be as safe. I can think of ways a L2 switch would not be as safe.
Last edited:
macster2075
Very Senior Member
Is it safe to allow IoT devices to access the internet?
I've always wondered about that. I tend to block internet to all my IoT devices as I think it's more secure.
Is there a real security risk to allow Iot devices to have access to the internet even if they are on a separate network and isolated?
I've always wondered about that. I tend to block internet to all my IoT devices as I think it's more secure.
Is there a real security risk to allow Iot devices to have access to the internet even if they are on a separate network and isolated?
ddaenen1
Very Senior Member
Well, AFAIK IoT devices need the internet to connect to their respective servers to be able to be controlled by an app. The point is to ensure they cannot access anything else on your LAN. Therefore, putting on a separate VLAN to isolate them is what you would want to achieve.
macster2075
Very Senior Member
I have seen that some iot devices are able to be controlled by an app when internet is blocked, but they need to be connected to the main network. If they are on a vlan, for example, they do not work when blocking internet access. Why would that be?
why can internet be blocked when connected to main network and they continue to work fine, but if they are on a vlan, internet access is a must?
Tech9
Part of the Furniture
You have to provide LAN or WAN access to the control device - app, hub, whatever it is. If you cut WAN and move the IoT devices to isolated VLAN obviously they will stop doing whatever they are doing. No access to Internet, no local access to the controller - like they are not connected at all. You have two possible options - 1) allow WAN access and the devices will communicate with the controller over Internet; 2) move the controller on the same VLAN so the IoT devices can see it.
macster2075
Very Senior Member
Sorry, I am still a little confused...how come those iot devices work fine with the internet blocked when they are connected to the main wifi network?
But, when they are connected to a wifi network that is on a different subnet (using vlan), they do not work if internet access is disabled.
I would think if they need internet access to work, they would not work when internet is disabled regardless of what network they are connected to...this is why I am confused.
But, when they are connected to a wifi network that is on a different subnet (using vlan), they do not work if internet access is disabled.
I would think if they need internet access to work, they would not work when internet is disabled regardless of what network they are connected to...this is why I am confused.
Tech9
Part of the Furniture
Because your controller is perhaps on the same main network and they have access to it.
Because they don't see the controller over Internet (blocked) and can't see it over LAN (isolated VLAN). They may be connected to this VLAN, but can't do anything. It depends on what IoT devices as well. Some may continue doing whatever they are doing, some need access to the controller to work.
macster2075
Very Senior Member
oh ok.. so it depends on the iot.. that makes more sense.. thanks.
Tech9
Part of the Furniture
Most are dumb and rely on some software running somewhere else to tell them what to do. All common light bulbs, switches, power plugs, etc. wait for remote commands. They call them "smart", but the actual "brain" is somewhere else and it needs access to the devices, WAN or LAN.
Similar threads
Similar threads
| Thread starter | Title | Forum | Replies | Date |
|---|---|---|---|---|
| J | Allowing Remote Desktop Connection between VLAN's | Routers | 23 |