Unsure best direction for better logging and securing IoT devices

[Richard H]

I'm into IoT and home automation, but I'm embarrassed to admit I've rather ignored the security aspects of my home network so far. I'd be really grateful for some guidance on the best direction to address this, especially if anyone thinks I might be wasting my time looking into building a NG firewall type device!

I have an ASUS RT-AC86U router and a few unmanaged gigabit switches. My house contains lots of IP connected things such as:

• PCs & laptops
• IP cameras connected to Blue Iris
• Google home hubs & Amazon Echos
• Squeezebox music streamers
• Logitech Harmony remote hubs
• Wifi smart switches
• Home Assistant, Samsung SmartThings Hub, Vera Z-Wave hub
• Various games consoles
• Xiaomi robot vacuum cleaner
• Smart TV, Chromecast, Nvidia Shield video streamers

I've reserved IP addresses for many of those devices in the router, partly to help Home Assistant config and partly because of a desire for neat ranges based on type of device!

The robot vacuum is my latest addition and I've heard some worrying things about what it sends "home", so thought it's really time I looked to get a handle on security. My primary aims are to have some way of locking down my IoT devices so they can't talk to anything more than they really need to. I'd also really like to get some good reports & stats out of my network. I'd love to be able to see what bandwidth individual devices are using, and part of the world they're talking to. Also, when my broadband provider and streaming TV providers both blame the other company for a poor service, I'd love to have the information to understand who's really at fault! Generally preventing risky web sites/pages loading would be great too.

I bought a mini PC with dual network ports with the thought that I'd install something like Sophos Home / Untangle / OpnSense. I can't seem to get the Sophos ISO to install, but I've had a brief look at OpnSense and Untangle, with my initial thoughts that Untangle looks a lot more user friendly which might justify the $50 cost. I'm thinking I should probably ask for advise before going down this route though, to see if it's really the right tool for the job! I'm familiar with Linux, but not very knowledgeable on network stuff beyond the basics. I'm really not sure if a vlan is right for me, or how to set one up!

My router struggles to provide WiFi for the whole house, so once I've made some progress on security, I'm thinking of getting some Access Points (not sure if I new mesh ones, or maybe use another ASUS router to try the AI-mesh thing), just in case that makes a difference to any advice.

Thanks in advance for any thoughts!

 

[coxhaus]

Untangle is a good choice if you are serious about security. It runs in 2 modes. It runs as a router or as a transparent bridge. This is not the best fit for an ASUS router. If you are going to separate WIFI then you might want to use Untangle with separate wireless APs.

If you want something to stop bad web pages then use QUAD9 9.9.9.9 for DNS. It is a good start.

 

[Richard H]

Thanks for your reply. I'm afraid I have more questions!

Would Untangle alone provide me with what I need to put restrictions around my IoT devices? Should I be thinking about VLANs, and if so can I do that without having to buy extra kit?

If I go for Untangle, it seems like it is best to make that my new router. I guess I could then use my Asus router purely as a wireless AP in the short term, while I decide what dedicated APs to buy?

I was not aware of Quad9 - looks interesting. I've just switched to it on my router to give it a go.

 

[abailey]

I use Untangle in my home and it can certainly do what you want, including the reporting. To separate your IOT devices you will need to use VLANs (or totally separate LANs). For VLANs you will need some managed switches and some AP's that can handle VLANs (if you want the AP's to provide wireless to multiple VLANs). You are thinking right with Untangle in that it is best run in router mode. Untangles free version may be all you need. The free version can do VLANs and reporting. Here is a comparison: https://www.untangle.com/untangle-ng-firewall/software-packages/

 

[coxhaus]

When I ran Untangle many years ago I ran it as a transparent bridge right behind my Cisco router. I also ran my layer 3 switch so I used my layer 3 switch for VLANs. I ran Untangle as a security appliance.

But as abailey states it can handle the VLANs.

 

[MichaelCG]

There are a few challenges to keep in mind when trying to use VLANs for segmentation. For media type devices (firesticks, chromecasts, sonos, etc) you may lose some functionality if your compute devices (laptop, tablet, phone, etc) aren't in the same broadcast domain.

I built out an IoT segment at my house and only about half of my IoT devices ended up on it since I lost too much functionality. My webcams and most of my FireSticks are on the IoT network, but my Sonos and a few other devices had to stay on my local LAN so the apps that control them on my phone would actually work correctly.

For what it's worth, I am running a SophosXG as my firewall. It provided more web layer features than pfSense, although it is quite a bit more complex to manage and configure due to the additional features. Once running, it is awesome. It just took quite a bit of time to tune all of the firewall and filtering rules to get what I was after. pfSense vs OPNSense....they both have similar features, but these days pfSense has more commercial ties and OPNsense may have more current development and flexibility.

 

[Richard H]

Thanks very much everyone. I'm starting to think VLANs may be a step too far for me at the moment due to complexity, hardware requirements and potential loss of functionality. Maybe I should go back and have another go at getting that Sophos ISO to boot!