IoT devices on guest network question(s)

lepa71

Senior Member
Does it make sense to isolate IoT devices by creating a guest network(s)?

What is so special about them?

Thanks
 

bennor

Senior Member
There are various security reasons to isolate IoT devices to a Guest network. Among them: if one or more of them happens to get compromised, it won't impact the rest of the main LAN clients. The downside to moving IoT devices to a guest network is some IoT devices may need access to clients on the main LAN, or main LAN clients need access to IoT devices. One can search the internet for the many posts and discussions on why it's a good idea to isolate IoT devices.

Some of us use YazFi for our guest WiFi network and put our WiFi IoT devices on that guest network. Some of us lock down the Guest network including using client isolation.
 

OzarkEdge

Part of the Furniture
Does it make sense to isolate IoT devices by creating a guest network(s)?

What is so special about them?

Thanks

It makes sense to keep untrusted clients off your private LAN/WLANs, provided they need Internet access only. But sometimes this will conflict with you/apps accessing them from your private LAN/WLANs/devices.

OE
 

Morris

Very Senior Member
I agree with isolating IOT devices and this is also what I do. While this protects your main network and, I'd bet, some very valuable assets, my thermostat is an IOT device and my home is a valuable asset. Should my thermostat be taken over by a malicious actor, they could freeze my pipes and cause a lot of damage. It's not as simple as one would like, and my thermostat is just one example.
 

eibgrad

Part of the Furniture
I agree with isolating IOT devices and this is also what I do. While this protects your main network and, I'd bet, some very valuable assets, my thermostat is an IOT device and my home is a valuable asset. Should my thermostat be taken over by a malicious actor, they could freeze my pipes and cause a lot of damage. It's not as simple as one would like, and my thermostat is just one example.

Yes, but that's NOT the intent of having an IOT network.

Any such blackbox device is subject to possible malicious takeover, regardless of whether it's assigned to the private or IOT network. The point is to place those devices you trust *least* on their own separate network to protect your other assets. It's NOT because it's more likely to prevent the malicious takeover and the direct consequences to the thing(s) which it controls. It's a valid concern, but again, it has nothing to do w/ the efficacy of placing it on the IOT network.

What you're describing is whether you have good reason to trust it in the first place, irrespective of where you end up placing it on the network. Because we insist on dealing w/ "less trustworthy" devices due to their considerable convenience, we mitigate that risk (but not eliminate it) w/ the IOT network. But at the end of the day, you may regret having bought and installed it anyway.
 

Morris

Very Senior Member
Yes, but that's NOT the intent of having an IOT network.

Any such blackbox device is subject to possible malicious takeover, regardless of whether it's assigned to the private or IOT network. The point is to place those devices you trust *least* on their own separate network to protect your other assets. It's NOT because it's more likely to prevent the malicious takeover and the direct consequences to the thing(s) which it controls. It's a valid concern, but again, it has nothing to do w/ the efficacy of placing it on the IOT network.

What you're describing is whether you have good reason to trust it in the first place, irrespective of where you end up placing it on the network. Because we insist on dealing w/ "less trustworthy" devices due to their considerable convenience, we mitigate that risk (but not eliminate it) w/ the IOT network. But at the end of the day, you may regret having bought and installed it anyway.

The least trusted things associated with any network are humans, well intended or not. Every host should be isolated from every other host except when needed. Our toy routers are not capable of this, so we must do what we can, and it's sadly ineffective yet better than nothing.
 

bbunge

Part of the Furniture
When I discovered that Dish customer support could remote into my Dish box without my permission is when I created a Guest network. And yes, my Ecobee is also on the Guest network.
 

L&LD

Part of the Furniture
The best security for IoT devices; don't power them up within your home, and most certainly don't connect them to your router (main, guest, YazFi, wired, or otherwise).

As @Morris rightly pointed out, even using a different ISP with a separate router for those intrusive IoTs won't keep you safe from the script kiddies looking to make a name for themselves.
 

lepa71

Senior Member
So those are the IoT devices I have.
2 C545 air purifiers
1 Google Nest doorbell
3 light bulbs.

Not much.

This is what I did:
I created one 2.4 band IoT guest network for light bulbs and air purifiers and one 5 band IoT guest network for the doorbell. For all of them, I still allow intranet access. I want to be able to see the doorbell video on my Sony Google TV. I'm not sure about light bulbs and purifiers. I guess I will have to play around to see if I can disable the intranet on the 2.4 guest network. I do know that both guest networks are on the same subnet, and this is why I was wondering if in my case I really need to do it.
 
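bennor's advice above (lock the guest network down, use client isolation) and lepa71's setup (two IoT guest networks with "intranet access" left on) come down to the same question: which flows crossing the router are permitted. The block below is an added example, not code from this thread or from YazFi; it models a router FORWARD chain with iptables first-match semantics and compares three policies: intranet access allowed (no drop rule at all), isolated (IoT may reach the internet and answer the LAN, but never initiate into it), and strict (one LAN host to one IoT host on one port). Every subnet, address, host role and the port 554 are assumptions for illustration. It also makes the point behind lepa71's last sentence: two clients on the same subnet never pass through the router's forwarding rules at all, so a layer-3 firewall cannot separate them; that is what wireless client isolation is for, and why an IoT network on its own subnet (which YazFi provides) is the starting point.

```python
"""Model of a router FORWARD chain that isolates an IoT guest subnet from the
main LAN. Every address, subnet, host role and port below is assumed for
illustration; none comes from the thread or from YazFi's own rules."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")
LAN = Net("192.168.50.0/24")   # assumed: main LAN (trusted clients, the TV)
IOT = Net("192.168.60.0/24")   # assumed: IoT guest network on its OWN subnet
TV = "192.168.50.20"           # assumed: the TV on the main LAN
DOORBELL = "192.168.60.30"     # assumed: the doorbell on the IoT subnet


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    established: bool = False  # continuation of a connection the router already accepted


@dataclass(frozen=True)
class Rule:
    action: str                  # "ACCEPT" or "DROP"
    src: Net = ANY
    dst: Net = ANY
    dport: Optional[int] = None  # None = any port
    established: bool = False    # True = conntrack RELATED,ESTABLISHED match only
    comment: str = ""

    def matches(self, f: Flow) -> bool:
        if self.established and not f.established:
            return False
        if self.dport is not None and self.dport != f.dport:
            return False
        return (ipaddress.ip_address(f.src) in self.src
                and ipaddress.ip_address(f.dst) in self.dst)

    def iptables(self) -> str:
        """Equivalent iptables command (illustrative; YazFi manages its own chains)."""
        parts = ["iptables -A FORWARD"]
        if self.established:
            parts.append("-m conntrack --ctstate RELATED,ESTABLISHED")
        if self.src != ANY:
            parts.append(f"-s {self.src}")
        if self.dst != ANY:
            parts.append(f"-d {self.dst}")
        if self.dport is not None:
            parts.append(f"-p tcp --dport {self.dport}")
        parts.append(f"-j {self.action}")
        return " ".join(parts)


# Building blocks shared by the three policies below.
REPLIES = Rule("ACCEPT", established=True, comment="replies to already-accepted connections")
IOT_TO_LAN = Rule("DROP", src=IOT, dst=LAN, comment="IoT must never initiate into the LAN")
IOT_OUT = Rule("ACCEPT", src=IOT, comment="IoT cloud/internet access")
LAN_OUT = Rule("ACCEPT", src=LAN, comment="main LAN internet access")

# 'Allow intranet access' ticked: there is simply no drop rule between the subnets.
INTRANET_ALLOWED: List[Rule] = [REPLIES, Rule("ACCEPT", src=LAN, dst=IOT), IOT_OUT, LAN_OUT]

# Isolated: any LAN client may still open connections to IoT gear, never the reverse.
ISOLATED: List[Rule] = [REPLIES, Rule("ACCEPT", src=LAN, dst=IOT, comment="owner devices manage IoT"),
                        IOT_TO_LAN, IOT_OUT, LAN_OUT]

# Strict: only the TV, only the doorbell, only one port (554 assumed for the stream).
STRICT: List[Rule] = [REPLIES,
                      Rule("ACCEPT", src=Net(f"{TV}/32"), dst=Net(f"{DOORBELL}/32"), dport=554,
                           comment="assumed: the one LAN->IoT flow actually needed"),
                      Rule("DROP", src=LAN, dst=IOT, comment="every other LAN->IoT attempt"),
                      IOT_TO_LAN, IOT_OUT, LAN_OUT]


def evaluate(rules: List[Rule], f: Flow, default: str = "DROP") -> str:
    """First matching rule wins, as in iptables. Traffic between two clients of the
    SAME subnet never reaches the FORWARD chain (it is switched at layer 2), so the
    router's firewall cannot separate such clients; only AP client isolation can."""
    s, d = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
    if any(s in net and d in net for net in (LAN, IOT)):
        return "NOT_FORWARDED"
    for r in rules:
        if r.matches(f):
            return r.action
    return default


if __name__ == "__main__":
    for name, policy in (("intranet allowed", INTRANET_ALLOWED), ("isolated", ISOLATED), ("strict", STRICT)):
        print(name, "doorbell->TV:445 =", evaluate(policy, Flow(DOORBELL, TV, 445)),
              "| TV->doorbell:554 =", evaluate(policy, Flow(TV, DOORBELL, 554)))
    print("\n".join(r.iptables() for r in STRICT))
```

Rule order is the whole point: the RELATED,ESTABLISHED accept comes first so the doorbell can answer the TV, the IoT-to-LAN drop comes before the IoT-to-anywhere accept, and in the strict variant the single allowed LAN-to-IoT flow comes before the catch-all LAN-to-IoT drop. Swap any of those pairs and the policy silently opens up.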

lepa71

Senior Member
The best security for IoT devices; don't power them up within your home, and most certainly don't connect them to your router (main, guest, YazFi, wired, or otherwise).

As @Morris rightly pointed out, even using a different ISP with a separate router for those intrusive IoTs won't keep you safe from the script kiddies looking to make a name for themselves.
So what do you do? Where/how do you connect them?
 

L&LD

Part of the Furniture
I don't use them. No need, really.
 

lepa71

Senior Member
I don't use them. No need, really.
Well... I don't go crazy on those but I do like my doorbell. Light bulbs were used in vacation mode while we were out of town. For air purifiers, I agree, those are just nice to have toys. lol
 

L&LD

Part of the Furniture
For security, only one is needed to go past crazy. :)
 

OzarkEdge

Part of the Furniture
The best security for IoT devices; don't power them up within your home, and most certainly don't connect them to your router

A smart TV is an IoT device.

A smart phone is an IoT device.

Got any of those on your IoT device router?

OE
 

L&LD

Part of the Furniture
No TVs, but a few monitors (with no network connections).

How is a phone an IoT device? I think that's stretching it.

Particularly for me with no apps installed except for MS products.
 

OzarkEdge

Part of the Furniture
How is a phone an IoT device? I think that's stretching it.

Particularly for me with no apps installed except for MS products.

The phone is not so IoT in terms of cheap/vulnerable hardware, but once you mix in ever-changing cloud-based apps from who knows where doing who knows what, then the phone becomes (remains) another vector for abuse.

OE
 

Morris

Very Senior Member
So those are the IoT devices I have.
2 C545 air purifiers
1 Google Nest doorbell
3 light bulbs.

Not much.

This is what I did:
I created one 2.4 band IoT guest network for light bulbs and air purifiers and one 5 band IoT guest network for the doorbell. For all of them, I still allow intranet access. I want to be able to see the doorbell video on my Sony Google TV. I'm not sure about light bulbs and purifiers. I guess I will have to play around to see if I can disable the intranet on the 2.4 guest network. I do know that both guest networks are on the same subnet, and this is why I was wondering if in my case I really need to do it.

Burglar with megaphone "OK Google, open the door"
Klick
 

L&LD

Part of the Furniture
@OzarkEdge, yes but like I said, no random apps for me.
 
