Security for IoT devices

TheLyppardMan

Very Senior Member
I've read somewhere that any smart IoT devices should be kept separate from the main network for security reasons. That's easy to accomplish for my Honeywell Evohome programmable radiator thermostats by connecting the control panel to a guest network, but my security cameras at the moment store video clips on my Synology NAS. Question: if I were to store the video clips on a USB flash drive attached to the router, would the guest network be able to access it even if it were set to not have access to my intranet, or does switching on that setting also block access to any flash drives attached to the router?
 

GSpock

Senior Member
Access to the router is blocked when access to the intranet is disabled. So, it will not work. (And by the way, just tested it ...)
 

bennor

Very Senior Member
Question: if I were to store the video clips on a USB flash drive attached to the router, would the guest network be able to access it even if it were set to not have access to my intranet or does switching on that setting also block access to any flash drives attached to the router?
Generally (and by default, I think) the Guest Network, when enabled, blocks access to the intranet. One would have to change the Guest Network option "Access Intranet" to Enable for Guest Network clients to access the main LAN (intranet).

Or if one wants more granular control over their Guest Network, use the YazFi add-on script. It can be used to tailor access to or from Guest Network clients including using the custom scripting to allow specific Guest Clients to access a single (specific) main LAN client.
Edit to add:
 

ZebMcKayhan

Very Senior Member
Question: if I were to store the video clips on a USB flash drive attached to the router, would the guest network be able to access it even if it were set to not have access to my intranet or does switching on that setting also block access to any flash drives attached to the router?
As already answered: No, not by default.

But there is always the possibility to add custom firewall rules if you want to head down that path. It could look something like:
Code:
# 139 and 445 are TCP; the NetBIOS name/datagram services on 137 and 138 are UDP,
# so they need a second rule. If the INPUT chain already holds a rule that rejects
# guest traffic, use -I instead of -A so these rules are evaluated before it.
iptables -A INPUT -i wl0.1 -s 192.168.101.32 -p tcp -m multiport --dports 139,445 -j ACCEPT
iptables -A INPUT -i wl0.1 -s 192.168.101.32 -p udp -m multiport --dports 137,138 -j ACCEPT
to allow specifically interface wl0.1, IP 192.168.101.32, to access ports 137, 138, 139, 445 (the SMB/NetBIOS ports).

You could skip the -s <IP> if you like, but then all guests on this network will have access to the SMB share. Adding the IP means only this device, but it also means this IP would need to remain static.
 

bbunge

Part of the Furniture
Besides the above comments, it is not smart to even consider using a USB drive on the router to store camera events. Use quality cams from a good manufacturer and keep their firmware upgraded. The NAS is a good place for the events.
 

TheLyppardMan

Very Senior Member
It looks like I've got a fairly steep learning curve to follow if I attempt to do this, as at the moment I don't know anything about iptables or how to add/remove them.
 

heysoundude

Part of the Furniture
The smartypants in me was going to leave an answer like "IoT devices are only secure in their boxes, at the store you bought them from - best to leave them there", but some bigger brains beat me here.
 

TheLyppardMan

Very Senior Member
I think my NAS is protected by only allowing the IP cameras to access the share where their videos are stored (see image), and most of our personal data is stored on the other NAS shares with appropriate permissions, but what I feel I ought to do is prevent any other IoT devices from accessing other devices on the network. At the moment, I only have one other IoT device, i.e., my Honeywell Evohome controller for my radiator valves, but that doesn't need access to anything on my network, so I have simply put that on a guest network with no access to the LAN. Is there a simple way for any other IoT devices, such as my security cameras, to only allow them access to my NAS, which has a fixed IP address xxx.xxx.xxx.200, and block access to all other internal IP addresses? The router's IP address is xxx.xxx.xxx.254 in case that is relevant.
 

Attachment: Screenshot - 17_08_2022, 17_44_04.jpg

bennor

Very Senior Member
Is there a simple way for any other IoT devices, such as my security cameras, to only allow them access to my NAS, which has a fixed IP address xxx.xxx.xxx.200, and block access to all other internal IP addresses? The router's IP address is xxx.xxx.xxx.254 in case that is relevant.
Yes, as indicated above, use custom scripting either in iptables or in YazFi (guest-to-LAN communication).

In one of the YazFi threads, if I remember right, there is a whole discussion on precisely this subject, confining one or two IoT devices on the Guest WiFi to accessing a single LAN side client device.
 
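As an added example (not code posted by anyone in this thread), this is what the iptables approach bennor and ZebMcKayhan describe looks like when written out as a script: one guest-WiFi camera is allowed to reach SMB on the NAS and nothing else on the main LAN, with the camera's internet access dropped as well unless you opt back in. It assumes a routed guest subnet (as YazFi sets up) on interface wl0.1, a main LAN of 192.168.1.0/24, the NAS at 192.168.1.200 and the camera at 192.168.101.32; every one of those values is a placeholder to change for your own network, and the chain name IOT_<last octet> is just a naming choice of this example. On Asuswrt-Merlin it would be run from /jffs/scripts/firewall-start.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster: confine one guest-WiFi
# IoT client to a single LAN host (the NAS) with iptables, in the form a
# firewall-start script on an Asuswrt-Merlin router would take. Every address,
# the interface name and the chain name are assumptions; adjust them to your network.

GUEST_IF="${GUEST_IF:-wl0.1}"          # guest WiFi interface (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # main LAN subnet (assumed)
NAS_IP="${NAS_IP:-192.168.1.200}"      # the NAS, the only LAN host the camera may reach
CAM_IP="${CAM_IP:-192.168.101.32}"     # the camera on the guest subnet; needs a static lease
CAM_WAN="${CAM_WAN:-no}"               # "yes" keeps the camera's internet access
CHAIN="IOT_${CAM_IP##*.}"              # one chain per device, e.g. IOT_32

# Emit the iptables commands instead of running them, so the rule set can be
# reviewed first. Run as root on the router with:  ./iot-confine.sh apply
gen_rules() {
  # Recreate the chain so re-running the script never duplicates rules.
  echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
  # SMB to the NAS only: TCP 139/445, plus UDP 137/138 for NetBIOS name service.
  echo "iptables -A $CHAIN -d $NAS_IP -p tcp -m multiport --dports 139,445 -j ACCEPT"
  echo "iptables -A $CHAIN -d $NAS_IP -p udp -m multiport --dports 137,138 -j ACCEPT"
  # Keep DHCP lease renewals to the router working (unicast renewals come from CAM_IP).
  echo "iptables -A $CHAIN -p udp --dport 67 -j ACCEPT"
  # Anything else aimed at the main LAN (the router's LAN address included) is dropped.
  echo "iptables -A $CHAIN -d $LAN_NET -j DROP"
  # Optionally drop everything else too, i.e. no internet for the camera.
  [ "$CAM_WAN" = "yes" ] || echo "iptables -A $CHAIN -j DROP"
  # Hook the chain in for packets from the camera, both routed (FORWARD) and
  # addressed to the router itself (INPUT). -I puts the jump above the
  # firmware's own guest-network rules; the -D first keeps it idempotent.
  for c in FORWARD INPUT; do
    echo "iptables -D $c -i $GUEST_IF -s $CAM_IP -j $CHAIN 2>/dev/null"
    echo "iptables -I $c -i $GUEST_IF -s $CAM_IP -j $CHAIN"
  done
  # Replies from the NAS back to the camera, in case the FORWARD chain has no
  # ESTABLISHED,RELATED rule ahead of the guest-network isolation rules.
  echo "iptables -D FORWARD -o $GUEST_IF -d $CAM_IP -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null"
  echo "iptables -I FORWARD -o $GUEST_IF -d $CAM_IP -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Number of policy rules in the per-device chain: a quick sanity check that
# needs no root (5 with internet blocked, 4 with CAM_WAN=yes).
rule_count() { gen_rules | grep -c "^iptables -A $CHAIN "; }

case "${1:-}" in
  apply) gen_rules | sh ;;   # actually program the firewall
  show)  gen_rules ;;        # just print the commands
esac
```

Run it with `show` first and read the rules; the per-device chain means a second camera gets its own chain (change CAM_IP) without touching the first. A camera that joins the LAN over a Powerline adapter rather than guest WiFi never passes through the router's FORWARD chain on its way to the NAS, so rules like these do not apply to it; that device has to be fenced off on the NAS side (share permissions, firewall on the NAS) or moved onto the guest subnet.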

TheLyppardMan

Very Senior Member
Yes, as indicated above, use custom scripting either in iptables or in YazFi (guest-to-LAN communication).

In one of the YazFi threads, if I remember right, there is a whole discussion on precisely this subject, confining one or two IoT devices on the Guest WiFi to accessing a single LAN side client device.
Thanks. I've asked the question on the YazFi discussion to see if someone can tell me how to set that up.
 

bennor

Very Senior Member
@TheLyppardMan I had a similar need in the past; maybe this thread would help you to achieve your desired network setup.
The OP eventually added some additional information in their YazFi thread in the add-on subforum that changes things a bit with what has been discussed in this thread, and which would make using YazFi less than optimal for the OP's needs.

https://www.snbforums.com/threads/allowing-access-to-selected-network-devices.80405/#post-784608
Thank you for your detailed explanation. However, I'm rather embarrassed to admit this, but I've realised a couple of things that I should have done earlier (I think it's an age-related thing, as I often get confused or forget things these days). Firstly, one of the cameras is not on Wi-Fi but rather has access to my network via a Powerline adapter. The other thing is, unless I need to access the cameras' data remotely, then I can simply block their internet access from within the network map client status page, thus:
(attachments 43647 and 43648)
 
