Networking: Recommended Practices

TL;DR

Create at least three home networks. The primary network is for your computers and mobile phones. The second network is for smart home and internet of things (IoT) devices like smart lights, switches, plugs, controllers, and appliances. The third network is for guests. Prefer wired connections over wireless. Consider the benefits and drawbacks of advanced networking configurations. Never use default passwords.

Terms & Tech

A router connects different networks together and provides the physical and logical interfaces between them. A switch provides wired access to networks and an access point provides wireless access. Most home networking devices combine all of these interfaces into the router itself. SSIDs (Service Set Identifiers) represent the wireless networks and VLANs (Virtual Local Area Networks) represent the wired networks. Networks can be subdivided into subnetworks (or expanded into supernets) based on the network mask, and a subnet can span a VLAN and an SSID to create a single broadcast domain that connects them. Home networking manufacturers attempt to simplify all of this as much as possible, and while that’s helpful to get started, it can leave parts of your network exposed to attack, and, worse, the exposure will not be obvious.

Recommendations

  1. The primary network may also include Google Cast endpoints like Google TV and speakers, and it may also include AirPlay devices. These devices use multicast to discover and stream from source devices and require advanced configuration like mDNS forwarding and UDP/TCP firewall adjustments if they’re placed on the IoT network. Google and Apple devices are (hopefully) less likely to contain vulnerabilities, and when vulnerabilities are discovered, these organizations issue firmware updates to patch them.
  2. The IoT network will host devices from various manufacturers with a wide range of security practices and implementations. IoT devices are connected to the Internet by design. If the manufacturer’s hosted service is compromised, it presents a risk that bad actors could connect into your home network, potentially placing your other connected devices at risk. Some home routers only offer primary and guest network configurations. Use the guest network for IoT if this is the case. Do not simply assign devices to a network based on the manufacturer. For example, Google Nest cameras are not cast endpoints and do not need to be on the primary network. Ensure Network Attached Storage (NAS) devices, computers, tablets, and phones use a network that doesn’t have any IoT devices on it. Since your computers and phones control IoT devices through the manufacturer’s cloud anyway, local connectivity to them is rarely needed.
  3. The guest network should only ever host guests. Configure a simple passphrase that’s easy for guests to type, and change the passphrase as often as you feel necessary. Do not place anything on this network that isn’t a guest.
  4. Most modern networks are mostly wireless, but Ethernet should be used wherever possible, and MoCA only when absolutely necessary. MoCA (Multimedia over Coax Alliance) uses coaxial cable. If you must use coax, use a physical Point of Entry filter (confusingly called PoE, not to be confused with Power over Ethernet) to prevent data from leaking beyond your home. Coax is bidirectional, and if there’s no PoE filter, there’s nothing to terminate the signal. Use a MoCA security key on all MoCA devices. MoCA supports 128-bit AES encryption with a pre-shared key; do NOT use the same phrase or key you use anywhere else, because the service provider may have access to the configuration.
  5. Optionally, advanced networking options can further restrict access to home networks. It’s possible to limit network access based on a device’s MAC (Media Access Control) address, and/or to disable DHCP (Dynamic Host Configuration Protocol) automatic IP address management and assign network addresses manually, but these are overkill for the typical home.
  6. Finally, never use a networking device’s default password. Ever. They’re published here so you can factory reset the device, log in, and change it.
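As an added illustration of the three-network layout in items 1 through 3 (example code written for this page, not part of the original), the following models one subnet per network, checks that the subnets don’t overlap (a shared subnet would merge two broadcast domains), decides which cross-network connections the router should allow, and renders that policy as nftables forward-chain rules. The addressing plan, VLAN numbers and interface names (`vlanNN`, `wan0`) are assumptions, not values from the page.

```python
import ipaddress

# Constructed addressing plan: one /24 per network, each mapped to a VLAN
# (and, on the router, to an SSID) so wired and wireless share a broadcast domain.
NETWORKS = {
    "primary": {"vlan": 10, "subnet": ipaddress.ip_network("192.168.10.0/24")},
    "iot":     {"vlan": 20, "subnet": ipaddress.ip_network("192.168.20.0/24")},
    "guest":   {"vlan": 30, "subnet": ipaddress.ip_network("192.168.30.0/24")},
}

# Which network may open NEW connections into which other network.
# Primary may reach IoT (to control devices locally); IoT and guest reach only
# the Internet. Replies come back via connection tracking, not via these pairs.
# Multicast/mDNS for cast devices is deliberately not covered (see item 1).
ALLOWED_NEW = {
    ("primary", "iot"),
    ("primary", "wan"),
    ("iot", "wan"),
    ("guest", "wan"),
}

def subnets_are_disjoint(nets=NETWORKS):
    """True if no two networks share address space."""
    subnets = [n["subnet"] for n in nets.values()]
    return all(not a.overlaps(b)
               for i, a in enumerate(subnets) for b in subnets[i + 1:])

def classify(ip, nets=NETWORKS):
    """Return the name of the network that owns an address, or 'wan' if none does."""
    addr = ipaddress.ip_address(ip)
    for name, n in nets.items():
        if addr in n["subnet"]:
            return name
    return "wan"

def new_connection_allowed(src_ip, dst_ip):
    """Policy decision for a new connection the router would have to forward."""
    src, dst = classify(src_ip), classify(dst_ip)
    if src == dst:
        return True  # same broadcast domain; the router never forwards this
    return (src, dst) in ALLOWED_NEW

def nftables_rules(nets=NETWORKS):
    """Render the policy as the body of an nftables forward chain (default drop)."""
    lines = ["ct state established,related accept"]
    for src, dst in sorted(ALLOWED_NEW):
        oif = "wan0" if dst == "wan" else f"vlan{nets[dst]['vlan']}"
        lines.append(f"iifname vlan{nets[src]['vlan']} oifname {oif} accept")
    lines.append("drop")
    return lines
```

The rendered lines are only the rule body; wrap them in your router’s own table and chain definitions, and add explicit mDNS handling if cast or AirPlay devices end up on the IoT VLAN.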