Author Topic: IoT and the advice to isolate them on networks  (Read 313 times)

chenks

  • Reg Member
  • ***
  • Posts: 688
IoT and the advice to isolate them on networks
« on: September 12, 2019, 12:34:16 PM »

So I keep seeing people saying that IoT devices should be on their own VLAN and not be able to communicate with other LAN devices.
But isn't that the point of IoT devices? That they can communicate with other devices?

Example: a Google Home speaker. I give it a voice command and it does what I ask (e.g. turn on the lights).
If that speaker is isolated, then how can it communicate with the lights to turn them on?

I know the reason for doing so is always security, but don't you end up cutting the device off at the knees by doing this?

Thoughts?
Logged

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 7564
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick
Re: IoT and the advice to isolate them on networks
« Reply #1 on: September 12, 2019, 04:27:22 PM »

Exactly. You can have the thing so secure that it’s completely useless since no one can access anything. Networks are meant to enable communication.

There are two ways of looking at things; you can put a wall around the things you want to protect, or you can put a barrier up around where the bad guys are (or might originate from). I have recently changed my firewalling to use a mixture of these two approaches, based on convenience and ease of management, among other considerations.

As for things like light switches, there’s the case of an untrusted device; if it is talking to manufacturers when it shouldn’t be - because of some indirect connection to an off-site remote control app perhaps - then perhaps the main firewall should block outbound stuff from these devices. But then they either won’t work at all or will not be as useful. I wouldn’t buy any of this kit that ‘phones home’ unless I was very sure about the organisation behind it.

The other aspect of firewalling a light switch might be to prevent unauthorised users accessing it.

I base things on groups of totally trusted users and devices and you’re either in or you’re out.
Logged

chenks

  • Reg Member
  • ***
  • Posts: 688
Re: IoT and the advice to isolate them on networks
« Reply #2 on: September 12, 2019, 05:35:39 PM »

Well, with the lights in particular, in my example they are Philips Hue devices, so the bulbs and switches aren't on the LAN at all; they communicate with a Hue Bridge via Zigbee, and it's only the bridge that is on the actual LAN.

But the bridge needs internet access for cloud access to work (for "coming home" routines etc.). You can't isolate the bridge, otherwise you limit what it can do. And if the Google Home speaker can't communicate with the bridge then it can't do any of the functions you may want to use.
Logged

j0hn

  • Kitizen
  • ****
  • Posts: 2545
Re: IoT and the advice to isolate them on networks
« Reply #3 on: September 12, 2019, 07:56:52 PM »

Very few IoT devices communicate directly with other devices within the internal LAN at all.

Most go through some online server, or there's the Zigbee stuff.

I have about a dozen smart home devices and only my Sonoff smart plugs work over the WLAN.
Most of my smart devices are cheap, go through some Chinese server and don't work without an internet connection.

It wouldn't hurt to isolate the devices that don't talk over the LAN.
Logged
Plusnet FTTC 80/20 -  ECI now Huawei cab
retx low @ 3dB target SNRM
Zyxel VMG1312-B10A bridged with 1508 MTU + Asus RT-AC68U running Asuswrt-Merlin

chenks

  • Reg Member
  • ***
  • Posts: 688
Re: IoT and the advice to isolate them on networks
« Reply #4 on: September 13, 2019, 07:42:46 AM »

So in my example, what is the path of communication?
I say "OK Google, turn on living room lights".
There is some path of communication from the Google Home to the Philips Hue bridge.

Another example: I can say "OK Google, turn on living room TV" and it does it (because the TV runs Android TV). Again, what is the path of communication there?
In that instance I can't see it doing that via the internet (the TV is Ethernet connected, the Google Home is WiFi connected).
Logged

j0hn

  • Kitizen
  • ****
  • Posts: 2545
Re: IoT and the advice to isolate them on networks
« Reply #5 on: September 13, 2019, 12:27:04 PM »

Quote
in that instance i can't see it doing that via the internet.
Unless you have a magic Google Home with all the tech inside it to decipher your voice, then it goes over the internet like every other Google Home/Amazon Alexa voice command.
These devices are glorified speakers/microphones and all the analysing/processing of speech is done on Google/Amazon's servers.

Try it connected to your network without an internet connection and see how far you get.

The Philips Hue kit itself works over LAN, but you need to use the app for that.

Google Home and Amazon Alexa won't work without an active internet connection.

Path is something like Google Home > Router > Google servers > Router > Hue Bridge > Hue lights.
« Last Edit: September 13, 2019, 12:30:31 PM by j0hn »
Logged
Plusnet FTTC 80/20 -  ECI now Huawei cab
retx low @ 3dB target SNRM
Zyxel VMG1312-B10A bridged with 1508 MTU + Asus RT-AC68U running Asuswrt-Merlin
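As an added example (not from any poster in this thread): the isolation j0hn describes, written as an nftables forward ruleset on a router with three interfaces. IoT devices may reach the internet, the trusted LAN may initiate connections to IoT devices (the phone app talking to the Hue Bridge locally), but IoT devices cannot initiate connections into the trusted LAN. The interface names, subnets and device addresses are assumed for the example; the cloud-routed voice command path (Google Home > Router > Google servers > Router > Hue Bridge) still works because the Hue Bridge keeps an outbound connection to its cloud and commands arrive as return traffic on it.

```nftables
# Assumed topology (constructed for this example, not from the thread):
#   lan0 = trusted LAN, 192.168.1.0/24  (PCs, phones, Android TV at 192.168.1.50)
#   iot0 = IoT VLAN,    192.168.20.0/24 (Google Home, Hue Bridge at 192.168.20.10)
#   wan0 = internet uplink
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for any flow that was allowed below (this is how
        # cloud-originated commands reach the Hue Bridge: over the bridge's
        # own outbound connection, never as a new inbound connection).
        ct state established,related accept
        ct state invalid drop

        # IoT VLAN may reach the internet (Google / Hue cloud services) ...
        iifname "iot0" oifname "wan0" accept

        # ... but may not initiate anything towards the trusted LAN.
        # Log first so that "chatty" devices show up in the router log.
        iifname "iot0" oifname "lan0" log prefix "iot-to-lan blocked: " drop

        # Optional narrow exception, assumed values: if one IoT device must
        # reach one LAN host (e.g. the speaker casting to the Android TV),
        # allow only that pair and those ports rather than the whole LAN.
        # iifname "iot0" oifname "lan0" ip saddr 192.168.20.20 \
        #     ip daddr 192.168.1.50 tcp dport { 8008, 8009 } accept

        # Trusted LAN may initiate to IoT devices (app -> Hue Bridge locally)
        iifname "lan0" oifname "iot0" accept

        # Trusted LAN to the internet as usual
        iifname "lan0" oifname "wan0" accept
    }
}
```

Discovery protocols such as mDNS do not cross VLANs by themselves, so a device on the trusted LAN finding the bridge by name (rather than by address) needs an mDNS reflector in addition to the rules above.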

chenks

  • Reg Member
  • ***
  • Posts: 688
Re: IoT and the advice to isolate them on networks
« Reply #6 on: September 13, 2019, 04:08:39 PM »

I wasn't debating the fact that the Google Home needs internet access.
I was saying that surely once the Google Home has worked out what I said, it needs to be able to communicate with the bridge, so does it do that via the internet also, or via the local LAN?

So if you isolate all IoT devices from seeing other LAN devices, then once Google Home has worked out the voice part, will it still turn the lights on, or will it fail because it can't see the bridge? Same question for the TV, which is essentially just an Android TV device on the local LAN.
Logged