IOT (Internet of Things) security with Peplink


#1

I’m looking for general tips on how to safely integrate a potentially unsafe device into my network: IOT devices such as wifi cameras, thermostats, VOIP telephones, etc.

My initial thought was to segregate them to a “guest” VLAN / WiFi and keep them off of my more secure business network. That way, even if they are misbehaving they can’t do much damage. However, a problem with this approach is that other devices which may want to talk to the IOT devices can’t. Simple example: a Philips Hue bridge, if it’s on the guest VLAN, can’t be accessed by iOS devices on the main VLAN.

Another approach: put the IOT device on the secure network, but firewall it tight. Closing all ports except for the few that it needs. The problem with this approach is that it’s not always apparent what ports/protocols an IOT device needs.

Anyone solved this?


#2

Assume the main network is the untagged VLAN. Below is my suggestion:

  1. Group the IOT devices in a VLAN, for example VLAN 10.

  2. Internal Network Firewall (Network > Access Rules > Internal Network Firewall Rules)
    2.1 Add a new rule to allow the untagged VLAN to access VLAN 10.
    2.2 Change the default rule to deny any any.


#3

Thank you. Does that basically set up a one-way connection through the firewall? So VLAN 10 can’t see the untagged VLAN, but the untagged VLAN can see devices on VLAN 10?


#4

Many of the IOT devices no longer require inbound port access. Philips Hue bridges create and persist an outbound connection to a server on the internet. A client will make a call to that server and the server routes the request to the connection.

I would be careful of isolating all of your services to a single VLAN. Some of these devices use multicast/broadcast for discovery. Some of these protocols do not allow for discovery across VLANs. An iPhone connecting to a Samsung TV inside of the YouTube app is one example that does not work across VLANs. Philips Hue does work across VLANs and the internet. My thermostat gateway works similarly to the Philips Hue bridge. It all depends on the service and sometimes the client.

Good luck


#5

To follow up on this, here’s what I ended up doing:

Under Network/LAN: Created a VLAN for the guest devices. Inter-VLAN routing is ON (but see below for firewall rules). I’m using 1003 because that’s the VLAN ID that Airport Extreme base stations use for their Guest WIFI network. See Using Peplink Balance with Apple Airport Guest Network

Moved all potentially unsafe devices, including printers and IOT devices and the AppleTV (which serves as the HomeKit hub), onto the Guest WIFI (VLAN 1003).

Other IOT devices which connect via Ethernet (such as the Philips Hue bridge) were connected to one of the ports on the Balance One, set to Access / VLAN (this is found in Network/LAN/Port Settings).

Enabled Bonjour Forwarding (see Network/LAN): Service Network = Guest VLAN, Client Network = Untagged.

Added Firewall/Access Rules:
“AllowAppleTV” Protocol Any, single address (address of AppleTV), To Network (untagged network): Allow
“BlockGuestVLAN” Protocol Any, Network (Address of GuestVLAN), To Network (untagged network): Deny

Basically, this keeps the IOT devices on the Guest VLAN/WiFi network. They can see each other, but they cannot see into the trusted network. But the opposite direction is open: devices on the trusted network can talk to devices on the guest VLAN.

So far so good!
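To make the “one-way” behaviour asked about in #3 concrete, here is a small model of the two rule sets in this thread (the allow-then-default-deny list from #2, and the AllowAppleTV / BlockGuestVLAN list from #5) as a first-match stateful firewall. This is an added example written for this page; it is not Peplink code and not something anyone in the thread posted. The addresses (192.168.1.0/24 for the untagged LAN, 192.168.3.0/24 for the guest VLAN, 192.168.3.10 for the AppleTV) are constructed for the example, and the flow table is a simplification of what a stateful firewall actually tracks.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network   # source network, or a single host as a /32
    dst: IPv4Network   # destination network
    action: str        # "allow" or "deny"

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.src and dst in self.dst


class InternalFirewall:
    """First-match rule list plus a connection table: replies to a flow
    that was already allowed pass without needing a reverse-direction rule.
    This is what makes 'trusted -> guest allowed, guest -> trusted denied'
    still work for the answers coming back from the guest devices."""

    def __init__(self, rules, default):
        self.rules = list(rules)
        self.default = default       # verdict when no rule matches
        self.flows = set()           # (src, sport, dst, dport) of allowed flows

    def packet(self, src, sport, dst, dport):
        s, d = ip_address(src), ip_address(dst)
        # Reply to an established flow: permitted regardless of the rules.
        if (d, dport, s, sport) in self.flows:
            return "allow", "established"
        # New flow: first matching rule wins.
        for rule in self.rules:
            if rule.matches(s, d):
                if rule.action == "allow":
                    self.flows.add((s, sport, d, dport))
                return rule.action, rule.name
        if self.default == "allow":
            self.flows.add((s, sport, d, dport))
        return self.default, "default"


# Constructed addressing for the example (assumption, not from the thread).
UNTAGGED = ip_network("192.168.1.0/24")    # trusted, untagged LAN
GUEST = ip_network("192.168.3.0/24")       # guest / IOT VLAN (1003 in post #5)
APPLE_TV = ip_network("192.168.3.10/32")   # HomeKit hub living on the guest VLAN


def post5_firewall():
    """Rules as described in post #5; Peplink's default rule left at allow."""
    return InternalFirewall([
        Rule("AllowAppleTV", APPLE_TV, UNTAGGED, "allow"),
        Rule("BlockGuestVLAN", GUEST, UNTAGGED, "deny"),
    ], default="allow")


def post2_firewall():
    """Rules as described in post #2: one allow rule, default changed to deny."""
    return InternalFirewall([
        Rule("AllowMainToIoT", UNTAGGED, GUEST, "allow"),
    ], default="deny")


def run_scenarios(fw):
    """Four packets in order: a phone on the trusted LAN opens a connection to a
    camera on the guest VLAN, the camera replies, the camera then tries to open
    its own connection to a NAS on the trusted LAN, and the AppleTV tries to
    reach the phone (HomeKit hub talking back to a controller)."""
    return {
        "phone_to_camera":        fw.packet("192.168.1.20", 50000, "192.168.3.30", 80),
        "camera_reply_to_phone":  fw.packet("192.168.3.30", 80, "192.168.1.20", 50000),
        "camera_to_nas":          fw.packet("192.168.3.30", 40000, "192.168.1.5", 445),
        "appletv_to_phone":       fw.packet("192.168.3.10", 40001, "192.168.1.20", 52000),
    }


if __name__ == "__main__":
    for label, fw in (("post #5", post5_firewall()), ("post #2", post2_firewall())):
        print(label)
        for name, (verdict, reason) in run_scenarios(fw).items():
            print(f"  {name:24s} {verdict:5s} ({reason})")
```

Running it shows the difference between the two designs: with #2’s default-deny list the AppleTV cannot initiate anything toward the trusted LAN, which is exactly why #5 needed the explicit AllowAppleTV rule ahead of BlockGuestVLAN (order matters in a first-match list). In both cases the camera’s reply is passed as “established”, so the trusted side can still use the IOT devices it connects to.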