Home Network Setup for IoT

I hope you didn’t open the post because you thought I have the answers… I would like to extend an invitation to anyone here who knows how to properly, and securely, set up a home network for an IoT/Home Assistant system?

At the moment, I just run everything on the same network, which is okay, but I want to integrate my alarm system in the future and then it might start to not be okay anymore…

Truth be told, and I’m speaking from a point of ignorance, I’m still running a pretty flat network. No VLANs or anything. My Tasmota based devices have access to the internet, but they don’t make use of it. It’s purely for my convenience (like doing firmware updates and NTP). Things (like cameras) are on a 2nd network that never sees the internet. These go to a BI NVR with two network cards.

So, while more security is always better, I must ask (again, in ignorance) why you would want to go over the top? As long as you can manage what goes to the cloud on device level, I don’t see the point of going full nerd on the network?

Maybe help me right here, in case I’m missing something. I’m trying to understand how your typical ‘thief’ would gain entry to your property by ‘hacking’ your network somehow.

So something as simple as giving someone access to your wifi network (or them gaining access), would effectively grant them access to every device on your network. That can’t be good, especially if you have your alarm system coupled to it?

Guess it goes a little like this: Did you like playing toktokkie as a kid? I really do not want my neighbour’s kids to, for example, decide it is a fun idea to turn off my pool pump every time I turn it on…

I do run a guest network myself, but this isn’t foolproof.

Troy Hunt recently did a series of articles on home automation IoT stuff (links at the end).
The 3rd article was on security.

My eventual takeaway was that, you probably “should” set up separate VLANs, but they are a pain and, if you trust stuff like Tasmota, you’re probably ok not doing it.
But, he also makes the point that all software (even Tasmota) has bugs, so understand that there is always a chance there’s a 0-day vulnerability or something that a bad actor could exploit to open your driveway gate, for example. You need to make peace or deal with that appropriately.

Troy Hunt Articles:
Article 1 - Intro, rant, etc
Article 2 - Zigbee, more ranting
Article 3 - Security
Article 4 - Making it work for Humans
Article 5 - Some videos

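To make the difference between the flat network and the VLAN setup discussed above concrete, here is a small added example (not code from the thread, Tasmota or Troy Hunt’s articles) that models both as ordered firewall policies and checks a handful of flows against each. The addressing plan, the MQTT broker address, the NTP/HTTPS allowances and the flow names are all constructed assumptions for illustration.

```python
"""Model of a flat home network versus a segmented one (added example).

Every address, rule and flow below is a constructed assumption chosen to
mirror the thread: a trusted LAN, an IoT VLAN for Tasmota devices that only
needs NTP and firmware updates, and a camera VLAN that never sees the internet.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port; None means any port
    action: str           # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


# Constructed addressing plan (assumption, not from the thread).
LAN = "192.168.10.0/24"      # phones, laptops, Home Assistant, alarm panel
IOT = "192.168.20.0/24"      # Tasmota plugs, pool pump
CAMERAS = "192.168.30.0/24"  # cameras and the NVR
ANY = "0.0.0.0/0"
HA_MQTT = "192.168.10.5/32"  # hypothetical MQTT broker on the LAN

# Segmented policy: first matching rule wins; anything unmatched is denied.
SEGMENTED = [
    Rule(LAN, ANY, "any", None, "allow"),        # trusted LAN may reach anything
    Rule(IOT, HA_MQTT, "tcp", 1883, "allow"),    # devices may publish to MQTT...
    Rule(IOT, LAN, "any", None, "deny"),         # ...and nothing else on the LAN
    Rule(IOT, CAMERAS, "any", None, "deny"),     # IoT never touches the cameras
    Rule(IOT, ANY, "udp", 123, "allow"),         # NTP, as mentioned in the thread
    Rule(IOT, ANY, "tcp", 443, "allow"),         # firmware updates over HTTPS
    Rule(CAMERAS, ANY, "any", None, "deny"),     # cameras never reach the internet
]

# The flat network described in the thread: everything may talk to everything.
FLAT = [Rule(ANY, ANY, "any", None, "allow")]


def evaluate(policy, src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Return the action of the first matching rule, or "deny" if none match."""
    for rule in policy:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action
    return "deny"


# Constructed flows (assumption): what a device on each segment tries to do.
FLOWS = {
    "plug publishes to MQTT":      ("192.168.20.7", "192.168.10.5", "tcp", 1883),
    "plug reaches the alarm panel": ("192.168.20.7", "192.168.10.20", "tcp", 80),
    "plug syncs NTP":              ("192.168.20.7", "203.0.113.9", "udp", 123),
    "plug opens outbound SSH":     ("192.168.20.7", "203.0.113.9", "tcp", 22),
    "camera phones home":          ("192.168.30.4", "203.0.113.9", "tcp", 443),
    "HA polls a plug":             ("192.168.10.5", "192.168.20.7", "tcp", 80),
}


def compare(flat=FLAT, segmented=SEGMENTED, flows=FLOWS) -> dict:
    """Map each flow name to (decision on the flat net, decision when segmented)."""
    return {name: (evaluate(flat, *flow), evaluate(segmented, *flow))
            for name, flow in flows.items()}


if __name__ == "__main__":
    for name, (flat_verdict, seg_verdict) in compare().items():
        print(f"{name:30s} flat={flat_verdict:5s} segmented={seg_verdict}")
```

The point the thread circles around falls out of the table: on the flat network every flow is allowed, so a single compromised plug (or a neighbour’s kid on the Wi-Fi) can reach the alarm panel and the cameras; with the segmented policy the plug keeps exactly the NTP, HTTPS and MQTT paths it needs and nothing more. Rule order matters because the `0.0.0.0/0` entries also cover the private ranges, which is why the LAN and camera denies sit above them.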

I also set up a guest network, which is on a separate subnet. No, it isn’t foolproof, but then I’m stricter with allowing guest access on my network than I am allowing someone on my property, which I’m also strict about. It’s a risk vs complexity decision and my subjective/ignorant opinion is that it’s a solution looking for a very low risk problem.

Pretty much my feeling on the matter. I did make sure that Tasmota is set up in such a way that it wouldn’t create its own AP when it can’t find the programmed wifi network after a reboot. That’s a pretty big vulnerability right there.