Securing smart home devices using VLAN and firewall rules on Ubiquiti

December 24, 2019, by Kailee Schamberger

So chances are you’ve installed a smart plug or switch, perhaps a security camera or some other IoT device, on your home network. By default these devices sit behind your firewall on the same network as everything else, and historically there have been security problems with this kind of IoT device. To mitigate the risk they pose, I’ll be showing you how to isolate them from the rest of your network using micro-segmentation with VLANs. This stops a compromised security camera, for example, from reaching the rest of your home network or causing other kinds of trouble on your Wi-Fi. My setup here uses Ubiquiti UniFi equipment (a UniFi Security Gateway, switch and access points), which gives you more control over these advanced settings than a typical home router.

First, in the UniFi controller, head to the Networks section and create a new network. Call it “IoT devices” and set its purpose to Corporate, which gives it its own subnet. Use the LAN interface and assign a VLAN ID; I’ll use 3 here, but any ID from 1 to 4094 works (4095 is reserved by 802.1Q). For the gateway/subnet, enter 10.10.10.1/24. That makes the network 10.10.10.0/24, reserves 10.10.10.1 as the gateway address on the USG, and leaves 10.10.10.2 through 10.10.10.254 for your smart devices. Save it.

Now that the IoT VLAN exists, go to Wireless Networks and create a new wireless network that uses it. Call it “IoT Wi-Fi”, enable it, secure it with WPA Personal and give it a passphrase, then under Advanced Options tick “Use VLAN” and enter the ID you assigned, 3. Save it. From now on, new Wi-Fi smart devices can be joined to the IoT Wi-Fi network, and wired devices can be placed on the same VLAN through the port configuration in UniFi.

To do that for a wired device, open the Devices section, select one of your switches, and under the port configuration click a port, select the edit pencil, and change the switch port profile from “All” to “IoT devices”. Anything plugged into that port then lands in the same 10.10.10.0/24 subnet.

By default your existing network and the new VLAN can still talk to each other, because the gateway routes between them, so we need firewall rules. Go to Routing & Firewall, open the Firewall tab, and under Groups click “Create new group”. Call it “IoT” and give it the same subnet we assigned to the VLAN, 10.10.10.0/24, then save it. Do the same for your private devices: a group called “Private” containing the address range of your existing internal network. Then head back to the Firewall tab and click “Create new rule” (inter-VLAN traffic is routed through the gateway, so the rule belongs on the LAN In ruleset). Give it a descriptive name like “Block from IoT to private network”, make sure it is enabled, and set it to run Before Predefined Rules so it takes effect ahead of the gateway’s built-in rules. Set the action to Drop, optionally enable logging, and match the state New. Finally set the source to the IoT group and the destination to the Private group. The segmented smart devices can no longer establish new connections to the computers on your private network, but they can still reach the internet, and your private computers can still open connections to them: the replies belong to an established connection and are not matched by the rule.

I trust my IP security cameras least of all, so I only want them talking to the NVR on the local network and never going out to any external device. I’ve therefore created another rule specifically for the IP cameras to stop them from talking out at all. The rule is called “Stop cameras talking out”: Before Predefined Rules, action Drop, logging enabled, source the cameras’ IP address group, destination anything. These cameras have no need to talk to anything other than my network video recorder. One caveat if you copy this: a rule that drops all packets matches established traffic too, so if the NVR sits in a different VLAN from the cameras, the cameras’ replies to the NVR’s own sessions will be dropped as well. Either restrict the rule to the New state or place an Allow rule for camera-to-NVR traffic ahead of it. If the NVR shares the cameras’ VLAN, that traffic is switched inside the VLAN and never reaches the gateway’s rules.

That’s it. At this point the smart devices are segmented off the rest of the home network on their own VLAN. New Wi-Fi smart devices join the IoT Wi-Fi network, hard-wired devices are assigned to the VLAN through port configuration, and your trusted local computers can talk to the devices while the devices cannot reach the rest of your network. I hope you found this video useful for improving the security of your smart devices. If you did, I’d appreciate a like, and consider subscribing to my channel for more videos. Thanks for watching.
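The following is an added Python model of the address plan and the two LAN In rules above, not code from the page or from Ubiquiti. It validates the VLAN ID and subnet, then runs a few constructed flows through an ordered rule list with a minimal connection table, to show why matching only the New state lets private computers reach IoT devices while blocking the reverse, and why a camera rule that drops every state also drops the cameras’ replies to an NVR in another VLAN. The private LAN (192.168.1.0/24), the camera addresses and the NVR address are assumptions; the connection tracking is deliberately simplified and is not UniFi’s implementation.

```python
import ipaddress

# Address plan. The IoT VLAN ID and 10.10.10.0/24 come from the page; the private
# LAN, the camera addresses and the NVR address are assumptions made for this example.
IOT_VLAN_ID = 3
IOT = [ipaddress.ip_network("10.10.10.0/24")]
PRIVATE = [ipaddress.ip_network("192.168.1.0/24")]                  # assumed private LAN
CAMERAS = [ipaddress.ip_network("10.10.10.50/32"),
           ipaddress.ip_network("10.10.10.51/32")]                   # assumed camera IPs
NVR = "192.168.1.20"                                                  # assumed NVR on private LAN
LOCAL_SUBNETS = IOT + PRIVATE
ANY = None                                                            # the "any" address group


def vlan_plan(vlan_id, cidr):
    """Validate the VLAN ID and return (gateway address, usable host count)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("802.1Q VLAN IDs run from 1 to 4094; 0 and 4095 are reserved")
    net = ipaddress.ip_network(cidr, strict=False)   # "10.10.10.1/24" -> 10.10.10.0/24
    hosts = list(net.hosts())                        # .1 through .254
    return str(hosts[0]), len(hosts)                 # gateway takes .1, devices get .2-.254


def in_group(ip, group):
    """True if ip falls inside any subnet of the group; a group of None means 'any'."""
    return group is None or any(ipaddress.ip_address(ip) in net for net in group)


class LanInPolicy:
    """Ordered LAN In rules with a minimal connection table.

    First matching rule wins; with no match the packet is accepted. Flows are keyed
    by (client, server, service port) and looked up in both directions, so a reply
    is recognised as part of an established flow.
    """

    def __init__(self, rules):
        self.rules = rules
        self.conntrack = set()

    def state_of(self, src, dst, port):
        if (src, dst, port) in self.conntrack or (dst, src, port) in self.conntrack:
            return "established"
        return "new"

    def packet(self, src, dst, port):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Hosts in the same VLAN are switched, not routed: the gateway never sees them.
        if any(s in net and d in net for net in LOCAL_SUBNETS):
            return "accept"
        state = self.state_of(src, dst, port)
        verdict = "accept"
        for rule in self.rules:
            if in_group(src, rule["src"]) and in_group(dst, rule["dst"]) and state in rule["states"]:
                verdict = rule["action"]
                break
        if verdict == "accept" and state == "new":
            self.conntrack.add((src, dst, port))
        return verdict


# The two rules from the page. The camera rule drops "all packets", i.e. every state.
PAGE_RULES = [
    {"name": "block from iot to private network", "action": "drop",
     "src": IOT, "dst": PRIVATE, "states": {"new"}},
    {"name": "stop cameras talking out", "action": "drop",
     "src": CAMERAS, "dst": ANY, "states": {"new", "established"}},
]

# Same policy with the camera rule limited to new connections, so replies to the
# NVR's own sessions survive when the NVR lives in another VLAN.
CORRECTED_RULES = [
    PAGE_RULES[0],
    {**PAGE_RULES[1], "states": {"new"}},
]


def evaluate(rules):
    """Run a constructed set of flows (in order) through a policy; return the verdicts."""
    fw = LanInPolicy(rules)
    return {
        "iot->private new":   fw.packet("10.10.10.20", "192.168.1.10", 445),
        "private->iot new":   fw.packet("192.168.1.10", "10.10.10.20", 80),
        "iot->private reply": fw.packet("10.10.10.20", "192.168.1.10", 80),
        "iot->internet":      fw.packet("10.10.10.20", "203.0.113.10", 443),
        "camera->internet":   fw.packet("10.10.10.50", "203.0.113.10", 443),
        "nvr->camera new":    fw.packet(NVR, "10.10.10.50", 554),
        "camera->nvr reply":  fw.packet("10.10.10.50", NVR, 554),
    }


if __name__ == "__main__":
    print("VLAN", IOT_VLAN_ID, "gateway/hosts:", vlan_plan(IOT_VLAN_ID, "10.10.10.1/24"))
    for label, rules in (("page rules", PAGE_RULES), ("corrected rules", CORRECTED_RULES)):
        print(label)
        for flow, verdict in evaluate(rules).items():
            print(f"  {flow:20s} {verdict}")
```

Running it shows the first rule behaving as intended (IoT cannot open connections to the private LAN, the private LAN can open them to IoT and the replies come back), and the difference the camera rule’s state match makes: with every state matched, the camera’s reply to the NVR is dropped; limited to New, it is accepted while the camera still cannot reach the internet.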