
I am currently segmenting my home network into several networks and zones due to the fact that my cheap router keeps all devices (private, smart home, entertainment) in one network (without a guest network feature and client isolation).

The network contains one NAS that has the typical multi-purpose role in private networks: all relevant machines back up to the NAS, it is used as a file and streaming server (exchanging files between machines, music stored on it, etc.), and it hosts a very small website accessible only in the local network, with some data displayed in a smart home application running on a standard smartphone (not purely for smart home use).

Naturally I would regard the NAS as something that should reside in a high security zone because it contains important data. PCs and laptops are in the same zone. Now the tricky part: my smart TV, my network music player, consoles and my tablets do sometimes need to access the NAS for their content, which they cannot by default because they would be in a lower "media zone" (e.g. I do not trust my smart TV in any way).

Are there only three solutions to that?

  1. Move NAS to lower security zone (into the media zone)
  2. Allow communication from media zone to high security zone (bad practice?)
  3. Get another NAS and put it into the media zone with the appropriate content for this zone and perform sync and backup tasks from/to this NAS from the NAS in the high security zone?

While the last solution would be the most secure, it might not be the most viable thing to do. Are there other approaches I am missing here? Does 1. have a benefit compared to 2. or vice versa?

There is of course also the smart-home / IoT zone, which should basically not be able to access anything, with its devices isolated, as there is no trust in or control over them (could be the guest network :D)

Samuel

1 Answer


When communicating between different zones consider the sum of:

  1. It is best when a high-security device initiates the connection to the lower-security device. So a high-security device doesn't listen to connections passively, but actively controls when and with whom it communicates.
  2. Pass the needed protocols (ports) and block the rest, both ways.
  3. Pass the needed IP addresses and block the rest, both ways.
  4. Pass during specific hours, block the remaining time.
  5. Use a proxy if it can aid the authentication/authorization/auditing. (NAS usually implements these sufficiently, so probably not needed.)

In your situation, when you cannot afford to implement points 1+2+3+4+5, it's still better to, say, implement points 2+3+4 than nothing. It's low cost (as you've already decided you will segment the network) and it does provide some added security.

kubanczyk
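As an added example (not part of the answer above), here is a router-side nftables ruleset that implements points 2, 3 and 4 for the media zone -> NAS path, and point 1 in spirit by letting only the high-security zone initiate connections anywhere else. Interface names, addresses, client list, ports and hours are assumptions for this example.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the original answer. Assumed layout: one router
# with a VLAN interface per zone; the NAS lives in the high-security zone.

flush ruleset

define HIGH_IF  = "lan10"                       # high-security zone (NAS, PCs, laptops)
define MEDIA_IF = "lan20"                       # media zone (TV, music player, consoles)
define IOT_IF   = "lan30"                       # smart-home / IoT zone
define NAS      = 192.168.10.10                 # the NAS (assumed address)
define MEDIA_CLIENTS = { 192.168.20.21, 192.168.20.22 }   # smart TV, music player (assumed)
define NAS_TCP  = { 445, 80 }                   # SMB shares, the small local website (assumed)
define NAS_UDP  = { 1900 }                      # SSDP/DLNA discovery (assumed streaming setup)

table inet zones {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that a rule below has allowed.
        ct state established,related accept
        ct state invalid drop

        # Point 1: the high-security zone may initiate to any other zone;
        # nothing reaches it unless explicitly allowed further down.
        iifname $HIGH_IF accept

        # Points 2+3+4: only listed media clients, only to the NAS,
        # only the listed protocols/ports, only between 08:00 and 23:00.
        iifname $MEDIA_IF oifname $HIGH_IF ip saddr $MEDIA_CLIENTS ip daddr $NAS tcp dport $NAS_TCP meta hour "08:00"-"23:00" accept
        iifname $MEDIA_IF oifname $HIGH_IF ip saddr $MEDIA_CLIENTS ip daddr $NAS udp dport $NAS_UDP meta hour "08:00"-"23:00" accept

        # Point 5 is not needed here: the NAS handles its own authentication.

        # IoT zone: no access to the other zones at all; log attempts so
        # a misbehaving device shows up in the router log.
        iifname $IOT_IF oifname { $HIGH_IF, $MEDIA_IF } log prefix "iot-to-lan: " drop

        # Everything else (media -> high on other ports, media -> IoT, ...)
        # is dropped by the chain policy.
    }
}
```

Load it with `nft -f <file>`; the `meta hour` match needs a kernel and nftables release recent enough to support time-based matching, so check `nft --version` and test the rules before relying on the hours restriction.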