Anyone attempting to set up a "secure" home network with "smart" devices is going to have to make some compromises either about security or about ease of use.
I would say the first thing to do is to segment your network into at least 2 segments, possibly 3 or more.
One for data access from reasonably protected End User Compute (EUC) devices (including desktops, laptops, tablets and mobiles). This network should not allow any inbound connectivity (standard firewall configuration). You might also consider segmenting your Wi-Fi network, though this can be a pain to use since devices on wired and wireless connections may not be able to talk to each other without additional configuration. Certainly consider a guest Wi-Fi SSID.
This segment will also be used for media devices - these need access to the Internet but will be less secure as they get updates less often (maybe never) and vendors have nasty habits with your privacy. You may be able to segment these devices too if you don't need much access from EUC devices and that is certainly preferable.
The second main segment would be for IoT devices - typically, you should never allow these direct access to the Internet. Of course, if you have purchased devices that only work via an Internet-facing service, you are rather stuffed there; those devices would have to go on your main segment, but you should at least consider setting up firewall rules that only allow specific devices to talk to specific service endpoints. All other IoT devices may be allowed to talk to each other but not the Internet - well, not directly anyway. Consider a home hub of some sort where you can control traffic securely - that's a separate question really. If you need to access IoT devices from EUC devices, configure specific routing to allow that.
In my own setup, IoT devices have access to a Raspberry Pi running Node-RED, which is the hub. That Pi does have outbound access to the Internet but there is no inbound access. For offsite alerting, I use a Telegram "bot" which provides end-to-end security without the need for firewall rules. The Node-RED-derived bot reaches out to the Telegram servers, which allows secure, 2-way communications.
I never buy IoT devices that require external services to work. Not only does this potentially compromise security, it also means useless devices if/when the vendor loses interest or goes out of business. I may make an exception at some point for a "smart speaker" such as Alexa or Google Home. But that would not be controlling anything important in the house.
Wi-Fi cameras are another source of security issues. Again, I'd advise against connecting them directly to the Internet. Treat them as IoT devices and use a secure hub to act as a proxy if you really need external access to the video. It may also be possible to again use a Telegram bot to send video securely.
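
The segmentation described above, sketched as an nftables ruleset for a Linux box routing between the segments. This is an added example, not part of the original answer; the interface names, subnets, the hub and device addresses and the vendor endpoint are all assumptions (1880 is the Node-RED default port).

```nftables
#!/usr/sbin/nft -f
# Constructed example: every interface name and address below is an assumption.
flush ruleset

define WAN      = "eth0"          # uplink to the ISP
define EUC      = "eth1"          # desktops, laptops, tablets, phones
define MEDIA    = "eth2"          # TVs and streaming boxes, kept apart from EUC
define IOT      = "eth3"          # sensors, plugs, cameras and the hub
define HUB      = 192.168.30.2    # Raspberry Pi hub on the IoT segment
define CLOUDDEV = 192.168.10.50   # vendor-service-only device on the main segment
define VENDOR   = 203.0.113.10    # placeholder for that vendor's endpoint

table inet homefw {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif "lo" accept
        # Internal segments may use the router for DHCP and DNS only
        iifname { $EUC, $MEDIA, $IOT } udp dport { 53, 67 } accept
        iifname { $EUC, $MEDIA, $IOT } tcp dport 53 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state invalid drop
        ct state established,related accept   # replies to permitted flows

        # Vendor-dependent device: one endpoint, nothing else
        iifname $EUC ip saddr $CLOUDDEV oifname $WAN ip daddr $VENDOR tcp dport 443 accept
        iifname $EUC ip saddr $CLOUDDEV drop

        # EUC and media devices: outbound to the Internet only
        iifname { $EUC, $MEDIA } oifname $WAN accept

        # EUC may reach the hub's Node-RED UI; no other EUC -> IoT traffic
        iifname $EUC oifname $IOT ip daddr $HUB tcp dport 1880 accept

        # Only the hub leaves the IoT segment; other IoT devices hit the drop policy
        iifname $IOT ip saddr $HUB oifname $WAN accept

        # No rule accepts new connections arriving on $WAN, so nothing is
        # reachable inbound. IoT-to-IoT traffic stays on the segment's own
        # switch or AP and never traverses this chain.
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat;
        oifname $WAN masquerade
    }
}
```

Check the file with `nft -c -f <file>` before loading it; the drop policy on `forward` means any flow not listed has to be added explicitly.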