Colonel Panic wrote: I've also heard that it is good to separate out all IoT stuff on to a separate network; should that be a separate SSID, or a separate LAN (i.e. LAN2)? But would doing so not make interacting with it locally (set up & subsequent interrogation of devices) more difficult? cf. laptop on "main" network, widget on "IoT" network.
I'd agree with Steve that it's probably overkill for most people.
I've done it nonetheless (!), 4 VLANs, each with their own wireless SSID:
1) General (normal laptops, phones, printers, NAS, etc)
2) Kids (with content filtering)
3) and 4) are self-contained (i.e. no access to each other or the other VLANs)
My initial rationale was to set up the kids' network, i.e. to create a network for the kids' laptops, tablets, etc. that had content filtering by design. It took a little bit of fiddling (with a tool called proxy-arp) to get things like DLNA and Miracast to work across the two VLANs, but after the initial set-up they all seem to work fine. We've also ended up with a couple of the smart TVs on the kids' network as a lazy way of blocking YouTube.
The IoT network was set up out of paranoia. Various things from CCTV, heating, weather station, automation, etc. In theory some of these could be a point of entry to the network to run malicious code, and some (e.g. house alarm) have remote access by design from the alarm monitoring company... so I isolated them from the main network. As Steve says, this often means that to initially set them up I need to temporarily connect to the IoT network to run the initial discovery and configuration routine.
I don't think I would recommend that others bother.
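The post above describes four VLANs where IoT and Guest are isolated and the Kids VLAN needs a narrow path back to General for DLNA. The script below is an added illustration, not code from this thread or from any poster: it models that inter-VLAN policy as a small stateful rule table, answers "may this flow pass?" for a given packet, and emits the equivalent nftables forward chain. VLAN IDs, subnets, the DLNA port numbers (UDP 1900 for SSDP, TCP 8200 for a media server) and the rule set are assumptions chosen to mirror the set-up described, with one refinement the thread hints at but does not spell out: General may open connections into IoT, and IoT may only answer, so devices can be configured from a laptop on the main SSID without the laptop moving on to the IoT network.

```python
"""Model of a four-VLAN home segmentation policy (added example, not from the thread).

All VLAN numbers, subnets, ports and rules below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vlan:
    name: str
    vid: int
    subnet: str


# Assumed VLAN layout, mirroring the four networks described in the post.
GENERAL = Vlan("general", 10, "192.168.10.0/24")
KIDS = Vlan("kids", 20, "192.168.20.0/24")
IOT = Vlan("iot", 30, "192.168.30.0/24")
GUEST = Vlan("guest", 40, "192.168.40.0/24")
VLANS = [GENERAL, KIDS, IOT, GUEST]
BY_NAME = {v.name: v for v in VLANS}

# Which VLAN may *initiate* connections to which.  Return traffic for an
# established connection is always accepted, so an IoT device can reply to a
# laptop on General without ever being able to reach General on its own.
# Kids -> General is limited to the media ports DLNA needs (assumed values);
# IoT and Guest appear in no entry as a source, so they are fully isolated.
ALLOW_NEW = {
    (GENERAL.name, KIDS.name): "any",
    (GENERAL.name, IOT.name): "any",
    (KIDS.name, GENERAL.name): {"udp": {1900}, "tcp": {8200}},
}


def is_allowed(src: str, dst: str, proto: str, dport: int,
               established: bool = False) -> bool:
    """Decide whether a routed flow between two VLANs passes the policy."""
    if src == dst:
        return True          # same VLAN: switched at layer 2, never routed
    if established:
        return True          # stateful return traffic (ct state established)
    rule = ALLOW_NEW.get((src, dst))
    if rule is None:
        return False         # default deny for anything not listed
    if rule == "any":
        return True
    return dport in rule.get(proto, set())


def initiators_of(dst: str) -> set:
    """VLANs that are permitted to open new connections into `dst`."""
    return {src for (src, d) in ALLOW_NEW if d == dst}


def nftables_rules() -> str:
    """Render the same policy as an nftables forward chain (default drop)."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for (src, dst), rule in ALLOW_NEW.items():
        s, d = BY_NAME[src], BY_NAME[dst]
        match = f"ip saddr {s.subnet} ip daddr {d.subnet}"
        if rule == "any":
            lines.append(f"    {match} ct state new accept")
        else:
            for proto, ports in rule.items():
                plist = ", ".join(str(p) for p in sorted(ports))
                lines.append(f"    {match} {proto} dport {{ {plist} }} ct state new accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(nftables_rules())
    print("iot -> general new:", is_allowed("iot", "general", "tcp", 80))
    print("iot -> general reply:", is_allowed("iot", "general", "tcp", 51000, established=True))
```

Two caveats the model makes visible. First, the firewall only governs routed unicast traffic; DLNA and Miracast discovery rely on link-local multicast (SSDP, mDNS), which does not cross a routed VLAN boundary at all, which is why the post needed a proxy-arp style helper rather than just a port rule. Second, "isolated" here means the VLAN cannot initiate anything, not that it cannot respond: the `ct state established,related accept` line is what lets a laptop on General talk to an IoT device without that device gaining a path back.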
Everything uses SSL these days and your Apple things don't have any open ports anyway unless you've deliberately done something weird, so I'd just get on with it. I'm really not sure what harm a rogue IoT device could really do anyway if everything is properly secured to start with.
I'd generally agree. Ironically if anything is vulnerable it's probably the other IoT devices on the same VLAN anyway. There are a few 'holes' on the generic network - e.g. DLNA by design makes photos available insecurely, so was one reason for putting guests on a separate VLAN.