- Mar 17, 2023
- 202
I have next dns and Commscope Ruckus ICX-7150 along with r-550 APw
I have an itch to secure my home some more. So how would you better secure a house full of IoT devices?
- Thread starter cartaphilus
- Start date
- Aug 16, 2021
- 230
Step 1 vlans - isolate /segrement your network
Put untrusted devices on their own network.
(I have 5 vlans at home)
Trusted
Guests
Iot
Work
Cctv
But even just 2 would be a good start for you, get those iot devices off your main /trusted network
Put untrusted devices on their own network.
(I have 5 vlans at home)
Trusted
Guests
Iot
Work
Cctv
But even just 2 would be a good start for you, get those iot devices off your main /trusted network
- Jan 8, 2011
- 22,361
A WiFi router that receives firmware updates, with VPN and DNS configurable settings, and router firewall.
Disable WPS and other unsecured forms of connectivity.
Enable Guest networks for foreign devices (ie. friends and other family).
I would recommend WiFi 6/6E compatible router at a minimum, however this heavily dependent on the household and how often electronic devices are upgraded. For example, if you are satisfied with WiFi 5 and using older technology, or don’t own any devices that are currently WiFi 6 or later compatible, then don’t upgrade unless you are certain you are no longer receiving router firmware updates. WiFi 7 routers are available, but are relatively expensive right now.
A cybersecurity-powered router isn’t always the ideal umbrella solution, as they often require on-going subscriptions to get the best protection.
Disable WPS and other unsecured forms of connectivity.
Enable Guest networks for foreign devices (ie. friends and other family).
I would recommend WiFi 6/6E compatible router at a minimum, however this heavily dependent on the household and how often electronic devices are upgraded. For example, if you are satisfied with WiFi 5 and using older technology, or don’t own any devices that are currently WiFi 6 or later compatible, then don’t upgrade unless you are certain you are no longer receiving router firmware updates. WiFi 7 routers are available, but are relatively expensive right now.
A cybersecurity-powered router isn’t always the ideal umbrella solution, as they often require on-going subscriptions to get the best protection.
- Aug 22, 2013
- 830
Get a Mikrotik hAp Ax3 with DOH support. you can configure Next dns doh on it and use it as a firewall to all the connected devices in home or you can install pi-hole or ad-guard home in a docker container in the router itself. Mikrotik releases the firmware upgrades almost on a monthly basis and the updates are guaranteed for at-least 5 years minimum.
- Mar 17, 2023
- 202
- Mar 17, 2023
- 202
Wow it runs docker? Hahaha I wonder if I could run sophos xg utm on it or untangle
- Aug 22, 2013
- 830
you don't need untangle, Routeros V7 can do all the things and even more what untangle does except "https" filtering. you can get the allmost the same security with nextdns doh in roteros. Sophos does not even support wireguard, so its a no no if you use a vpn on a router.
Last edited:
- Mar 17, 2023
- 202
Damn I currently have brocade icx-7150 and R510 APs however I don't think they support DOH.
- Aug 22, 2013
- 830
It even supports a usb 3.0 port for added storage for your docker containers. Add a 128GB USB drive and you are good to go.
@Brahman I really like the video of Microtik router, the host is really fun to watch 
The specs are impressive (also for rather low price available in Netherlands)
The specs are impressive (also for rather low price available in Netherlands)
- Oct 3, 2022
- 400
Throw in a cheap box and run pfSense at the entrance to that IoT lan. pfSense is a linux firewall does firewall rules, supports DMZ, and it has intrusion prevention (IPS). That should filter out some attacks to your IoT devices.
Make the IoT WiFi password long, like a passphrase. The length part will filter out some WiFi bruteforce attacks.
But there are exploits for some China made devices, and router + modem residential attacks are on the rise. Security teams aren't raising alarms because they serve to protect corporations but there was a security news article mentioning that. For example, there's an exploit for my Bell modem+router, and there is a permanent attacker box sitting in my lan, nmap sees it, and I can't get rid of it no matter how many times I change the password. Lord only knows what he's doing. So I turn on my VPN even at home.
I hope you are not only focusing on network security, because there is only so much network security can do, like throwing in an NGAV, enable network segmentation. Endpoints are the real end game. After all, attackers aim to get control of your machine. And your server, if you have one. Strong endpoint security is a must.
If you trust Microsoft, their MS Defender for Biz is an EDR (endpoint detection & response) It has a nice cloud console, and you can see your security score, current attack trends (with remediation) and current incidences. And they show a pretty diagram of attacks in progress. And it is cheaper than most AV suites. If you load MS Security Baseline for Windows 22H2, it will give you a device score of 100% secure, which is why I don't trust it that much - the score gives a false sense of security. It only works on Windows Pro.
In the end, true security seems to require man power for monitoring. Which is why I choose an EDR - I have a browser tab open to the console at all times.
Make the IoT WiFi password long, like a passphrase. The length part will filter out some WiFi bruteforce attacks.
But there are exploits for some China made devices, and router + modem residential attacks are on the rise. Security teams aren't raising alarms because they serve to protect corporations but there was a security news article mentioning that. For example, there's an exploit for my Bell modem+router, and there is a permanent attacker box sitting in my lan, nmap sees it, and I can't get rid of it no matter how many times I change the password. Lord only knows what he's doing. So I turn on my VPN even at home.
I hope you are not only focusing on network security, because there is only so much network security can do, like throwing in an NGAV, enable network segmentation. Endpoints are the real end game. After all, attackers aim to get control of your machine. And your server, if you have one. Strong endpoint security is a must.
If you trust Microsoft, their MS Defender for Biz is an EDR (endpoint detection & response) It has a nice cloud console, and you can see your security score, current attack trends (with remediation) and current incidences. And they show a pretty diagram of attacks in progress. And it is cheaper than most AV suites. If you load MS Security Baseline for Windows 22H2, it will give you a device score of 100% secure, which is why I don't trust it that much - the score gives a false sense of security. It only works on Windows Pro.
In the end, true security seems to require man power for monitoring. Which is why I choose an EDR - I have a browser tab open to the console at all times.
Last edited:
Can set up using a dedicated router for IoT devices, one for gaming and one for general use
Ok.........go and get a 10Gbps plan
Ok.........go and get a 10Gbps plan
