So i'm working on getting a pretty comprehensive smart home setup, however i'm semi-worried about security;

I've watched a good number of videos on securing smart home devices and making sure the network is secure, but i'm gonna ask in here and see how secure people think "this setup" would be, and i have a few questions at the end, if you all wouldn't mind helping me?

 

My actual home network would have a "Dream machine pro", with an "Access Point HD" for wifi.
The Dream machine would have:

- Its IPS turned on.

- The threat management turned on level 5

- a VLAN for "Main" which would be my phone and computer, a VLAN for "IoT" for all the smart devices, and a normal "Guest" network. [However i'm unsure if i should include alexa devices with the "IoT" VLAN or if maybe i should have two IoT VLANs, one for what i would assume are pretty secure devices, like "echo shows" and other actual amazon/alexa devices and ring security devices, then maybe a "IoT 2" for the more insecure (i would assume) devices.]

- UPnP would be turned off.

- Remote access/management would be turned off.

- Port forwarding would be turned off.

- WPS would be turned off.

- "respond to pings from lan" and "respond to pings from wan" would be turned off. [I've heard this is good to turn off for increased security]

 

My questions are:

1 - With the network set up like this, would some smart devices lose functionality or not work properly? 

2 - is this fairly secure? any settings i could change to make it more secure? 

3 - Any settings that i have up there "turned off" that don't need to be?

4 - what would you rate this for smart home networking security? is it decent? good enough? pretty good? etc

https://linustechtips.com/topic/1358210-smart-home-network-security-help/

3 minutes ago, Neko_UwU said:

"Access Point HD" for wifi.

Get the wifi 6 model if you can. Just overall newer and better

 

 

3 minutes ago, Neko_UwU said:

So i'm working on getting a pretty comprehensive smart home setup, however i'm semi-worried about security;

What is your threat model, what are you worried about?

 

3 minutes ago, Neko_UwU said:

"respond to pings from lan" and "respond to pings from wan" would be turned off. [I've heard this is good to turn off for increased security]

This doesn't help increase security, leave pings on

 

4 minutes ago, Neko_UwU said:

1 - With the network set up like this, would some smart devices lose functionality or not work properly? 

 

Depends on the device. Many want to be easily found by devices like phones, some only reach out to their cloud servers

 

4 minutes ago, Neko_UwU said:

3 - Any settings that i have up there "turned off" that don't need to be?

IPS is likely overkill, since you're not hosting, but kinda why not here.

 

 


1. Yes, many IoT devices will break when not on the same network as the host devices. You can get around this by using mDNS. You will also want to limit the IoT network from accessing the main network, otherwise the separate VLANs are less useful.

 

2. Unifi is not well known for having the best routing. You could consider pfSense.

 

3. No comment

 

4. I would not assume that the Amazon stuff is any more secure than other IoT devices. If it is not a computer, I would put it on a single IoT network, no reason to have multiple IoT networks.

 

Also UniFi has its own line of security cameras and doorbells. I would consider looking at those over the ring stuff. Those will be more secure and most importantly do not back up to the cloud, so no remote access by law enforcement. Also they have no subscription for their cameras.
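
The isolation and mDNS points above, as an added example that is not part of any post in this thread: a small Python model of a stateful inter-VLAN policy, showing that Main can still reach IoT devices while IoT cannot open connections into Main, and that mDNS discovery does not cross VLANs unless the router reflects it. The subnets, class name and rule order are assumptions for illustration, not UniFi or pfSense configuration.

```python
import ipaddress

# Constructed addressing plan (assumption, not from the thread).
VLANS = {
    "main": ipaddress.ip_network("192.168.10.0/24"),
    "iot": ipaddress.ip_network("192.168.20.0/24"),
}
MDNS_GROUP = ipaddress.ip_address("224.0.0.251")  # mDNS multicast group, UDP 5353

def vlan_of(ip):
    """Return the VLAN name owning an address, or None (internet/multicast)."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in VLANS.items() if addr in net), None)

class InterVlanFirewall:
    """Hypothetical first-match, stateful policy for router-forwarded traffic."""

    def __init__(self, isolate_iot=True, mdns_reflector=False):
        self.isolate_iot = isolate_iot
        self.mdns_reflector = mdns_reflector
        self.flows = set()  # coarse state table: (src, dst, proto) already allowed

    def forward(self, src, dst, dport, proto="tcp"):
        s, d = vlan_of(src), vlan_of(dst)
        # Link-local multicast is never routed; only a reflector repeats it.
        if ipaddress.ip_address(dst) == MDNS_GROUP:
            ok = proto == "udp" and dport == 5353 and self.mdns_reflector
            return "reflect" if ok else "not-forwarded"
        # Rule 1: replies to an already-allowed flow pass (established/related).
        if (dst, src, proto) in self.flows:
            return "accept"
        # Rule 2: IoT may not open new connections into Main.
        if self.isolate_iot and s == "iot" and d == "main":
            return "drop"
        # Rule 3: everything else (Main -> IoT, any VLAN -> internet) is allowed.
        self.flows.add((src, dst, proto))
        return "accept"
```

With `isolate_iot=False` the same IoT-to-Main connection is accepted, which is the case where the separate VLANs add little.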


20 minutes ago, Electronics Wizardy said:

Get the wifi 6 model if you can. Just overall newer and better

 

So i see the 6 is cheaper, but it's 200Mbps on the 2.4 band, which i guess shouldn't matter much in my case, would you happen to know what makes the 6 better than the HD? i read that the 6 can pick up devices with weaker output signals? [ https://www.reddit.com/r/Ubiquiti/comments/kl41g0/u6lr_vs_achd/ ] which is probably good in my case with the smart devices i would be using. 

 

23 minutes ago, Electronics Wizardy said:

What is your threat model, what are you worried about?

 

i guess i would say i'm worried most about being "hacked" like how you see people on the news say people took control of X device and started messing with the home owners, i also don't want people to look through my cameras/etc

 

26 minutes ago, Electronics Wizardy said:

This doesn't help increase security, leave pings on

 

Okay, Thanks 🙂



 


18 minutes ago, BecauseRussia said:

You can get around this by using mDNS.

I'll have to check out mDNS 😮 

18 minutes ago, BecauseRussia said:

You will also want to limit the IoT network from accessing the main network, otherwise the separate VLANs are less useful.

 

Thanks, i added that to my list 🙂 
 

19 minutes ago, BecauseRussia said:

I would put it on a single IoT network, no reason to have multiple IoT networks.

I also added this to my list :3 
 

19 minutes ago, BecauseRussia said:

UniFi has its own line of security cameras and door bells. I would consider looking at those over the ring stuff. Those will be more secure and most important not backup to the cloud, so no remote access by law enforcement. Also they have no subscription for their cameras.

I was wanting a general home security system, that can call the police/etc, also ring's cameras are cheaper than the unifi cameras, though unifi's look a LOT better; Also i'm pretty sure it's illegal for the police to give out that info/footage without your permission - https://www.consumerreports.org/legal-rights/police-ask-for-video-doorbell-recordings-what-to-do-faq/#:~:text=Ring gives the police access,safety procedures and applicable law.
 


16 minutes ago, Neko_UwU said:

So i see the 6 is cheaper, but it's 200Mbps on the 2.4 band, which i guess shouldn't matter much in my case, would you happen to know what makes the 6 better than the HD? i read that the 6 can pick up devices with weaker output signals? [ https://www.reddit.com/r/Ubiquiti/comments/kl41g0/u6lr_vs_achd/ ] which is probably good in my case with the smart devices i would be using. 

I'd get the 6 LR, it's the overall better one.

 

And you want to keep everything you can on 5GHz if possible.

 

Also wifi 6 just has a lot of little improvements with supported devices.

 

18 minutes ago, Neko_UwU said:

i guess i would say i'm worried most about being "hacked" like how you see people on the news say people took control of X device and started messing with the home owners, i also don't want people to look through my cameras/etc

Yea this really won't help much at all here. These devices aren't accessible publicly. And if someone gets in via an exploit or from how the manufacturer accesses the device the network monitoring won't affect this. 

 

And the risk is pretty low here anyways. Most people just have one big network at home and no major issues.

 

16 minutes ago, Neko_UwU said:

i'm pretty sure it's illegal for the police to give out that info/footage without your permission

Those companies can often give the footage to who they want to without your permission. That's the big appeal of hosting data yourself.
