Will a VPN isolate my IoT devices from the outside world?


G+_William Burlingame

Will a VPN isolate my IoT devices from the outside world? I have a spare Raspberry Pi 3 and noticed that some are using Raspberry Pis for VPNs. Do they slow down the speed to such a degree that it's an impractical platform to use? It doesn't have Gigabit Ethernet nor USB 3.0 and only has one GB of RAM. In addition, the built-in WiFi is slow. Should I consider another single board computer or something more powerful?


A VPN is not going to isolate your IOTICH (internet of things I can hack) devices, they still show up on the public internet at some point.

 

Steve Gibson on Security Now talked about this a little while back, and the easy solution is to use 3 routers: 1 connected to the modem like normal, and then 2 others with their WAN ports connected to the first one's LAN ports, one of which only has IOTICH things connected to it, and the other for your normal devices.

 

The same thing can be done with managed or smart switches and the use of VLANs, but most of us don't have those just sitting around. Would be a good KnowHow episode. Ubiquiti makes a nice 5 port router/switch you can pick up for $50 called the ER-X that is able to do all that fancy networking stuff. Most of it is buried in a command line instead of a GUI though.


A VPN is an encrypted connection between two trusted networks traversing an untrusted network. If you could set up a VPN connection between each of your IoT devices and their respective Internet servers, that could improve security; but you would need to configure things both on your end and the server side (which you can't access).

 

Most of the IoT vulnerabilities I've heard of wouldn't be fixed by a VPN anyway. The flaws seem to fall into two categories.

 

The first is that most IoT devices have a need to renegotiate connections to the wireless network. In many cases during renegotiation they will fall back to a default key or another insecure means of re-establishing the connection. It's at this point that a hacker can spoof one side of the connection and infiltrate the network.

 

The second problem is on the service side. With some IoT Internet services, you just need the serial number of the device to connect. Others have similar insufficient means of establishing identity before connecting.

 

IoT has some growing up to do. In the meantime, you probably want to set up a separate network/Wi-Fi in your house for your IoT devices, so if your IoT network is compromised hackers aren't on the same network as your computers.

 

Second, I would monitor the traffic on the IoT network and configure the firewall to limit the connectivity of your devices. Then, if they are hacked, they won't be able to make connections outside the norm.

 

You could probably use a Raspberry Pi as a router/firewall for an IoT subnet.
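As an added example (not code from the thread or from anyone in it), here is what the "monitor the traffic and limit connectivity" step above might look like on a Pi acting as the IoT router: a small Python check that reads iptables LOG lines from the IoT subnet and flags any flow that either crosses into the home LAN or goes somewhere outside that device's allowlist. The interface names, addresses, log prefix and per-device policy are all assumptions, and the log lines are constructed.

```python
"""Added example: flag IoT-subnet flows that fall outside each device's allowlist.
Assumes a Pi router with the IoT subnet on eth1 and a FORWARD rule logging with prefix IOT_FWD (hypothetical)."""
import ipaddress
import re

# Constructed sample lines in iptables LOG format, as they would land in the Pi's kernel log.
SAMPLE_LOG = """\
Jan 10 09:12:01 pi kernel: IOT_FWD IN=eth1 OUT=eth0 SRC=192.168.50.20 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=443
Jan 10 09:12:05 pi kernel: IOT_FWD IN=eth1 OUT=eth0 SRC=192.168.50.20 DST=192.168.1.15 PROTO=TCP SPT=51240 DPT=445
Jan 10 09:12:09 pi kernel: IOT_FWD IN=eth1 OUT=eth0 SRC=192.168.50.31 DST=198.51.100.7 PROTO=UDP SPT=40000 DPT=123
Jan 10 09:12:12 pi kernel: IOT_FWD IN=eth1 OUT=eth0 SRC=192.168.50.31 DST=192.0.2.200 PROTO=TCP SPT=40100 DPT=23
"""

# Per-device allowlist (hypothetical vendor addresses): (destination network, protocol, port).
POLICY = {
    "192.168.50.20": [("203.0.113.0/24", "TCP", 443)],  # e.g. a camera talking to its cloud relay
    "192.168.50.31": [("0.0.0.0/0", "UDP", 123)],       # e.g. a smart plug that only needs NTP
}
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")  # the segment your "normal devices" live on

LINE_RE = re.compile(r"IOT_FWD .*?SRC=(\S+) DST=(\S+) PROTO=(\S+) .*?DPT=(\d+)")

def is_allowed(src, dst, proto, dport):
    """True when the flow matches one of the source device's allowlist entries."""
    for net, p, port in POLICY.get(src, []):
        if proto == p and dport == port and ipaddress.ip_address(dst) in ipaddress.ip_network(net):
            return True
    return False

def find_anomalies(log_text):
    """Return (src, dst, proto, dport, reason) for every logged flow outside the norm."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not one of our IoT forward-log lines
        src, dst, proto, dport = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if ipaddress.ip_address(dst) in HOME_LAN:
            alerts.append((src, dst, proto, dport, "IoT device reaching the home LAN"))
        elif not is_allowed(src, dst, proto, dport):
            alerts.append((src, dst, proto, dport, "destination not in device allowlist"))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOG):
        print("ALERT", *alert)
```

The same allowlist is what you would turn into the FORWARD rules themselves, so the log only ever shows the attempts that were dropped.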


I'd consider those IoT as well. With the Roku, definitely place it on the other net, maybe with some QoS to make sure you don't get stuck buffering. If I understand the Chromecast, though, it needs to be on the same network as the device casting to it. You can get around this with custom firewall rules and static routes (I do this with my Kodi Pis), but it can be a pain to set that up.

 

Same with the cameras. The best way to secure them is to make sure only certain devices have access to them. Again, that can get crazy too.


William Burlingame, depending on the camera it may not be.

 

Download Fing on your phone and scan your network so it can find your devices, then scan the ports on the devices. If there is a port other than 80 open, look into what it's for.

 

The other way is simpler, and scary that it works. Log in to your camera, copy some links into Notepad, log out, then see if the links still work.
