Separate networks for general office, SONOS and alarm

Soldato
Joined
6 Jan 2006
Posts
3,372
Location
Newcastle upon Tyne
I read something recently that someone hacked into a casino IT system via a wifi fish tank accessory...could be complete nonsense but it got me thinking whether I should split our network for security with the wireless devices?

Is it worth setting up separate networks/wifi for our office - one for general computers/printers/VoIP phones etc which are a mixture of hard wired and wifi. I'm looking at getting a couple of SONOS speakers and a wireless alarm so wondered if it's worth setting up a separate wifi network for them to connect to that can't access the main office network?

I'm using Unifi switches/APs which I'm sure you can set up another guest network via the controller?

Edit - also looking at installing CCTV but that will be hardwired, so will I need a VLAN for that?
 
Soldato
Joined
11 Oct 2009
Posts
16,584
Location
Greater London
Depends how large the office is but generally yes. Also using Unifi APs but with a Draytek router and we have each network within their own VLAN, one for customer use with client isolation, one for staff use, and one for admin use. The non-admin networks also have router access blocked.
 
Soldato
Joined
24 Sep 2015
Posts
3,668
It's only worth doing if you're going to restrict access between the VLANs. If you're going to leave full access between them then don't bother.

At home I have 2 VLANs, 1 for IoT devices (VLAN 3) and the other for everything else (VLAN 1). The IoT VLAN has no access to VLAN 1 except for access to port 53/udp on 2 hosts so that it can use my Pi-Hole machines for DNS resolution.

Putting Sonos stuff on a different VLAN can be a right faff. Personally I'd leave them on the main LAN as trying to have your speakers on a different VLAN than whatever device you're controlling it with is a sod to get working.
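The IoT/main split described in the post above, written up as an added example (not the poster's own configuration): a small policy model that decides which inter-VLAN flows are forwarded and renders the same rules as an nftables forward chain. The subnets (192.168.1.0/24 for VLAN 1, 192.168.3.0/24 for VLAN 3) and the two Pi-hole addresses are assumptions.

```python
"""Model of the 'IoT VLAN may only reach DNS on the Pi-holes' policy."""
import ipaddress
from dataclasses import dataclass

# Constructed addressing (assumption): VLAN 1 = main LAN, VLAN 3 = IoT.
VLANS = {1: ipaddress.ip_network("192.168.1.0/24"),
         3: ipaddress.ip_network("192.168.3.0/24")}
# Assumed Pi-hole resolvers on the main VLAN.
PIHOLES = {ipaddress.ip_address("192.168.1.2"),
           ipaddress.ip_address("192.168.1.3")}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def vlan_of(addr):
    """Return the VLAN id whose subnet contains addr, or None if unknown."""
    ip = ipaddress.ip_address(addr)
    return next((vid for vid, net in VLANS.items() if ip in net), None)


def is_allowed(flow):
    """Decide whether a new (initiating) flow is forwarded between VLANs.

    Main -> IoT is allowed; IoT -> main is dropped except udp/53 to the
    Pi-holes. Replies are assumed to be handled by connection tracking,
    so only the initiating packet of a flow is judged here.
    """
    src_vlan, dst_vlan = vlan_of(flow.src), vlan_of(flow.dst)
    if src_vlan is None or dst_vlan is None:
        return False            # unknown address space: default deny
    if src_vlan == dst_vlan:
        return True             # same VLAN is switched, not routed
    if (src_vlan, dst_vlan) == (1, 3):
        return True             # phones/laptops may reach IoT devices
    if (src_vlan, dst_vlan) == (3, 1):
        return (flow.proto == "udp" and flow.dport == 53
                and ipaddress.ip_address(flow.dst) in PIHOLES)
    return False


def nftables_rules():
    """Render the same policy as nftables forward-chain rules."""
    lines = ["ct state established,related accept",
             f"ip saddr {VLANS[1]} ip daddr {VLANS[3]} accept"]
    for ph in sorted(PIHOLES):
        lines.append(f"ip saddr {VLANS[3]} ip daddr {ph} udp dport 53 accept")
    lines.append(f"ip saddr {VLANS[3]} ip daddr {VLANS[1]} drop")
    return "\n".join(lines)
```

Note that the DNS exception is pinned to specific hosts and udp/53 only; a speaker that tries TCP to the same host, or DNS to any other main-VLAN address, is still dropped.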
 
Soldato
OP
Joined
6 Jan 2006
Posts
3,372
Location
Newcastle upon Tyne
It's only worth doing if you're going to restrict access between the VLANs. If you're going to leave full access between them then don't bother.

At home I have 2 VLANs, 1 for IoT devices (VLAN 3) and the other for everything else (VLAN 1). The IoT VLAN has no access to VLAN 1 except for access to port 53/udp on 2 hosts so that it can use my Pi-Hole machines for DNS resolution.

Putting Sonos stuff on a different VLAN can be a right faff. Personally I'd leave them on the main LAN as trying to have your speakers on a different VLAN than whatever device you're controlling it with is a sod to get working.

I was going to connect the Sonos and the mobiles to the same WAN/VLAN so the mobiles can control the music, so should be ok on the same network? The mobiles don't need to connect to the "main" office network for anything so should be fine?
 
Soldato
Joined
13 Jul 2005
Posts
19,273
Location
Norfolk, South Scotland
VLANs are not a security mechanism. If someone has access to your network then adding a VLAN tag to the packets is very straightforward and unless you are spectacularly smart in how you organise your VLAN tags then it’s usually child’s play to guess the VLAN numbers. And if they have access to your network then they can probably trap your authentication somewhere as well.

VLANs are great to stop folks seeing different parts of the network but don’t kid yourself that they’re a security mechanism.
 
Man of Honour
Joined
20 Sep 2006
Posts
33,991
Agreed, if someone is on your network, knows what they are doing and really wants to get around, they will. This is why AAA, 802.1X and other security mechanisms exist.
 
Soldato
OP
Joined
6 Jan 2006
Posts
3,372
Location
Newcastle upon Tyne
VLANs are not a security mechanism. If someone has access to your network then adding a VLAN tag to the packets is very straightforward and unless you are spectacularly smart in how you organise your VLAN tags then it’s usually child’s play to guess the VLAN numbers. And if they have access to your network then they can probably trap your authentication somewhere as well.

VLANs are great to stop folks seeing different parts of the network but don’t kid yourself that they’re a security mechanism.

Hmmm ok, so as you can tell I’m clearly not an expert but is there any point setting up different networks for the SONOS speakers and the alarm? What other steps can I take as a very small business to secure the network?
 
Soldato
Joined
13 Jul 2005
Posts
19,273
Location
Norfolk, South Scotland
Your most vulnerable access is your CCTV because it’s outside the building and you can jack straight into that. But if you buy a PoE recorder then the recorder acts as a second router for the cameras and runs them on a totally separate physical network. So that should be very secure.

Anything that has ports, shut them down. Shut them all down and just open up the ones needed to do their job.

Depending on your router, you can have physically separate networks and use your router to route traffic between them. That way at least any attack is limited to the physical subnet the attacker can gain access to. VLANs all exist on the same physical network and effectively pretend they can’t see each other. The 802.1X trusted devices protocol means that theoretically only devices you approve by authentication can join your network. Using two factor authentication to log in is also excellent but not insurmountable. Devices like YubiKeys are good for this.

Honestly, honestly, honestly - what are you worried about? What threat are you concerned about? Given that hackers have gained access to extremely secure networks, it’s highly unlikely that, in the extremely unlikely event that GCHQ, the NSA, Anonymous, Fancy Bears or the Chaos Computer Club come visiting, you’ll be able to keep them out.
 
Soldato
OP
Joined
6 Jan 2006
Posts
3,372
Location
Newcastle upon Tyne
Honestly, honestly, honestly - what are you worried about? What threat are you concerned about? Given that hackers have gained access to extremely secure networks, it’s highly unlikely that, in the extremely unlikely event that GCHQ, the NSA, Anonymous, Fancy Bears or the Chaos Computer Club come visiting, you’ll be able to keep them out.

Thanks for all the advice, really appreciate it. I guess I’m being paranoid as I agree that if someone wanted to be in they could get in! It’s more just a case of trying to make the network as secure as I can for peace of mind, I have sleepless nights about all sorts of stuff I think about with the business!
 