
Separate networks for general office, SONOS and alarm

Discussion in 'Networks & Internet Connectivity' started by Mark M, 26 Oct 2021.

  1. Mark M

    Mobster

    Joined: 6 Jan 2006

    Posts: 3,292

    Location: Newcastle upon Tyne

    I read something recently that someone hacked into a casino IT system via a wifi fish tank accessory...could be complete nonsense but it got me thinking whether I should split our network for security with the wireless devices?

    Is it worth setting up separate networks/wifi for our office - one for general computers/printers/VoIP phones etc which are a mixture of hard wired and wifi. I'm looking at getting a couple of SONOS speakers and a wireless alarm so wondered if it's worth setting up a separate wifi network for them to connect to that can't access the main office network?

    I'm using Unifi switches/APs which I'm sure you can set up another guest network via the controller?

    Edit - also looking at installing CCTV but that will be hardwired, so will I need a VLAN for that?
     
  2. Orcvader

    Capodecina

    Joined: 11 Oct 2009

    Posts: 14,947

    Location: Greater London

    Depends how large the office is but generally yes. Also using Unifi APs but with a Draytek router and we have each network within their own VLAN, one for customer use with client isolation, one for staff use, and one for admin use. The non-admin networks also have router access blocked.
     
  3. the-evaluator

    Mobster

    Joined: 24 Sep 2015

    Posts: 3,029

    It's only worth doing if you're going to restrict access between the VLANs. If you're going to leave full access between them then don't bother.

    At home I have 2 VLANs. 1 for IoT devices (VLAN 3) and the other for everything else (VLAN 1). The IoT VLAN has no access to VLAN 1 except for access to port 53/udp on 2 hosts so that it can use my Pi-Hole machines for DNS resolution.

    Putting Sonos stuff on a different VLAN can be a right faff. Personally I'd leave them on the main LAN as trying to have your speakers on a different VLAN than whatever device you're controlling it with is a sod to get working.
     
  4. Mark M

    Mobster

    Joined: 6 Jan 2006

    Posts: 3,292

    Location: Newcastle upon Tyne

    I was going to connect the Sonos and the mobiles to the same WAN/VLAN so the mobiles can control the music so should be ok on the same network? The mobiles don't need to connect to the "main" office network for anything so should be fine?
     
  5. the-evaluator

    Mobster

    Joined: 24 Sep 2015

    Posts: 3,029

    No printers on the main network that the phones may need to print to?
     
  6. Mark M

    Mobster

    Joined: 6 Jan 2006

    Posts: 3,292

    Location: Newcastle upon Tyne

    Very very unlikely, we rarely print stuff at all to be honest as we do most things digitally now.
     
  7. WJA96

    Capodecina

    Joined: 13 Jul 2005

    Posts: 17,647

    Location: Norfolk, South Scotland

    VLANs are not a security mechanism. If someone has access to your network then adding a VLAN tag to the packets is very straightforward and unless you are spectacularly smart in how you organise your VLAN tags then it’s usually child’s play to guess the VLAN numbers. And if they have access to your network then they can probably trap your authentication somewhere as well.

    VLANs are great to stop folks seeing different parts of the network but don’t kid yourself that they’re a security mechanism.
     
  8. ChrisD.

    Caporegime

    Joined: 20 Sep 2006

    Posts: 27,435

    Agreed, if someone is on your network, knows what they are doing and really wants to get around, they will. This is why AAA, 802.1X and other security mechanisms exist.
     
  9. Mark M

    Mobster

    Joined: 6 Jan 2006

    Posts: 3,292

    Location: Newcastle upon Tyne

    Hmmm ok, so as you can tell I’m clearly not an expert but is there any point setting up different networks for the SONOS speakers and the alarm? What other steps can I take as a very small business to secure the network?
     
  10. WJA96

    Capodecina

    Joined: 13 Jul 2005

    Posts: 17,647

    Location: Norfolk, South Scotland

    Your most vulnerable access is your CCTV because it’s outside the building and you can jack straight into that. But if you buy a PoE recorder then the recorder acts as a second router for the cameras and runs them on a totally separate physical network. So that should be very secure.

    Anything that has ports, shut them down. Shut them all down and just open up the ones needed to do their job.

    Depending on your router, you can have physically separate networks and use your router to route traffic between them. That way at least any attack is limited to the physical subnet the attacker can gain access to. VLANs all exist on the same physical network and effectively pretend they can’t see each other. The 802.1X trusted devices protocol means that theoretically only devices you approve by authentication can join your network. Using two factor authentication to log in is also excellent but not insurmountable. Devices like YubiKeys are good for this.

    Honestly, honestly, honestly - what are you worried about? What threat are you concerned about? Given that hackers have gained access to extremely secure networks, it’s highly unlikely that, in the extremely unlikely event that GCHQ, the NSA, Anonymous, Fancy Bears or the Chaos Computer Club come visiting, you’ll be able to keep them out.
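The inter-VLAN policy the-evaluator describes in post 3 (IoT VLAN may only reach two DNS hosts on udp/53, nothing else on the main VLAN) and WJA96's "shut them all down and open only the ones needed" advice in post 10 both boil down to an ordered, default-deny rule set between subnets. The script below is an added example, not configuration from either poster: it models that policy, evaluates constructed flows against it, and renders the same rules as an nftables forward chain so the two views can be compared. The addresses (192.168.1.0/24 for VLAN 1, 192.168.3.0/24 for VLAN 3, the two resolver IPs) are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Sequence, Union

# Constructed addressing for the example (assumption, not the poster's real network).
LAN_NET = ip_network("192.168.1.0/24")   # VLAN 1: office / "everything else"
IOT_NET = ip_network("192.168.3.0/24")   # VLAN 3: IoT devices
DNS_HOSTS = (ip_address("192.168.1.10"), ip_address("192.168.1.11"))  # the two Pi-hole resolvers
ANY = ip_network("0.0.0.0/0")

Target = Union[IPv4Address, IPv4Network]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    established: bool = False    # reply traffic of a connection already accepted the other way


@dataclass(frozen=True)
class Rule:
    name: str
    src: Sequence[Target]
    dst: Sequence[Target]
    action: str                  # "accept" or "drop"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port


def _hits(addr: IPv4Address, targets: Sequence[Target]) -> bool:
    """True if addr equals one of the host targets or lies inside one of the network targets."""
    return any(addr == t if isinstance(t, IPv4Address) else addr in t for t in targets)


def matches(rule: Rule, flow: Flow) -> bool:
    if not _hits(ip_address(flow.src), rule.src) or not _hits(ip_address(flow.dst), rule.dst):
        return False
    if rule.proto is not None and rule.proto != flow.proto:
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    return True


# Ordered list, first match wins. Anything unmatched falls through to the default drop,
# which is the "close everything, open only what is needed" posture from the thread.
POLICY = [
    Rule("iot-dns-to-pihole", (IOT_NET,), DNS_HOSTS, "accept", proto="udp", dport=53),
    Rule("iot-to-lan-blocked", (IOT_NET,), (LAN_NET,), "drop"),
    Rule("lan-to-iot", (LAN_NET,), (IOT_NET,), "accept"),
    Rule("iot-to-internet", (IOT_NET,), (ANY,), "accept"),   # assumption: IoT may still reach the internet
    Rule("lan-to-internet", (LAN_NET,), (ANY,), "accept"),
]


def evaluate(flow: Flow, policy: Sequence[Rule] = POLICY) -> str:
    """Return '<action>:<rule name>', e.g. 'accept:iot-dns-to-pihole' or 'drop:default'."""
    if flow.established:                      # stateful shortcut, as 'ct state established accept' does
        return "accept:established"
    for rule in policy:
        if matches(rule, flow):
            return f"{rule.action}:{rule.name}"
    return "drop:default"


def _nft_match(keyword: str, targets: Sequence[Target]) -> str:
    """Render a saddr/daddr match; an unrestricted (0.0.0.0/0) target needs no match at all."""
    if tuple(targets) == (ANY,):
        return ""
    if len(targets) == 1:
        return f"{keyword} {targets[0]}"
    return f"{keyword} {{ {', '.join(str(t) for t in targets)} }}"


def render_nftables(policy: Sequence[Rule] = POLICY) -> str:
    """Emit the same policy as an nftables inet forward chain (constructed text, not tested on a router)."""
    lines = [
        "table inet vlan_fw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in policy:
        parts = [_nft_match("ip saddr", r.src), _nft_match("ip daddr", r.dst)]
        if r.proto and r.dport is not None:
            parts.append(f"{r.proto} dport {r.dport}")
        elif r.proto:
            parts.append(f"ip protocol {r.proto}")
        parts.append(f'{r.action} comment "{r.name}"')
        lines.append("    " + " ".join(p for p in parts if p))
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for f in (Flow("192.168.3.20", "192.168.1.10", "udp", 53),
              Flow("192.168.3.20", "192.168.1.50", "tcp", 445),
              Flow("192.168.1.50", "192.168.3.20", "tcp", 8080)):
        print(f.src, "->", f.dst, f.proto, f.dport, "=>", evaluate(f))
    print(render_nftables())
```

Rule order is the whole point: the udp/53 exception must sit above the IoT-to-LAN drop, and the drop must sit above the IoT-to-internet accept, or the broader rule swallows the narrower one. The evaluator makes that ordering testable before anything is loaded on the router; the rendered chain is a starting point to compare against whatever the UniFi or Draytek firewall UI actually generates, not a drop-in config.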
     
  11. Mark M

    Mobster

    Joined: 6 Jan 2006

    Posts: 3,292

    Location: Newcastle upon Tyne

    Thanks for all the advice, really appreciate it. I guess I’m being paranoid as I agree that if someone wanted to be in they could get in! It’s more just a case of trying to make the network as secure as I can for peace of mind, I have sleepless nights about all sorts of stuff I think about with the business!