PART 2: Control
After gaining visibility into your devices, the next important step is to control what your devices can access by:
- Limiting the internet access of IoT devices to reduce the risk of their being tampered with
- Isolating IoT traffic from the rest of the network to reduce the overall risk exposure of the network
Here are some recommendations on how to use Firewalla to implement such a strategy.
Warning: make sure you understand what you are doing when blocking rules are created. If anything strange happens to your network after the block, please undo the block.
1. Block Unwanted Access with Block Rules
Domain/IP/IP-Range Block Via the Rules Button
You can block the following targets by using the "Rules" button. You can find out more about its capabilities here.
- IP Address
- Range of IP Address
- Domain name
- Remote port
- Local Network
- Internet (all internet sites)
Block Via Alarms
This can also be done from the alarm interface. For example, if you receive an alarm that one of your devices is accessing a malicious site, you can block the entire domain or IP from the alarm screen and apply the block to all of your devices.
Block Via Network Flows
While you are looking at a device's network flows, you can tap a flow entry to open its detail screen, and from there you can block the flow. (Please note that not every flow can be blocked while the device still keeps its functionality.)
Activity Category Block
For smart devices that function more like general-purpose computers, you should apply controls similar to those you use on your computers or smartphones. For example, if your kids use the smart TV, you can use category blocking to make sure they don't access sites they're not supposed to.
Region Block / Geo-IP Filtering
Firewalla allows you to create blocking rules to block connections from a geographic location. This feature is useful if you want to prevent your network from talking to IP addresses in specific countries. It can be an effective way to stop hackers from attacking your IoT devices. Learn more about Geo-IP filtering. Geo filtering is only available on the Firewalla Blue and Firewalla Gold.
2. Only Allow Trusted Access with Whitelist Rules
For devices that are very purpose-specific and only need access to specific services, you can configure rules so that only trusted connections are allowed. For example, on your Ring devices, you can block all internet access and allow only the ports required by Ring's services (specific IP addresses and ports). Learn more about allow/whitelist rules. (This feature is in beta; it will be available in an official release soon.)
3. Block Unrecognized/Unused Open Ports
In Part 1, we talked about open ports and how they can be a security risk. Make sure that you check the open ports on your network (Home -> Open Ports). If you don't recognize a port, or if a port you previously permitted should no longer be open, block it.
4. Enable Family Mode
On smart devices that your kids have access to, it's safer to enable Family mode (Home -> Family), which includes the Family Protect, Safe Search and Social Hour features. It will give you peace of mind that inappropriate content won't pop up on smart displays or speakers.
5. Isolate IoT Traffic with Network Segmentation
Firewalla Gold is a combination of a router and a firewall. It supports network segmentation through physical LAN and VLAN. You can use network segmentation to create multiple local networks in your home, and dedicate one for IoT devices. This way you can isolate IoT device traffic from the rest of the network, to reduce the risk exposure in case IoT devices get compromised.
Here is an example where you can:
- Create a VLAN to segment your IoT devices
- Create a rule on the VLAN to block all outgoing traffic to other parts of your network
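To make the segmentation and whitelist strategy from sections 2 and 5 concrete, here is an added illustration written in plain Linux nftables syntax. Firewalla's own rules are created from its app, so this is not Firewalla configuration; the interface names (eth0 WAN, eth1 main LAN, vlan20 IoT VLAN), the subnets and the service endpoints in the set are assumptions and placeholders.

```nftables
#!/usr/sbin/nft -f
# Added illustration, not Firewalla's configuration. Assumed layout:
#   eth0   = WAN (internet)
#   eth1   = main LAN, 192.168.1.0/24
#   vlan20 = IoT VLAN, 192.168.20.0/24
flush ruleset

table inet iot_control {
    # Constructed placeholder endpoints: replace with the addresses and
    # ports the device vendor publishes (e.g. what Ring documents).
    set trusted_services {
        type ipv4_addr . inet_proto . inet_service
        elements = { 203.0.113.10 . tcp . 443,
                     203.0.113.11 . udp . 123 }
    }

    chain forward {
        # Default deny for everything routed between networks.
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Section 5: the IoT VLAN may never initiate connections into the
        # main LAN. Log the attempt so a compromised device shows up.
        iifname "vlan20" ip daddr 192.168.1.0/24 log prefix "iot-to-lan " drop

        # The main LAN may still reach IoT devices (e.g. a phone controlling
        # the TV); replies come back via the established rule above.
        iifname "eth1" oifname "vlan20" accept

        # Section 2: IoT devices reach the internet only for the trusted
        # (address, protocol, port) triples; everything else is logged and dropped.
        iifname "vlan20" oifname "eth0" \
            ip daddr . meta l4proto . th dport @trusted_services accept
        iifname "vlan20" oifname "eth0" log prefix "iot-denied " drop

        # Main LAN keeps unrestricted outbound access.
        iifname "eth1" oifname "eth0" accept
    }
}
```

DNS and DHCP served by the router itself arrive on the input hook rather than forward, so they are not covered by this fragment; the "iot-denied" log lines are where you would look when an IoT device stops working after the rules are applied.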
6. Manage Smart Devices with Device Group
Device Group is a software-based segmentation. It is available on all products, including Firewalla Blue and Red. You can use Device Group to manage devices that share the same rules and policies. This greatly simplifies the daily management of devices and policies. (This feature is in beta; it will be available in an official release soon.)
Here is an example where you can:
- Create a device group for streaming devices
- Add all your smart TVs, speakers or set-top boxes to the group
- Manage the group with consistent rules and policies across the whole house
7. Visibility + Control
Here is an example of how to bring together network visibility and control to manage a popular app, TikTok.