Products Firewalla Blue Firewalla Red Firewalla Gold

Articles in this section

How to Secure IoT Devices in Your Smart Home with Firewalla (Part 2): Control

Avatar
Firewalla Team
  • Updated
Follow

 PART 1: Visibility

PART 2: Control

After gaining visibility to your devices, the next important thing to do is to control the access of your devices by:

  1. Limiting internet access of IoT devices to minimize risks for getting tampered 
  2. Isolating IoT traffic from the rest of the network to reduce the overall risk exposure of the network

Here are some recommendations on how to use Firewalla to implement such a strategy. 

Warning: make sure you understand what you are doing when blocking rules are created.  If anything strange happens to your network after the block, please undo the block.

 

1. Block Unwanted Access with Block Rules 

Domain/IP/IP-Range Block Via the Rules Button

You can block following targets by using the "Rules" button. You can find out more about its capabilities here.

  • IP Address
  • Range of IP Address
  • Domain name
  • Remote port
  • Region beta.jpg
  • Local Network mceclip1.png
  • Internet (all internet sites) 

 

Block Via Alarms

This can also be done from the alarm interface. For example, if you receive an alarm that one of your devices is accessing a malicious site, you can block the entire domain or IP from the alarm screen and apply to all of your devices. 

 

   IMG_1412.PNG  IMG_EA5B900EAF63-1.jpeg

 

Block Via Network Flows

While you are looking at the device's network flows, you can tap on the flow entries to get into the detail screen, and in the details screen, you can block flows. (Please note that not all flows can be blocked and your device may still maintain its functionality.)

 

Activity Category Block

For smart devices that function closer to a general-purpose computer, you should implement similar controls to your computers or smartphones. For example, if your kids are using the smart TV, you can use category blocking to make sure they don't access sites they're not supposed to. 

IMG_1409.PNG  IMG_1408.PNG

   

Region Block / Geo-IP Filtering

Firewalla allows you to create blocking rules to block connections from a geographic location. This feature is useful if you want to prevent your network from talking to IP addresses in specific countries. It can be an effective way to stop hackers from attacking your IoT devices. Learn more about Geo-IP filtering.  Geo filtering is only available on the Firewalla Blue and Firewalla Gold

Country_Block.jpg

 

2. Only Allow Trusted Access with Whitelist Rules earlyaccess.png

For devices that are very purpose-specific, and only need access to specific services, you can configure rules to only allow trusted connections to come through. For example, on your Ring devices, you can block all internet access, but only allow access to ports required by Ring's services (IP addresses and ports). Learn more about allow/whitelist rules. (This feature is in early access, it will be available to general access soon)

ring-resize.gif

 

3. Block Unrecognized/Unused Open Ports

In Part 1, we talked about open ports and how they can be a security risk. Make sure that you check open ports on your network (Home -> Open Ports). If you don't recognize any port, or if any port was permitted by you but should not be open anymore, you should block them.

IMG_6448.PNG

 

4. Enable Family Mode

On smart devices that your kids have access to, it's safer to enable the Family mode (Home -> Family) that includes Family Protect, Safe Search and Social Hour features. It will give you peace of mind that inappropriate content won't pop up on smart displays or speakers. 

IMG_D9F4B9603D52-1.jpeg

 

 

  

5. Isolate IoT Traffic with Network Segmentation mceclip1.png

Firewalla Gold is a combination of a router and a firewall. It supports network segmentation through physical LAN and VLAN. You can use network segmentation to create multiple local networks in your home, and dedicate one for IoT devices. This way you can isolate IoT device traffic from the rest of the network, to reduce the risk exposure in case IoT devices get compromised. 

Here is an example where you can:

  • Create a VLAN to segment your IoT devices
  • Create a rule on the VLAN to block all outgoing traffic to other parts of your network

mceclip1.png

 

6. Manage Smart Devices with Device Group earlyaccess.png

Device Group is a software-based segmentation. It is available on all products including Firewalla Blue and Red. You can use Device Group to manage devices that share the same rules and policies. This will greatly simplify the daily management of devices and policies.  (This feature is in early access, it will be available to general access soon)

Here is an example where you can:

  • Create a device group for streaming devices
  • Add all your smart TVs, speakers or set-top boxes to the group
  • Manage the group with consistent rules and policies across the whole house

Learn more about device groups.

mceclip2.png

 

7. Visibility + Control

Here is an example of how to bring together network visibility and control to manage a popular app TikTok. 

https://help.firewalla.com/hc/en-us/articles/360050863873-How-to-block-an-application-using-Firewalla-Network-Flows-

 

→ PART 3: Protect

 

 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.