In this example, we’ll demonstrate implementing Zero Trust with Firewalla and the AP7, showcasing its three key principles: microsegmentation, least privilege access, and continuous monitoring.
For a quick walkthrough of this example, check out our video on implementing Zero Trust with the Firewalla AP7.
Let’s assume you’ve recently bought a smart thermostat for your home.
The first step is microsegmentation.
STEP 1: Microsegmentation
Microsegmentation isolates your smart thermostat from other devices to reduce security vulnerabilities from spreading across your network.
- STEP 1-1: Enable VqLAN
- STEP 1-2: Send Devices to VqLAN Microsegment
- STEP 1-3: (Advanced) Use VLAN Segmentation
STEP 1-1: Enable VqLAN
VqLAN ensures that all local traffic within the group remains isolated, preventing communication with other devices.
To enable VqLAN:
- If you already have a group for Smart Devices, go to the group and turn on VqLAN.
- If you don’t have a group yet, create one:
  - From your box’s main screen, tap Devices > Create Group.
  - Set the group name to “Smart Devices” and Save.
  - Go to the new group, scroll down, and turn on VqLAN.
Please note that VqLAN is only available to boxes with the Firewalla AP7 installed.
STEP 1-2: Send Devices to VqLAN Microsegment
If the smart thermostat is installed and connected to Wi-Fi, add it to the group:
- Go to the “Smart Devices” group.
- Tap Devices > Manage Devices.
- Select the thermostat device to add it to the group.
If you have the Firewalla AP7, set up an SSID to automatically assign devices to the group:
- From your box’s main screen, tap Wi-Fi.
- Select an existing SSID for IoT, or create a new one (tap Create Wi-Fi > Set the SSID, password, and network > Create).
- On the SSID detail page, tap Edit > User/Group > Choose a group or user > Save.
Learn more about SSID to group mapping here for some examples.
STEP 1-3: (Advanced) Use VLAN Segmentation
You can also use traditional VLANs to segment the network. Using VqLAN with VLAN can add another layer of protection. Learn more about VLAN Segmentation here for some examples.
STEP 2: Least Privilege Access
With least privilege access, the smart thermostat should be granted only the minimum access necessary for functionality.
- STEP 2-1: Enable Device Isolation
- STEP 2-2: Secure DNS & Time Synchronization
- STEP 2-3: (Advanced) Restrict Internet Access to Specific Domains
STEP 2-1: Enable Device Isolation
Device Isolation ensures the thermostat can only communicate with the internet and no other devices on your LAN.
To enable Device Isolation:
- From your box’s main screen, go to Devices.
- Tap the smart thermostat device.
- Scroll down and enable Device Isolation.
Notes:
- This feature is only available to devices connected to the Firewalla AP7.
- Depending on your device and access requirements, Device Isolation may not be needed. Learn more about when to use VqLAN, Device Isolation, or both in the FAQs here.
STEP 2-2: Secure DNS & Time Synchronization
To prevent third parties from observing the thermostat’s DNS lookups and to ensure its clock stays in sync, enable DoH (DNS over HTTPS) and NTP Intercept.
To enable DoH and NTP Intercept:
- Tap Services from your box’s main screen.
- Turn on DoH > Tap Apply To > Select the Smart Devices group.
- Turn on NTP Intercept > Tap Apply To > Select the network.
STEP 2-3: (Advanced) Restrict Internet Access to Specific Domains
For advanced users, you can block all internet access except for a few trusted domains that your thermostat needs.
STEP 2-3a: Identify Required Domains
- From your box’s main screen, go to Devices.
- Tap the smart thermostat > Network Flows.
- Note the top upload/download domains/IPs, and verify they’re trustworthy.
STEP 2-3b: Create Firewalla Rules
- From your box’s main screen, tap Rules > Add Rule.
- Create a rule to block all Internet traffic for the Smart Devices group.
- Create allow rules for each trusted domain/IP.
NOTE: If your device is in a group, all rules apply to each device in the group. You may need additional Allow rules for each device’s trusted domains.
Learn more about Managing Firewalla Rules here.
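The following Python script is an added example and is not Firewalla code. It models Steps 2-3a and 2-3b offline: it aggregates a constructed set of flow records to find the thermostat’s top destinations, builds a default-deny rule set (one block-all rule for the group plus an allow rule per trusted domain), and simulates which of the observed destinations would still be reachable. The flow fields, the first-match ordering (allow rules checked before the catch-all block) and the subdomain matching are this example’s assumptions, not a statement of how the Firewalla app evaluates rules internally.

```python
"""Added example (not Firewalla code): derive an allow-list from observed flows
and check a default-deny rule set against them before turning it on."""
from collections import Counter
from dataclasses import dataclass

# Constructed sample of flow records for the thermostat, loosely modelled on the
# fields shown on the Network Flows page (destination, port, bytes transferred).
SAMPLE_FLOWS = [
    {"device": "thermostat", "dest": "api.thermo-vendor.example", "port": 443, "bytes": 52000},
    {"device": "thermostat", "dest": "api.thermo-vendor.example", "port": 443, "bytes": 48000},
    {"device": "thermostat", "dest": "time.cloudflare.com", "port": 123, "bytes": 96},
    {"device": "thermostat", "dest": "ads.tracker.example", "port": 443, "bytes": 12000},
    {"device": "thermostat", "dest": "fw.thermo-vendor.example", "port": 443, "bytes": 900000},
]


def top_destinations(flows, device, n=3):
    """Step 2-3a: total bytes per destination for one device, largest first."""
    totals = Counter()
    for f in flows:
        if f["device"] == device:
            totals[f["dest"]] += f["bytes"]
    return totals.most_common(n)


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "block"
    target: str   # a domain, or "*" for all Internet traffic
    group: str    # the device group the rule applies to


class RuleSet:
    """Ordered rules; the first rule that matches a flow decides (assumption)."""

    def __init__(self, rules):
        self.rules = list(rules)

    @staticmethod
    def default_deny(group, trusted_domains):
        """Step 2-3b: allow each trusted domain, then block everything else for the group."""
        rules = [Rule("allow", d, group) for d in trusted_domains]
        rules.append(Rule("block", "*", group))
        return RuleSet(rules)

    @staticmethod
    def _matches(rule, dest):
        # "*" matches any destination; a domain matches itself and its subdomains.
        return rule.target == "*" or dest == rule.target or dest.endswith("." + rule.target)

    def decision(self, dest, group):
        for r in self.rules:
            if r.group == group and self._matches(r, dest):
                return r.action
        return "allow"   # no rule for this group: traffic is not restricted (assumption)


def simulate(flows, device, ruleset, group):
    """Map each destination the device was seen talking to onto the rule decision."""
    return {
        f["dest"]: ruleset.decision(f["dest"], group)
        for f in flows
        if f["device"] == device
    }


if __name__ == "__main__":
    print("Top destinations:", top_destinations(SAMPLE_FLOWS, "thermostat"))
    rules = RuleSet.default_deny("Smart Devices", ["thermo-vendor.example", "time.cloudflare.com"])
    for dest, verdict in simulate(SAMPLE_FLOWS, "thermostat", rules, "Smart Devices").items():
        print(f"{verdict:5s} {dest}")
```

Running the simulation before enabling the rules shows which previously observed destinations the block-all rule would cut off (here the tracker domain), so a vendor endpoint you forgot to allow is caught in review rather than as a thermostat that silently stops updating.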
STEP 3: Continuous Monitoring
Even with the security measures of microsegmentation and least privilege access, it is essential to continuously monitor your devices.
STEP 3-1: Check Alarms and Network Flows
If Firewalla raises an alarm about your thermostat, make sure to investigate it:
- From your box’s main screen, tap Alarms.
- Tap on a specific alarm to view more details.
- Check the destination addresses, network flows, and data transferred.
STEP 3-2: Monitor Local Flows
If you have the Firewalla AP7 installed, monitor your local flows to ensure that there is no unwanted traffic between devices on your LAN.
To check local flows:
- From your box’s main screen, tap the Local Flows chart.
- Check the devices on the Data and Flows tabs.
- Tap on any device to view detailed connection logs.
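As an added example (not Firewalla code), the script below does offline what the Local Flows review in Step 3-2 does by hand: it takes a constructed batch of LAN-to-LAN flow records and a small device inventory and reports every flow that the segmentation policy from Steps 1 and 2 says should not be occurring. The policy model is an assumption made for the example (a device with Device Isolation may only talk to the box; two members of the same VqLAN group may not talk to each other; traffic between different groups is not restricted); adjust it to the semantics in Firewalla’s VqLAN and Device Isolation documentation.

```python
"""Added example (not Firewalla code): flag local flows that violate the
microsegmentation and isolation settings described in Steps 1 and 2."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    group: str
    isolated: bool = False   # Device Isolation turned on (Step 2-1)


# Constructed inventory. VQLAN_GROUPS lists the groups with VqLAN turned on (Step 1-1).
DEVICES = {
    "thermostat": Device("thermostat", "Smart Devices", isolated=True),
    "smart-plug": Device("smart-plug", "Smart Devices"),
    "smart-bulb": Device("smart-bulb", "Smart Devices"),
    "laptop": Device("laptop", "Laptops"),
    "nas": Device("nas", "Servers"),
}
VQLAN_GROUPS = {"Smart Devices"}
GATEWAY = "firewalla"   # assumption: local traffic to the box itself is expected

# Constructed local flow records (source, destination, bytes), as the Local
# Flows chart would list them.
LOCAL_FLOWS = [
    ("laptop", "nas", 4_000_000),
    ("smart-plug", "smart-bulb", 1200),
    ("thermostat", "firewalla", 96),
    ("thermostat", "nas", 8000),
    ("laptop", "smart-bulb", 300),
]


def classify(src, dst, devices=DEVICES, vqlan_groups=VQLAN_GROUPS, gateway=GATEWAY):
    """Return why a local flow is unexpected under the modelled policy, or None."""
    if gateway in (src, dst):
        return None
    a, b = devices.get(src), devices.get(dst)
    if a is None or b is None:
        return "unknown device"   # not in the inventory: worth investigating on its own
    for d in (a, b):
        if d.isolated:
            return f"{d.name} has Device Isolation"
    if a.group == b.group and a.group in vqlan_groups:
        return f"both in VqLAN group '{a.group}'"
    return None


def violations(flows, **policy):
    """Every flow that classify() objects to, with the reason attached."""
    out = []
    for src, dst, nbytes in flows:
        reason = classify(src, dst, **policy)
        if reason:
            out.append((src, dst, nbytes, reason))
    return out


if __name__ == "__main__":
    for src, dst, nbytes, reason in violations(LOCAL_FLOWS):
        print(f"{src} -> {dst} ({nbytes} B): {reason}")
```

A flow that shows up in this report means one of two things: either the setting you believe is on is not actually applied to that device (for example, the thermostat joined a different SSID and landed outside the group), or the flow is being recorded in a way the policy does not cover. Either way it is the same check the page asks you to do in the app, just repeatable.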
Final Thoughts
By implementing microsegmentation, least privilege access, and continuous monitoring, your smart thermostat is now fully protected under a Zero Trust network. These same principles can be applied to other smart home devices using the steps outlined above.
For more examples of Zero Trust, check out our Zero Trust Best Practices and Examples.
Other Zero Trust Network Architecture Resources:
- Learn more about Zero Trust Network Architecture here.
- Learn more about VqLAN here.
- Learn more about microsegmentation & segmentation examples here.