If you’re looking to implement a Zero Trust Network, Firewalla and the Firewalla AP7 offer simple solutions. Here are some Zero Trust best practices to follow to secure your home network.
- Scenario 1: Isolate a shared printer
- Scenario 2: Isolate a group of wireless smart speakers
- Scenario 3: Isolate a group of guest devices with automatic device mapping
- Scenario 4: Allow guest devices to access your printer and smart speakers
Scenario 1: Isolate a shared printer
You have a new printer that accesses the Internet. You want to keep it isolated from other devices on your network. However, you and your roommates need to access the printer from certain devices.
Firewalla Solution:
After installing your printer and connecting it to the Internet with the Firewalla AP7, apply Device Isolation on the printer’s device page to only allow Internet access while blocking all other local traffic. Then, specify your and your roommates’ devices as Allowed Devices on the printer. Now, only the selected devices can access the printer, while all other device traffic is blocked.
Note: The printer can also access the selected devices, as the Allowed Devices feature is bi-directional.
For more security:
If you don’t want your printer to access the internet, turn off the internet using the Internet shortcut button on the printer’s device page.
Then, turn on NTP Intercept so that the printer can still sync its clock with Firewalla’s trusted NTP servers.
Scenario 2: Isolate a group of wireless smart speakers
You want to secure a group of wireless smart speakers. Your speakers should not have access to devices outside of their group, like your personal devices. However, they still need to communicate with each other to sync audio, and you still want to use your phone to play music on them.
Firewalla Solution:
With the Firewalla AP7, place your smart speakers into a “Speakers group” and enable VqLAN, allowing internet access and communication within the group while blocking all other local traffic.
Then, add your phone to the Allowed Devices, so your phone can communicate with all the speakers within the VqLAN.
Scenario 3: Isolate a group of guest devices with automatic device mapping
You want to secure a group of guest devices. Your guest devices should not have access to devices outside of their group, like your personal devices, and should not be able to talk to other guest devices. You also want to make sure that new guests on your network are automatically sent to your guest group when they connect to Wi-Fi.
Firewalla Solution A (VqLAN):
With the Firewalla AP7, create a “Guest Group” and enable VqLAN and Device Isolation, ensuring guests have internet access while preventing their devices from communicating with each other or any other local devices.
Then, create a new “Guest Wi-Fi.” Edit the Guest Wi-Fi so that devices are automatically assigned to the “Guest Group” and have the VqLAN and Device Isolation rules applied dynamically. Learn more about assigning SSIDs to a user/group here.
Firewalla Solution B (VLAN):
Using Firewalla’s Network Manager, create a new “Guest VLAN” and set its VLAN ID and IP address subnet.
Using the Firewalla AP7, create a new “Guest Wi-Fi” and map it to the “Guest VLAN.”
Then, create a new rule to block traffic from & to all local networks on the “Guest VLAN” to prevent guest devices from accessing all local networks. With the Firewalla AP7, the rule can also block wireless devices from accessing each other within the same network.
Learn more about Network Segmentation with VLANs here.
Scenario 4: Allow guest devices to access your printer and smart speakers
You have a group of guest devices and you’d like to give them access to your printer and smart speakers. Your guest devices (scenario 3) are already isolated from other devices on your network. Your printer (scenario 1) and smart speakers (scenario 2) are also isolated.
Firewalla Solution A (VqLAN):
With the Firewalla AP7, use the Allowed Devices feature on your “Guest Group” and select the printer and smart speakers group. Now, even with VqLAN and Device Isolation enabled, each guest device can access the printer and speakers.
Note: The printer and speakers may access the guest devices.
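To check what reachability the VqLAN configurations of Scenarios 1 through 4 actually produce before applying them, here is a small policy model written for this article; it is not Firewalla code, and the device names, the rule semantics it assumes (Device Isolation, bi-directional Allowed Devices, VqLAN groups, group-level Allowed Devices naming a device or a whole group) and the scenario setup in build_scenarios() are taken only from the descriptions above.

```python
from dataclasses import dataclass, field

# Constructed model of the VqLAN behaviour described in Scenarios 1-4; not Firewalla code.
@dataclass
class Device:
    name: str
    isolation: bool = False          # Device Isolation: only Internet + Allowed Devices
    allowed: set = field(default_factory=set)   # Allowed Devices (device names)

@dataclass
class Group:
    name: str
    members: set
    vqlan: bool = False              # VqLAN: members talk to each other, nothing else local
    device_isolation: bool = False   # with VqLAN: members cannot talk to each other either
    allowed: set = field(default_factory=set)   # Allowed Devices (device or group names)

class Policy:
    def __init__(self, devices, groups):
        self.devices = {d.name: d for d in devices}
        self.groups = {g.name: g for g in groups}

    def group_of(self, dev):
        return next((g for g in self.groups.values() if dev in g.members), None)

    def _allowlisted(self, a, b):
        # True if a's own or a's group's Allowed Devices names b (directly or via b's group)
        names = set(self.devices[a].allowed)
        if (g := self.group_of(a)) is not None:
            names |= g.allowed
        expanded = set()
        for n in names:
            expanded |= self.groups[n].members if n in self.groups else {n}
        return b in expanded

    def can_talk(self, a, b):
        # Local reachability between two devices under the configured policy
        if self._allowlisted(a, b) or self._allowlisted(b, a):
            return True                      # Allowed Devices is bi-directional
        if self.devices[a].isolation or self.devices[b].isolation:
            return False
        ga, gb = self.group_of(a), self.group_of(b)
        for g in (ga, gb):
            if g is not None and g.vqlan:    # VqLAN: only intra-group traffic survives
                return ga is gb and not g.device_isolation
        return True                          # no isolation anywhere: ordinary LAN

def build_scenarios():
    # Scenarios 1-4 (VqLAN variants) with constructed device names
    devices = [Device("printer", isolation=True, allowed={"my-laptop", "roommate-phone"}),
               Device("my-laptop"), Device("roommate-phone"), Device("my-phone"),
               Device("speaker-1"), Device("speaker-2"), Device("guest-1"), Device("guest-2")]
    groups = [Group("Speakers", {"speaker-1", "speaker-2"}, vqlan=True, allowed={"my-phone"}),
              Group("Guest Group", {"guest-1", "guest-2"}, vqlan=True, device_isolation=True,
                    allowed={"printer", "Speakers"})]
    return Policy(devices, groups)
```

Printing can_talk() for every device pair gives the full local reachability matrix, which is the quickest way to spot a device that is reachable only because it was never isolated.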
Firewalla Solution B (VLAN):
To cast media (like video or audio) from a personal device to a guest device, you’ll need to first enable mDNS and SSDP Relay on the “Guest VLAN.”
If you have a rule to block all traffic from & to local networks on your Guest VLAN, you’ll then need to create allow rules for the printer and the smart speakers.
Go to the printer’s device detail page, scroll to the bottom, and note down the IP address. Then, create a rule to allow traffic to the printer’s IP address on the “Guest VLAN,” and set the Direction to “Bi-directional.”
For the group of smart speakers, take a look at each speaker’s IP address and create separate allow rules for each device.
Note:
- If the IP address of your device changes, you’ll need to update the rules manually.
- If you have a lot of devices in a group, you could alternatively create a target list, add all the device IP addresses to the list, and create one allow rule for the entire target list. Learn more about target lists here.
- Some speaker devices (e.g. Sonos) may require your personal device to be on the same SSID as the speaker for proper functionality.