Building Profiles for well known IoT Devices + Family Functions and Performance
On our home network, we've got over 4 or 5 dozen IoT devices, including Nest cams, Rings, air and environmental sensors (like Awair), smart speakers (Microsoft, Amazon, Google), gaming devices, Electric Vehicles, smart lights and switches, virtual machines running servers, etc., and I've noticed that we're getting alerts that would be better managed if a traffic profile were already created for them (perhaps not to the extent that Palo Alto Networks has with AppID, but something similar that covers most of the well known and deployed IoT devices). Sometimes I find myself adding a single destination IP address into the whitelist, which won't work for long, since they're ephemeral (they change) - the goal is to have a stable baseline so that we're not alarming for known good devices to known destinations (this is important). On my first evening the system learned over 60 devices, and produced about 50 alarms.
I'm also thinking about what we might be able to do with our children's devices - to keep them monitored - it would be nice to be able to roll them into the monitoring if they: a) move out of network, b) shut down their WiFi and go on LTE/Mobile networks. I like the family focused parts of the App, and think that it can be made quite powerful and would help with the uptake of the product.
In the next week or so I planned on doing a bit of performance testing - I think that 500Mb/sec of imix traffic is probably OK for the short term, but in the coming year we're going to need more powerful hardware. We're already running 880Mb/1Gb here over FIOS and I suspect this will be more common.
Otherwise, a very nice little device - I love the open nature and size.
-
Did you ever manage to sort out the alerting?
The alerts from our Ring doorbell drive me nuts. It would seem to me that Firewalla should be able to detect the IP is from Amazon (uploading to an S3 bucket I assume) and provide us with the option to grant future Amazon uploads. That would still be too open, but it would be a great starting point.
I imagine the doorbell isn't working off of IP addresses but rather is doing DNS lookups. I wonder if the Firewalla can/should use those lookups to figure out what domain the device is really using. This should allow it to backtrack to figure out that the IP address really has a "Ring" subdomain (or possibly a Ring.com domain).
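The DNS backtracking idea from the comment above, sketched as an added example (not part of the original thread and not Firewalla's code): each flow is matched to the name the same device resolved, so the baseline is keyed on a domain suffix rather than an ephemeral IP. The device labels, host names, documentation-range IPs and the grace period are constructed assumptions.

```python
from dataclasses import dataclass, field

GRACE_SECONDS = 300  # assumption: a device may reuse an answer briefly past its TTL


def matches_suffix(name, suffixes):
    """True if name equals a suffix or is a subdomain of it (label boundary)."""
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)


@dataclass
class DnsFlowCorrelator:
    allowed_suffixes: frozenset
    # (device, dst_ip) -> (name the device asked for, expiry timestamp)
    seen: dict = field(default_factory=dict)

    def observe_dns(self, device, qname, answer_ips, ttl, now):
        """Record answer IPs under the queried name, per device."""
        expiry = now + ttl + GRACE_SECONDS
        for ip in answer_ips:
            self.seen[(device, ip)] = (qname.rstrip(".").lower(), expiry)

    def classify_flow(self, device, dst_ip, now):
        """Return (verdict, name) for an outbound flow from device to dst_ip."""
        entry = self.seen.get((device, dst_ip))
        if entry is None or entry[1] < now:
            return ("alarm-no-dns", None)  # hard-coded IP or stale mapping
        name = entry[0]
        if matches_suffix(name, self.allowed_suffixes):
            return ("baseline", name)
        return ("alarm-unknown-domain", name)


# Constructed sample data: (time, device, qname, answer IPs, ttl)
DNS_LOG = [
    (0, "doorbell", "fw.ring.com", ["192.0.2.10"], 60),
    (0, "doorbell", "cdn.notring.com", ["198.51.100.7"], 60),
    (0, "laptop", "fw.ring.com", ["192.0.2.99"], 60),
]
# Constructed flows: (time, device, destination IP)
FLOWS = [
    (30, "doorbell", "192.0.2.10"),    # resolved by the doorbell, allowed suffix
    (30, "doorbell", "198.51.100.7"),  # look-alike domain, not a ring.com label
    (30, "doorbell", "192.0.2.99"),    # only the laptop resolved this IP
    (1000, "doorbell", "192.0.2.10"),  # mapping expired (TTL + grace passed)
]


def run_sample():
    c = DnsFlowCorrelator(frozenset({"ring.com"}))
    for t, dev, qname, ips, ttl in DNS_LOG:
        c.observe_dns(dev, qname, ips, ttl, t)
    return [c.classify_flow(dev, ip, t) for t, dev, ip in FLOWS]
```

Keying the cache on the device as well as the IP keeps one device's lookup from vouching for another device's traffic, and flows with no matching lookup still alarm.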