[Solved] IoT in DMZ

In the beginning of this, you said I might put IoT devices in the DMZ, which made sense. Wouldn't that negate the need for the Untrusted VLAN? Also, if devices in the DMZ can only get inbound connections, how can data then be transmitted, as in the case of security cameras? You obviously want to see that on your phone or computer; it's sort of the whole point of having smart devices. If it automatically allows outbound for accepted inbound connections, then doesn't it defeat the whole purpose?

As you can guess, I’m a bit confused here.

Home routers usually have the wireless AP built in, so in order to have an AP on a separate subnet, you'd have to disable the built-in one (which would have the same IP as the DMZ) and use a separate one that would give out the new IP subnet. And it would run into the same issue as below:

The router usually has a switch built in (if it’s a home router), but those switches don’t often have VLAN capability. So if I’m using the DMZ on 192.168.1.xxx, then the external switch that DOES have VLAN capability will have to have a static address of 192.168.1.xxx (say, 254 for example) on the port connected to the router, right? In order to be able to access it?

Nathan was just going over all the options you could use to mitigate the risks within your home network; he never actually stated that you had to have an Untrusted VLAN, he just pointed out that it's another option that can be implemented. Your network won't be the same as mine or anyone else's, for that matter: you may have more IoT devices on your network than I do, some people may only be using a wireless network, and everyone's network blueprint won't be exactly the same, so different network security will need to be in place to specifically mitigate the risks.

He also stated that you can allow the devices that are isolated within the DMZ or a specific subnet to make outbound connections if need be, for example if you need to perform updates on those devices. If you've got CCTV, as it sounds like you do from your message, you can put it with the other untrusted devices with an outbound connection; as long as it's isolated in the DMZ or subnet along with the other untrusted devices, it's still OK, provided it's isolated from your trusted devices and the rest of the network.

As for the AP, I am fairly sure you can fix that with your firewall, like pfsense: you can set up rules to stop APs and subnets from being able to talk to each other.

By the way, when you subnet and want to put different devices on a different subnet, what that means is they will be on a different network. So, for example, your trusted devices might be 192.168.1.xx, but then you want to put some other devices into another subnet to isolate them from your other devices; those will be on a different network, so the IP for the other subnet might be, for example, 192.168.2.xx.

If you’re extremely concerned about your CCTV, you could isolate it on a separate subnet just for that.

I hope this helps.

In the beginning of this, you said I might put IoT devices in the DMZ, which made sense. Wouldn't that negate the need for the Untrusted VLAN?

No, other devices, like a TV, don't need inbound access; only devices that need inbound access, like a webcam, do.

Also, if devices in the DMZ can only get inbound connections, how can data then be transmitted, as in the case of security cameras?

When a connection is initiated, it can communicate back because it maintains state. We cover this on the course.

If it automatically allows outbound for accepted inbound connections, then doesn’t it defeat the whole purpose?

The point of the DMZ is to provide an area where inbound connections can be made, but that network is isolated from the internal network.

Home routers usually have the wireless AP built in, so in order to have an AP on a separate subnet, you'd have to disable the built-in one (which would have the same IP as the DMZ) and use a separate one that would give out the new IP subnet. And it would run into the same issue as below:

Incorrect. This depends on the firmware. The examples I use, like dd-wrt and pfsense, can do this.
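The two points made in the replies above (a stateful firewall lets the camera's traffic flow back to whoever opened the connection, and zone rules stop the DMZ or an untrusted subnet from ever starting a conversation with the trusted LAN) are easiest to see in a small model of what a pfSense or dd-wrt ruleset does. The following Python is an added example written for this page; it is not code from the course, the thread, or either firewall. The addressing (192.168.1.0/24 trusted, 192.168.2.0/24 DMZ, 192.168.3.0/24 untrusted VLAN), the camera at 192.168.2.10 on port 443, the phone at 203.0.113.5, and the rule list are all assumed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed, constructed addressing for this example (not from the thread).
ZONES = {
    "LAN": ip_network("192.168.1.0/24"),  # trusted devices
    "DMZ": ip_network("192.168.2.0/24"),  # camera lives here, accepts inbound
    "IOT": ip_network("192.168.3.0/24"),  # untrusted VLAN: TVs etc., outbound only
}
CAMERA = "192.168.2.10"  # assumed camera address
CAMERA_PORT = 443        # assumed port that is forwarded from the internet

# Rules are consulted only for packets that START a connection; first match wins.
# (src_zone, dst_zone, dst_addr or None, dst_port or None, action)
RULES = [
    ("WAN", "DMZ", CAMERA, CAMERA_PORT, "allow"),  # port-forward to the camera only
    ("DMZ", "LAN", None, None, "deny"),            # DMZ may never start talking to the LAN
    ("DMZ", "IOT", None, None, "deny"),
    ("DMZ", "WAN", None, None, "allow"),           # camera may fetch updates / push to cloud
    ("IOT", "LAN", None, None, "deny"),            # untrusted VLAN isolated from the LAN
    ("IOT", "DMZ", None, None, "deny"),
    ("IOT", "WAN", None, None, "allow"),           # a TV can still reach the internet
    ("LAN", "DMZ", None, None, "allow"),           # trusted devices may view the camera
    ("LAN", "IOT", None, None, "allow"),
    ("LAN", "WAN", None, None, "allow"),
]  # anything not listed (e.g. WAN -> LAN, WAN -> IOT) falls through to default deny


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def zone(addr: str) -> str:
    """Map an address to its zone; anything outside the three subnets is WAN."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "WAN"


class StatefulFirewall:
    """Toy connection-tracking firewall: state table plus zone rules."""

    def __init__(self, rules):
        self.rules = rules
        # 4-tuples (src, sport, dst, dport) of connections we have accepted.
        self.state = set()

    def filter(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # 1. Part of a connection we already accepted, in either direction:
        #    allowed because of state, without consulting the rules. This is
        #    how the camera's video gets back to the phone that connected to it,
        #    without the camera being allowed to open new connections itself.
        if fwd in self.state or rev in self.state:
            return "allow (established)"
        # 2. A new connection: consult the zone rules, first match wins.
        sz, dz = zone(pkt.src), zone(pkt.dst)
        for r_src, r_dst, r_addr, r_port, action in self.rules:
            if (r_src == sz and r_dst == dz
                    and (r_addr is None or r_addr == pkt.dst)
                    and (r_port is None or r_port == pkt.dport)):
                if action == "allow":
                    self.state.add(fwd)  # remember it so replies are let through
                return action
        return "deny"  # default deny


def demo():
    """Walk the scenarios from the thread; returns (description, verdict) pairs."""
    fw = StatefulFirewall(RULES)
    phone, tv, laptop, other = "203.0.113.5", "192.168.3.20", "192.168.1.20", "198.51.100.7"
    return [
        ("phone -> camera:443 (new)", fw.filter(Packet(phone, 50000, CAMERA, 443))),
        ("camera -> phone (reply)", fw.filter(Packet(CAMERA, 443, phone, 50000))),
        ("camera -> LAN laptop (new)", fw.filter(Packet(CAMERA, 40000, laptop, 445))),
        ("camera -> internet (update)", fw.filter(Packet(CAMERA, 40001, other, 443))),
        ("internet -> camera:80 (new)", fw.filter(Packet(other, 4444, CAMERA, 80))),
        ("TV -> internet (new)", fw.filter(Packet(tv, 50002, other, 443))),
        ("internet -> TV (reply)", fw.filter(Packet(other, 443, tv, 50002))),
        ("internet -> TV (unsolicited)", fw.filter(Packet(other, 443, tv, 50003))),
        ("TV -> LAN laptop (new)", fw.filter(Packet(tv, 50004, laptop, 22))),
        ("laptop -> camera:443 (new)", fw.filter(Packet(laptop, 50005, CAMERA, 443))),
    ]


if __name__ == "__main__":
    for desc, verdict in demo():
        print(f"{desc:32} {verdict}")
```

The thing to notice is that "allow (established)" is only ever returned for a flow that was first accepted by a rule; the camera replying to the phone is fine, but the same camera trying to open a new connection to a trusted laptop hits the DMZ to LAN deny rule, which is exactly the isolation the DMZ is for. Real firewalls also expire state entries and track TCP flags and UDP timeouts, which this model leaves out.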