(for the security level they’ll contribute to achieve). I’ll stick to the very minimum and very affordable component. We’ll need a bit of hardware if we want to be serious about security, sorry about that. Non-user-friendly security usually is a brilliant way to either upset users or get them to circumvent it. Last but not least, I want all of this to be, above all, usable.

Real-time notifications if anything suspicious happens.
Long lasting, this is a budget, so it should last.
Limit IoT communication capacities to the strictly necessary (you really want your cameras exposed to other eyes?).
Resilience to a potential Home Assistant vulnerability.
Dynamic routing of what goes through regular or VPN connexion based on protocol.
Guests isolated on a subnet (& their traffic going through a VPN).
Solid Ingress filtering (from the Internet toward my LANs).

Voice activation is cute, but fulfilling 3 letter agencies’ wet dreams of having people install connected microphones in their homes (at their expense) isn’t my thing. No connected microphone: Also, no mic in my home. So I wish for my security to rely as little as possible on 3rd parties and be able to control them when I’ve no choice. (On top of that, we don’t need their app, we don’t want them at all, and we want to control everything through HA)

That some attacks can be carried to your home through their hardware, API or services.
They will lose your data (not if, when).
They are down for maintenance due to a cyber attack or bug with consequences on the usability of your system.

Why no cloud dependency? When a hardware provider imposes its (average) cloud services and forces you to use their app, you’re at risk that:

We all have different goals and sensibilities, but I believe most HA users like privacy and cloud independence.

Table of content
4/ Configuring your switch, Wifi and separating your networks
5/ Securing your HA
1.

Please don’t take offense, these kinds of howtos are tricky to write.
There will be a lot of edits I’m sure and inclusions of comments that will pop. PS: I adapted my own configuration here, with different ranges / eth, so I may have typoed it, don’t hesitate to let me know, and I’ll correct them. OpenWRT won’t get you as far as this setup, but it’s easier for a beginner. Nothing expert level, but these are reasonably advanced network & security techniques I’ll be explaining here, which could confuse regular users. This post requires some Linux / network knowledge. (Reliable power supply + UPS, run it on an SSD and not an SD card, put it in a safe place and in a case if it’s a naked Raspberry Pi) This guide isn’t about your physical HA security. This doesn’t make me an authority, even less so because now I’m a CEO and no longer on the tech playground, but let’s say I’m sensitive to the topic and have experience. Red test pentester, then blue teamer, I now lead an open-source editor named CrowdSec (which offers crowd-sourced protection against aggressive IP addresses). Since 1999, I’ve dedicated most of my career to cyber security.