In recent years, I've received a lot of questions about the Guest Wi-Fi SSID (network name), including the catch-all recommendation of using Internet of Things devices with one.
Interestingly, most of these questions are not about setting up this type of wireless network but rather about the fact that many devices don't work as intended when connected to one.
As it turns out, the answer lies in understanding what a Guest Wi-Fi network actually is, as opposed to the assumptions and online misinformation about this type of Wi-Fi network. Hint: It's not what you think.
This post will explain the "Guest" notion of Wi-Fi networking and how to use it properly. To cut to the chase: Similar to the case of VPN, Guest Wi-Fi is not intended to be a security measure for IoT devices. It has little to do with security at all.
Dong's note: I first published this piece on July 8, 2020, and last updated it on January 21, 2024, with the latest relevant information.
What is a Guest network?
A Guest Wi-Fi network is a fancy name for a second, virtual SSID broadcast by the same router that is, by default, isolated from the primary network you use for your home, your intranet. Device isolation is the keyword here.
Isolation how? A device connected to a router's Guest Wi-Fi, by design, can reach the Internet and nothing else. Specifically, it's not part of the router's primary network, the router drops traffic between the two, and therefore it can't reach your local resources, such as your shared folders or network printer.
Tips
There's no such thing as "Guest" in networking. The name is a marketing term for a built-in VLAN (virtual LAN): a separate network segment on the same hardware, with the router's firewall blocking traffic between it and your primary LAN.
If you can create a Wi-Fi SSID (network name) separate and isolated from the one you use, then it's effectively the Guest Wi-Fi network, no matter what you call it.
Consequently, don't bother naming a separate Wi-Fi network with the "Guest" suffix. But if you do, remember that doing so alone does not automatically make that network isolated or more "secure."
The point is this: don't look for a router with the "best Guest networking feature." Instead, look for one with VLAN capability for its Wi-Fi. Put another way, if a router has a comprehensive Guest networking feature, you can consider that its wireless VLAN capability.
As the name suggests, this extra Wi-Fi network is for your guests to use—it's for temporary devices. The purpose is to keep these devices separated from your home devices.
The idea is that you don't have to deal with them one way or another, and most importantly, you don't need to hand out your primary Wi-Fi network's password while still giving them access to the Internet. That can be a matter of privacy or security, though not always.
A crude analogy: If your intranet is your home, then the Guest Wi-Fi network is that mother-in-law suite at the far end of your backyard. You know your friends are comfortable there each time they visit, yet you don't have to tend to their every move. Not that you're scared of them, but you don't see the need for them to have the key to your home or general access to the stuff inside your primary residence. Everyone is happy.
When a Guest network is not a Guest network
Note that many routers have the option to allow the Guest Wi-Fi network intranet access (on Asus routers, for example, the setting is called "Access Intranet"). With that turned on, the isolation is no longer in effect, and the Guest network works the same as the primary network, just under a different name.
If that mother-in-law suite in the backyard has no bathroom, guests staying there will still need to enter your primary home anyway.
Why would anyone want to do that, you might ask? Other than not knowing what they are doing, there are a couple of additional reasons.
First, not everyone needs a Guest network, and sometimes it's helpful to have multiple SSIDs so you can segment your devices. For example, you can have a group of clients connect to a particular SSID and the rest to another.
Another reason is that the owner of the Guest network might want to reach the guests' devices. The isolation, or the lack thereof, works both ways, and not every guest network is friendly: whoever runs the network can see, and tamper with, any of your traffic that isn't encrypted end to end. That's the reason you want a VPN when using public Wi-Fi.
The point here is that just because it's called a Guest network or the SSID has the "Guest" suffix doesn't necessarily mean it's isolated. But in this post, for the sake of consistency, we assume that it always is.
How to set up a guest network
By definition, any (Wi-Fi) network separated (isolated) from your primary network is a "guest" network. And there are a few ways to achieve this.
Turn it on
The easiest way is to get a router that has this feature—the majority of home routers have the Guest Wi-Fi option these days. In this case, you only need to turn it on via the router's web interface or mobile app. You'll find it in a section called "Guest Network", "Guest Access", or something to that effect.
Once turned on, the Guest network is isolated by default. Make sure you don't change this: the setting that would undo it is usually labeled something like "Allow guests to access my local network" or "Access Intranet," and it should stay off.
Most routers' Guest network feature comes with some other customization, including a time limit, a bandwidth limit, etc. You can configure those or leave them alone, but it's always a good idea to secure this network with a WPA2 or WPA3 passphrase; an open Guest SSID lets anyone within radio range join.
Because a virtual SSID shares a radio with the primary SSID of the same band, it also shares that band's Wi-Fi standard, channel, and channel width. The security mode (WPA2 or WPA3) is generally configurable per SSID, though some routers tie it to the main network. If you choose to use the Guest network for legacy devices, make sure the band's shared settings, which you change on the main SSID, accommodate them.
When you use a router's built-in Guest networking feature, chances are all devices connected to the Guest SSID are also isolated from one another (a setting usually called AP isolation or client isolation), meaning not only can't they access your intranet, but they also can't see each other.
In other words, if the guests want their devices to work with each other locally, that won't happen.
This type of Guest networking is suitable for temporary guests who need the Internet and nothing else. It's also the right choice for a public place, like a coffee shop. But if you want to offer your guests more than just the Internet, this type of Guest networking won't cut it. Instead, it would be best if you had a separate intranet.
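Rather than trust the label on the router's settings page, you can check what the Guest network actually blocks. Below is a small probe script I've added for that purpose (it is not code from the original post). Run it from a laptop joined to the Guest SSID; the LAN addresses in it are made-up placeholders, so substitute the addresses of your own router, printer, NAS, and so on.

```python
"""Check whether a router's Guest Wi-Fi really isolates clients from your LAN.

Added example, not from the original post. Run it from a laptop that is
joined to the Guest SSID. It tries TCP connections to hosts on the primary
LAN and classifies each answer:
  open     - connected: the guest can use that service
  closed   - host replied with a reset: the guest can reach the host, the
             port just isn't listening (isolation is NOT in effect)
  filtered - no reply or no route: traffic is being dropped, as it should be
The target addresses are assumptions for illustration; substitute your own.
"""
import socket
from typing import Callable, Iterable

# Constructed sample targets: (label, host, port). Adjust to your LAN.
PRIMARY_LAN_TARGETS = [
    ("router admin page", "192.168.1.1", 80),
    ("network printer (IPP)", "192.168.1.20", 631),
    ("NAS file share (SMB)", "192.168.1.30", 445),
    ("media server (HTTP)", "192.168.1.40", 8200),
]

Prober = Callable[[str, int], str]


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'closed', or 'filtered' for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"          # RST came back: the host is reachable
    except OSError:
        return "filtered"        # timeout / no route: packets were dropped


def probe_lan(targets: Iterable[tuple[str, str, int]],
              prober: Prober = tcp_probe) -> dict[str, str]:
    """Probe each target once and map its label to the result."""
    return {label: prober(host, port) for label, host, port in targets}


def isolation_verdict(results: dict[str, str]) -> str:
    """'isolated' only if every probe was dropped; anything else is a leak."""
    leaks = [f"{label} ({state})" for label, state in results.items()
             if state != "filtered"]
    return "isolated" if not leaks else "leaky: " + ", ".join(leaks)


if __name__ == "__main__":
    results = probe_lan(PRIMARY_LAN_TARGETS)
    for label, state in results.items():
        print(f"{state:8}  {label}")
    print("verdict:", isolation_verdict(results))
```

The distinction between "closed" and "filtered" is the whole point. A connection refused means your LAN host received the guest's packet and answered it, so the Guest network is merely a different SSID, not an isolated one. Proper isolation shows up as every probe timing out.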
Create a separate intranet
If you want your guests living in the mother-in-law unit to feel even more welcome, you can equip the place with more gadgets, such as a network printer or a separate Wi-Fi audio system.
To keep these devices available to your guests yet separate from yours, you'll need to build a different intranet for them.
There are many ways to do this, including using a feature called VLAN, which is available in select high-end home routers. However, the easiest is to use a separate router (with its own Wi-Fi network) on top of your existing one in a double-NAT setup.
In this case, the guest intranet is separate from your primary network, but its devices are not isolated from one another. Mind the direction, though: NAT hides the second router's clients from the primary LAN, but those clients can still reach the primary LAN, which is their upstream network, unless you block that on the second router's firewall. If the separation is meant to protect your own devices, the safer arrangement is the reverse: your devices behind the second router and the guests on the primary one.
And that's important because most local devices need to be in the same local area network (LAN), and usually the same broadcast domain, to discover one another and work as intended. That brings us to the common yet near-sighted recommendation of Guest Wi-Fi for IoT devices.
Guest Wi-Fi, your IoT devices, and the root of the (nonsensical) security notion
In recent years, the use of a separate SSID for smart or Internet of Things (IoT) devices has been commonplace. There's a reason behind it.
Between roughly 2007 and 2016, during the first boom of IoT devices (things that never had built-in networking before, such as printers, IP cameras, locks, doorbells, etc.), there were multiple botnet attacks, most famously Mirai in 2016, in which attackers took control of hundreds of thousands of these devices and used them to flood a particular website or service with bogus requests until it could no longer respond to legitimate ones.
These are distributed denial-of-service (DDoS) attacks. The whole episode lumped all IoT devices into the high-risk category.
In reality, these were mostly crimes of opportunity. There was little hacking involved, but mainly the owners' negligence and vendors' sloppiness.
In their early days, IoTs, including many Wi-Fi routers, shipped with a publicly known default username and password and often had a management service, such as Telnet or a web interface, reachable from the Internet. Consumers brought them home, hooked them up, and used them without changing the defaults. That's like getting a new gun safe and continuing to use it with the factory 1-2-3-4-5-6 code.
The bad guys scanned the Internet for such devices, logged in with the default credentials, and installed malware that turned them into bots that flooded a third party on command.
A couple of things to note here:
- The owners of the compromised devices were not the targets and, in most cases, never noticed; the attack consumed their bandwidth and went after someone else.
- Using these IoTs with a Guest Wi-Fi network (which might have been the case with some of them) wouldn't have prevented it: the devices were attacked from the Internet and attacked the Internet, and a Guest network allows both. What isolation would have limited is what an infected device could reach inside the home, which wasn't what those attacks were after.
What's most important is that IoTs have come a long way since then in terms of security. Most won't complete setup until the user has set a new admin password. But the vague "security" notion persists, and you'll find lots of recommendations online from "experts" that you should put IoT devices on a Guest Wi-Fi network to be safe.
If you still believe that, consider the following three points.
1. Being in the same network doesn’t guarantee access
It's important to note that having devices, including those of strangers, in the same local network (intranet) doesn't mean they can access one another's data willy-nilly.
Being reachable is not the same as being authenticated. Any device on the LAN can send packets to any other, but getting at sensitive data, such as when machine A wants to read files on device B, requires the owner to configure B to share them and to decide who can access what and how.
If you don't set anything up, no such access exists; it takes work to expose a computer's information to others within the same network. The caveat is that this holds only for services that require authentication. An IoT device that exposes an unauthenticated web page or API is available to every device on its segment, which is the one case where keeping it apart from the rest actually matters.
Another crude analogy: Just because you stay in the same room with a person doesn't mean you're both automatically completely naked to each other. That takes some work on both parties. Sometimes, it takes a lot of work.
2. IoTs are generally low-value targets
As mentioned, IoT stands for Internet of Things, and it generally means an Internet-connected thing that's not a computer or a mobile device. There's only so much such a device can do.
A network printer, for example, can't do much more than print, scan, or send out an email or a fax. The point is most IoT devices hold little data of value and have limited computing capability compared to a real computer or a smartphone.
As a result, they generally are low-value targets for a targeted attack: there's not much to take from them even when a hack succeeds. What they do attract is automated, opportunistic attacks at scale, for their bandwidth and their network position, as the botnets above show. Hacking a computer, by contrast, offers a much higher return on the attacker's effort.
3. Important: Most IoT devices need intranet access to work
Most IoT devices need to be part of your home network to work correctly.
Take a network printer, for example. Hooking it to an isolated Guest network keeps it invisible to your other devices, so they can't print. In some cases, you still can print, but you have to do so via the Internet, and that means:
- You must set up the printer with a vendor login account, which can be a privacy concern.
- You can't print if the Internet is down.
- It takes much longer to initiate a print job.
Similar things will happen with other devices, like Wi-Fi speakers or IP cameras. Putting them on the guest network means disconnecting them from your local network. Everything now has to go through the Internet.
Here are some more examples of what might not work if you connect your IoTs to an isolated Guest Wi-Fi network.
- You can't wirelessly cast a computer's or mobile device's screen to your smart TV.
- Wi-Fi speakers won't work.
- Network printers won't work locally.
- Most IP cameras won't work, at least during the setup process.
- Local movie streaming (from your server) won't work.
The list goes on. So, to answer many of your questions, putting all your IoT devices on a Guest Wi-Fi network can create many headaches. Stop making it a standard practice!
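Here is why the items on that list fail, shown in code. Casting, AirPrint, AirPlay and most other "local" gadgets find each other with mDNS/DNS-SD: a query multicast to 224.0.0.251 on UDP port 5353 that only devices on the same Wi-Fi segment receive and answer. From an isolated Guest SSID, nothing on your primary LAN ever hears the query, so the app reports that no TV or printer exists. The script below is an added example, not code from the original post; the service names are the standard DNS-SD ones, and the response packet used for testing is constructed locally to stand in for a device on the LAN.

```python
"""Why casting and printing break on an isolated guest SSID: the discovery step.

Added example; not code from the original post. Devices announce themselves
with mDNS/DNS-SD on the link-local multicast group 224.0.0.251:5353. That
traffic never crosses the Wi-Fi segment it was sent on, so a client on an
isolated guest SSID gets no answers from devices on the primary LAN.
Service names are the standard DNS-SD ones; the sample response is constructed.
"""
import socket
import struct

MDNS_GROUP = ("224.0.0.251", 5353)
SERVICES = {
    "cast":    "_googlecast._tcp.local",
    "printer": "_ipp._tcp.local",
    "airplay": "_airplay._tcp.local",
}
TYPE_PTR = 12


def encode_name(name: str) -> bytes:
    """DNS wire format: length-prefixed labels, terminated by a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_ptr_query(service: str) -> bytes:
    """A single-question mDNS PTR query (transaction ID 0, standard flags)."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    # QTYPE=PTR, QCLASS=IN (top bit of class would request a unicast reply)
    return header + encode_name(service) + struct.pack("!HH", TYPE_PTR, 1)


def decode_name(packet: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly-compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:            # compression pointer
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode())
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_ptr_answers(packet: bytes) -> list[str]:
    """Return the instance names from every PTR record in a response."""
    _, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    for _ in range(qd):                      # skip echoed questions, if any
        _, offset = decode_name(packet, offset)
        offset += 4
    found = []
    for _ in range(an + ns + ar):
        _, offset = decode_name(packet, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        if rtype == TYPE_PTR:
            name, _ = decode_name(packet, offset)
            found.append(name)
        offset += rdlen
    return found


def build_ptr_response(service: str, instance: str) -> bytes:
    """Constructed reply, as a device on the same segment would send it."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)   # QR + AA flags
    rdata = encode_name(instance)
    rr = encode_name(service) + struct.pack("!HHIH", TYPE_PTR, 0x8001, 4500, len(rdata))
    return header + rr + rdata


def discover(service: str, timeout: float = 2.0) -> list[str]:
    """Multicast the query and collect PTR answers for `timeout` seconds."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
    sock.settimeout(timeout)
    sock.sendto(build_ptr_query(service), MDNS_GROUP)
    names = []
    try:
        while True:
            data, _ = sock.recvfrom(9000)
            names.extend(parse_ptr_answers(data))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return sorted(set(names))


if __name__ == "__main__":
    for label, service in SERVICES.items():
        print(f"{label:8} {discover(service) or 'nothing answered'}")
```

Run it once from the primary Wi-Fi and once from the Guest SSID: the first run lists your TV, printer, or speakers, the second prints "nothing answered" for each service. That difference is the "headache" the post describes, and it's a property of link-local multicast, not of the device being broken.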
Consider this: Would you put your only bathroom in that mother-in-law suite? If so, why?
How about that IoT Wi-Fi network?
In the past couple of years, there's been a new trend where networking hardware vendors include an IoT Wi-Fi network with their routers. Specifically, it's a network in which the default name is formed by having the "IoT" suffix attached to that of the primary SSID.
I remember running into this practice the first time with Netgear's Orbi RBKE960. Since then, some other vendors have followed suit.
It's important to note that this separate "IoT" SSID is not isolated. It's just another virtual SSID for your primary network: devices connected to it are part of the same intranet as those on the primary Wi-Fi network. (And you don't have to use the "IoT" suffix for it.)
The idea behind this practice makes sense. Smart Wi-Fi devices are often low-power, support only older Wi-Fi standards, and need little bandwidth; having them on the same SSID as your computers, tablets, and phones can drag down the performance of those full-feature clients.
That's why a separate SSID with lower-performance settings, or a dedicated band, for them helps keep your network running optimally. These "IoT" SSIDs typically default to the 2.4GHz band; some can also include the 5GHz band, but none use the 6GHz band.
This "IoT" SSID is a convenience but not a necessity. You can do this with any router by separating the bands—each with its own SSID—and using the 2.4GHz only for smart devices.
The takeaway
I don't mean the chance of your IoTs being hacked is zero, nor do I suggest downplaying the security issues in these devices. But using IoTs with an isolated Guest Wi-Fi network makes far less difference on the security front than the advice implies: isolation limits what a compromised device can reach on your LAN, but it does nothing about the device being compromised from the Internet in the first place, which is how these attacks actually happen. What will likely happen is that the devices won't work as intended.
So, the point here is this: you need to understand your devices and the nature of Guest networking to use them accordingly. By the way, don't pile on "smart" IoT devices willy-nilly, either. That's actually not so smart.
The best way to keep your IoT devices safe from hacking is not to get cheap ones from unknown vendors. Then, set a unique, strong password for each, keep them on their latest firmware, and don't expose their admin interfaces to the Internet (no port forwarding or remote-access features you don't actually need). On top of that, keep your router's firmware up to date, too.
Perspective: Security is always a matter of degrees. The only way to keep a device completely secure against online threats is to turn it off.
To those who are still adamant about always using IoT with a Guest Wi-Fi network, consider this: Your router, the one that hosts your Wi-Fi networks, including the Guest Wi-Fi, is itself an IoT device. In fact, it's the highest-value target among all IoTs. What are you going to do about this?
Thank you for the update. If I can take this a step further and question how a Mesh network is impacted! I have a Main Router GT-AX11000 Pro which supports VLAN, along with a GT-AX11000 and (2) zenWiFiAX (XT8)s as nodes. So 4 nodes overall counting the router. (Lots of obstacles and distances in the house.) I use the “Guest” for visitors, those who can’t get their cell service or need to connect to the internet and I keep the IoTs (Guest 2) away from the Main network for organization purposes.
When I set up the Guests (2) I cannot push the bands to all of the nodes. ASUS says it supports 2.4 GHz (3), 5 GHz (3), and another 5 GHz (3) on its Guests. I have 3 nodes and there should be support bands. But even if I take one of the nodes offline, I do not get total band coverage. 2.4 and 5 GHz per each Node. What am I missing?
You're mixing hardware, David, and with that you can only expect things to work to a certain extent. More here.
Thank you, I like this and hopefully it helps others.
All 4 Nodes including the Router are Tri Band. Three of four are hard-wired (Cat 6a) on the Backhaul and as a troubleshooting step, I disconnected the one using WIFI backhaul only. All four are WiFi 6, 2.4 GHz, 5GHz and 5GHz bands.
A clarification question: on the backhaul, I have it set to Auto even though there is a backhaul 5 GHz signal and a Cat 6a connection. Wrong?
Another thought. Mixing hardware. Are you saying that the zens do not play well with the AX11000s so make them APs?
Dave
I’m saying what I already said (wrote), Dave. It’s plain English. It’d be better to (read) what I say instead of making assumptions and asking for validation. It’s always in the details.
Or maybe I cannot connect the dots. The “forest for the trees” thingee.
David, doing a quick Google, those devices all seem to be from Asus, is that correct?
“I cannot push the bands to all of the nodes”: what do you define as bands? Having each “node” broadcast the Guest (2) SSID?
With the utmost respect, David, I think your terminology is incorrect and causing some confusion, at least for me. 😛
Dong, or anyone else! I want to get an internet radio working on a hospital guest network.. the kind that requires no password but requires you to click a “get online” browser button. Do you think this would be possible? I can’t go to the hospital right now as I am in the UK and my dad is in hospital in Canada. I was thinking perhaps there is a way to extend the guest network via a cheap device which the makes the network available with a password – seems a bit convoluted though
Assuming the issue is that the radio has no mechanism to agree to the TOS so it can't connect, you can try this way if you have a laptop, Sean. Another way is to spoof the MAC address of the radio on a computer, then get that computer connected, similar to how I hooked a Tesla to a public Wi-Fi network.
Good luck! Hope your dad recovers quickly!
So putting devices like Wi-Fi cameras and smart bulbs on a guest network basically makes it impossible to control them through their native apps while the controlling device is connected to a different network (different Wi-Fi or cellular)? Am I getting it right?
It’s possible if the app works at the Internet level (and not at the local network level). But before that, a device might require local-level access during the setup process.
I see.
Do you think it’s worth the hassle moving all the bulbs, alexa and cameras from my main 2.4Ghz network to a separate ssid guest network just made for them?
Cheers.
That’s up to you, Dima. Read the post for more. But using a separate Wi-Fi for IoT for security reasons is basically a bullshit idea, to begin with. What you need to be concerned about is the performance of your network — more in this post.
“Be impossible”? No, it won't be. The device's firewall needs to block traffic from the guest network to the main network but allow traffic from the controlling device's IP (e.g., a spare tablet on the main LAN) to the guest network.
Dong, I’ve been combing your resources – SUPER appreciate your thoroughness and clarity!
Question about the guest network bandwidth limiter option.
My main router is an ASUS AX5700, and I’m using ZenWiFi XD6’s with AiMesh as nodes (wired backhaul). I’ve got bandwidth limited for guests at 10Mbps, but it only works when connected to the main router. Once a device connects to a node, the bandwidth is no longer limited on the guest network. Any thoughts on how to fix this?
That's generally the case with AiMesh, Travis. Guest networking used to be available only at the router until AiMesh 2.0. I don't think what you need will happen anytime soon since it's very complicated.
Oh, that’s disappointing. I guess I could set up a second network with my old Deco X20’s for guests, but I was hoping to avoid having to have the extra hardware.
1. What, if any, settings can be changed on an Asus router so that someone cannot connect a 2nd router to the Guest Network and thereby get to the main network? If so, do you have an article to read on how to do that or an search term to use?
2. The only Iot devices I found that need to be on my main network are the TV (to cast from the laptop) and the printer (to print), but they don’t need internet access – only intranet. So I used the Asus Router AiProtection/Parental Controls/Time Scheduling feature, put those devices on the list, and set the time to “Block.” Is that doing what I think it is, which is blocking those devices from accessing the internet and thereby adding a layer of protection?
3. My Asus router has 3 guest networks. Do you have an article on strategies for using these? I deduce that Asus Ai-Mesh only includes the first one. On mine the third is labeled “Default setting by Alexa”; googling indicates that just means it is the one Alexa changes if you connect your router to Alexa and give voice commands. My preliminary thought on the three guest networks is to use one for adult guest, a second for grandchildren that I can set to shut off at 10pm, and a third for IoT devices, but would love some guidance…
1. You do that by securing the SSID the usual way. As mentioned, isolation is the mechanism that keeps devices connected to a Guest network from accessing your local resources. But the Internet still has to go through the primary router.
2. Both the TV and the Printer need access to the Internet for firmware updates and streaming in the former’s case. But sure, you can do that to keep specific devices from the Internet.
3. Your assessment is correct. As mentioned in this post, you can name/customize them however you’d like.
The Verizon router #CR1000A appears to have two separate connections to handle guests and IoT devices. Thoughts?
• Guest Wi-Fi (2.4 GHz)
• IoT Wi-Fi (2.4 GHz)
The IoT notion doesn't mean anything. It's misleading and arbitrary, aimed at fooling folks who don't know better into thinking the hardware is "better" or "more valuable" than it is, Oliver. Netgear does the same with the Orbi RBKE960. Many routers have multiple "Guest" networks, and you can name or use them however you want. Asus and Synology, for example, offer three or more per band. By the way, make sure you read the post carefully; you wouldn't have asked the question if you had.
Actually, the IoT network on the Verizon CR1000A is not meant for security. The router has a combined SSID for both the 2.4 and 5GHz networks (SON). We've found that many IoT devices, including some Ring doorbells, won't connect at all with SON enabled. So the IoT network gives you a dedicated 2.4GHz signal without splitting the SSID for your primary network.
Most routers allow a guest network on a specific band, Zee. As mentioned, it's a form of virtualizing a specific band or bands into a separate SSID.
Right. My comment is in response to “it’s misleading and arbitrary aimed to fool folks who don’t know better.” I think it’s for the novice to get their devices up and running without having to manage SSID’s on different bands. There are more advanced routers for those users.
👍
*SON = Self Organizing Network.
It’s actually more often called “Smart Connect“.
I think best practice is to connect any IoT devices to your guest networks and don't allow guests to reach each other internally. Doing so, any access should go through the Internet; that's a downside.
But most routers only allow one Guest SSID? I want my guests to access guest Wi-Fi with less bandwidth and my own IoT devices on another guest network with more premium connections. How does Dong achieve this, or am I thinking too complicated?
Most routers with Guest networking allow you to adjust the total bandwidth for guests, Dzung.
No problem, I am actually trying to understand here.
If you don’t consider your guests a security risk, then why use the guest network at all? Alternatively, why not just give guests access to your primary network?
In the case of Asus Guest networks there is no difference anyway.
Best practice for Asus Guest networks would surely then be to disable the guest network and only allow trusted clients access to your primary network?
For best practice, if you can’t securely allow guests access to the internet without exposing your internal devices, what is the point of the guest network access?
It's a matter of degrees, Luke. If you go around taking things as black and white, this Guest Network thingy is the least of your problems. Not that what you said about it is correct. 🙂
Dong,
Great article! Helped solve many issues I was having with my IOT devices.
Thanks,
Jim
Awesome! Glad it worked out, Jim.
Dong,
I am one of those that put most of the IoT devices (~50) onto a guest network. I have two issues; wondering if you have any insight into them. Does the guest (virtual) network have the same range? I have a couple of Kasa devices located at the perimeter of the house that don't always connect. Wondering if I switch them over to the main network they would stay connected.
Is the connection on the virtual network as stable? Device dependent?
Some of my Kasa, Lifx, and a few other devices inside the house randomly disconnect and do not reconnect on their own. Wondering if I switch them over to the main network they would stay connected.
I have an Asus 89x router. Wondering if that is a problem.
This depends on the hardware, Chinh. But yes, the main Wi-Fi network is almost always better than the virtual one. They should have the same range, though. As for why things get disconnected, you might want to check out this post, especially when you use a Wi-Fi 6 router, which the RT-AX89X is.
Ok. Don’t keel over from the length. 🙁
First and foremost: I am NOT trying to argue or be combative with you. I’m new to all this and am GENUINELY trying to understand and learn.
At the start of your article you mention that – in terms of the widespread hack of IOT devices back in the day – “using these IoTs with a Guest Wi-Fi network (and that might have been the case with some of them) wouldn’t have made any difference.”
1) Do you mean it wouldn’t have made any difference because you’re presuming people plugged and played their router out of the box (i.e. didn’t change any default username/passwords on it?)
2) So, my MAIN home network is my “intranet”? Is that correct?
*** You go on to say “And enabling a Guest Wi-Fi network… by default, [is] isolated from the primary one (the “intranet” one?). As such “a device connected to the Guest Wi-Fi has access to the Internet but not your local resources, such as your shared folders or network printer.”
Ok, so this sounds like good security to me so far! IoTs and guest devices on the Guest Network can’t “infect” my main network, yes?
BUT.
“First, it’s important to note that having devices in the same local network (intranet) doesn’t mean they can access one another willy-nilly.
The interaction between network devices varies depending on the applications. Still, all sensitive data access — such as if you want a machine A to access a shared folder on a device B — requires some configuration which determines who can access what and how.
If you don’t do anything, by default, the access is not available. In other words, it takes work to make a computer’s information exposed to others.”
Ok….. I didn’t know that.
BUT.
3) I’m not necessarily worried that a guest is going to try and log in to my bank account. Still…wouldn’t them being on a Guest Network protect my MAIN network just in case any of their devices have malware or other bad stuff on them?
This next thing you wrote….. gah. I…I AM SO TOTALLY LOST.:
“No, I don’t mean the chance of your IoTs being hacked is zero, but it sure is much lower than that of your computer or your phone. And USING THEM WITH A GUEST WI-FI NETWORK MAKES LITTLE DIFFERENCE, IF AT ALL, ON THE SECURITY FRONT.”
4) What the what? You said that a Guest Network is isolated from the “intranet” (i.e. the MAIN network). Wouldn’t it follow then that IoT devices being on the Guest Network WOULD lessen the chances of a MAIN network getting hacked should the less-secure IoT devices on the GUEST Network get hacked since a Guest Network is isolated from the MAIN network?
And this is why – if what I wrote in the previous paragraph is true – I’m again TOTALLY CONFUSED by you writing: “The Guest Network is not synonymous with better security.”
As far as things “likely not to work as intended”:
1. I don’t own a wireless printer. My printer is connected to my laptop. If anybody needed to print anything they could email it to me and I’d print it for them. Sorted. 😊
2. My home is far from the Jetsons. I have 2 Smart TVs, some smart plugs, a few smart bulbs, an Amazon Echo and a Dot. That’s about as “high-tech” as things are ever going to get around here!
3. If I want (I never do) to stream something from my computer to my TV, I have an HDMI cable tucked behind the TV that I plug the laptop in to and voila.
5) I have Bluetooth earbuds and headphones that I’ve connected to the Echo and the DOT. If I put the ECHO, DOT, etc. on the guest network, will the bluetooth earbuds still connect to those devices? (I warned you I was in over my head.)
You make a good point about the router itself being an IoT device and what to do about that conundrum!! Creating a complex password and prayer? I don’t know. At a certain point don’t you have to let go and let God? LOL. This stuff can drive you nuts if you let it.
Erikje commented: “A lot of very cheap iot devices do not have any serious or even funny way of security. So putting them in isolation is a good way to limit damage. A guest network is a simple way to segment your iot devices…. The guest network is one of the simplest way to achieve that security for the normal user. Yes there are much better ways, but they are not accessible for normal users.”
Cooloutac may not have been the height of gentility when writing:
“I think people are referring more to devices like Amazon Echo, Blink cams, Ring doorbell cams, robot vacuum cleaners, smart home plugs, smart lights, etc. All those things are accessed through the Internet, not a local LAN. SmartCast TVs and printers are the small minority in houses full of 30-50 IoT devices; the only time you might need local access is for initial setup. Sorry to say, but what's idiotic is to say that hackers won't target IoT devices. They don't use them for their bandwidth. They use them to launch attacks on the rest of your network, like your phone and computer that you worry about.”
6) Basically, then, isn’t what they both wrote sound?
I’m seriously about ready to just throw all of this crap out. Candles and abacuses are looking better and better.
If you reply I will be completely astounded and deeply, deeply grateful. 🙂
Hi Dong,
I’m totally with you in one regard: I am also too old for some sh*t.
Your annoyance is unfounded in terms of my taking anything as “absolute”, “black or white”. The fact that I was posing questions backs up that I wasn’t doing either of those things. I was trying to learn.
“Make” you answer?
“Stupid” questions?
“With something you don’t know, don’t make assumptions.” Again: I ASKED QUESTIONS. That is the furthest thing from “making assumptions” as one can possibly get. It’s trying to LEARN.
Asking you to “take my problems as your own”? You’re giving yourself much more credit here than is warranted. I was asking questions in full understanding that you’re not an Oracle.
Ah! I DID make one assumption! I assumed that your having a comments section was so that people not as knowledgeable as you about these sorts of things could ask you questions and learn.
My bad.
You likely won’t (VERY likely won’t); but if you re-read what you wrote back to me, you thinking to yourself “God, I came across like a callous, hostile, arrogant a-hole” would be singularly appropriate.
Lori what you apparently did learn and can pat yourself on the back for seeing is that even a novice can detect the errors present in the above article. I’m learning more in the comments about how to integrate IoT devices than I did in the main article.
Hi Lori – I think am somewhat in the same boat as you -i.e. being new to the concept of network segmentation for the sake of personal security (although I have been building/using computers for the majority of my life).
I also have to agree that some portions of this article are a bit confusing/contradictory. So let me try to answer ‘some’ of your questions (which would also help me gather my own thoughts):
1) “using these IoTs with a Guest Wi-Fi network (and that might have been the case with some of them) wouldn’t have made any difference.”
My answer: I am assuming that Dong was referring to the fact that these users hadn’t bothered to change their default settings – which obviously means that their being on the Guest network (or any network for that matter) wouldn’t have protected them.
But what if they had actually configured their IoT devices correctly and then put them on the Guest network? Would they have been protected then? Maybe. It also depends on how the rest of their network was configured.
2) You go on to say “And enabling a Guest Wi-Fi network… by default, [is] isolated from the primary one (the “intranet” one?). As such “a device connected to the Guest Wi-Fi has access to the Internet but not your local resources, such as your shared folders or network printer.”
Ok, so this sounds like good security to me so far! IoTs and guest devices on the Guest Network can’t “infect” my main network, yes?
My answer: Yes, but it depends on your router settings. When creating guest networks there should be settings like “enable intranet access” or “isolate from main network”, etc. Configuring this would either isolate the guest network from your main/personal/intranet network, or allow access.
Some routers also have an additional setting: AP (Access Point) isolation. Enabling this would mean that devices connected to that particular network would not be able to talk to each other (i.e. inter-communication – which I think Dong’s article also touches upon).
3) I’m not necessarily worried that a guest is going to try and log in to my bank account. Still…wouldn’t them being on a Guest Network protect my MAIN network just in case any of their devices have malware or other bad stuff on them?
My answer: Yes, if your main goal here is to separate ‘your guests’ from your private network, then having a Guest network (which is isolated from accessing the intranet/main network) definitely helps (as compared to having just one big network).
Any level of network segmentation (done correctly) definitely helps towards achieving better security.
However, if your goal is to also protect your network from ‘uninvited guests’ (hackers) from the internet, then does the guest network isolation protect you? Only to a certain extent. It would ward off the curious neighbor/casual hacker, but it wouldn’t protect you against a professional, dedicated hack. This is because, although the guest network can provide some isolation, it’s still isolation only at a ‘software’ level. And software can always be cracked with the right resources.
Additionally – the general design of home routers tends to be inclined more towards convenience than security. (When it comes to networking, there is unfortunately an eternal struggle between convenience and security.)
So then what do you do? How do you proceed? Ask yourself these questions:
1. Do you simply want to ‘network-isolate’ people who visit your home, whom you may or may not know very well?
Then by all means go ahead with the guest network – with intranet isolation enabled and strong passwords.
2. Do you use semi-trusted IoT devices (Alexa, Smart TV from a known brand, Playstation, etc) and don’t think you’re at a major risk of a professional hacker coming after your finances, and want the simplest way to achieve a better level of security?
Look at configuring multiple Guest networks on your router (with strong passwords – different from each other, and your main network/internet), enabling intranet isolation, and enabling AP isolation (in cases where your IoT devices don’t need to communicate with other devices on that network).
If you’re looking for a new router I would suggest Asus – as it offers a good level of customization and receives frequent security updates.
Additionally – also look at updating the software/firmware on all your devices (and configuring strong passwords), and running scheduled antivirus/malware scans on computers and phones.
3. Do you use un-trusted IoT devices and consider yourself a potential target for a dedicated hack?
Then you might want to look at something more than the basic-isolation provided by Guest networks.
From what I have learnt so far, there are two main ways to attain ‘better’ network segmentation/isolation:
1) VLANs – Virtual LANs – These basically split up your network at a software level (similar to Guest networks), but provide more customization and are designed more with security in mind. However, they need specific hardware and software knowledge to set up and configure. You could read up more on these if you’re interested and a bit tech-savvy.
2) Multiple Routers – This is not only (relatively) simpler compared to setting up VLANs but is also ‘stronger’ in terms of security, because this approach provides ‘true’ isolation at a hardware level, which is very difficult (if not impossible) to get through. Each router will have its own firewall, physical and virtual addresses, etc.
But the downside is the additional cost and space for multiple routers (and cabling, etc).
No matter which route you take, I suggest you do some reading on it, because some things done incorrectly (due to lack of knowledge) could potentially make things worse!
Alright, this is pretty much all I have gathered so far. Hope I was able to add ‘some’ clarity, if not much. Good luck with your journey 🙂
Consumer grade, even some ProSumer grade all-in-one routers can’t securely handle this. A true gateway appliance is needed and it can and will through the use of VLANs… It is a small learning curve but you can write rules for anything.
My “trusted” networks can talk with my IoT devices, but not vice versa.
Let’s say my neighbor and I are at the fence between our properties. I would have to initiate the conversation and we could talk for hours. Now, if we are standing there and I have not initiated any conversation, he cannot see me… He could keep calling out my name and I would never hear.
Now
Anyone logging into my “guest network” cannot see each other, or anything else. So, someone comes over, needs to use the internet for something, well no problem. Give them the password, they log in, they are taken to a captive portal, agree to MY terms, and if it isn’t illegal, they have access for a set amount of time. It really isn’t that hard.
IE… Grandkids come over for a Sunday dinner… They talk, play games, whatever, even on the internet. But when it is close to dinner time, I can tell Alexa to “Stop happy time” (even though Alexa lives on the IoT VLAN), all access is killed, time for the family time. This type of control really isn’t that tough to learn/grasp.
Oh, the router you get from your ISP could be the worst thing in your LAN, and double NAT should be a last resort, especially when there are so many affordable solutions out there. And by that I mean a gateway that has NO wifi for around $100. The reason for no wifi is because YOU define what rules YOU want. The wifi will be controlled by the gateway.
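Two comments above describe the same segmentation design in words: the long reply to Lori (guest isolation, AP isolation, VLANs) and the gateway owner's rule that the trusted network may talk to the IoT VLAN "but not vice versa". The stateful-firewall logic behind that one-way rule is what makes the fence analogy work, and it is easy to misconfigure, so here is a small Python model of it. This is an added example, not code from the post, from any commenter, or from any router vendor; the zone names, the three /24 ranges and the sample addresses are constructed for illustration, and a real gateway would express the same policy as firewall rules rather than Python.

```python
"""Toy model of home-network segmentation: a trusted LAN that may initiate connections
to an IoT VLAN, an IoT VLAN that may only answer, and a guest SSID that reaches nothing
local but still gets to the internet. Added example; addresses and zone names are
constructed, not taken from any real router or from the post."""
import ipaddress
from dataclasses import dataclass

# Constructed example addressing: one /24 per segment. Anything else counts as "internet".
ZONES = {
    "trusted": ipaddress.ip_network("192.168.10.0/24"),
    "iot": ipaddress.ip_network("192.168.20.0/24"),
    "guest": ipaddress.ip_network("192.168.30.0/24"),
}


def zone_of(addr: str) -> str:
    """Map an IPv4 address to its segment name, or 'internet' if it is in none of them."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


class SegmentFirewall:
    """Stateful filter: a packet is either the start of a new connection, which the
    zone policy decides, or a reply to a connection already accepted, which passes."""

    # (source zone, destination zone) pairs allowed to OPEN a connection.
    ALLOW_NEW = {
        ("trusted", "internet"), ("iot", "internet"), ("guest", "internet"),
        ("trusted", "trusted"),
        ("trusted", "iot"),   # trusted side starts the conversation; IoT may only answer
        ("iot", "iot"),       # IoT devices that need to discover each other
        # deliberately absent: ("iot", "trusted")  -> one-way rule
        # deliberately absent: ("guest", "guest")  -> AP isolation between guest clients
        # deliberately absent: ("guest", "trusted"), ("guest", "iot") -> guest isolation
    }

    def __init__(self) -> None:
        self.flows = set()  # 5-tuples of connections we accepted as "new"

    def process(self, p: Packet) -> str:
        # A reply has the original tuple reversed; match it before consulting policy.
        reply_key = (p.dst, p.src, p.dport, p.sport, p.proto)
        if reply_key in self.flows:
            return "ACCEPT"
        if (zone_of(p.src), zone_of(p.dst)) in self.ALLOW_NEW:
            self.flows.add((p.src, p.dst, p.sport, p.dport, p.proto))
            return "ACCEPT"
        return "DROP"


def demo() -> dict:
    """Run the constructed scenarios from the comments through the policy."""
    fw = SegmentFirewall()
    laptop, speaker = "192.168.10.5", "192.168.20.9"          # trusted PC, IoT speaker
    guest_phone, guest_laptop = "192.168.30.7", "192.168.30.8"  # two visitors on the guest SSID
    cloud = "203.0.113.10"  # documentation address standing in for an internet service
    return {
        "trusted_to_iot": fw.process(Packet(laptop, speaker, 40000, 8080)),
        "iot_reply": fw.process(Packet(speaker, laptop, 8080, 40000)),
        "iot_initiates": fw.process(Packet(speaker, laptop, 50000, 445)),
        "guest_to_trusted": fw.process(Packet(guest_phone, laptop, 50001, 445)),
        "guest_to_guest": fw.process(Packet(guest_phone, guest_laptop, 50002, 22)),
        "guest_to_internet": fw.process(Packet(guest_phone, cloud, 50003, 443)),
        "iot_to_internet": fw.process(Packet(speaker, cloud, 50004, 443)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

The last two scenarios also illustrate Dong's point further down the thread: the isolation is local only, so a guest device and a trusted device both reach the internet, and any app that meets in the cloud keeps working between them. The one-way rule depends entirely on the connection table; a gateway that only filters by address pairs, without tracking state, would either block the IoT device's replies or have to let it initiate, which is exactly the misconfiguration the "read up on it first" advice warns about.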
My (admittedly limited) understanding of guest network isolation (at least in terms of a Netgear router) is that – contrary to Netgear documentation – when the guest network option is enabled on the router, it is NOT isolated. Though, as I said, evidently Netgear claims that it is.
This might differ from one model to another, Lori. But generally, by default, a Guest network is isolated from the main network. Note that the isolation is only limited to the local network and not via the Internet. For example, an iPhone connected to an isolated Guest network can still Facetime to another connected to the main network, or any network for that matter.
Thanks for replying! Truthfully, I’m so in over-my-head here I should probably keep quiet.
I have questions but need a little time to organize them better. May I write and ask for your feedback again?
FYI, Asus Guest Networks as an example are not isolated properly from the main guest network.
While they may appear to most clients and users as isolated, this isolation can be easily bypassed by anyone.
All a user needs to do is connect a second Asus router in repeater mode to the Guest network, and they will have full access into the main network.
e.g. Your primary RT-AX89U router running a guest network, using only the guest network credentials, a RT-AC68U can be connected as a repeater to the guest network, and any devices connecting to the repeater will have full access into the main network. Not isolated at all.
So I don’t trust Asus guest networks at all. I can’t speak for other manufacturers.
There’s no RT-AX89U router, Luke.
Sorry, mixed up RT-AX86U and RT-AX89X. Regardless, I believe the insecure Guest Networks are part of the AsusWRT code, not specific to individual models.
It’s not really a security matter, Luke. It’s like you should not consider your guests as security risk, in which case you shouldn’t have them over as guests. Things are not black and white. The Guest network is a matter of convenience, not security.
IoT devices with zero-days are known to give access to the local network.
Or the other way around: a local privilege escalation grants access to all IoT devices to put them in a botnet.
A lot of very cheap IoT devices do not have any serious (or even funny) way of security. So putting them in isolation is a good way to limit damage.
A guest network is a simple way to segment your IoT devices. The ones that do not work on it will shift to the normal network or, better, their own SSID.
The guest network is one of the simplest ways to achieve that security for the normal user. Yes, there are much better ways, but they are not accessible to normal users.
So there is nothing idiotic in using the guest network for IoT. It is in fact a simple and often effective way of protecting your stuff.
It is when you apply that to those that need intranet access to work, Erik, like printers, Wi-Fi speakers, etc.
Or, said differently, almost every IoT device in my home needs access.
Router: Obviously.
Switches & access points: Obviously.
Speakers: Yep.
Google Home/Nest displays: Yep.
Roku: Maybe not, but I don’t use it now, so I should probably just unplug it.
Chromecast, Android TV: Yep.
Printers: Yep (don’t even get me started on what a PITA cloud printing is)
Weather station console (reports data to Weather Underground): Probably not. Meh. I’ll take my chances that someone goes to all the trouble of hacking such a relatively uncommon device.
Samsung “Smart” TV: Probably not, but it’s so useless (other than as a monitor) I haven’t even bothered to connect it to my new router.
I’m sure I’ve forgotten some, but the best security solution for them is probably just to unplug them since I probably don’t use them anyway.
Nice list, 123. And PITA is absolutely accurate! 🙂
I think people are referring more to devices like Amazon Echo, Blink cams, Ring doorbell cams, robot vacuum cleaners, smart home plugs, smart lights, etc… all those things are accessed through the internet, not a local LAN. SmartCast TVs and printers are the small minority in houses full of 30-50 IoT devices. The only time you might need local access is for initial setup. Sorry to say, but what’s idiotic is to say that hackers won’t target IoT devices. They don’t use them for their bandwidth. They use them to launch attacks on the rest of your network, like your phone and PC that you worry about.
Thanks for the input. It’s a matter of degree. Also, I don’t think you actually read my post in its entirety.
I meant to say resources, not bandwidth. What you should realize is most people are not idiots. They already know their printers and TVs have to be on the same network if they want to access them. And it is not troublesome to reconnect them, unlike the 30 IoT devices they might have connected. Printers and TVs are not even considered “IoT” devices by most people. I think that is the confusion.
But also you should realize there is much a hacker can do with an IoT device (smart home devices). Even something simple like a smart plug is very capable of being a vector to sniff or infect your PC and phone. It’s idiotic to suggest hackers would not bother when it’s the first thing a hacker might do.
That being said, you are right in the sense they would probably go for the printer and TV first, since they are more capable and more likely to be on the same subnet. But probably not as easy to compromise as some cheap IoT device that has no security at all and doesn’t even get regular updates.
This is all much more practical than MAC address spoofing when you don’t know the Wi-Fi password. The cheap IoT device is probably more likely to expose the password than the TV and printer.
Probably out of scope of what you’re saying, but I feel it’s very important to segment the IoT devices. I just don’t trust the makers of these devices to focus on security. At all. People want security, but they have lousy equipment. You can’t really have it both ways. Get a good router. A real router. For home, a good router is the Netgate SG-1100. Not too expensive at all. Tons of videos on how to set things up and you’ll be a whole lot smarter on this stuff. Get a good wireless access point that supports VLANs. Ubiquiti makes really good ones. You don’t even need a managed switch. Again, videos on YouTube. IoTs are the low-hanging fruit. Their security is lacking, and they are an excellent attack vector to the private network.
I agree, Thomas, which is why you should get IoT devices from shady vendors.
Haha… I’m one of those that uses Guest Network for IoT devices. So far 90% of them work, including IP cams, smart home devices, etc. Chromecast I put on the main network as you would need to switch to the guest network to cast. The only ones that don’t like Guest Network are my LIFX bulbs. I can’t get them to connect to guest.
Yeah, you can make it work but it could be a pain and, if so, you deserved it, Peter. 🙂