What part is WiFi?

WSJ had an article about securing your IoT system. One of the recommendations was to run it on a separate SSID. My wifi/router is an Amplifi Alien and it has an SSID dedicated to IoT.

However, my SThings Hub is LAN wired to the wifi/router. I’m guessing that connection disables any use of a dedicated IoT SSID. Only my Honeywell thermostat required connection to a wifi in order to work.

Do all the devices (the ones that did not require an individual connection to the wifi) communicate directly to the hub and are not at risk by connection to the wifi?

Thanks.

There are different types of IoT radios like Zigbee, Z-Wave, and Thread, in addition to Wi-Fi. In the ST architecture, most Wi-Fi devices do not communicate directly to your ST hub, but rather over Wi-Fi to the ST cloud (on the Internet) which in turn talks to the vendor’s cloud to control the devices (again over the Internet). There are some exceptions such as smart speakers that can connect locally to your hub using Wi-Fi (and the use of Edge drivers on the hub) and for Matter over Wi-Fi devices. For those Wi-Fi devices that can locally communicate with the hub, it might be useful to have an IoT dedicated SSID. Whether having a different SSID for IoT or not makes a difference, that depends on whether your router has filtering in place to prevent one LAN/SSID from talking to another. If not, then having separate SSIDs is rather pointless, IMO.

For the other radio types I mentioned, they form their own mesh networks and then communicate locally with the hub using their designated radio frequencies. For those devices, having a separate IoT SSID makes no difference since they are not Wi-Fi devices.

Here is a diagram that explains the ST architecture:

ST Architecture

Even though your hub is wired via Ethernet to your LAN, if your router is advanced enough to create/manage what are called Virtual LANs or VLANs, you can set up rules to make wired devices essentially live on a virtual network alone or with other devices, including those on a WiFi IoT SSID. Therefore, with this kind of configuration your hub can talk to the Internet and to other devices on the same VLAN, including those on the IoT WiFi, but not to other stuff you’re trying to protect or keep separate, like your computer or phone, if that is how you set up the configuration.

Yes, it gets complicated! (And it’s not something with which I have much experience, so perhaps there are others here that can be of further help. It varies according to the features of your router, so the make and model number of said router is of extreme importance!)

Thank you for your explanation. My wifi shows which devices are connected to it. The only connected device is the Hub and, in my case, the Samsung Station. It shows the Hub as a Wired connection. While everything seems to be using a radio freq to connect, only the Hub shows as connected to the wifi and needing the wifi SSID/Password. A wired connection does not really use an SSID, so I think my router’s feature to offer an alternate SSID for IoT does not apply here. I will gladly accept an alternate explanation. Thanks for your help. The diagram is very helpful.

Regarding the IoT feature of your router, according to their help pages it’s only for wireless devices connected to that special SSID and does not mention any option to assign Ethernet ports to the IoT VLAN.

At least AmpliFi isolates the IoT network; TP-Link also has an IoT network but does not isolate anything, it’s just marketing.

Matter over WiFi devices will not work in your configuration if the hub belongs to one network and the devices to another. Although you also mentioned a “Samsung Station”, did you mean a SmartThings Station or a DeX Station? Just to confirm that you don’t have two hubs in different networks.


I find that there are a couple of issues that are particularly prominent when working with smart devices:

  • Band steering might not work and even if it does you might not want it because …
  • Various ‘discovery’ processes that are used in the installation of devices can be confused if they cross access points (including 2.4G and 5G bands), though once installed it is usually enough to be on the same IP network.

So I find it better to have multiple SSIDs to provide clarity. There might be some appeal in separating the IoT/smart devices out from the well behaved devices but it certainly wouldn’t be a single SSID for them.

However I don’t see any particular security benefit there. I think for that you need something a little more ‘advanced’ along the lines of separate IP networks and VLANs. Separate SSIDs would be largely incidental.


In my previous comment there’s the link to that IoT network feature; it’s indeed a separate network with isolation, not just a separate SSID.

It only works for wireless devices though. Still, it’s a good fit if there’s any untrusted cloud-based device, like a cheap generic no-brand device purchased from an unknown vendor in a marketplace. That device will work through the cloud just fine but will not be able to communicate with the main local network, thus minimising any risk of the device having backdoors, spyware, vulnerabilities, etc.

Yes, there are models of routers and/or Wi-Fi access points that can provide isolation with relatively little configuration required. Case in point, the ST Wi-Fi hub (Plume). There are three SSID types supported: full local access plus Internet, limited local device access plus Internet, and Internet only. The limited local access SSID type would be ideal as an IoT network since it prevents lateral movement between devices but allows devices to connect to the hub only.

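Added example, not code from any poster in this thread nor from SmartThings, AmpliFi or Plume: a small Python model of the two router behaviours the replies above contrast. The first policy is a second SSID with no filtering between networks (the case one reply calls pointless); the second is an IoT VLAN with the "limited local access" style rules described in the last reply, where IoT clients can reach the hub and the Internet but not each other or the trusted LAN. The zones, addresses, host names and rules are all constructed for the example; `audit()` is an assumed helper that checks a rule set against those isolation requirements, the kind of check worth running before trusting a router's "IoT network" label.

```python
"""Model router filtering between a trusted LAN, an IoT SSID/VLAN and a wired hub.

All zones, addresses and hosts are constructed for the example; they do not
describe any real router configuration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zones. In a real deployment each is a VLAN subnet; the hub is
# wired into the trusted subnet, so it is matched by a more specific prefix.
ZONES = {
    "hub":     ip_network("192.168.1.10/32"),
    "trusted": ip_network("192.168.1.0/24"),
    "iot":     ip_network("192.168.20.0/24"),
}
INTERNET = "internet"
ANY = "any"


def zone_of(addr: str) -> str:
    """Map an address to its zone; the longest matching prefix wins, anything
    outside the local subnets is treated as the Internet."""
    if addr == INTERNET:
        return INTERNET
    ip = ip_address(addr)
    matches = [(net.prefixlen, name) for name, net in ZONES.items() if ip in net]
    return max(matches)[1] if matches else INTERNET


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    action: str  # "allow" or "deny"

    def matches(self, src_zone: str, dst_zone: str) -> bool:
        return self.src in (ANY, src_zone) and self.dst in (ANY, dst_zone)


# Policy 1: separate SSID, but the router does no filtering between networks.
NO_FILTERING = [Rule(ANY, ANY, "allow")]

# Policy 2: IoT VLAN with client isolation; only the hub and the Internet are
# reachable from IoT, while trusted clients may still manage IoT devices.
ISOLATED_IOT = [
    Rule("iot", "hub", "allow"),      # hub-local devices (e.g. Matter over Wi-Fi) keep working
    Rule("iot", INTERNET, "allow"),   # cloud-controlled devices keep working
    Rule("iot", "iot", "deny"),       # no lateral movement between IoT devices
    Rule("iot", "trusted", "deny"),   # no reach into laptops/phones
    Rule("trusted", ANY, "allow"),
    Rule("hub", ANY, "allow"),
    Rule(ANY, ANY, "deny"),           # explicit default deny
]


def is_allowed(policy, src: str, dst: str) -> bool:
    """First-match evaluation, as a router ACL does; implicit deny at the end."""
    s, d = zone_of(src), zone_of(dst)
    for rule in policy:
        if rule.matches(s, d):
            return rule.action == "allow"
    return False


# Constructed hosts used to show what a compromised device could reach.
HOSTS = {
    "laptop": "192.168.1.50",
    "phone": "192.168.1.51",
    "hub": "192.168.1.10",
    "bulb": "192.168.20.7",
    "plug": "192.168.20.8",
    "cloud": INTERNET,
}


def reachable_from(policy, src_name: str, hosts=HOSTS) -> set:
    """Names of every host a client at src_name could open a connection to."""
    src = hosts[src_name]
    return {name for name, addr in hosts.items()
            if name != src_name and is_allowed(policy, src, addr)}


def audit(policy) -> list:
    """Return the isolation requirements a policy fails to meet (empty = passes)."""
    checks = [
        ("iot must not reach trusted", not is_allowed(policy, HOSTS["bulb"], HOSTS["laptop"])),
        ("iot must not reach iot", not is_allowed(policy, HOSTS["bulb"], HOSTS["plug"])),
        ("iot must reach hub", is_allowed(policy, HOSTS["bulb"], HOSTS["hub"])),
        ("iot must reach internet", is_allowed(policy, HOSTS["bulb"], HOSTS["cloud"])),
    ]
    return [name for name, ok in checks if not ok]


if __name__ == "__main__":
    for label, policy in (("separate SSID only", NO_FILTERING), ("isolated IoT VLAN", ISOLATED_IOT)):
        print(f"{label}: a compromised bulb reaches {sorted(reachable_from(policy, 'bulb'))}")
        print(f"  audit failures: {audit(policy) or 'none'}")
```

Running the script shows the bulb reaching every host under the no-filtering policy and only the hub and the Internet under the isolated one, which is the difference between "a second SSID" and "a second network with isolation" that the replies draw. The `audit()` checks are the properties to confirm on a real router, for example by trying to reach a trusted-LAN host from a client on the IoT SSID.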