IoT SSID on G3100
Observer1
Enthusiast - Level 3

When I associate devices with my Guest SSID on the G3100 (and extender), they are assigned IP addresses on a separate guest subnet (192.168.200.x, router is 192.168.200.1) and are isolated from my primary subnet.

When I associate devices with the newly supported IoT SSID on the G3100 (and extender), they are still assigned IP addresses on the primary subnet (192.168.1.x, router is 192.168.1.1) and are not isolated from my primary subnet.

If one of the objectives of an IoT "network" is to isolate IoT devices from my devices containing sensitive information, then associating IoT devices with my Guest SSID would appear to be a better choice, although this is counter-intuitive and exposes my guests to misbehavior by my IoT devices.

Also, I did enjoy being able to review all my devices by SSID (Primary, Guest, and IoT).  And collapsing IoT and Guest loses something.

I'd appreciate hearing from others more experienced in networking.  I appreciate Verizon attempting to bring some network isolation features to the masses, but perhaps someone could explain why they would make this deliberate choice, since the newly supported IoT "network" reasonably suggested it would include some form of isolation.  (Going above my pay grade...  Why not create another subnet for the IoT SSID?  If IoT devices must directly communicate with one another, they should be able to, residing on their own subnet.  If an IoT device simply must be able to access a primary subnet device, then could a special route be created to accomplish that?)
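As an added example (not code from the original post or from Verizon), here is the check the "experimentation" described above amounts to: run it on a laptop joined to the SSID under test, passing that laptop's address, and it reports which subnet the client landed on and whether a host on the primary LAN still answers a TCP connection. The two subnets come from the post; the probe targets and ports are assumptions.

```python
import ipaddress
import socket
import sys

# Subnets reported in the post: Guest clients get 192.168.200.x, IoT and Primary clients 192.168.1.x.
PRIMARY_NET = ipaddress.ip_network("192.168.1.0/24")
GUEST_NET = ipaddress.ip_network("192.168.200.0/24")
# Assumption: primary-LAN hosts that normally accept TCP (the router's admin UI, per the post).
PRIMARY_PROBE_TARGETS = [("192.168.1.1", 80), ("192.168.1.1", 443)]


def classify_client(ip: str) -> str:
    """Name the subnet the client address was assigned from."""
    addr = ipaddress.ip_address(ip)
    if addr in GUEST_NET:
        return "guest"
    if addr in PRIMARY_NET:
        return "primary"
    return "unknown"


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True only if a full TCP handshake with host:port completes before the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def isolation_verdict(client_ip: str, reachable: list) -> str:
    """Combine subnet placement with the list of primary hosts that answered a probe."""
    if classify_client(client_ip) == "primary":
        return "NOT isolated: client sits on the primary subnet (what the IoT SSID does here)"
    if reachable:
        return "WEAK: separate subnet, but primary hosts still answer: " + ", ".join(reachable)
    return "isolated: separate subnet and no primary host answered"


def main() -> None:
    # Usage: python check_isolation.py <this device's IP on the SSID under test>
    ip = sys.argv[1] if len(sys.argv) > 1 else "0.0.0.0"
    print(f"client {ip} -> {classify_client(ip)} network")
    answered = [f"{h}:{p}" for h, p in PRIMARY_PROBE_TARGETS if tcp_reachable(h, p)]
    print(isolation_verdict(ip, answered))


if __name__ == "__main__":
    main()
```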

Re: IoT SSID on G3100
Cang_Household
Community Leader

As stated in the updated G3100 user manual:

The IoT Network is designed to provide an easier setup experience for your Internet of Things (IoT) devices which benefit from connecting to the 2.4 GHz band while keeping your Primary Network settings unchanged. IoT devices and Primary devices can communicate with no firewall restrictions separating them.

The addition of the IoT SSID is for allowing legacy IoT devices to connect to the 2.4GHz band without being interfered with by the Self-Organizing Network mechanism on the normal 2.4GHz and two 5GHz radios. Before the creation of the IoT SSID, legacy IoT devices frequently disconnected when connected to the main wireless radios with SON enabled.

Guest network on the other hand is created for isolation. The newest firmware not only separates the Guest SSID into a separate subnet, but also separates between guest devices (to align with G1100's Guest Network feature).

If you need isolation, simply put your IoT devices onto the Guest Network.

Re: IoT SSID on G3100
Observer1
Enthusiast - Level 3

...The addition of the IoT SSID is for allowing legacy IoT devices to connect to the 2.4GHz band without being interfered with by the Self-Organizing Network mechanism on the normal 2.4GHz and two 5GHz radios. Before the creation of the IoT SSID, legacy IoT devices frequently disconnected when connected to the main wireless radios with SON enabled...

While moving IoT devices to a separate SSID may remove undesirable side-effects on SON-enabled networks, the security isolation objective is not met:

FBI Warning regarding IoT 

It seems to me that, until Verizon organizes the IoT SSID devices as a separate subnet (as it does in the case of the guest network), any user wishing to heed the FBI's advice should associate their IoT devices with their Guest SSID, disable SON, and disable the IoT SSID (because it is insecure).

The point I was trying to make is this:  Verizon may be misleading consumers into thinking they are addressing security recommendations by offering an IoT SSID.  If they have created a false sense of security, they have done consumers a serious disservice.

I was hoping someone would pick up on this concern and comment. 

Finally:

Guest network on the other hand is created for isolation. The newest firmware not only separates the Guest SSID into a separate subnet, but also separates between guest devices (to align with G1100's Guest Network feature).

I read elsewhere in the forums that the G3100 Guest isolation does not isolate devices from one another (as had been the case in earlier routers supplied by Verizon).  The guest subnet is simply isolated from the primary subnet.

Re: IoT SSID on G3100
Cang_Household
Community Leader

@Observer wrote:
While moving IoT devices to a separate SSID may remove undesirable side-effects on SON-enabled networks, the security isolation objective is not met.

In your FCC citation, they apparently simplify the definition of IoT to "everything else in your home that connects to the world wide web." Users have had the ability to disconnect any device on the network from the Internet through Firewall Access Control since long before the Guest wireless network and IoT network became features. Again, the Guest network is there for isolation. In fact, previous G3100 firmware and current G1100 firmware allow all wireless networks to be isolated through unbridging. In summary, there are at least 3 or more remedies available at customers' disposal to address FCC's concerns.

@Observer wrote:

Verizon may be misleading consumers into thinking they are addressing security recommendations by offering an IoT SSID.  If they have created a false sense of security, they have done consumers a serious disservice.

Verizon never advertised that the IoT network was created for the purpose of enhancing wireless network security. Customers should take a deeper look than just making assumptions based off a new SSID name. Furthermore, the updated G3100 manual clearly states the IoT wireless network is not isolated from the primary network. How do you secure your home network without understanding the operating mechanisms of your networking devices? The same argument would go for how do you secure your home without understanding the operating mechanisms of your alarm system?

@Observer wrote:

I read elsewhere in the forums that the G3100 Guest isolation does not isolate devices from one another (as had been the case in earlier routers supplied by Verizon).  The guest subnet is simply isolated from the primary subnet.

I believe the user who made that statement is jlg2. As our CLs pointed out over there, jlg2 pivots his point on the premise that the G3100's guest network operates differently from that of the G1100. Now that the G3100's guest network is very similar in mechanism to the G1100's, the scenario suggested by jlg2 will not work.

Re: IoT SSID on G3100
Observer1
Enthusiast - Level 3
While moving IoT devices to a separate SSID may remove undesirable side-effects on SON-enabled networks, the security isolation objective is not met.

In your FCC citation, they apparently simplify the definition of IoT to "everything else in your home that connects to the world wide web." Users have had the ability to disconnect any device on the network from the Internet through Firewall Access Control since long before the Guest wireless network and IoT network became features. Again, the Guest network is there for isolation. In fact, previous G3100 firmware and current G1100 firmware allow all wireless networks to be isolated through unbridging. In summary, there are at least 3 or more remedies available at customers' disposal to address FCC's concerns.

In that citation the FBI, not the FCC, recommended isolating IoT devices from sensitive data in our home networks.  They did not recommend that disconnecting the devices from the network was a solution, which you appear to be suggesting could have worked long before Verizon decided to support an isolated Guest subnet and its new IoT SSID.  I'm not sure how you envisioned the IoT devices would have worked, though, disconnected from the Internet (the "I" in "IoT").

When someone writes "in summary", it usually follows detailed information that is then summarized.  Please share with the forum the "at 3 or more remedies available" to G3100 users that may be used to isolate their IoT devices.

Since you present yourself as an expert w.r.t. the G3100, would you mind also explaining how we users can configure the G3100 ethernet ports, such that all devices connected to a given port would be on the isolated subnet(s)?  (Using an earlier Verizon-supplied router that did not support 1Gb/s speeds, I was able to do this using VLANs and my own access points connected via ethernet.)

Thank you.

Re: IoT SSID on G3100
Observer1
Enthusiast - Level 3

@Observer wrote:

Verizon may be misleading consumers into thinking they are addressing security recommendations by offering an IoT SSID.  If they have created a false sense of security, they have done consumers a serious disservice.

Verizon never advertised that the IoT network was created for the purpose of enhancing wireless network security. Customers should take a deeper look than just making assumptions based off a new SSID name. Furthermore, the updated G3100 manual clearly states the IoT wireless network is not isolated from the primary network. How do you secure your home network without understanding the operating mechanisms of your networking devices? The same argument would go for how do you secure your home without understanding the operating mechanisms of your alarm system?

If you carefully read my original post, you will realize that you are restating things that I have either already stated, or posing a straw man argument. While I appreciate you taking the time to respond to my queries, your desire to "explain" (in this thread and another) appears to sometimes cloud comprehension of the underlying issue raised.

When we get into a discussion of human factors, and how consumers behave, we should think through the inferences of design and product decisions.  I doubt as many as 1% of G3100 users read the manual.  Instead, they use the UI and infer and assume.  If they have ever heard -- somewhere -- of the need to isolate IoT devices, and discover that the G3100 offers a dedicated IoT SSID, it would be quite reasonable to assume it was for the purpose of isolation (and not to address some geeky, SON-related radio inefficiencies).  I jumped to that conclusion myself.  However, after some experimentation, I realized that no isolation was included.  That is why I posted my note.  I wanted to alert those who read forums to beware, and perhaps (long shot) entice Verizon to consider including isolation as a feature of a separate SSID for IoT devices.

Re: IoT SSID on G3100
gs0b
Community Leader

Creating a dedicated "IoT" network and expecting users to know it's just a separate 2.4Ghz radio is like calling ADAS features "Auto Pilot" and expecting drivers to know they have to keep their hands on the wheel at all times.

Bottom line is folk who want to create a truly isolated network for IoT devices can't do it with Verizon hardware.

Re: IoT SSID on G3100
Observer1
Enthusiast - Level 3

@gs0b wrote:

Creating a dedicated "IoT" network and expecting users to know it's just a separate 2.4Ghz radio is like calling ADAS features "Auto Pilot" and expecting drivers to know they have to keep their hands on the wheel at all times.

Bottom line is folk who want to create a truly isolated network for IoT devices can't do it with Verizon hardware.
I agree that it's misleading and confusing.  But we should expect awareness to slowly improve that IoT devices should be isolated, and Verizon dangling that new IoT SSID (that doesn't isolate) in front of naive users will make things worse.

Simply putting it on a separate subnet would provide some isolation, at least, and would presumably be trivial to implement, with side-effects that could be mitigated.  And then Verizon could have trumpeted it as part of their new routers, thereby influencing and educating the public to do more than the "nothing" they are in the process of cementing under the guise of "use this special IoT SSID" for your IoT devices.

I created an isolated VLAN with earlier Verizon gear and a managed switch, but frankly it's a bit fiddly for home use.  And my old gear didn't handle the new 1Gb/s speeds I now enjoy.  I'd accept the limitations of merely isolating the traffic on a separate subnet in exchange for the ease of trivial and "standard" config.  For now, I guess I'll stick my IoT devices on the guest network and disable SON (and the misleading IoT SSID).

Re: IoT SSID on G3100
Cang_Household
Community Leader

Our CLs proposed long ago to bring back the VLAN feature included in the BHR3. The VLAN feature did not make it to the BHR4 (Quantum Gateway Router, or G1100), and is still missing on the BHR5 (G3100).

Speaking as a customer myself, bringing back VLANs and expanding the Firewall features would solve the IoT issue/dilemma once and for all. Let's see whether our customers can influence the engineering team to embark on this tough VLAN upgrade journey.

Re: IoT SSID on G3100
jlg21
Enthusiast - Level 3

Is the Guest network still limited to 10 connections?  If so, using it to comply with FBI security guidelines is only useful for users who don't have many IoT devices and guests.
