Network Segmentation and Security

Brucehankins

So, I'm not a SysAdmin or Network Engineer, but I do have an interest in networking, security, and generally all things IT. I've been trying to learn more about network architecture, security, administration, and best practices from reliable sources like Trend Micro, Cyber Reason and other sources, but I'm curious what is your approach to network security?
I understand the trade-offs in privacy/security over convenience, and I want to maintain a balance. I use Google products and services, have smart devices, wifi lights, and a smart tv. I've set up my own mesh network with owned equipment, no ISP equipment in my network, and changed out my ISP DNS resolver for Cloudflare. I've set up a separate SSID for IoT devices without access to the intranet, but haven't fully segmented my home network. I want to maintain a level of usability and ease of use for everyone in my home. Both SSIDs use wpa2/wpa3, and WPS is turned off. I've also got traffic monitoring enabled, though I'm still new to that, and try and keep things pretty tidy. What is everyone else here doing to secure their home networks? Do you segment with a guest network/separate SSID for IoT devices? Do you fully segment your intranet? What are some other best practices or tips you'd have for someone new to this field on how to provide more security (not looking for full Enterprise level security)?

brent

Brucehankins
Security thru elimination. I eliminate everything on your list. Minimizing risk is my strategy. Ether cord. No wifi. I watch tv on my Smart tv. No cloud. The convenience point you make not really a factor. If I thought any of that was useful for my life I'd use it. And a firewall on the Solus end. You can't control your ISP in any way so we are all helpless on that side.
No google at all except youtube, not even search engine. No Microsoft at all in my life except Outlook (work).
**Would I gladly forsake every inch of my house and room patterns and footage usage and furniture positions to send to the fine Roombah people daily so I did not need to vaccuum anymore? Tempting😉.

brent

Brucehankins WiFi is a must for us, too many devices moving around the house all the time, but again, trying to do my due diligence and make sure it's secured the best I can. Anybody with any know how could probably beat my defenses, but hopefully it's enough to keep the low level traffic out.

I think segmentation is the right way to be thinking a for a home. I've dabbled in network monitoring but I don't know what the he** I'm looking at half the time. UFW is fine but someday I'd LOVE to write custom rules for my iptables. (Not there yet in my linux education.)

Brucehankins , and changed out my ISP DNS resolver for Cloudflare.]

I always see this recommended but I forget what it does.

Brucehankins

brent yeah I use Office365 and Edge for work, but that's a separate enterprise account and separate hardware. On the firewall side I have it set up on my mesh system and use UFW on my machines. Streaming services are the only way we get tv now, and I figure it doesn't matter much if it's LG's webOS, Roku, or Chromecast, it's all connected and vulnerable somehow. WiFi is a must for us, too many devices moving around the house all the time, but again, trying to do my due diligence and make sure it's secured the best I can. Anybody with any know how could probably beat my defenses, but hopefully it's enough to keep the low level traffic out.

Brucehankins

brent I always see this recommended but I forget what it does.

DNS resolvers are what take the IP address and make it human language friendly. So you type in getsol.us instead of 129.21.198.70. Changes from the default DNS resolver to one of the users choice, basically pulling just a tiny bit of your data away from the ISP. Also the DNS provided by the ISP (at least in the states) is typically slower and not as good as caching information as others available, so your web experience may be a little bit better.