Is a VOIP device on a Home LAN a security risk ?

I have used VOIP for a number of years, (via a Gigaset N300A and Gigaset phones), and the system works well via two separate VOIP providers, (Sipgate and Voipify).

However, I have a minor concern that the Gigaset N300a is on my Home LAN Network which means that other Devices on my Home LAN can access it and presumably visa versa. - (Obviously, I changed the N300a access password when I installed it so it has some password protection).

Is this a potential backdoor into my Home LAN ?

If I just used the ISA provided router I would not really have a choice, (without using additional ethernet port switch equipment), especially since the Gigaset N300a only has an ethernet connection but I have my own router so I do have a choice and I know how it can be done.

ie. On my own router I already have a WIFI Guest Network to isolate certain WIFI Devices from any devices on my Home LAN and yesterday I set up Ethernet Port 4 on my own router to be a VLAN Ethernet Port that is on my Guest WIFI Network and not on my Home LAN.

Is any of this necessary ?

Is a VOIP device on the home ethernet network a potential security risk ?

If so, what about Smart TVs ?

In reply to a post by Fido:

Is a VOIP device on the home ethernet network a potential security risk ?

If so, what about Smart TVs ?

I have used Voip for the past 10 years I have not encountered and security problems. One advantage is that the end point can be portable. Some Voip ISPs will ring more than one registered device for incoming calls.

I too have happily used VOIP for some years and I like the system.

Attached to my Gigaset N300a are six C575A Gigaset Phones that ring when calls are received and unused handsets can also ring when additional calls are received on my second VOIP Account so operation wise the VOIP System is great.

The query is about any potential security risk of VOIP devices being located on the routers Home LAN Network and the fact that if it is located on the Main Home LAN this means that it is on the same LAN as other devices that access internet banking etc.

Maybe this could never be a concern but if it is not ever a concern then why not?

The N300a does have a password but it is just a 4 digit numeric code number which is normal for VOIP but which may not be ideal from a Home LAN security viewpoint.

I do not know and that is why I asked the question.

As I said; I have already set up a VLAN on ethernet port 4 of my Asus RT-AX88U Pro Router and this VLAN is attached to my main WIFI Guest Network so it is isolated from the Main Home LAN Network but is this really necessary or even recommended for VOIP devices ?

On a separate issue; last year we bought a new all singing/dancing Cannon Printer/Scanner that actually works great as a device but in order to use the Cannon Software for it, we needed to agree to Cannon T&C that seemed to allow Cannon far more access to my personal information and my devices than I was comfortable with; so I located this Cannon Printer/Scanner on my Guest WIFI Network which means that my other devices need to login to my Guest WIFI in order to access the Cannon Printer/Scanner (which is a slight hassle) but it restricts its access to my Main LAN Network Devices.

Perhaps, I am being too cautious.

You can never be too cautious about security.

I'm using an N300A here with Gigaset handsets. I've got a Draytek router here so have set it up on a separate router port not used with anything else and given that port its own subnet numbering.

I vaguely remember some security issues around VoIP a number of years ago, but that was at the supplier level not the user level. I think it was about others gaining access to the system and making lots of expensive calls. Nowadays most providers allow you to set a maximumcharging limit on the account.

Generally speaking if you can't setup its own subnet then putting it on the Guest network is a good idea.
And yes, printers have historically been known as weak links in these networks.

Well in some ways I am pleased that I am not alone.

As I understand it; if we were just using the router that was supplied by the ISP, (in my case BT who provide a SH2), that would limit the options available to us, (if we did not add a Heath Robinson System of manager ethernet switches to the networks or a third party router behind the ISP Supplied Router), but since we use our own routers we have choices that are easier to adopt.

The potential problem may not just be limited to the VOIP System Devices and printers as can be seen from the attached link;

https://solutionsreview.com/wireless-network/wireles...

In some ways the potential problem, (if a recognised potential problem does actually exist), could be quite large in that there are many ethernet devices that have weak security and since our own house was fully wired up with Cat6A Ethernet Cabling some years ago we may be better off just putting all of the ethernet items in the whole house onto one IoT (Internet of Things) Network and keep the main WIFI Network separate for more security conscious devices which does seem counter intuitive but with a house already fully wired for with Cat6A Ethernet it may be a good policy.

The additional devices that I am slightly concerned about are;

(1). The Hive Heating Control System.

(2). The Smart TVs.

(3). The BSkyB Sky Q Boxes.

(4). The Xbox/s.

(5). etc.

Are any of the above devices potential security risks?

I suspect that most Third Party Routers will give their owners options: do not know a lot about the Draytek Router, (even though it has a good reputation) but the Asus RT-AX88U Pro offers large number of Guest Menu options including what it calls an IoT Network.

The N300A and the Cannon Printer/Scanner will definitely stay isolated but I am not sure how to proceed regarding the other devices listed above and a separate ethernet IoT Network for all these devices may be the best way forward. - I do not know.

Hi Folks,
As an ex- professional paranoid, I have been using Gigaset systems for decades - they work fine. As mentioned, the base station only has a four digit PIN to protect the settings on its web page (and only works with HTTP, so web connections with it are insecure). But ... why on earth would you make that web page accessible outside your local LAN? That would be unwise, so don't do it.
The DECT phones themselves do not use local IP network connections, so they are not a problem -- they only talk to the DECT base station using DECT radio signals (and those are protected using DECT's own point to point encryption). If you're a target for governments, worry about that -- otherwise the DECT radio side of things is not reaally an issue.
[Some DECT phones can also connect to bluetooth headsets, but again that's purely point-to-point between the phone and the paired headset and does not use the local IP network]
I AssUMe that your router is set up to block incoming IP connections and allow all outgoing IP connectioins -- that tends to be the default for most ISP-supplied routers. If not, really consider that, as that's your main problem.
If it IS set to block incoming IP connections, you should set a static local IP address for the base station, and you will have to set up port forwarding rules to allow just what's needed for SIP registration & VoIP calls. I set the DECT base station to use fixed port for SIP, and use a fixed range of ports for audio (RTP), make a note of those, and set the matchiing port forwarding rules in the router.
Note: I do NOT set port forwarding rules for port 80 (i.e., the base station's web page) to the DECT base station, so nothing outside the local IP network can see that page. For SIP registration & for VoIP calls, you only need SIP & RTP ports to be "visible" to the outside world, which the port forwarding rules you have set up will allow.
The remaining issues are:
- do you trust devices on your local IP network? That's a whole different question, so it's "left as an exercise for the student"
- in principle, any remote devices could attempt to make incoming VoIP calls to your DECT system -- not just your VoIP provider. To be honest, that's not really a problem for most people; the fashion for SPIT/lawnmower attacks went away years ago so it doesn't really happen any more. The Gigaset base stations are pretty simple, so remote attempts to SIP register with them will fail -- they just don't support that.
all the best, Lawrence

It depends on your threat model. What about your security relies on maintaining the network edge as the boundary between trusted and untrusted?

In reply to a post by jpm:

It depends on your threat model. What about your security relies on maintaining the network edge as the boundary between trusted and untrusted?

What threat model should I have ?

My router has a hardware firewall with Trend AI Network Protection fully Enabled and on my main browsing devices I use Kaspersky Premium.

I would like to say that I am well up on internet security and that I have a well thought out threat model but I am not and I don't.

Regarding internet security, I count myself as a just home user with very limited knowledge but I can normally find my way around electrical/electronic devices and could repair the hardware on them when I was younger.

Using Shields Up my home internet set up seems to be stealthed.

When I set my Nord VPN to another area, (to change my IP address from that used by my router), I could not access the Home LAN IP address of my N300A but I suspect that if I had spoofed it to my to my router IP address that it may have been accessible but I do not know.

I know that at least one device on my Home Lan Network seems to be accessible from the internet. ie. The Hive Heating Control System as when I set my Nord VPN to another area my Hive Control System is still accessible from so I plan to move that to a VLAN Port but I do not know if this is needed or not.

Should The Hive Heating Control System, The Smart TVs. The BSkyB Sky Q Boxes or The Xbox/s be considered as being potential security risks?

Edited by Fido (Sat 07-Feb-26 19:48:30)

@Fido,

IMHO, I would NOT use ANYTHING from Kaspersky as they are a RUSSIAN company and you could be, possibly, allowing Russia to gain access to UK networks. You should use a UK based suite that can allow you to feel safe on your main browsing device.

HTH,

In reply to a post by mking90031:

IMHO, I would NOT use ANYTHING from Kaspersky as they are a RUSSIAN company and you could be, possibly, allowing Russia to gain access to UK networks. You should use a UK based suite that can allow you to feel safe on your main browsing device.

This is a separate issue and it is not totally relevant to this thread but thank you for reminding us about the links between Kaspersky and Russia.

FWIW, I have used Kaspersky for over 10 years without any issues so they already have my info and since I bought about four years of Kaspersky Premium 10 devices licenses when they were cheap in the sales I already have the licences so I may as well use them.

That said; A few years ago, (due to the actions of Russia in Ukraine and the reported links between Kaspersky and Russia), I bought Norton 360 instead but Norton was rubbish.

https://forums.thinkbroadband.com/security/f/4733444...

Worst than that Norton destroyed the Windows 10 Operating System Restore Points when it was installed so I could not revert the PC back to where it was before Norton was installed and I had to carry out a clean install of the Windows 10 Operating System after Norton was removed to get the PC working properly again.

Using the Kaspersky removal tool at least Kaspersky can be removed without causing PC issues.

I already had a few years of Kaspersky Premium 10 devices that I had bought in the sales and I still have another 12 months left so I will keep using Kaspersky for the next 12 months.

I considered Bitdefender but that is from Romania which is probably as bad as Russia.

My only beef with Kaspersky is regarding the actions of Russia in Ukraine but since I still have licences bought years ago so I and not buying new licenses and putting new money into their accounts.

@Fido,

Once your licenses expire, you should just use the builtin suite that MS provide, Defender and Firewall. It puzzles me why people, like yourself, choose to install a different suite when Windows comes pre-installed with an adequate suite. This is a bit like having a car with a suitable engine to get from point A to point B but deciding to use a different engine just because it "might" be better. What's the point???? Someone answer me that one!?! I can understand installing something if you were using a flavour of Linux but Windows (not sure about Mac OS...never used it as I can't really afford it), as already mentioned, has it's own in-built suite that does a pretty good job of protecting a PC.

Sorry about the rant but this is something that I do feel passionate about. There is not much good about Windows but at least they supply a FREE suite that does an adequate job. So why pay money unless there is a REAL need to protect something. Just implent a good backup plan and you shouldn't really need to spend any money beyond buying a large hard disk (> 2TB IMHO) and keeping important files off the internal storage. This is what I do and it's worked for a couple of decades now. If something happens to my device I just need to re-install the OS and apps and I haven't lost anything important. I do know that if something happens to the HDD then I might be gutted but the REALLY important files I do have cloud backup and a 2nd HDD (and several USB sticks) as a real fail-safe.

HTH,

In reply to a post by mking90031:

not sure about Mac OS...never used it

MacOS doesn't include a scanner or suchlike that you can run at will, but it does include built-in protections that are probably enough for most users.

Recent article from MacWorld here- https://www.macworld.com/article/670537/do-macs-need...

the biggest problem with Kaspersky was KSN, which could if it fell into the wrong hands turn into a bot.net. The whole thing about Kaspersky breaking usa state level viruses (which upset the usa) is the job its meant to do. Also an American security contractor was using a dodgy product serial generator for ms office and kaspersky found that. Of course thats its job but gov made out that kaspersky was going after security people.

But Eugine Kaspersky became more and more closer to the kermlin regime - especially after '22. So by nature Kaspersky software became a potential high grade risk.

As for microsofts AV, whilst is good and for most people thats fine, if you want better control, look else where.

The infection points for pcs, unknown storeage devices that are plugged in, downloaded files(programs, images, zips etc), infected emails and websites.

So for instance you don't really need realtime scanning on everything. Whilst ssds have reduces system sluggishness from scans its still present and you are wasting cpu cycles.


Voip is not a lan security risk but the security risk is in the encryption side. Say your calls have no encryption and somebody has snaffled your voip creditals.

What is considered to be the best alternative to Kaspersky Premium 10 Device, (even though we only use 4) ?

In reply to a post by Taras:

Voip is not a lan security risk but the security risk is in the encryption side. Say your calls have no encryption and somebody has snaffled your voip creditals.

The theory is that certain items have poor access security, eg. smart watches camera systems, printers, etc. and if these devices are located on the main Home LAN that these devices are security risks in the Home LAN.

To mitigate against the perceived risks an "Internet of Things LAN", (an IoT LAN), is created in order to separate the devices that are considered more risky to the Home LAN security can be separated onto their own Separate LAN.

Are you saying that there is no risk in having these devices on the Home LAN ?

Additional devices that I am concerned about are;

(1). The Hive Heating Control System.

(2). The Smart TVs.

(3). The BSkyB Sky Q Boxes.

(4). The Xbox/s.

(5). Smart Watches.

(6). Printer/Scanner.

(7). Security Cameras.

Could any of the above devices be potential security risks on the home LAN ?

Alternatively is there zero risk in just having one LAN ?

There's no such thing as Zero risk but if you are genuinly concerned about all that stuff then you want to enable client isolation on your WiFi and buy a switch which can do private VLANs - in other words that will ensure that everything on your "LAN" cannot talk to eachother. I would say however this is overkill and just not neccessary.

@Fido,

If you're that worried about security, then my advice would be to not have an internet connection at all. Airgap all your devices and, maybe, have just 1 device that has internet connectivity and all it has on it is a browser. No Office suite, no FTP software, etc. If someone needs to work on a document then they would need to transfer it to USB stick (or external hard disk) then work on it on an airgapped device. If you really need to have a network and worried about security then you could connect all your devices to a router but do not configure that router with access to the internet.

HTH,

In reply to a post by Pipexer:

There's no such thing as Zero risk but if you are genuinly concerned about all that stuff then you want to enable client isolation on your WiFi and buy a switch which can do private VLANs - in other words that will ensure that everything on your "LAN" cannot talk to eachother. I would say however this is overkill and just not neccessary.

Yes, I know how it can be done; in fact I pointed out earlier in the thread that I know how to do it via a managed switch and I can set up VLANs on the ports the router that I use, (ie. an Asus RT-AX88U Pro), and I have already set up a VLAN on one of its ports. - Since the whole house is already wired in CAT6A Ethernet I can easily put anything that could be suspect onto its own separate IOT VLAN so I know how. - I also already use Guest Networks to separate some of the devices on WIFI.

However, the queries are not about the "HOW" the queries are about the "WHY".

There is a lot of discussion on the internet about the vulnerability of certain devices, (with weak passwords), being on a Home LAN in which devices can then potentially communicate with each other and since my personal knowledge of internet security is not expert, (it is certainly a lot better than average and like you I can put forward a gut feeling but certainly not expert), I was hoping that someone who does fully understand internet security would be able to advise as to the best practice regarding these devices and why separate LANs would/could be recommended or would definitely not be necessary.

Is there anyone else seeing the irony here that is jumping out at me. The OP wants to go right into the depths to ensure that the domestic network is safe from bad actors while continuing to use as the main defence an anti-virus program which has generated a considerable amount of internet traffic in regard to its integrity and which has a number of governments and their security agencies advising against its use.

In reply to a post by GonePostal:

Is there anyone else seeing the irony here that is jumping out at me. The OP wants to go right into the depths to ensure that the domestic network is safe from bad actors while continuing to use as the main defence an anti-virus program which has generated a considerable amount of internet traffic in regard to its integrity and which has a number of governments and their security agencies advising against its use.

Actually I see the main defense as being the router setup and the Hardware Firewall in the Router followed by our taking care as to which websites are visited and what apps are used and from where. - Kaspersky is near to the last line of defense..

If someone has a good, reasonably priced, alternative to Kaspersky then I would like to know which one but I mostly accept the argument that Windows Defender provides already reasonable alternative for windows and for the IPAD and IPhones Antivirus is considered to be unnecessary. - I use a Google Pixel Pro but a free anti-virus would probably do for that..

However, this tread is not about Kaspersky.

This thread is mainly about the potential vulnerabilities or not of having certain types of devices, (with poor passwords), on the Home LAN.

In reply to a post by Fido:

Actually I see the main defense as being the router setup and the Hardware Firewall in the Router

This thinking is probably a decade out of date. The network edge isn't the security perimeter, your router is not doing anything for your security because it cannot see encrypted traffic. At best it is preventing outbound botnet C&C connections but even then probably not, and by the time you have clients talking out to C&C things have already gone badly wrong.

In reply to a post by jpm:

In reply to a post by Fido:

Actually I see the main defense as being the router setup and the Hardware Firewall in the Router followed by our taking care as to which websites are visited and what apps are used and from where. - Kaspersky is near to the last line of defense.

This thinking is probably a decade out of date. The network edge isn't the security perimeter, your router is not doing anything for your security because it cannot see encrypted traffic. At best it is preventing outbound botnet C&C connections but even then probably not, and by the time you have clients talking out to C&C things have already gone badly wrong.

That is not surprising to me since I am now getting old and since I retired over 15 years ago I do not usually give it much thought.

The Asus RT-AX88U Pro Router that I use has a number of AI Security Features that I have taken up and these are monitored by Trend Micro, so there are other router features and security features in the router that already help protect my system.

I fully realize that I do not know enough about internet security as it was never my field and that the more that I do know, the more I realize how little I do know, even though I am confident that my system is far more secure than most others.

Working on the basis that the companies that sell and who manage security software have published information about the risks of smart devices, (including TVs), on the Home LAN I have concluded that my using three separate LANs may be a good policy for me and I intend going down that route.

The following links may provide useful information to anyone who is interested in finding out more about smart devices on the Home LAN.

https://www.kaspersky.co.uk/blog/how-to-secure-smart...

https://www.bitdefender.com/en-gb/blog/hotforsecurit...

https://www.google.com/amp/s/www.pandasecurity.com/e...

https://www.trendmicro.com/vinfo/gb/security/news/in...

Therefore, I plan to only use my main WIFI for devices that browse the web, my guest wifi will be for visitors and for our printer/scanner and the house CAT6A Ethernet Network, (which will have all of the Smart TVs, Hive System, N300A, XBoxes, Sky QBoxes, etc on it), will be attached to single a 2.5GHtz Router Ethernet Port 5 that operate on a separate VLAN Network that I will call IOT.

It won't cost me a penny since I already have the equipment to set it up in this way.

Regarding Kaspersky; I see the biggest danger could be with Kaspersky gaining access to personal information but since I have already been using Kaspersky for over 10 years, if there is a risk, that ship has already sailed and in some ways the same applies to anyone who has used it previously.

Other than the Russian Connection, Kaspersky is very good Internet Security Software and up to now no-one has given us any alternatives to compare it with other than Windows Defender which is good for Windows PCs.

Just to stir the pot a little.

The following falls into the category of known unknowns

In reply to a post by Fido:

On a separate issue; last year we bought a new all singing/dancing Cannon Printer/Scanner that actually works great as a device but in order to use the Cannon Software for it, we needed to agree to Cannon T&C that seemed to allow Cannon far more access to my personal information and my devices than I was comfortable with; so I located this Cannon Printer/Scanner on my Guest WIFI Network which means that my other devices need to login to my Guest WIFI in order to access the Cannon Printer/Scanner (which is a slight hassle) but it restricts its access to my Main LAN Network Devices.

In dealing with this known unknown, you have now opened up a networks path between your House network and your Guest network.

ie you have increased your exposure to unknown unknowns on your Guest network.

In reply to a post by DFScale:

Just to stir the pot a little.

The following falls into the category of known unknowns

In reply to a post by Fido:

On a separate issue; last year we bought a new all singing/dancing Cannon Printer/Scanner that actually works great as a device but in order to use the Cannon Software for it, we needed to agree to Cannon T&C that seemed to allow Cannon far more access to my personal information and my devices than I was comfortable with; so I located this Cannon Printer/Scanner on my Guest WIFI Network which means that my other devices need to login to my Guest WIFI in order to access the Cannon Printer/Scanner (which is a slight hassle) but it restricts its access to my Main LAN Network Devices.

In dealing with this known unknown, you have now opened up a networks path between your House network and your Guest network.

ie you have increased your exposure to unknown unknowns on your Guest network.

You have completely missed the point of benign hardware meeting privacy evading software rather than crossing vlans

ie, nice door bell cam meeting some dodgy software which can send information anyone requesting it - even thiefs ..

In reply to a post by Taras:

You have completely missed the point of benign hardware meeting privacy evading software rather than crossing vlans

ie, nice door bell cam meeting some dodgy software which can send information anyone requesting it - even thiefs ..

I am starting to feel a bit like the Coconut in the "Shy".

Just saying that it is the wrong way is in a small way helpful.

However, letting us all know what the correct method is would be much more helpful.

I started the thread because it seemed like there is a potential issue regarding access to Smart Devices on a Home LAN Network and I was seeking helpful input from those who fully understand internet security; which I do not.

Good practice for Internet Security moves on. - At one time some people used Open WIFI while most of us used WEP, which then became WAP and which is now WAP3 - Personal: for Home Users.

If Smart Devices are NOT a weakness in a Home LAN Network then OK. - There is no issue. - All is Good!

If there are potential issues then using multi routers or managed ethernet switches would probably work well and it may be a way forward if a Smart Device issue actually exists. - (However the SH2 would need to be connect to the ONT to be in control (if I used both of my routers) but the SH2 is a Lada when compared to the RT- AX88U Pro which is a sports car.

My plan to use the IOT Network Setup option on my Asus RT-AX88U Pro Menu with an Ethernet VLAN, Separate from the Main Home LAN, just seemed to make the RT-AX88U Pro Router GUI inaccessible and I needed to carry out a Router Factory Reset to recover it. - (Upon google this could be a known issue with high end Asus Routers when the IOT is created so that plan needs more thought).

At present we do not have any door cameras or other cameras but if we did have door cameras we would want them to be secure.

Is just having all devices on one Home LAN considered to be the best way forward ?

I am sure that many of us would benefit from knowing the answer to this this, (especially those who just use the ISP Supplied Routers.

While all we wait patiently for helpful solutions from the security experts from amongst us who know what not to do; it may be useful to consider if there is a potential issue with having Smart Devices on the Home LAN Network or not.

I have just discovered this webcast from Steve Gibson who I have always considered understands internet security much better than I do and it may be worth checking this video out:

Here is the link;

https://www.google.com/search?q=steve+gibson+IoT+net...


It seems that Steve Gibson had come to the same conclusion as I have in that it may be useful if we had at least one separate Home LAN Network for Smart Devices.

To me separate WIFI Networks are much easier to achieve than separate Ethernet Networks but most of my Smart Devices use Ethernet.

Separate ethernet networks can be achieved by using an additional third party router (a type of slave router for the IoT LAN Network), but I am still presently exploring if it can be achieved by my just using my Asus RT-AX88U Pro Router but I suspect I will end up with another device.

Yet more googling has revealed Steve Gibson's Three Router Solution to IoT Security;

https://pcper.com/2016/08/steve-gibsons-three-router...

There is a lot to think about as having one Home LAN for WiFI and Ethernet and a separate WIFI Guest Network for the most part has been OK and it works seamlessly so a one router solution would be easier if it worked properly but I can see the benefits of a three router solution.

Edited by Fido (Mon 09-Feb-26 22:03:46)

In reply to a post by Fido:

To me separate WIFI Networks are much easier to achieve than separate Ethernet Networks but most of my Smart Devices use Ethernet.

vLANs give you separate ethernet networks over the same cable. And vLANs can extend over ethernet, although possibly not so easy with consumer routers

In reply to a post by Fido:

Separate ethernet networks can be achieved by using an additional third party router (a type of slave router for the IoT LAN Network), but I am still presently exploring if it can be achieved by my just using my Asus RT-AX88U Pro Router but I suspect I will end up with another device.

vLANs give you more networks than you can shake a stick at from a single managed switch

In reply to a post by Fido:

There is a lot to think about as having one Home LAN for WiFI and Ethernet and a separate WIFI Guest Network for the most part has been OK and it works seamlessly so a one router solution would be easier if it worked properly but I can see the benefits of a three router solution.

Beyond your router, you only need a managed switch and a vLAN aware Wireless Access Point [or more for physical coverage, but if you have the physical coverage, a single WAP will give you the vLANs]

Expecting a straightforward answer on exactly what should be done is a bit like voting for a politician.
We know what they say up front. But real life experience is usually much different from expectations.

If someone came on and said do this, this and this, and all will be perfect, it's a red rag and the black hatters would have those things usurped toute suite.

Security is mostly about trying to stay one step ahead of others. Update, upgrade and stay on top of it all the time. It's a lot of work.

You mentioned Kaspersky. That has been one of the better ones for years, probably still is. But it's being put down because of the founder's nationality. Personally I would rather use that than some of the alternatives.
Keep on doing what you have been doing. Obfuscate. Introduce "physical" barriers like Vlans, separate subnets, even maybe VPNs if you like. The more complications, the harder it would be for intrusions. Avoid wireless whereever possible. Use a multitude of email addresses, separate passwords for every application. If viable make use of cheap PAYG Sims and alternative broadband connections.

But there never will be perfection in security.

I tend to take a modular approach to any potential problems and at first I just sought to find out if a potential issue does actually exist.

Then as the discussion progressed and after more googling from me it seemed that my suspicions that there could be potential security weaknesses, (in the Home LAN Network), if every device in the house is on the same LAN, which is why I then explored other options. (To me the video from Steve Gibson makes a discussion about the question if any potential security issues could potentially arise is now mute but some may disagree).

It could be argued that Anti Virus/Internet Security Software defends the browsing devices on the Home LAN Network if a Smart Device on the Home LAN Network gets hacked, so I mentioned that I use Kaspersky Premium.

My Asus RT-AX88U Pro router also has AI Protection monitored by Trend Micro ad one of its security features.

The fact that I use Kaspersky Premium was then homed in on but as you say Kaspersky Premium is usually at the top or is very near to the top in all AV Comparisons and it is only the Nationality of the founder that is used to criticise it. - I did point out that a few years ago I tried to change to Norton, (which inexplicably removed my Windows 10 restore points as it was installed ****** and Norton worked badly and had features I could not turn off). - I asked about what other users, who criticise Kaspersky, considered to be reasonably priced viable alternatives to Kaspersky Premium and so far no one has put forward a good alternative but I still have up to February 2027 to find one.

We have very few home devices that use WIFI because the whole house was wired in CAT6A Cable some years ago. - The Guest WIFI is mostly used by immediate family and our grandchildren when they visit).

Since I was always more comfortable with hardware rather than software solutions my instinct is to use hardware to create separate the LANs but since my router is supposed to support VLANs I tried that method but so far that was not successful and I had to carry out a Factory Reset to regain access to my router. (Perhaps, Merlin Firmware would make setting up VLANs without losing router access easier, I don't know if it would but I am reluctant to use third party firmware).

We have Nord VPN.

I'm no expert on networking but my thought on this are that every device on a (V)LAN is a potential risk to other devices on the same (V)LAN.

If I had the kit I would do the following:-

Create multiple VLANs on the router to separate out certain categories of devices e.g. camera's and other more vulnerable devices. This would also need setting up access controls between the VLANs so those more vulnerable don't have free rain across all networks. Remember there is also the issue with network broadcasts spanning different LANs so you would need to take that into consideration and that may affect what devices can be separated out

I would use switches capable of tagging ports for specific VLANs so I can have each devices on the network where I need it.

Ref AV & other security software.
I used to install Norton all round, but gave up on that around 2006. Eventually settling on Eset - which has served very well.
But Eset has been changing for some time now. The company I mean, the software might still rank very well. They seem to have fallen into the same hole as many previously good companies/products which were taken over by the venture capitalists. Raising prices and locking in users by one way or another.

I'm not able to recommend any particular AV brand any more.

In reply to a post by Fido:

The additional devices that I am slightly concerned about are;

(1). The Hive Heating Control System.

(2). The Smart TVs.

(3). The BSkyB Sky Q Boxes.

(4). The Xbox/s.

(5). etc.

Are any of the above devices potential security risks?

Yup - all of them are potential security risks - it's all about your particular risk appetite.

Everything in my house that I don't/can't personally manage the security of, is in its own VLAN (essentially the "guest" network) that cannot get to the regular VLAN where things like my PC & phone go.

In reply to a post by Fido:

There is a lot of discussion on the internet about the vulnerability of certain devices, (with weak passwords), being on a Home LAN in which devices can then potentially communicate with each other and since my personal knowledge of internet security is not expert, (it is certainly a lot better than average and like you I can put forward a gut feeling but certainly not expert), I was hoping that someone who does fully understand internet security would be able to advise as to the best practice regarding these devices and why separate LANs would/could be recommended or would definitely not be necessary.

In simple terms

All the connected devices on your LAN will tend to be protected from "the internet" in terms of inbound attacks because they will be behind NAT or the firewall on your router. Yes there are elaborate ways to evade that but it's irrelivant so for one moment just assume that anything on your LAN cannot be compromised from an inbound connection from the internet.

However, if any of these devices have bugs or backdoors in them, or make calls to the internet and then end up compromised, they can in themselves be untrusted. These devices, sitting on your LAN, DO have the ability to connect to the other devices on your LAN, because they are on the same network.

This is what is known as lateral movement.

It's a bit like locking your front door on your house - that stops strangers from outside stealing things, but it doesn't stop rogue family members who are inside the house from doing that and then unlocking the door and leaving with your posessions.

So by implementing a private VLAN approach you are effectively locking every room in the house and each person in the house can only steal things from their own room and leave the house, they can't steal things from other rooms.

But realistically are your family members going to do this and would they be able to steal things easily from other rooms? In the case of your devices on the LAN - it's very unlikely. These devices would need to become compromised (unlikely) and then be able to leverage an exploit on the other device. It's just not going to happen.

In reply to a post by Fido:

I was hoping that someone who does fully understand internet security would be able to advise as to the best practice regarding these devices and why separate LANs would/could be recommended or would definitely not be necessary.

My advice to you would be its not worth the hassle. It will cause more problems than its worth and unless you know what you are doing it will result in problems. For example as soon as you want to connect your phone to your TV or control your home lighting, anything that relies on direct connectivity will fail or go wonky. Here's my guess as to what happens with your devices if you start segmenting them etc.

(1). The Hive Heating Control System. - Will be OK

(2). The Smart TVs. - Won't be OK if you interact with them on your phone

(3). The BSkyB Sky Q Boxes. - Won't be OK

(4). The Xbox/s. - Will be OK

(5). etc. - Who knows

In reply to a post by Pipexer:

In reply to a post by Fido:

I was hoping that someone who does fully understand internet security would be able to advise as to the best practice regarding these devices and why separate LANs would/could be recommended or would definitely not be necessary.

My advice to you would be its not worth the hassle. It will cause more problems than its worth and unless you know what you are doing it will result in problems. For example as soon as you want to connect your phone to your TV or control your home lighting, anything that relies on direct connectivity will fail or go wonky. Here's my guess as to what happens with your devices if you start segmenting them etc.

(1). The Hive Heating Control System. - Will be OK

(2). The Smart TVs. - Won't be OK if you interact with them on your phone

(3). The BSkyB Sky Q Boxes. - Won't be OK

(4). The Xbox/s. - Will be OK

(5). etc. - Who knows

At present the way that I have things set up does work seamlessly with fast internet and good WIFI everywhere so any changes are a hassle.

Personally, I prefer to restrict the amount of my personal information that is collected, I avoid social media and I certainly would not miss the lack of access between the Sky Box and my phone, and other interconnectivity etc. as I do not bother with any of that but do I accept the point that it may not be worth the hassle as I do not see it as being likely. - (Definitely possible but not likely).

The problem is ALL Security setups are a bit like an insurance policies in that you do not know how good or bad the insurance policy is until after you need to make a claim which may never happen.

A person may choose to have Open WIFI, (it is a lot less hassle, it is simpler and easier), and they may never have a problem with Open WIFI but these days we all use the most secure types of WIFI that our routers etc. can handle because there is no point taking unnecessary risks.

I do not plan to revolutionize my setup but I will tweak it.

My present plan is to keep my Router's Home Ethernet LAN Network and my Home WIFI completely separate just for our PC's , IPads and Phones, - to have a separate WIFI Network for Guests and to put all ethernet devices onto one or two Separate Ethernet LAN/s Networks either via a VLAN/s system , (if I can ever get that to work), or via hardware devices set up to provide separate Ethernet LAN/s.

It does not need doing overnight but it is sensible that we are all aware of the potential issues and as we update our systems we do so in a way that minimizes or eliminates the unlikely risk.

Obviously you are free to do as you wish - but just to play this back - you have essentially asked in here is it worth it - everyone has told you no, provided sound reasoning and advice, and warned you about all the pitfalls, and the fact it's not really going to improve your security, and yet it seems you are going to proceed to do it anyway.

Meanwhile use of Kaspersky, Nord VPN, and your so-called router's AI security is highly questionable.

As long as you enjoy tinkering then by all means have a go - nothing wrong with having a play with things - but it's not the security answer you are looking for.

In reply to a post by Pipexer:

everyone has told you no, provided sound reasoning and advice, and warned you about all the pitfalls, and the fact it's not really going to improve your security

Actually almost the complete opposite is true.

The expert advice, (as per the supplied video from Steve Gibson), is that there is a potential problem that needs to be thoughtfully considered.

Laymen like you and I, who have much less understanding of internet security, (even though I was a professional engineer for 45 years and was Registered with The Engineering Council), are less concerned but the sensible person will consider tweaking the Home LAN setup over time especially as new smart devices are bought and they are added to the home network.

Edited by Fido (Wed 11-Feb-26 21:56:12)

In reply to a post by Fido:

The expert advice, (as per the supplied video from Steve Gibson), is that there is a potential problem that needs to be thoughtfully considered.

Laymen like you and I, who have much less understanding of internet security, (even though I was a professional engineer for over 45 years and was Registered with The Engineering Council), are less concerned but the sensible person will consider tweaking the Home LAN setup over time especially as new smart devices are bought and they are added to the home network.

Serious question, do you take the same approach to your cars security? much has changed since the 1970s.

Do you have extra security installed including a ghost immobiliser, tracker, air tag and sim based cameras installed? as it only takes a theft a few seconds to nick a modern day car if you don't!

It's not a security risk in any measureable amount - I have explained why. It would first of all require one of those devices to become compromised (unlikely), and then once compromised to be able to then leverage an exploit against another device, the chances of that happening are practically zero as it would require 2 unlikely events to happen in conjunction. It would likely require human intervention to be able to conduct something like that, and that sort of effort is reserved for nation-state activity.

To put this another way - what security risk do you think there is / are you looking to mitigate?

What does Steve Gibson actually say about this? Is it all conjecture? Does it make sense to you? Is it rationalised?

That was a very good rant.

I accepted the viewpoint that it may not be worth the hassle as I do not see it as being likely. - (Definitely possible but not likely).

You seem to be confusing a discussion about potential security issues with potential acolytes having the audacity to make their own minds about their own internet security having listened to a range of views, mainly from people who work in this field but also from laymen like you and me.

I do not plan to revolutionize my Home LAN setup but I will tweak it and that is my choice!

You mentioned my router having optional AI Security via Trend Micro as if that was bad ?

It also has optional DoS Protection, optional QOS, network monitoring features/traffic analysis, excellent WIFI and a generally excellent overall performance.

We all choose our own routers for different reasons: your choice is Draytek which is considered to be an excellent router choice for different reasons - Not for its WIFI performance as that is inferior, not for its speed and not for its user menus but for it VLAN capabilities but why would anyone, who does not see the point of separating certain devices onto separate LANs, choose a router which only really excels in that feature ?

The problem is that ALL Security setups are a bit like an insurance policies in that you do not know how good or how bad the insurance policy is until after you need to make a claim which may never happen.

I have explained that I do not see it as being a huge risk, however, the more that I looked at it the more obvious it became that certain devices could become a risk and separating these devices on the Home LAN Network seems sensible.

In reply to a post by Fido:

That was a very good rant.

There is always so much stuff out there on the internet to support whatever view you have on a particular subject matter. As you have clearly made your mind up about what you're going to do why not just get on with it.

Interesting you didn't confirm your risk appetite for protecting your car like you want to do your home network😎

In reply to a post by PCJM40:

There is always so much stuff out there on the internet to support whatever view you have on a particular subject matter. As you have clearly made your mind up about what you're going to do why not just get on with it.

he has, but he wants others to help him. In life you will always find people who support your idea. The net just makes it soo much easier to find "like minded people"

In reply to a post by Taras:

In reply to a post by PCJM40:

There is always so much stuff out there on the internet to support whatever view you have on a particular subject matter. As you have clearly made your mind up about what you're going to do why not just get on with it.

he has, but he wants others to help him. In life you will always find people who support your idea. The net just makes it soo much easier to find "like minded people"

Sometimes the quantity of post from board members is Inversely Proportional to the Quality.

These days, on these boards, some opinions are expert and in some are really just "Monkey See Monkey Do".

Personally I have always welcomed and I always consider all of the opinions of others but at the end of the day we all need to decide for ourselves. - Posts that say what is wrong are helpful but posts that indicate best practice are even more helpful.

In my OP, I suspected that the presence of some devices, (with very weak passwords), on the Home LAN Network could be a potential security risk inside the Home LAN Network and the more I have checked the more that it seemed possible. - (It is unlikely but it is possible).

I then concluded that some devices, (eg. Hive System, etc), would be better off on a separate LAN which triggered the response that it was not necessary - Well thank you for your opinion but that is my decision.

On this "thread on this board" I have sought alternative viewpoints but I have not asked "Others to Help Me".

From my OP I was open minded towards what I saw as a "Minor Concern" and I still am.

In reply to a post by Fido:

....However, I have a minor concern....

At the time I just using the WIFI Guest Network to separate certain devices, however, if inexpensive minor network tweaks could eliminate an unforseen future system weakness then it would be sensible to consider them and if my use of the guest network was not considered to be good practice then obviously I would modify it.

On a separate issue: Obviously, we all know how to create separate LANs using additional hardware devices but the modern way is to use VLANs and I did seek and I received assistance, (on the Network Board), how to get my router to work with VLANs but that is a separate issue.

In reply to a post by Fido:

On this "thread on this board" I have sought alternative viewpoints but I have not asked "Others to Help Me".

I am amazed you think you're not asking for help, you may be to proud to accept it but by posting the questions below in this thread thats exactly what you are doing. Help comes in many forms.

In reply to a post by Fido:

Is this a potential backdoor into my Home LAN ?

In reply to a post by Fido:

Is any of this necessary ?

In reply to a post by Fido:

Is a VOIP device on the home ethernet network a potential security risk ?

If so, what about Smart TVs ?