• oozynozh@sh.itjust.works
    21 hours ago

    i’m sure that’s a fine setup for the average home user but devices that use proprietary firmware like that aren’t conducive to a security-first design where you hold all the keys. because it’s designed to be secure, even from you, it always has an asterisk on it (network is secure* according to eero). that and you have no way of verifying what data it’s phoning home (and a lot of devices soft brick themselves if you cut their connection to the cloud).

    the most useful advice i can generally offer is to add a proper network security device running pfSense or OpenWRT to seize some control over internet access and DNS resolution and to implement VLAN segmentation to keep trusted devices secure from trusted* and untrusted devices.

    • youmaynotknow@lemmy.zip
      21 hours ago

      Yeah, you’re absolutely correct here. But him having already made the investment and removing some of the control over his network from his ISP is a step in the right direction. It should also be noted that, for someone that does not have the knowledge yet, one step at a time is the sanest path, and I say this from my own experience. I went all in, and that led me to making many mistakes.

      As you say, adding something like OPNsense or OpenWRT between the Eeros and the ISP modem is the next logical step. Then, getting a switch (or some switches depending on his needs) and ssid-vlan taggable APs to replace the Eeros. After that, it’s time to have 7 or more local networks in the house 🤣. It can get wild, and it’s so much fun. The feeling of empowerment this provides is second to none.