What is a “Guest” Wi-Fi network and what home network segmentation can do for you

I have seen some confusion related to what a Guest network at home can do for you, and when you should use it. Let’s see if we can get this clarified. I am talking about home networking scenarios here.

You will need to understand a few concepts related to computer networking. I suggest that you read my previous article on Fundamental computer network connection concepts. I am quite convinced that anyone can follow and understand this.

“Main” vs. “Guest” network

Most home routers allow for the creation of at least two different networks, and the intent behind this is:

Main network: this is where you place all the home devices that you trust, the devices that you want permanently connected to your home network. Devices on the main network can talk to each other inside your network, if needed. They can also talk to the Internet.

Guest network: when someone visits, instead of sharing your main network password with them (and possibly giving them access to other devices on your main network) – you share access to your Guest network instead. Guest network devices typically do not talk to main network devices but can still talk to the Internet.

This diagram illustrates the two segments:

[Figure: Two home network segments]

There are other types of network segmentation (separation of devices). A network is sometimes called a LAN (Local Area Network). Some home routers can create Virtual LANs (VLANs), which allow us to further segregate devices into separate network segments. Imagine being able to create additional “groups” of devices, where devices in one group cannot talk to devices in any other group.

To a degree, it is this network segmentation that leads to a misunderstanding that if you have devices that you do not trust, you should put them on your Guest network (or a separate VLAN) and that makes those devices “safe” to use in your home.

This is incorrect and I will now explain why it is so.

What is the risk?

Before continuing, we need to discuss a matter of risk. What are risky or untrusted devices?

Pretty much every device you can think of today can connect to your home network. From laundry washers, ovens, cameras and sensors all the way to fridges and robot vacuums. And everything in between. Most of those devices require access to the Internet to perform some sort of function (this is important, as it is many times why we’d want to add those devices to the network to begin with). We want to get notifications when things happen. When the baby moves, we want to get a notification from the baby monitor. When laundry is done, we want to know, even if we are in the back yard. If the outside grill reached the required temperature, you want to know that too. All those things will typically require Internet access.

So, to summarize what we covered so far:

  • ‘Main network’ devices are typically allowed to talk to each other.
  • ‘Guest network’ (or a separate VLAN) typically puts devices on their own network segment, and there is usually no communication between devices on different network segments (Main to Guest, or VLAN1 to VLAN2).
  • Both main and Guest (or VLAN) networks typically require access to the Internet for devices to do what we want them to do.

Therefore:

  • Segmentation of devices addresses the risk of untrusted devices trying to talk to or exploit vulnerabilities of trusted devices.
  • Segmentation of devices does not address the risk of untrusted devices sending information to, or receiving it from, the Internet.

That is important. What is the risk that you are worried about?

  • If you are worried that your electronic device will try to infect your home computer with a virus, or be used as a place from which other devices on the network could be attacked or probed, then network segmentation can be a way to mitigate this risk.
  • If you are worried that your baby monitor camera might send either video or audio data to some untrusted place on the Internet, or worse yet – allow strangers to access the video feed, then network segmentation does nothing to mitigate this risk.

It does not matter if data is taken from your home using the main, Guest or VLAN network. The issue is that the data is taken from your home.

In other words – network segmentation can address some risks but not others. Putting untrusted devices on a separate network does not magically make them trusted or well-behaved devices, because this does not address all types of risk.

If you think that this is a matter of spy movies and is not real life, I invite you to use your favorite search engine and search for publicly available cameras. There are MANY sites out there that provide access to cameras that are currently in people’s homes, and anyone can access the video feed. This was almost certainly not the intention of the camera user when they installed it in their home. Does it matter if they are on a segregated network segment?

How then, to deal with untrusted devices?

My best advice for untrusted device use is:

Don’t. Don’t use untrusted devices and don’t put them onto your network (no matter what type of network or network segment it is). Be aware of what devices you use and replace them as they become “untrusted” (let’s say they go out of support).

There could be situations where it is “relatively safe” to use an untrusted device that does not need access to the Internet on your local network segment, but you should do this only if you have thought through the risks involved and know how to mitigate them. Network segmentation does not make all devices “trusted devices”!
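As an added example (not from the original article), here is a hypothetical nftables ruleset for a Linux-based home router that implements the Main/Guest segmentation described in the bullets above, and also shows the one thing segmentation by itself never does: stop an untrusted device from reaching the Internet. The interface names (wan0, lan0, guest0), the two subnets and the 192.168.2.50 device address are assumptions chosen for illustration.

```nft
# Assumed router layout (illustrative only):
#   wan0   -> Internet
#   lan0   -> Main network,  192.168.1.0/24 (trusted devices)
#   guest0 -> Guest network, 192.168.2.0/24 (visitors, untrusted devices)
table inet home_router {
    chain forward {
        # Anything not explicitly accepted below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies to flows that were already accepted may pass in any direction.
        ct state established,related accept

        # Main network: may reach the Internet.
        iifname "lan0" oifname "wan0" accept

        # Example untrusted device (assumed address) that does not need the
        # Internet at all: deny its outbound traffic explicitly. Segmentation
        # alone would still let it send data out, so this rule must come
        # before the general guest-to-Internet accept.
        iifname "guest0" ip saddr 192.168.2.50 oifname "wan0" log prefix "untrusted-egress " drop

        # Guest network: may reach the Internet only.
        iifname "guest0" oifname "wan0" accept

        # Guest -> Main would be dropped by the default policy anyway;
        # logging it makes probing from a guest device visible.
        iifname "guest0" oifname "lan0" log prefix "guest-to-main " drop
    }

    chain postrouting {
        # Source NAT so both segments can share the single Internet address.
        type nat hook postrouting priority 100; policy accept;
        oifname "wan0" masquerade
    }
}
```

Loaded with `nft -f <file>` on the router, the forward chain's default drop plus the single guest-to-Internet accept is exactly the Guest network behaviour described earlier: guest devices cannot reach main devices, but every one of them can still talk to the Internet. The device at 192.168.2.50 is kept off the Internet only because of the explicit egress rule, which is the extra step the article says you must think through yourself; the log prefixes let you see in the kernel log when a guest device tries to reach the main segment or when the blocked device tries to send data out.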

Summary

People might think that using untrusted devices on a separate home network makes those devices “safe”. But this does not address all types of risk. I hope this explanation helps you make better choices!

Stay safe!

Brad Ackerman

Security Engineering in Azure Edge + Platform, Microsoft

1 week

If it’s an “untrusted” device, it gets its own private network segment, which may have both network- and application-level policy enforcement. That’s still a lot easier than what I’d do at work, which starts with that and physical removal of unwanted components, usually comes with a hardened jumpbox, and possibly involves an actual CDS.
