claudetools/projects/wrightstown-smarthome/documentation/network-security.md
Mike Swanson aaf4172b3c sync: Add Wrightstown Solar and Smart Home projects
New projects from 2026-02-09 research session:

Wrightstown Solar:
- DIY 48V LiFePO4 battery storage (EVE C40 cells)
- Victron MultiPlus II whole-house UPS design
- BMS comparison (Victron CAN bus compatible)
- EV salvage analysis (new cells won)
- Full parts list and budget

Wrightstown Smart Home:
- Home Assistant Yellow setup (local voice, no cloud)
- Local LLM server build guide (Ollama + RTX 4090)
- Hybrid LLM bridge (LiteLLM + Claude API + Grok API)
- Network security (VLAN architecture, PII sanitization)

Machine: ACG-M-L5090
Timestamp: 2026-02-09

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-10 18:44:35 -07:00


# Network Security - VLAN Architecture & Privacy
**Created:** 2026-02-09

**Purpose:** IoT isolation, private data protection, PII sanitization for cloud APIs

---
## VLAN Architecture
```
+---------------------------------------------+
| VLAN 1: Trusted (192.168.1.0/24)            |
| Laptops, phones, tablets                    |
| Full internet access                        |
| Can initiate connections to all VLANs       |
+---------------------------------------------+
                      | (can access)
+---------------------------------------------+
| VLAN 10: Infrastructure (192.168.10.0/24)   |
| Home Assistant Yellow                       |
| LLM Server                                  |
| NAS (if applicable)                         |
| Can access Trusted + IoT VLANs              |
+---------------------------------------------+
                      | (can access)
+---------------------------------------------+
| VLAN 20: IoT (192.168.20.0/24)              |
| Zigbee coordinator (HA Yellow)              |
| WiFi cameras, sensors, smart plugs          |
| BLOCKED from initiating to Trusted          |
| Internet restricted (DNS/NTP only)          |
+---------------------------------------------+
                      | (restricted)
+---------------------------------------------+
| VLAN 99: Guest (192.168.99.0/24)            |
| Guest devices                               |
| Internet only, no internal access           |
+---------------------------------------------+
```
---
## Firewall Rules
### Rule 1: IoT Isolation (Critical)
- **ALLOW:** Trusted --> IoT (control devices from phone)
- **BLOCK:** IoT --> Trusted (prevent compromised device probing network)
### Rule 2: Infrastructure Bridge
- **ALLOW:** Infrastructure --> IoT (HA controls devices)
- **ALLOW:** Infrastructure --> Trusted (send notifications)
- **ALLOW:** Trusted --> Infrastructure (access HA web UI, LLM)
### Rule 3: IoT Internet Restriction
- **ALLOW:** IoT --> DNS (port 53) and NTP (port 123)
- **BLOCK:** IoT --> Internet (all other ports)
- **EXCEPTION:** Allow-list specific cloud endpoints only for the devices that require them
### Rule 4: mDNS Control
- **BLOCK:** Broadcast protocols across VLANs by default
- **ALLOW:** Selective mDNS reflection for HA discovery
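Rules 1 to 3 expressed as a small policy model, so the intended behaviour can be checked against sample flows before it is typed into a router UI. This is an added example, not part of the original document; the infrastructure VLAN's internet access and the allow-list entry (203.0.113.10) are assumptions.

```python
import ipaddress

# VLAN plan from the diagram above; anything outside these subnets counts as "internet".
VLANS = {name: ipaddress.ip_network(cidr) for name, cidr in [
    ("trusted", "192.168.1.0/24"), ("infra", "192.168.10.0/24"),
    ("iot", "192.168.20.0/24"), ("guest", "192.168.99.0/24")]}

# Rule 3 exception: per-device allow-list of (proto, port, destination). The entry is a
# constructed example (203.0.113.0/24 is documentation space), not a real vendor endpoint.
IOT_ALLOWLIST = {"192.168.20.31": {("tcp", 443, "203.0.113.10")}}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in VLANS.items() if addr in net), "internet")


def flow_allowed(src_ip, dst_ip, proto, dport):
    """Decide whether src may INITIATE a connection to dst.

    Only the initiating direction is modelled: a stateful firewall passes the replies of an
    allowed connection, which is how Trusted -> IoT control works without any IoT -> Trusted rule.
    """
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == "trusted":
        return True  # full internet, may initiate to every VLAN
    if src == "infra":
        # Rule 2; internet for HA/LLM updates and the cloud LLM bridge is an assumption here
        return dst in ("trusted", "iot", "internet")
    if src == "iot":
        if dst == "trusted":
            return False  # Rule 1: never, whatever the allow-list says
        if dst == "internet" and (dport == 53 or (proto == "udp" and dport == 123)):
            return True  # Rule 3: DNS (tcp/udp 53) and NTP (udp 123) only
        # Rule 3 exception (a vendor cloud) or a deliberate local exception such as MQTT to HA
        return (proto, dport, dst_ip) in IOT_ALLOWLIST.get(src_ip, set())
    if src == "guest":
        return dst == "internet"
    return False  # nothing initiates inbound from the internet (no port forwarding)


def audit(flows):
    """Return the (src, dst, proto, dport) flows a firewall built from these rules would drop."""
    return [f for f in flows if not flow_allowed(*f)]
```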
---
## Hardware Options
### Budget: TP-Link Omada (~$150)
- ER605 router ($60) -- VLAN routing, firewall rules
- TL-SG2008P managed switch ($90) -- VLAN tagging, PoE
### Mid-tier: Ubiquiti UniFi (~$760)
- Dream Machine Pro ($379) -- Router + controller + IDS
- USW-24-PoE switch ($379) -- 24 ports, VLAN, PoE
- Better UI, more features, IDS/IPS built in
### Existing Gear
- Most Netgear managed switches support VLANs
- OpenWrt on consumer routers adds VLAN capability
- pfSense/OPNsense on an old PC is free and powerful
---
## Privacy: Keeping Data Local
### Core Principle
**Private data NEVER leaves the local network.**

| Data Type | Route | Why |
|---|---|---|
| Sensor readings | Local LLM only | Reveals activity patterns |
| Camera feeds | Local LLM only | Obvious privacy concern |
| Device names/locations | Local LLM only | Reveals home layout |
| Presence detection | Local LLM only | Reveals who's home |
| Personal names/addresses | Strip before cloud | PII |
| Energy usage patterns | Sanitize before cloud | Activity inference |
| General questions | Cloud OK | No private data |
| Internet searches | Cloud OK (Grok) | No private data |
### PII Sanitization Pipeline
For queries that go to cloud APIs, scrub private information first:
```python
from presidio_analyzer import AnalyzerEngine
from presidio_anonymizer import AnonymizerEngine

# Presidio's "en" analyzer needs a spaCy model installed (en_core_web_lg by default).
analyzer = AnalyzerEngine()
anonymizer = AnonymizerEngine()

# Queries touching these topics never go to the cloud at all; they are answered locally.
BLOCKED_KEYWORDS = ["camera", "location", "address",
                    "password", "who is home", "alarm"]


def sanitize_for_cloud(query):
    """Remove PII before sending to Claude/Grok. Returns None if the query must stay local."""
    # Hard block certain categories first, before any analysis runs
    if any(kw in query.lower() for kw in BLOCKED_KEYWORDS):
        return None  # Block query entirely, handle locally

    # Detect sensitive entities
    results = analyzer.analyze(
        text=query,
        entities=["PERSON", "LOCATION", "PHONE_NUMBER",
                  "EMAIL_ADDRESS", "DATE_TIME"],
        language="en",
    )
    # Replace detected entities with placeholders such as <PERSON>
    sanitized = anonymizer.anonymize(text=query, analyzer_results=results)
    return sanitized.text
```
### Cloud API Data Policies
**Anthropic (Claude):**
- API inputs are NOT used for training by default
- Can explicitly opt out
- Data retained 30 days for safety, then deleted
**xAI (Grok):**
- Data sharing program is opt-in ($150/month credit if you opt in)
- Can opt out and keep data private
- Standard API usage is not used for training if you opt out
---
## Remote Access
### Recommended: Tailscale (Zero-Config VPN)
```bash
# Install on LLM server and HA
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
```
- WireGuard-based mesh network
- No port forwarding needed
- Free for personal use (up to 20 devices)
- Access HA + LLM from anywhere securely
### Alternative: WireGuard (Self-Hosted)
- Run on router or dedicated server
- Full control, no third-party dependency
- Requires port forwarding (one UDP port)
- More setup, more control
### Home Assistant Cloud (Nabu Casa)
- $6.50/month, official HA remote access
- No VPN config needed
- Supports the HA development team
- Simplest option
---
## Security Hardening Checklist
- [ ] Disable UPnP on router
- [ ] Enable 2FA on Home Assistant
- [ ] Strong passwords (16+ chars, random) on all services
- [ ] Regular updates: HA, Ollama, OS, router firmware
- [ ] Monitor failed login attempts in HA logs
- [ ] Daily automated backups (HA + LLM configs)
- [ ] Firewall rules reviewed quarterly
- [ ] IoT devices on isolated VLAN
- [ ] No camera feeds sent to cloud APIs
- [ ] PII sanitization active on cloud-bound queries
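The "monitor failed login attempts" item, worked through as a detector over constructed log lines: it flags a burst of failures from one address, and flags a single failure from any zone that the firewall rules above say should never reach the HA login at all. This is an added example, not from the original document; the log message shape is assumed from HA's http ban logger and should be checked against a real home-assistant.log.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed shape of the warning HA's http "ban" logger writes on a failed login; verify locally.
LOGIN_FAIL = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\S* WARNING .*"
                        r"Login attempt or request with invalid authentication from (?P<ip>[\d.]+)")
# Zones from the VLAN plan plus Tailscale's CGNAT range; anything else is "external".
ZONES = {name: ipaddress.ip_network(cidr) for name, cidr in [
    ("trusted", "192.168.1.0/24"), ("infra", "192.168.10.0/24"), ("iot", "192.168.20.0/24"),
    ("guest", "192.168.99.0/24"), ("tailscale", "100.64.0.0/10")]}
EXPECTED_LOGIN_ZONES = ("trusted", "infra", "tailscale")  # where a person may legitimately log in


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "external")


def _line(ts, ip):  # constructed sample line in HA log style
    return (f"{ts}.000 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or "
            f"request with invalid authentication from {ip} ({ip}). Requested URL: '/auth/login_flow/x'.")


SAMPLE_LOG = [_line(f"2026-02-09 21:14:{s:02d}", "192.168.1.50") for s in (2, 9, 15, 22, 31, 40)] + [
    _line("2026-02-09 21:20:05", "192.168.1.51"),   # one mistyped password: below threshold
    _line("2026-02-09 21:25:44", "192.168.20.44"),  # an IoT device should never reach HA's login
    "2026-02-09 21:26:00.000 INFO (MainThread) [homeassistant.core] Starting Home Assistant",
]


def parse_failures(lines):
    hits = (LOGIN_FAIL.search(line) for line in lines)
    return [(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"]) for m in hits if m]


def find_alerts(lines, threshold=5, window=timedelta(minutes=10)):
    """Map source IP -> reason: a burst of failures, or any failure from an unexpected zone."""
    by_ip = defaultdict(list)
    for ts, ip in parse_failures(lines):
        by_ip[ip].append(ts)
    alerts = {}
    for ip, times in by_ip.items():
        zone = zone_of(ip)
        if zone not in EXPECTED_LOGIN_ZONES:
            alerts[ip] = f"auth failure from {zone} zone: check firewall rule 1 and exposure"
            continue
        times.sort()
        for i in range(len(times) - threshold + 1):  # sliding window over sorted timestamps
            if times[i + threshold - 1] - times[i] <= window:
                alerts[ip] = f"{threshold}+ failures within {window}: possible brute force"
                break
    return alerts
```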
---
## Data Retention
| System | Retention | Notes |
|---|---|---|
| HA sensor data | 30 days raw, indefinite aggregated | Purge in Settings > System > Storage |
| Camera recordings | 7-14 days | Local storage only (NAS or NVMe) |
| LLM conversation logs | Purge monthly | Ollama logs stored locally |
| Cloud API logs | Disable or redact PII | Check provider settings |
---
## Sources
- https://newerest.space/mastering-network-segmentation-vlans-home-assistant-iot-security/
- https://www.xda-developers.com/vlan-rules-every-smart-home-should-have/
- https://thehomesmarthome.com/home-assistant-security-vlans-firewalls-ids/
- https://tailscale.com/