The last few weeks showed us that the Internet-of-Things can be pretty dangerous, e.g.: Mirai Again: DT Outage a Precursor to Larger DDoS Attack. Especially if the devices are able to communicate with the internet there is a high risk! But I think this is not the only hazard. What happens if someone gets into your network because of an insecure device? This posting will list some actions the possible of such an attack.
Put your IoT-devices in a DMZ (demilitarized zone).
Ideally you are working with VLANs to split the complete traffic of your two networks. Switching should be possible in only one direction: from your personal network to the IoT-network. The other direction should be blocked, because if somebody hacks your devices (s)he could access your private devices like your laptop or tablet. Additionally to this separation on wire-level you need an access-point which is able to work with multiple SSIDs and VLANs.
Block the management-interfaces from the IoT-network.
Make sure all the management-interfaces of your access points, firewall, routers and switches are not accessible from the IoT-network.
Use the safest wireless security level which is compatible with your devices.
Some IoT-devices do not support the latest security protocols. But please use at least the strongest compatible with your devices and do not forget to configure it! Site-note: Please do not use a similar password like you have it on your personal network.
Hide your SSID.
Not all threats come from the internet. Some of them may be near you. To make it a bit more complex to crack your network you should think about hiding your SSID. So a potential attacker first has to find out your network name. And now get into his sight: "Why should I waste time when there are so many wireless lans where I do not have to find out the network name in advance?" Right => from this point on you can be sure that you are not the easiest catch! (Even if you are not safe with only this action.)
Only allow known MACs.
Additionally you should restrict the network to known MAC-addresses. You can do this on two levels. Firstly you should restrict the potential communication partners of the access point. Secondly you can tell your DHCP to ignore unknown devices. Due to the fact that you will not change your nodes every day I think this is a pretty neat additional action.
Don't communicate with service in the internet / Cut the devices from the internet.
If you do not communicate with services in the internet the risk of getting hacked drops drastically. There are alternatives to many popular services. I think I am going to write an extra post on this topic. As a short excerpt: You may know data.sparkfun.com. You can host the project behind this website yourself locally! And the best thing about it: You do not need to run a powerful server. You can do this for example with a raspberry pi.
Do not open ports for external access.
Okay, the last point is very important! Some of you guys may think "Why am I collecting data? Because I would like to access it everywhere." Basically that is a great idea. But I think you should be pretty careful with the way you access your stored data. The simplest way is to open a port to your server. But that will not be a secure solution! If you are not an expert in network-security and webserver-configuration I would like to advise you to set up a VPN-tunnel. You may have a look at a virtual appliance if you do not want to do all the work.