Streamers and network security

Nowadays many of us are using streamers to listen to music through Spotify, Qobuz, Tidal, etc. All this means that these devices are constantly connected to the internet, exposing them to risks and malicious attacks.

Are you concerned about these problems? Are you taking any form of precaution? Also, has anybody ever experienced any problems?

I’m curious to hear your point of view (especially from IT engineers as there are some in this forum).

Thank you very much in advance!

The question was asked of Naim recently (because even the newest streamers run quite an old Unix kernel version, long out of LTS).

Devices are compliant with all applicable regs.

2 Likes

TBH it’s no different to having a PC on your network or any other device.

I run pfSense and have multiple VLANs. I place all my IoT stuff in its own VLAN; my NS-222 is on the normal LAN as the devices controlling it and NAS need to be on the same network.

All network routers would block incoming unsolicited connections unless they’ve been configured to allow external to internal connections.

Keep the firmware on your router updated.

4 Likes

I have a dedicated VLAN for Naim streamers (and another for IoT devices) isolated by firewall rules from the management LAN and main VLAN.

2 Likes

Depends how good and well set up your firewalls are. I am using the security gateway in my Ubiquiti UniFi network which is pretty good. I don’t open any ports on the firewall except for one specific app - I use VPN and Splashtop for external access.
I drop all externally initiated traffic. And VLAN to VLAN traffic. All devices I don’t trust are on an Internet of Things (IoT) VLAN. There are plenty of guides online about how to configure your firewall.
I could have put my Linn onto its own music VLAN but didn’t bother because it complicates things.

2 Likes

I use a Firewalla Gold Plus as my router & firewall. Works great so far. 👍

1 Like

Thank you all for your replies. As far as I understand, the best thing to do is to create a dedicated VLAN for the streamer and the devices that are going to use it such as NAS, PCs, etc. Then all ports should be closed unless needed. Hopefully that should be enough!

How do you plan to do it? Do you mean you are going to set up 2 DHCP servers in the same household? Or a separate ‘guest’ network?

I think your key defense against cyber-attacks would be your network router, because it is the gateway between your home network and whatever is out there on the internet. You can of course add some extra security by adding a firewall to your individual devices.

4 Likes

It’s quite inconvenient placing your streamer in its own VLAN as you’d need to put the device controlling it and the NAS (if you use one) in the same VLAN.

You’d also need a router that is capable of supporting multiple VLANs and an access point that supports VLANs.

I’m a Network Engineer and I don’t place my streamer in a separate VLAN.

2 Likes

Just to add, most of my devices of significance - PCs, NAS etc. - have their own firewalls as well of course. And the network shares are password protected, for what it matters. Also got the Ubiquiti security detection set to max (real time blocking).

Backups are equally or even much more important. The Synology file system has versioning which makes it significantly harder to erase/lock data. And the backup features are excellent. I run a second NAS device onsite (switched off most of the day) and a third offsite. Plus some cloud backup storage for critical files.

2 Likes

I don’t really see the point if you put your PC on that same VLAN as well, then you’ve just created a new network that’s identical to what you had.

What (IMO) makes sense is to separate out the personal devices (laptop, phone, PC) from all the IoT devices where you have no clue what exactly they do and what the updates contain. So if the latter get compromised somehow, they can’t be used to compromise your personal devices.

I have three networks, one for my devices, one for all IoT devices (inc. Naim) and a guest network. All on different SSIDs/VLANs.

The only “issues” there are that you need a bit of networking knowledge (mDNS repeater and some firewall rules) to configure things correctly so your devices can still control/access devices like Naim’s. And of course accept that Naim provides no support for such a setup, they explicitly state only having all devices on the same network is supported.

4 Likes

So important backups. And of course people in IT know that

  1. If you have no Backups, you will get screwed one day
  2. If you have 1 Backup, you may well find your backup is corrupt when you try and use it
  3. If you have 2 Backups, you are quids in, and may never need them

4 Likes

I do the same and one extra VLAN only for my work computer - which I set up like the guest VLAN with total device isolation.

Synology has some smart device backup capabilities as well as share backups which I utilise so it’s easy to recreate a PC image if (when!) it crashes.

1 Like

I use a Synology, but I have had a corruption when trying to restore once. So now I do a Hyper backup, and then every month or so do a USB backup to a separate disk drive

Switching on versioning is your friend

More or less the same approach as @n-lot

One thing to also consider is having your music user access to your NAS (assuming this is where your music is stored) as a read-only user.

2 Likes

It’s pretty interesting to hear different approaches to this subject.

@sean86 I suppose the best way would be to use a managed switch to create different VLANs. However it’s easier said than done (I’m sure it would be a piece of cake for an IT engineer). I would agree about the firewall and router configuration, that’s the first important step.

@n-lot I would agree with what you said, but a PC might be used as a DLNA media server for instance. Other than that, it should be separated as you said.

1 Like

Multiple VLANs do not offer any security in and of themselves; they must be isolated from each other and frankly this then becomes a PITA. For IoT devices, not such an issue because in essence the requests you send to turn on lights or whatever go via the web, not internally on your LAN, so their VLAN can be totally isolated through the firewall from your main VLAN. But for hifi etc, parking that in a cut off VLAN would just not be very fun.

On unifi devices and I guess others, you can set a separate wifi SSID to only work on the VLAN, but what a pain in the vain belief you are protecting anything from the internet. The very best bet is to have control of the devices in your hifi, this means not relying on hifi manufacturers, particularly those that spend incredible amounts of time getting out updates.

There are lots of websites that can tell you what ports are open to your network, for the average home gamer if you are stealth then you should be fine. A semi decent firewall is going to refuse an unsolicited connection from WAN anyway.

2 Likes
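Two points from the posts above can be checked with a small model: VLANs that are merely routed give no isolation, and an isolated IoT VLAN still has to accept connections from the personal network so the control app can reach the streamer. This is an added example, not part of the thread or any vendor's configuration; the subnets, the rule format and the function names are assumptions made up for illustration.

```python
import ipaddress

# Constructed addressing plan (assumption; the thread gives no subnets).
VLANS = {
    "personal": ipaddress.ip_network("192.168.10.0/24"),
    "iot":      ipaddress.ip_network("192.168.20.0/24"),  # streamer lives here
    "guest":    ipaddress.ip_network("192.168.30.0/24"),
}
ANY = ipaddress.ip_network("0.0.0.0/0")
LOCAL = ipaddress.ip_network("192.168.0.0/16")

# Rules are (action, source, destination); first match wins. They apply to NEW
# connections only: replies are assumed to pass via the firewall's state table.
ROUTED_ONLY = [("allow", ANY, ANY)]                # VLANs exist, no isolation
ISOLATED = [
    ("allow", VLANS["personal"], VLANS["iot"]),    # control app -> streamer
    ("drop",  ANY, LOCAL),                         # no other inter-VLAN traffic
    ("allow", ANY, ANY),                           # outbound to the internet
]

def decide(rules, src, dst):
    """Action of the first rule matching a new connection src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "drop"  # implicit default deny

def reachability(rules):
    """(from_vlan, to_vlan) pairs where a new routed connection is allowed."""
    return {
        (a, b)
        for a, net_a in VLANS.items()
        for b, net_b in VLANS.items()
        if a != b and decide(rules, net_a[10], net_b[10]) == "allow"
    }

def isolation_violations(rules, untrusted=("iot", "guest"), protected="personal"):
    """Paths that let an untrusted VLAN open connections into the protected one."""
    return sorted(p for p in reachability(rules)
                  if p[0] in untrusted and p[1] == protected)

if __name__ == "__main__":
    for name, rules in (("routed only", ROUTED_ONLY), ("isolated", ISOLATED)):
        print(name, "allowed:", sorted(reachability(rules)),
              "violations:", isolation_violations(rules))
```

Multicast discovery is not modelled here: as one post notes, it does not cross VLANs without an mDNS repeater.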

I’ve 2 backups which run monthly plus two flight cases full of CDs as third backup.

Thought I’d check the integrity of the two GDDs last week. Gratified to see all is well.

1 Like