Network Segregation


skunark

  • Full Member
  • Posts: 1434
Network Segregation
« on: 15 Feb 2018, 05:37 am »
The other day I was unaware of how many networked devices I have in my house, 40... My router only really reports what has been powered on or recently powered on. But it hit a milestone that I was unaware of, and this number doesn't count the mesh nodes and access point I have in the house.
 
I ended up creating a table listing all of the network devices, identifying the following:
* How do they update: automatically, or can I control when the device updates - if I can disable the auto-updates I counted that as controlled updates
* Do they phone home: Do they inform me when an update is available or content is available, etc.
* Do they advertise: I'm not a fan of paying a company to advertise to me.

I have five devices that either don't update or they auto-update; either way, how they update is out of my control, and this doesn't count my mesh routers, which I also believe auto-update without my control. So 35 of my devices I can control; most of those I do allow to auto-update as I have trust in the manufacturers, the others I will initiate the updates on myself.

Seven devices don't phone home, and they are all Linux devices where even the network time protocol (NTP) is pointed to the NAS and DNS is pointed to the router. All of the other devices, I'm confident, check in with the mothership to report updates, upgrades, new content, etc.

Fifteen devices serve ads, most through a web browser, but six devices have advertisements built into their user interfaces. Two of them are TVs, and I can easily just unplug them and the ads disappear; I don't use their smart apps/features since I prefer other interfaces. All the other devices have web browsers where you can easily install adblockers, but there are other applications that have advertisements of sorts.


With all of these devices I'm curious if I need to start looking into home network security. Options are: 1) segregate IoT devices to another network/subnet; 2) set up something like http://pi-hole.net to block DNS lookups to the advertisers and stop devices phoning home to the mothership; or 3) something else?

I know of one commercial product that is unsecured from the get-go (username and password are the company name), and both TVs are no longer receiving firmware updates from the manufacturers. A printer and two of the IoT devices fail the Nessus security scan with high-severity security bugs identified. All it takes is one compromised device to wreak havoc in my network, and that could be a guest or any device that auto-updates or phones home. It's been very rare, but at work there has been a compromised device that ended up shutting down the network or infecting other network computers. I wonder how far off we are from seeing this type of issue at home.

Jim

GentleBender

Re: Network Segregation
« Reply #1 on: 15 Feb 2018, 10:18 am »
Well, you need to do some more research to decide how much protection you want. That Pi-Hole only blocks advertisements and doesn't offer any sort of security or port blocking. If you want security you may want to look into a hardware firewall to set up as your internet bouncer. They can be very complicated to set up, but can offer deep levels of protection for your network. I've used Watchguard for almost two decades at work and they have been reliable and have great manufacturer support. They don't come cheap and the support is subscription based.

I’m sure there are quite a few options out there.

Doublej

  • Full Member
  • Posts: 2687
Re: Network Segregation
« Reply #2 on: 15 Feb 2018, 12:21 pm »
If I had 40 devices in my house I would be more worried about my brain being fried than an exploited vulnerability on a device that is being auto updated.

Wireless networks and devices are a huge vulnerability. Any device that a hacker can see can be exploited. So someone could sit outside your house and have a field day.

Standard protection approaches include installing and configuring a next generation firewall, creating multiple network segments, implementing host-based firewalls where you are able to, closing all unused/unneeded ports on devices, and removing unneeded software.

I would look at products targeting small and medium businesses (SMB). You'll wind up routing all traffic through this device and likely making tweaks over time as you'll find sites being blocked that you want access to. Many to choose from.

This one appears to be free. https://www.sophos.com/en-us/products/free-tools/sophos-xg-firewall-home-edition.aspx

Good luck.




skunark

  • Full Member
  • Posts: 1434
Re: Network Segregation
« Reply #3 on: 15 Feb 2018, 09:31 pm »
Watchdog is probably out of my budget, so I'm hoping to keep this all open source. Do you know how Watchdog compares to DD-WRT/OpenWRT?

I do try to keep the number of wireless devices to a minimum, but there are products that are wireless only and I'm sure that will just continue to grow. I can easily enable a second physical wired network; some work, but the house is plumbed for changes like this.

My initial thought is three wireless networks:
Guest Wifi: For those that only need internet access - no access to the local network or IoT devices. Force them to use pi-hole.
IoT Wifi: Devices that only report to the mothership - security cameras and thermostat are probably the only two groups; this would shift two devices to wireless. I hope that SSID and restricted MAC with monitoring is enough security and segregation.
Home Wifi/Wired:
* enable some device restrictions that check MAC, vendor identification, etc. I'm not sure how this can be done, but it is something I plan to investigate
* What I'm curious about here is: if I created subnets or just divided the subnets, can I prevent various IoT devices from discovering other IoT devices but let them still connect to the controlling app/smartphone?
* pi-hole as the default DNS, certain devices on the router DNS (effectively Google/ISP DNS) or a less restrictive pi-hole. (I really hate that name)
* DD-WRT/OpenWRT to be the key firewall to the outdoors and block devices that don't use pi-hole or the built-in DNS service.

All it's going to take is a smart TV getting hacked through a random advertisement or rogue app to hit the news for companies to offer home solutions like this. I've already been through the Synology ransomware scare a while back, and that is from an active tech company, vs the smart appliances where the half-baked solutions are outsourced.

Jim

FullRangeMan

  • Volunteer
  • Posts: 19853
  • To whom more was given more will be required.
    • Never go to a psychiatrist, adopt a straycat or dog. On the street they live only two years average.

skunark

  • Full Member
  • Posts: 1434
Re: Network Segregation
« Reply #5 on: 16 Feb 2018, 04:16 am »
Thanks for the health concerns, but it's off topic.

rif

  • Full Member
  • Posts: 794
  • Not a cowboy
Re: Network Segregation
« Reply #6 on: 16 Feb 2018, 01:28 pm »
I'm no expert, in fact I couldn't follow some of your posts, but take a look at ubiquiti/ unifi products.  I use them (ac-lr access point, erx-sfp router/switch)  and they're more robust than I'll ever need.  They are not, however, open source.

www.ubnt.com
www.community.ubnt.com

randytsuch

Re: Network Segregation
« Reply #7 on: 16 Feb 2018, 03:50 pm »
I was thinking about segregating my network before, but never did it.
I have some DIY IoT devices, ESP and Pi based, for some home automation stuff. Plus everyone's PCs, phones, iPads etc lol. Also DirecTV, a Blu-ray player, and probably a couple other things. And a bunch of cameras I installed.

Cameras had a reputation for being hackable, and for having backdoors that can be exploited. So I put my cameras on VLANs, and the cameras can only talk to the PC that is recording the video. The cameras have no direct access to the internet, and vice versa. The PC can access the internet though. It takes a managed switch to do this, and then you have to figure out how to configure it. I bought a PoE switch that is managed; I didn't even plan to do this when I bought the switch, but then I ended up using the VLAN feature, so it worked out for me.

I may separate my network, but I think it's pretty secure so I'm not too worried.

One other thing is not to port forward from your router; that makes a hole that can be exploited. I set up my Asus router as a VPN server, so I can VPN into my home network when I'm out. This is a much more secure way to access your home network from outside. And this is different from the VPN services that are out there. Those services are to hide your activity.

Randy
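The three-network plan in Reply #3 (guest / IoT / home, pi-hole as forced DNS, the router blocking devices that use any other resolver) and the camera VLAN in the post above (cameras may reach only the recording PC, no internet either way) are both instances of one zone policy with default deny. The following is an added example, not code from this thread or from any of the products named in it: it holds that policy as an ordered rule table, answers "may this host open a connection to that host:port?", and renders the same table as an nftables forward chain. The zone ranges, the pi-hole and recorder addresses and the "wan" interface name are constructed assumptions.

```python
"""Segmentation policy model for a home network (added example).

Not code from the thread; it models the guest / IoT / home / camera plan
discussed there as an ordered rule table with default deny, answers
"may src open a connection to dst:port?", and emits the equivalent
nftables forward chain. Zone ranges, the pi-hole and recorder addresses
and the "wan" interface name are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed addressing plan (assumption, not the poster's network).
ZONES = {
    "home":  ipaddress.ip_network("192.168.1.0/24"),   # trusted wired/wifi
    "iot":   ipaddress.ip_network("192.168.20.0/24"),  # phone-home gadgets
    "guest": ipaddress.ip_network("192.168.30.0/24"),  # visitors
    "cams":  ipaddress.ip_network("192.168.40.0/24"),  # camera VLAN
}
WAN = "wan"                   # anything outside the zones above
PIHOLE = "192.168.1.53"       # constructed pi-hole address
RECORDER = "192.168.1.10"     # constructed video-recording PC
# Zones whose members must not talk to each other. Same-zone traffic never
# crosses the router, so this is enforced with AP/switch client isolation.
ISOLATED = {"iot", "guest", "cams"}


@dataclass(frozen=True)
class Rule:
    src: str                         # source zone
    dst: str                         # destination zone or WAN
    dports: Tuple[int, ...] = ()     # () = any port
    dst_host: Optional[str] = None   # restrict to one host in dst zone
    action: str = "accept"           # "accept" or "drop"


# Ordered, first match wins. Replies to accepted connections are allowed
# by conntrack, so only the initiating direction is listed.
POLICY = [
    Rule("home", WAN),
    Rule("home", "iot"),                          # controller app -> gadgets
    Rule("home", "cams"),                         # recorder pulls the streams
    Rule("guest", "home", (53,), PIHOLE),         # DNS only via pi-hole
    Rule("guest", WAN, (53,), action="drop"),     # no outside resolvers
    Rule("guest", WAN),
    Rule("iot", "home", (53,), PIHOLE),
    Rule("iot", WAN, (53,), action="drop"),
    Rule("iot", WAN),                             # phone-home allowed
    Rule("cams", "home", (554,), RECORDER),       # RTSP to the recorder only
]


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return WAN


def allowed(src_ip: str, dst_ip: str, dport: int) -> bool:
    """True if src may open a new connection to dst:dport under POLICY."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return src not in ISOLATED
    for r in POLICY:
        if r.src != src or r.dst != dst:
            continue
        if r.dports and dport not in r.dports:
            continue
        if r.dst_host is not None and r.dst_host != dst_ip:
            continue
        return r.action == "accept"
    return False                                  # default deny


def nft_ruleset() -> str:
    """Render POLICY as an nftables forward chain (recent nft syntax assumed)."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in POLICY:
        match = [f"ip saddr {ZONES[r.src]}"]
        if r.dst == WAN:
            match.append(f'oifname "{WAN}"')
        elif r.dst_host:
            match.append(f"ip daddr {r.dst_host}")
        else:
            match.append(f"ip daddr {ZONES[r.dst]}")
        if r.dports:
            ports = ", ".join(str(p) for p in r.dports)
            match.append(f"meta l4proto {{ tcp, udp }} th dport {{ {ports} }}")
        lines.append("    " + " ".join(match) + f" {r.action}")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(nft_ruleset())
```

Two points the table makes visible: the question in Reply #3 about IoT devices discovering each other while the phone still reaches them is answered by the direction of the rules (home may initiate to iot, iot may never initiate to home) plus client isolation inside the IoT SSID, and forcing pi-hole needs an explicit drop of port 53 towards WAN ahead of the general WAN accept, otherwise devices with hard-coded resolvers simply bypass it.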

skunark

  • Full Member
  • Posts: 1434
Re: Network Segregation
« Reply #8 on: 17 Feb 2018, 04:26 am »
I did check out a Ubiquiti switch a few years back to enable LAG, but felt their software was significantly lacking and returned it for a Netgear switch. Their software was lacking as well, but I managed to get it to work. I haven't looked at their routers, but I remember them being proud.

I went for security cameras that record straight to the cloud. Two have built-in batteries, one is on a UPS, and the fourth unfortunately turns off if the power goes out. But yeah, probably the most hackable IoT devices I have, next to the digital media player, printer and thermostat. The end goal is home security; if someone hacked them they would probably get bored quickly spying on me.

My ISP blocks the VPN ports, and I don't port forward after the NAS ransomware scare. I do want to configure a VPS to do VPN and could work around the ISP block with that approach, but I don't have a need to VPN back home.

Anyone with experience using OpenWRT/DD-WRT to secure IoT devices?

rif

  • Full Member
  • Posts: 794
  • Not a cowboy
Re: Network Segregation
« Reply #9 on: 17 Feb 2018, 04:40 pm »
I did check out a Ubiquiti switch a few years back to enable LAG, but felt their software was significantly lacking and returned it for a Netgear switch. Their software was lacking as well, but I managed to get it to work. I haven't looked at their routers, but I remember them being proud.


Take a look again, they have updated their software, firmware, and hardware since then.  They do regular software and firmware updates and have an active forum where many of their technical employees are very active members.  I'd be interested in hearing your thoughts.


skunark

  • Full Member
  • Posts: 1434
Re: Network Segregation
« Reply #10 on: 19 Feb 2018, 04:30 am »
Take a look again, they have updated their software, firmware, and hardware since then.  They do regular software and firmware updates and have an active forum where many of their technical employees are very active members.  I'd be interested in hearing your thoughts.

They seem to have one around $100 with a reasonable amount of features, so I will probably give them a try. There is a 3-port version, so I can split my network if I felt that was required.

Jim

rif

  • Full Member
  • Posts: 794
  • Not a cowboy
Re: Network Segregation
« Reply #11 on: 19 Feb 2018, 05:21 pm »
They seem to have one around $100 with a reasonable amount of features, so I will probably give them a try. There is a 3-port version, so I can split my network if I felt that was required.

Jim

I should also note that they have two product lines, UniFi and EdgeMax. With UniFi, all the devices are controlled through one central controller (free Ubiquiti software for a computer), whereas each EdgeMax device has its own built-in web page. You can mix and match. They are designed to handle an order of magnitude more than home use.

Sorry if I sound pushy, but they're the only commercial devices I'm familiar with.

skunark

  • Full Member
  • Posts: 1434
Re: Network Segregation
« Reply #12 on: 19 Feb 2018, 07:38 pm »
I should also note that they have two product lines, UniFi and EdgeMax. With UniFi, all the devices are controlled through one central controller (free Ubiquiti software for a computer), whereas each EdgeMax device has its own built-in web page. You can mix and match. They are designed to handle an order of magnitude more than home use.

Sorry if I sound pushy, but they're the only commercial devices I'm familiar with.

The central controller app requires Java on the desktop, which to me is an antonym of security and speed; so I will look at the EdgeMax. Both are around $115, and I hope their browser interface is better than the switch I tried a while back. This seems to be cheaper than the PC Engines solution I was considering for OpenWrt, but I will set up a Raspberry Pi 3 and give it a go.

randytsuch

Re: Network Segregation
« Reply #13 on: 21 Feb 2018, 12:17 am »
I went for security cameras that record straight to the cloud. Two have built-in batteries, one is on a UPS, and the fourth unfortunately turns off if the power goes out. But yeah, probably the most hackable IoT devices I have, next to the digital media player, printer and thermostat. The end goal is home security; if someone hacked them they would probably get bored quickly spying on me.

My ISP blocks the VPN ports, and I don't port forward after the NAS ransomware scare. I do want to configure a VPS to do VPN and could work around the ISP block with that approach, but I don't have a need to VPN back home.

Once they hack into your cams, they have a Unix PC running inside your network to spy on you. They don't care about the cam feeds; they just use the cam as a base to run their software from, to try to grab information from inside your network.

Your ISP is probably blocking VPN services.  They shouldn't care if you run a VPN server from your router (or from another machine in your network).  They don't want you to use a VPN service to hide what you're doing.

skunark

  • Full Member
  • Posts: 1434
Re: Network Segregation
« Reply #14 on: 2 Aug 2018, 05:42 am »
At this point I've decided to create a pseudo subnet via the firewalls on the devices I control, reserving those IP addresses and pushing the IoT devices to a different subnet via DHCP. This won't prevent the IoT devices from hacking those IPs, since I'm not configuring the switches to do the separation, but it effectively closes off any open ports outside the subnet. I'm sure it all can still be spoofed, but hopefully it's a harder hack.
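The DHCP-based split in the post above only holds as long as every device actually lands where the plan says, so it is worth auditing the lease table against the reservation list, which also covers the MAC/vendor check floated in Reply #3. The following is an added example, not code from this thread or from dnsmasq, OpenWrt or pi-hole: it reads a dnsmasq-format lease file (the format OpenWrt and pi-hole write) and reports leases that break the plan. The lease lines, MAC addresses, reservation table and OUI table are constructed sample data.

```python
"""Lease audit for a DHCP-split network (added example, not from the thread).

Reserve addresses for the devices you control, let DHCP push everything
else into a separate IoT range, then check the lease file for anything
that disagrees with that plan: a controlled device that got a different
address, an unreserved device sitting in the home range, or a MAC whose
vendor prefix is not one you recognise. All data below is constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

HOME = ipaddress.ip_network("192.168.1.0/24")    # reserved, controlled devices
IOT = ipaddress.ip_network("192.168.20.0/24")    # dynamic pool for the rest

# Constructed reservation plan: MAC -> address it must always receive.
RESERVED: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "192.168.1.10",   # nas
    "aa:bb:cc:00:00:02": "192.168.1.11",   # laptop
}
# Constructed OUI prefixes; a real check would use the IEEE OUI registry.
OUI: Dict[str, str] = {
    "aa:bb:cc": "ExampleComputerCo",
    "de:ad:be": "ExampleCameraCo",
}

# dnsmasq lease format: <expiry epoch> <mac> <ip> <hostname> <client-id>
# Constructed sample; the laptop and one camera are deliberately misplaced.
SAMPLE_LEASES = """\
1518000000 aa:bb:cc:00:00:01 192.168.1.10 nas 01:aa:bb:cc:00:00:01
1518000000 aa:bb:cc:00:00:02 192.168.20.55 laptop *
1518000000 de:ad:be:00:00:07 192.168.20.7 cam-front *
1518000000 de:ad:be:00:00:08 192.168.1.77 cam-back *
1518000000 01:23:45:67:89:ab 192.168.20.9 * *
"""


def parse_leases(text: str) -> List[dict]:
    """Parse dnsmasq lease lines; malformed lines are skipped."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mac = parts[1].lower()
        leases.append({
            "expiry": int(parts[0]),
            "mac": mac,
            "ip": parts[2],
            "host": parts[3],
            "vendor": OUI.get(mac[:8], "unknown"),   # first three octets
        })
    return leases


def audit(leases: List[dict]) -> List[Tuple[str, str]]:
    """Return (mac, finding) pairs for leases that violate the plan."""
    findings = []
    for lease in leases:
        mac, ip = lease["mac"], lease["ip"]
        addr = ipaddress.ip_address(ip)
        if mac in RESERVED:
            if ip != RESERVED[mac]:
                findings.append((mac, f"controlled device got {ip}, expected {RESERVED[mac]}"))
        elif addr in HOME:
            findings.append((mac, f"unreserved device holds home address {ip}"))
        elif addr not in IOT:
            findings.append((mac, f"address {ip} outside any planned range"))
        if lease["vendor"] == "unknown":
            findings.append((mac, "OUI not in vendor table"))
    return findings


if __name__ == "__main__":
    for mac, finding in audit(parse_leases(SAMPLE_LEASES)):
        print(f"{mac}  {finding}")
```

As the post itself notes, this split is advisory rather than enforced: a device with a static address never appears in the lease file, and a MAC can be copied. Running the same audit over the router's ARP or neighbour table instead of the lease file catches the static case; stopping the spoofed case is what the switch-level VLAN separation discussed earlier in the thread is for.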

dolsey01

Re: Network Segregation
« Reply #15 on: 2 Aug 2018, 04:53 pm »
If I had 40 devices in my house I would be more worried about my brain being fried than an exploited vulnerability on a device that is being auto updated.

Wireless networks and devices are a huge vulnerability. Any device that a hacker can see can be exploited. So someone could sit outside your house and have a field day.

Standard protection approaches include installing and configuring a next generation firewall, creating multiple network segments, implementing host-based firewalls where you are able to, closing all unused/unneeded ports on devices, and removing unneeded software.

I would look at products targeting small and medium businesses (SMB). You'll wind up routing all traffic through this device and likely making tweaks over time as you'll find sites being blocked that you want access to. Many to choose from.

This one appears to be free. https://www.sophos.com/en-us/products/free-tools/sophos-xg-firewall-home-edition.aspx

Good luck.

This is a great product and I've used it since the early days when it was Astaro Security Linux. We had a pair of their TOTL appliances at work until I switched to Palo. The only downside is hardware requirements. It really needs an i5 processor if you want to enable all the features and still have decent throughput. Also, it seems to work best with Intel NICs.

Bizarroterl

Re: Network Segregation
« Reply #16 on: 3 Aug 2018, 04:26 pm »
I run a pfSense firewall and use that to determine what has remote internet access and what doesn't. A firewall can have a small learning curve, but once you figure it out the flexibility and features really make it worth it.

I really like the pfSense firewall. It can be your DNS, NTP, DHCP, VPN, etc. server and gives you more detailed control than you'll ever need. A base one with WAN/LAN is $150. You can also build your own, though at $150 it would be hard to do better.