
Designing a Home Network for Hostile Devices - edent
https://shkspr.mobi/blog/2016/03/designing-a-home-network-for-hostile-devices/
======
88e282102ae2e5b
I guess we're beyond even considering that having an internet-connected smoke
detector isn't necessary or desirable.

~~~
username223
Or that automatic software updates are a security problem. "Software will eat
the world," and every device around you will be controlled by software
downloaded from somewhere on the internet.

~~~
derefr
They're the least bad alternative. Without automatic software updates, you
instead have permanently-vulnerable devices (like most old home routers are
today—they can _be_ updated, but it's a manual process so users don't bother.)

~~~
username223
I think they're a wash. Without them, you don't get patches unless you
explicitly check for them. With them, you might not get patches anyways (like
many Android phones), and are forever vulnerable to server-side breaches, or
the manufacturer going out of business. Worst of all, an attacker only has to
compromise the update server to compromise every associated device, rather
than having to hack said devices one at a time.

------
SixSigma
IP alias - multiple IP subnets on one physical interface

[http://www.openbsd.org/faq/faq6.html#Setup.aliases](http://www.openbsd.org/faq/faq6.html#Setup.aliases)

and a firewall to control them with

[http://www.openbsd.org/faq/faq6.html#PF](http://www.openbsd.org/faq/faq6.html#PF)

Not OpenBSD only, Linux with IP aliasing and IPtables will do the same.

btw. you have PHP misconfigured, it is spewing its error log

Warning: Missing argument 2 for polldaddy_show_rating_comments(), called in
/var/sites/s/shkspr.mobi/public_html/blog/wp-includes/plugin.php on line 235
and defined in /var/sites/s/shkspr.mobi/public_html/blog/wp-content/plugins/polldaddy/rating.php on line 6

~~~
nickhalfasleep
This is a good start, but since they are on the same wifi channel and
encryption, a lightbulb could go promiscuous and listen to all the traffic on
other subnets, and interrogate them in turn.

I don't know if we need _secure_ lightbulbs that only communicate with strong
encryption.

As always, there is no use in just depending on "gateway" defense of networks,
and you should always assume that any network is open to the internet in one
way or another.

~~~
SixSigma
hmm, yeah, the wifi angle does confuse things. One wifi AP in a lead box with
every device!

~~~
dboreham
Lead is for ionizing radiation. Simple chicken wire, or tinfoil for 5GHz will
suffice.

------
GICodeWarrior
If you buy a business type router, a similar wireless AP, and some "smart"
switches, you can actually segregate things pretty well.

Examples:

Ubiquiti EdgeRouter Lite [https://www.ubnt.com/edgemax/edgerouter-lite/](https://www.ubnt.com/edgemax/edgerouter-lite/)

Ubiquiti UniFi AP AC Lite [https://www.ubnt.com/unifi/unifi-ap-ac-lite/](https://www.ubnt.com/unifi/unifi-ap-ac-lite/)

Netgear Web Managed Plus switches
[http://www.netgear.com/business/products/switches/unmanaged-...](http://www.netgear.com/business/products/switches/unmanaged-plus/gigabit-plus-switch.aspx#tab-models)

$238.98 on Amazon (before tax/shipping) for the ER Lite, UniFi AC Lite, and
the GS108E 8-port switch.

The key here is to have network gear that supports VLANs and VLAN trunking
(802.1q).

On the ER Lite, you setup separate VLANs (networks) for each class of device
just as you said. You can control what traffic can go from one network to the
others via firewall rules. So, just as you said, your laptop can access
everything, while your wall switches can't get anywhere.

Each VLAN will have a number associated with it, I recommend starting at 100
or something and going up from there (the Netgear switches treat VLANs 1-3 as
special). There are up to 4096 VLANs available.

Tell each switch about which VLANs are coming and going on each port. For
actual devices (e.g. an IP camera hard-wired) you want to have the port
Untagged with the PVID and Untagged VLAN being the VLAN for that class of
device. For traffic between switches and the AP, mark every VLAN in use as
Tagged on those ports.

Tagging puts an extra header on the Ethernet frames so that the devices on
either end know the traffic is for a different network.

On the wireless AP, send all the VLANs into it as tagged. Then create separate
SSIDs for each VLAN with separate credentials. I recommend hiding the SSIDs
(disable SSID broadcast) for this, not for security, but for sanity.

With all that setup, you can set arbitrarily broad or specific rules on your
router as to which traffic will be routed between vlans and the internet.

As said in another comment, you can use "dumb" switches still, but they won't
understand VLAN traffic. So every device on the switch will have access to the
same network(s).

One important caveat about separation like this is that devices normally
discover each other via broadcast traffic. Since each VLAN is a separate
broadcast domain, only devices on one VLAN will discover each other. This may
or may not matter for your devices. For example, you probably connect to an IP
camera directly rather than via discovery. However, for a Chromecast there
would be discovery needed.

For many devices, they use mDNS for discovery. There is an mDNS reflector
service on the EdgeRouter that can be used to replicate discovery packets on
another network. That way your laptop can discover devices on other VLANs.

All that said, while it isn't outrageously expensive to accomplish this, it
will be time consuming to configure properly. ;-)

~~~
roel_v
I tried this. I have a reasonable AP and a reasonable switch (don't remember
brand and type by heart) but getting VLANs and wifi nets configured correctly
and so that all devices work correctly, _and_ easy enough to use is very hard.
I'm no networking expert but I like to think I know the basics, but I gave up
on VLANing after several days of getting nowhere.

------
gvb
You can do it with a capable (read enterprise grade) router that does packet
filtering. You can do it with a linux box and a lot of ethernet network cards
as well, but your speed will suffer because every packet needs to be inspected
before being forwarded. Hardware assist in packet inspection makes a major
difference. See also Software Defined Networking[1].

You probably won't need "deep packet inspection" for a few years, until the
IoT people get smarter about hiding their traffic. That was sarcasm. Maybe.
The fact that they cannot do secure networking competently implies they won't
be able to hide their traffic competently either, but the incentives are much
stronger for the latter.

Anyway...

Step 1: _FORCE ALL THE TRAFFIC THROUGH THE ROUTER._ Shouting here because, if
the traffic does not go through the router, you cannot control (block) it.
Forcing the traffic through the router can be difficult. You need to "home-run"
all ethernet (wired and wireless) to the router.

1a) Hard-wired ethernet is simple. Home run it to the router.

1b) Do not permit any small network switches on any of the ethernets (this
principle is breakable if you understand that all units on the satellite
switch will be unprotected from each other).

1c) Best: Do not allow _any_ wireless. This is unrealistic today. Better: have
a _separate_ wireless access point (with WPA encryption and good passwords)
for every group (class) of wireless devices that then gets home-runned to the
filtering router. The filtering router can then prevent your light bulbs on
the light bulb[2] WiFi AP from talking to the refrigerator on the kitchen
appliance AP. "Better than nothing" is to have multiple SSIDs on one WiFi AP.

Step 2: Create a shitload of subnets by either using all of the Class C
networks in 192.168.0.0/16 or subnetting 10.0.0.0/8[3]. Put each device or logical
grouping (class) of devices on a separate subnetwork.

Step 3: Disallow all packet routing by default. Bask in the glory of a
perfectly secured (albeit perfectly useless) network. Crack open a beer. Drink
it fast... the local residents won't let you finish it because they will
impress on you their pain of not being able to "facebook" because your network
is too secure.

Step 4: Re-allow all packet routing to tamp down the mutiny.

Step 5: Write a shitload (more) routing rules defining which device (class of
devices) can talk to which other device on which physical ethernet ports on
which ethernet IP addresses (subnets) and IP ports (i.e. whitelist only the
necessary traffic).

Step 6: Re-enable the packet filtering in the router. Crack open a beer, you
deserve it.

Step 7: Goto step 4.

After a few iterations, you might be able to finish your beer in step 6. After
a few weeks, you might even get enough time to enjoy your beer.

[1] [https://en.wikipedia.org/wiki/Software-defined_networking](https://en.wikipedia.org/wiki/Software-defined_networking)

[2] Most light bulbs are not directly on WiFi but are instead on a low power
network like Zigbee or Z-Wave. They come with an Ethernet-to-Z* gateway. This
is actually pretty good, because you can plug the gateway into your filtering
firewall and be in pretty good shape because you can treat all of your
lightbulbs as a device class and filter them with their ethernet attachment to
your router.

[3] Subnetting 10.0.0.0/8 can be a problem because your internet provider
thinks that they need to use 10.0.0.0/8 for the two IP networks on your side
of their internet attachment point. This is really stupid because their ToS
probably specify that you can have only one computer on their precious network
(that was sarcasm again. maybe.), so they are blocking 16777214 IP addresses
so that they can have one for themselves (10.0.0.1) and provide 1 for you.
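The default-deny, allowlist-only policy between device-class VLANs that GICodeWarrior's firewall-rules comment and gvb's steps 3 to 5 both describe, as an added example that is not code from the thread or from the blog post: a Python model of a router on an 802.1Q trunk that reads the VLAN ID from the tag, drops a frame whose source address is outside that VLAN's subnet, forwards same-VLAN traffic, and otherwise drops anything not on the allowlist. The VLAN numbers, subnets, MAC addresses and the camera port 554 are constructed for illustration.

```python
import ipaddress
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# Constructed VLAN plan: one /24 per device class, numbered from 100 as suggested above.
VLAN_SUBNETS = {
    100: ipaddress.ip_network("192.168.100.0/24"),  # trusted laptops
    110: ipaddress.ip_network("192.168.110.0/24"),  # IP cameras
    120: ipaddress.ip_network("192.168.120.0/24"),  # light bulbs and wall switches
}

# Allowlist of (src_vlan, dst_vlan or "internet", proto, dst_port); anything else is dropped.
ALLOW = {
    (100, 110, "tcp", 554),         # a laptop may pull a camera stream (constructed port)
    (100, "internet", "tcp", 443),  # trusted devices may reach the internet
    (100, "internet", "tcp", 80),
}

def tagged_frame(vid: int, payload: bytes = b"") -> bytes:
    """Build a minimal 802.1Q tagged IPv4 frame with constructed MAC addresses."""
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!HHH", TPID_8021Q, vid, 0x0800) + payload

def parse_8021q(frame: bytes):
    """Return (vid, ethertype, payload); vid is None when the frame carries no tag."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner_type, frame[18:]  # VID is the low 12 bits; PCP/DEI sit above

def vlan_for(ip: str):
    addr = ipaddress.ip_address(ip)
    return next((vid for vid, net in VLAN_SUBNETS.items() if addr in net), "internet")

def decide(frame: bytes, src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Apply the default-deny inter-VLAN policy as a router on a trunk port would."""
    vid, _, _ = parse_8021q(frame)
    if vid not in VLAN_SUBNETS:
        return "DROP: untagged or unknown VLAN"
    if ipaddress.ip_address(src_ip) not in VLAN_SUBNETS[vid]:
        return "DROP: source address not in its VLAN"  # a device claiming another class's address
    dst_vlan = vlan_for(dst_ip)
    if dst_vlan == vid:
        return "FORWARD: same VLAN"
    if (vid, dst_vlan, proto, dport) in ALLOW:
        return "FORWARD: allowlisted"
    return "DROP: default deny"
```

Untagged frames arriving on the trunk are dropped rather than mapped to a native VLAN, which is the conservative choice when every port carrying more than one device class is meant to be tagged.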

~~~
edent
Yes, but what _sort_ of beer? ;-)

Any suggestions for hardware which can accomplish this? Might scour eBay for
some company discards.

Good point about the light bulbs, although the Lifx ones I have _are_ direct
WiFi connections. Was wary of Hue after their compatibility shenanigans, but
there's a certain simplicity in having them all hang off a central hub.

~~~
ryan-c
I have an EnGenius EAP600 as my access point which allows for up to 8 SSIDs,
each of which can be mapped to a different VLAN. It also supports a feature
called client isolation, which prevents clients from talking directly to each
other. These features make what gvb suggests a little easier. My router is
simply a Linux box running Debian (currently a Supermicro SYS-5018A-TN4,
previously I had a Soekris net4801, then a Dreamplug).

All of my ethernet switches are Netgear SOHO models that support most
enterprise features (I use RSTP, VLANs and LACP). I have a couple of GS108Ts, a
GS716T and a S3300-28X. With these switches I can maintain isolation via VLANs
even with multiple switches, and most of the VLANs go into my router via a
cheap 10GbE SFP+ card I got on eBay.

Currently, I've got the following "smart" devices:

WiFi Scale

Smart TV (ethernet)

Roku (ethernet)

PS3 (ethernet)

PS2 (ethernet)

Raspberry Pi 2 running OpenELEC (ethernet)

None of them are allowed to talk to each other.

------
tomc1985
Can Tomato do this?

