Let’s talk about ‘IoT’, ‘Servers’ and ‘Other’ stuff on your home network.
Keep your network components separated. Let me say that again, re-worded: keep the devices on your network away from each other.
I’m not talking about VLANs here. Yes, that’s one way to do the trick, but for a home user it can be a bit out of reach. We’ve all seen the meme where the super-tech guy doesn’t want any tech in their house because it “could be listening”, and if the toaster makes an odd noise they’ll throw it out the window. Not this guy. I’m all about not getting out of bed to flip the light switch that’s 8 feet away from me. I’ll grab my phone and trigger it to turn off. This, of course, comes with a security risk.
Now that you know the basis of what I’m talking about, let’s jump right into the meat and potatoes of this post.
1. Put your IoT devices onto their own access point. Yes, a physical access point. VLAN hopping is real, and again, VLANs can be out of reach for your mom & pop.
2. Put your servers onto their own network too. The servers are probably OK behind a router and then a VLAN/etc., but remember that we’re talking about a home setup or mom & pop’s house. It’s not too far-fetched these days to apply the same principle and put your servers behind their own router.
3. Put your phones/laptops/etc. onto their own router/access point too.
4. Put gaming devices on their own WiFi. This last one is a personal preference: I have no evidence to back up the “speed gains”, but it gives me a warm & fuzzy that they’re not competing with other devices as much.
How do you make this happen? There is a cheap route and an expensive route, and both come with trade-offs in security.
- The cheap route:
Go to your local thrift store and find a couple of old routers. The trade-off here is that the firmware is probably going to be way out of date and have its own potential threat vectors. The upside is that if an IoT device is compromised, it probably doesn’t matter much if the router for it has a couple of issues; we’re separating that network completely anyway. I’m not advocating for opening up security issues, but it might be possible to flash it with DD-WRT to get it a bit more up to date. Just pull up the DD-WRT compatibility list while you’re in the store to see if the model is on it. Another downside to this route is that the hardware may only be 10/100 Mbps. That’s OK for your IoT network, but not so great for other stuff you may be working with. Whatever you do, configure the router to disable the 5 GHz band if possible. Every IoT device I’ve worked with has used 2.4 GHz, so by disabling 5 GHz you’re not sending out junk wireless signal for your other access points to compete with. What about the other hardware where I want 1 Gbps or faster? Well, that’s the next option.
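One caveat on the cheap route: a second router behind your main one NATs the IoT devices, but it does not stop them from opening connections toward the upstream “main” LAN its WAN port is plugged into. The script below, an added example that is not from the original post, is a DD-WRT-style firewall script for that IoT router: it drops and logs new connections from the IoT bridge into the upstream LAN while still letting replies through (so your phone can keep controlling the lights via a port forward). The subnet, interface name and resolver address are assumptions for this example; adjust them to your layout.

```shell
#!/bin/sh
# Added example for the thrift-store IoT router (not code from the post).
# Assumed layout (constructed): the IoT router's WAN sits on the main LAN
# 192.168.1.0/24 and its IoT clients hang off DD-WRT's LAN bridge br0.
UPSTREAM_LAN="${UPSTREAM_LAN:-192.168.1.0/24}"   # main LAN the IoT router's WAN plugs into
IOT_IF="${IOT_IF:-br0}"                           # LAN bridge the IoT clients sit on
UPSTREAM_DNS="${UPSTREAM_DNS:-}"                  # set only if IoT clients are handed an upstream resolver

# Print the iptables commands instead of running them, so the ruleset can be
# reviewed first (on DD-WRT, paste the output under Administration > Commands
# and use "Save Firewall" so it survives a reboot).
iot_isolation_rules() {
    # Each -I inserts at the top of FORWARD, so emit in the reverse of the
    # order the rules must be evaluated. Resulting chain, top to bottom:
    #   ACCEPT replies to connections the main LAN opened (port forwards),
    #   [ACCEPT DNS to the upstream resolver, if configured],
    #   LOG new IoT->LAN attempts (rate-limited, for spotting a compromised device),
    #   DROP everything else from the IoT bridge toward the main LAN.
    echo "iptables -I FORWARD -i $IOT_IF -d $UPSTREAM_LAN -j DROP"
    echo "iptables -I FORWARD -i $IOT_IF -d $UPSTREAM_LAN -m limit --limit 6/min -j LOG --log-prefix \"IOT->LAN blocked: \""
    if [ -n "$UPSTREAM_DNS" ]; then
        echo "iptables -I FORWARD -i $IOT_IF -d $UPSTREAM_DNS -p udp --dport 53 -j ACCEPT"
        echo "iptables -I FORWARD -i $IOT_IF -d $UPSTREAM_DNS -p tcp --dport 53 -j ACCEPT"
    fi
    echo "iptables -I FORWARD -i $IOT_IF -d $UPSTREAM_LAN -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Apply the rules on the router (needs root). Set APPLY_IOT_RULES=yes to run.
apply_iot_isolation() {
    iot_isolation_rules | sh -e
}

if [ "${APPLY_IOT_RULES:-no}" = "yes" ]; then
    apply_iot_isolation
else
    iot_isolation_rules
fi
```

Blocked attempts show up in the router's syslog with the `IOT->LAN blocked:` prefix, which is a cheap way to notice an IoT device that has started scanning the rest of the house.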
- The less-cheap route:
Buy an off-the-shelf router, or re-use what you have, for your gaming and/or other-devices network. Sometimes you can even use this same router with a “DMZ” feature for your server network. A DMZ is basically just another subnet that you’ve locked down to allow only specific access. Fancy word, basic security. This router will probably still get security and/or firmware updates from the vendor, so there’s a good chance it’s fine to leave as is, as long as you’re actually applying those updates. If it’s reached end-of-life, check the HCL (hardware compatibility list) for DD-WRT, because you might find you can squeak out a few more years with what you’ve got.
- The server network:
When it comes to your servers, this probably depends on the size of your home network. I have a router/access point that I use for my server network, but I disable its WiFi. This way I’m not sending out useless signals. Also, nothing in my server network uses WiFi… but maybe I could experiment with this. Another angle is that it reduces the attack surface of your server network, since no wireless exploits can be used against it if WiFi is disabled.
Why do all this for your home network, though? With the increase in IoT devices and so many phones, laptops, gaming consoles, fridges, etc. making their way onto our networks, it’s better to have a secure approach to using them now instead of having a problem later if something gets compromised. Security comes with additional steps, such as port-forwarding from the phone/laptop network into the server network, but once it’s set up you don’t really have to think about it again until a new server is set up. A little bit of work early on makes me sleep easier at night, and if we all do something similar to this, we could greatly reduce our attack footprint.
One final note that’s not required but potentially a good idea: each router could be a different brand. That way, if a flaw is found in TP-Link, your Linksys isn’t impacted. Again, it introduces a layer of vendor confusion, learning new setups for various devices, but it might help prevent an attack. It could also just be dumb, because one second-hand device I snagged is limited to only 16 port forwards. Odd.