
I bought a new router and I'm thinking of making my network a bit smarter from a security standpoint.

My question now is: how can I make sure that an attacker cannot get into my "secure" network via properly insecure IoT devices (like smart TVs, IP cameras, printers, smart speakers or Zigbee gateways)?

For example, I have a NAS with 2 LAN ports which should be accessible from, e.g., an untrusted smart TV and my "secure" computer. I would create a read-only account for the TV, and read/write access only for my trusted devices. On the other hand, I might want to sync files from the internet to my NAS, so that device needs access to the internet and the intranet.

That TV can easily be plugged into a different port on my router, so I could build some kind of DMZ (not sure if that makes sense).

Then I also have a couple of WiFi devices like smart speakers which should not be able to harm my trusted devices, but should be able to be controlled by my "trusted" mobile.

I also have an "untrusted" printer which I need to access from my "trusted" computer; how should I handle this?

How would you set up a network where there are devices with different trust levels? VLANs? Routing? And how can I make sure that I can still control my "smart" devices while they cannot harm my computers or NAS?

rekire (edited by Glorfindel)
  • You could separate things into VLANs depending on their type (e.g. personal, IoT, servers, guest etc.). Then, you can configure firewall rules to determine which network(s) are allowed to talk in which direction. – multithr3at3d Mar 13 '21 at 23:45

1 Answer

To keep attacks out of a secure network, limit the ways they could break in. For example, don't put a WiFi router on the secure network because anyone can connect to it, even from outside your house. Also, if the devices on either network don't need to talk to each other, create a firewall rule that restricts that traffic.

If you're creating VLANs on the router, make sure that you can't access the admin interface over WiFi. Anyone can just hack your WiFi signal, log in to the admin interface, undo all of the security, and jump between VLANs. Look into VLAN hopping if you're creating VLANs on the same switch.

https://en.wikipedia.org/wiki/VLAN_hopping

All smartphones should be put on an untrusted network because any device that you walk around with every day in unknown environments can never be trusted. If you need to access something on the secure network from your phone, create a firewall rule if your router supports it.

I would recommend installing a dedicated router like pfSense or OPNsense on an old PC and using that as a router instead of a WiFi/router combo. Then put your WiFi router in bridge mode (which means it hands out the IPs it gets from pfSense to the devices on WiFi).

IP cameras should also go on the untrusted network and shouldn't have internet access or access to any other device on your network. A firewall rule should take care of that easily.

https://www.forbes.com/sites/zakdoffman/2019/08/03/update-now-warning-as-eavesdropping-risk-hits-millions-of-chinese-made-cameras/?sh=1930561d6bf2

Make sure your router is secure by ensuring your WiFi network has a strong password and by installing the latest firmware (it should be on the manufacturer's website). Don't buy routers from companies you've never heard of; however, even routers from reputable companies can be plagued with security vulnerabilities.

https://www.fortinet.com/blog/threat-research/fortiguard-labs-discovers-vulnerability-in-asus-router

https://nakedsecurity.sophos.com/2020/07/24/asus-routers-could-be-reflashed-with-malware-patch-now/

To regulate who has access to the network, most routers have a feature where you have the router only give out IP addresses to devices that you have whitelisted. That way if someone were to plug in an untrusted device, it wouldn't get an IP and couldn't connect to the internet.

https://helpdeskgeek.com/networking/how-to-whitelist-specific-devices-on-your-home-network-to-stop-hackers/

https://docs.netgate.com/pfsense/en/latest/services/dhcp/ipv4.html#mac-address-control

Here's a diagram of what I was talking about above.


  • Thank you very much for your input. You're just leaving out one point that is important for me: how do I manage the access from the trusted network to the untrusted network? Just with "simple" firewall rules? – rekire Mar 14 '21 at 06:52
  • What do you mean by manage access? The router should be able to separate the two networks and you should be able to manage both networks from the PC on the trusted network (it should have access to the router's admin interface). – Marc Woodyard Mar 14 '21 at 08:21
  • I mean that I can control my smart speakers from the mobile and my computer, but they should not be able to connect to my NAS, for example. For multi-room support the smart speakers might need to talk to each other, but maybe not with my smart TV. I'm not sure how I should manage that, or even if what I'm thinking about doesn't make sense at all. – rekire Mar 14 '21 at 08:26
  • You could create a firewall rule that allows a device to cross over to another VLAN. Here's an article that details how to set up multiple VLANs for different devices on a home network https://netosec.com/protect-home-network/ – Marc Woodyard Mar 14 '21 at 08:34
  • That makes sense so far. Now I need to find out what I can do with my current hardware to create that security setup. Thank you for your valuable links. – rekire Mar 14 '21 at 09:14
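The "simple firewall rules" asked about in the comments above are really a zone matrix: the trusted VLAN may open connections into the IoT and camera VLANs, IoT devices may only reach the internet and one NAS port, cameras reach nothing, and everything else is dropped, with replies admitted by connection tracking. The Python below is an added example, not code from the answer or from pfSense; it encodes that matrix, evaluates sample packets against it, and renders the same matrix as an nftables forward chain for a Linux router. The interface names, VLAN ids, subnets and NAS address are assumptions.

```python
import ipaddress

# Zones from the thread; interface names, VLAN ids and subnets are assumptions.
ZONES = {"trusted": ("vlan10", "192.168.10.0/24"),
         "iot":     ("vlan20", "192.168.20.0/24"),
         "cameras": ("vlan30", "192.168.30.0/24"),
         "wan":     ("eth0",   "0.0.0.0/0")}
NAS = "192.168.10.5"  # assumed address of the NAS, living in the trusted zone

# Which zone may open *new* connections to which: (src, dst, dst host, tcp ports).
# Anything not listed is dropped; replies to accepted flows pass via conntrack,
# so IoT devices can answer the phone/PC but never initiate into trusted.
ALLOW = [
    ("trusted", "iot",     None, None),  # phone/PC control speakers and TV
    ("trusted", "cameras", None, None),  # PC views the cameras
    ("trusted", "wan",     None, None),
    ("iot",     "wan",     None, None),  # TV/speakers need their cloud services
    ("iot",     "trusted", NAS,  {445}), # TV -> NAS share; read-only enforced by the NAS account
    # cameras: deliberately absent -> no internet, no other zone
]

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, (_, net) in ZONES.items():
        if name != "wan" and addr in ipaddress.ip_network(net):
            return name
    return "wan"

def decide(src_ip, dst_ip, dport=None, established=False):
    # Verdict for one forwarded packet: 'accept' or 'drop'.
    if established:  # conntrack already saw the accepted opening packet
        return "accept"
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for s, d, host, ports in ALLOW:
        if (s, d) == (src, dst) and host in (None, dst_ip) and (ports is None or dport in ports):
            return "accept"
    return "drop"

def render_nftables():
    # The same matrix as an nftables forward chain with a default-drop policy.
    out = ["table inet fw {", "  chain forward {",
           "    type filter hook forward priority 0; policy drop;",
           "    ct state established,related accept"]
    for s, d, host, ports in ALLOW:
        rule = f"    iifname {ZONES[s][0]} oifname {ZONES[d][0]}"
        rule += f" ip daddr {host}" if host else ""
        rule += " tcp dport { %s }" % ", ".join(map(str, sorted(ports))) if ports else ""
        out.append(rule + " accept")
    return "\n".join(out + ["  }", "}"])
```

Traffic between two speakers on the same IoT VLAN is switched and never reaches this forward chain, so keeping the speakers and the TV apart, as the comments consider, would mean giving the TV its own VLAN and row in the matrix.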