Home network: Simply want to separate guest/toxic devices from the trusted ones

2

I want to configure my home network in a more "secure" way and can't seem to find any obvious way to do it, even though it seems to me a pretty common need.

The idea is that I don't want some of the wired and wireless devices connected to be able to communicate with any other devices of the network. I only want them to have internet access. I will call these devices "toxic" devices. I don't want to make a difference whether the device is connected using WiFi or wire; they may be "toxic" or not.

Here are the "optional" requirements, but I would very much like these to apply:

  • Avoid as much as possible duplicating hardware or wires only to separate the "toxic" from the non-toxic.
  • If possible, it should be "soft-configured" which device is toxic or not, and I should be able to switch a device from toxic to non-toxic without the need to manually change the underlying wires.
  • Toxic devices shouldn't be able to communicate with each other (but I could tolerate that these are all in the same subnet).
  • For performance reasons, keep only 1 WiFi device activated per frequency range (ex. 1 x 2.4GHz + 1 x 5GHz)... (Don't 2 WiFi devices next to each other have to split the bandwidth??)

Here is my hardware:

  • LinkSys BEFSX41 (old stuff, wire-only router)
  • Cisco Linksys EA3500 (2.4GHz, 5GHz)
  • An ISP (Bell) custom router (2.4GHz). The WAN port can't be used because it seems hardcoded to a specific gateway. Currently used as a WiFi access point only.
  • (I also have a switch, but I don't think it is relevant here)
  • I would be willing to invest more money in some hardware (about $300 max)

My current setup:

  • LinkSys BEFSX41 not used.
  • LinkSys EA3500: all WiFi is disabled.
  • Custom router used as a WiFi access point.
  • Everyone has access to everything behind my firewall.

Image: Current Network

NoNameStackExchange

Posted 2017-09-17T15:50:56.057

Reputation: 21

I do not expect anyone to "hack" my network. I just want to avoid broad spectrum viruses to infect my network's computers/devices – NoNameStackExchange – 2017-10-16T00:30:31.780

Answers

-1

Use VLANs

VLANs (virtual LANs) segregate devices into separate LANs, just as they would be if you set up distinct physical networks. Devices on one VLAN cannot communicate with those on another VLAN, unless you specifically permit them to do so.

Because VLANs are implemented in your network switch(es), you don't need "extra" hardware, aside from a VLAN-capable switch, to implement such a configuration.

In your case you would be best served by a Layer 3 VLAN-capable switch. A layer 3 switch can act as a router, which is necessary on a VLANed network to route traffic between the various VLANs and the Internet (and other VLANs, if desired). Such switches often include the ability to create Access Control Lists (ACLs) which are like firewall rules, allowing you to control which traffic, if any, can move between VLANs.

Sample Configuration

Your switch setup might look something like this:

  • Port 1 connects to Internet router. It's in VLAN 1 and has an IP in the same subnet as your Internet gateway.

  • Ports 2-16 are in VLAN 10, untagged. This is your trusted network.

  • Ports 17-24 are in VLAN 20, untagged. This is your untrusted network.

  • VLANs 10 & 20 have separate IP subnetwork addressing.

  • The switch is configured as each subnet's default gateway. Attempts to access the Internet therefore go through the switch, which in turn is configured with your Internet router's IP as its default gateway, facilitating a connection to the Internet.

Wireless Connectivity

To provide wireless services to each VLAN, you either need separate access points connected to each VLAN, or a wireless access point that supports VLAN tagging. In the latter case, such an AP would "tag" traffic for SSID "trusted" with VLAN ID 10, and SSID "untrusted" with ID 20. You would configure the switch port the AP connects to as being "tagged" in VLANs 10 and 20. Then, depending on which SSID a client is connected to, its traffic gets presented to the switch as part of its respective VLAN.

How you specifically configure a VLAN will depend on the switch you use.

Further Reading

I say Reinstate Monica

Posted 2017-09-17T15:50:56.057

Reputation: 21 477

@downvoter: Please explain how this post could be improved. – I say Reinstate Monica – 2017-09-19T09:32:27.943

-1

An important question here is whether you own all of these devices yourself, and just want to separate out those you don't trust, or whether you expect guests to bring their own devices, and you don't trust them and suspect them to be able to "hack" into your home network.

The bulletproof way to do this for WLAN is to configure a single device to offer two access points (APs) with different SSID and different pre-shared key (PSK). Most modern hardware is able to do that. If the firmware on your existing hardware doesn't offer this option, try installing something like OpenWRT. OpenWRT also already has documentation on how to configure it.

As you can see in this documentation, you configure the different APs differently: You can add the "isolation" option to the guest AP so guest devices can't communicate with each other. Of course you don't bridge the APs, so they are not in the same network segment. You update the firewall settings (iptables rules) so devices from the guest AP can't contact the devices in the rest of the network. (Just like you'd do it for the "endpoints" of the two different LANs below).

For LAN, things are more difficult. If you own all the devices, or if you don't suspect anyone will be using them to "hack in", you can use VLANs: untagged for the "toxic" devices (because usually they won't expect VLANs), and a single tag for the "non-toxic" devices.

However, this is unsafe: Nothing prevents someone from reconfiguring a toxic device to react to VLAN, possibly after sniffing the LAN to discover the tag. For that case, you need to physically separate the LAN that is accessible to "toxic" devices from the general LAN for "un-toxic" devices, and make sure the wall sockets etc. for the latter are not generally accessible. For a home network, this is overkill, so it really depends on what level of security you want.

I repeat: VLANs are not a security feature (even if some people think so). The security relies on controlling physical access to network ports. Once you have this, it doesn't really matter if you implement different policies on different groups of network ports by connecting them to different switches/routers, or by connecting them to a switch with VLANs so you have different "virtual switches", or by connecting them to a piece of hardware that treats different ports differently.

You don't need to buy new expensive switches etc. for VLANs; most routers will support VLANs with the existing hardware (again with OpenWRT etc. installed, or rooted, if necessary).

If you can't control physical access to the network ports, the only way to achieve security is if the "non-toxic" devices share some kind of cryptographic secret with the router, that the "toxic" devices don't share.

So another option for LAN is IPSec or some other sort of secure tunnel: Basically you share a secret key between the "non-toxic" devices and the router, and "tunnel" all traffic between the non-toxic devices and the router over a secure connection. That's not so easy to set up, though, and also needs support on the "non-toxic" devices (more than VLAN, anyway). Again, OpenWRT has documentation.

dirkt

Posted 2017-09-17T15:50:56.057

Reputation: 11 627

Nothing prevents someone from re-configuring a toxic device to react to VLAN... This is incorrect (unless the VLAN has been incorrectly configured). Untrusted devices should be connected to untagged ports in the untrusted VLAN. Only untagged traffic is accepted on these ports, and that traffic will not be able to escape the untrusted VLAN. Should the toxic device tag its traffic with the trusted VLAN's ID, the switch will simply reject those packets since it's not accepting tagged traffic on said port. – I say Reinstate Monica – 2017-09-19T02:00:27.767

@Twisty: This only works if you can guarantee that tagged ports are not physically accessible. Nothing prevents me from unplugging a trusted device which is connected to a tagged port, plugging in my untrusted device, sniffing the network to find out the VLAN tag, and then configuring the network interface to accept the VLAN tag. So it's correct, not incorrect. :-) And it depends on physical security, as I've said in the answer. – dirkt – 2017-09-19T05:50:23.197

@Twisty: Yes, of course you need further configuration to treat the APs differently. For example, you don't bridge them ... – dirkt – 2017-09-19T05:51:07.810

@Twisty: It's a home network. As I wrote at the beginning of the answer, you need to decide on the level of security you want to have, so NoNameStackExchange will have to explain what kind of "toxic" devices he expects and wants to proof against. – dirkt – 2017-09-19T10:04:01.030

@Twisty: Included a high-level overview of the two AP configuration (as described in the linked documentation in detail) in the answer. – dirkt – 2017-09-19T10:14:24.217

Your added info is better. However, claiming VLANs or any other technology that can be defeated by physical access is not a security feature is false. It's a security feature that can be defeated by physical access. – I say Reinstate Monica – 2017-09-19T10:19:12.493
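The two answers describe the same split from different angles: the first answer's port-per-VLAN layout with a tagged uplink for a VLAN-aware AP, and the second answer's extra isolated SSID on an OpenWRT device whose firewall lets the guest network reach only the Internet. The following constructed OpenWRT (2017-era, swconfig-style) UCI configuration combines both; it is an added example, not code from either answer or from the OpenWRT documentation, and the switch port numbers, subnets, interface names (eth0.10, eth0.20, radio0) and the PSK placeholder are assumptions that vary by device.

```uci
# /etc/config/network (constructed example; swconfig port numbers are placeholders)
config switch
	option name 'switch0'
	option enable_vlan '1'
# VLAN 10 trusted: ports 1-3 untagged. VLAN 20 untrusted: port 4 untagged only, so a frame a toxic device tags with VLAN 10 is dropped at the port. 5t = tagged uplink to an optional VLAN-aware AP, 6t = CPU port.
config switch_vlan
	option device 'switch0'
	option vlan '10'
	option ports '1 2 3 5t 6t'
config switch_vlan
	option device 'switch0'
	option vlan '20'
	option ports '4 5t 6t'
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.10'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
config interface 'guest'
	option type 'bridge'
	option ifname 'eth0.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
# /etc/config/wireless: second SSID on the existing radio, attached only to 'guest'; isolate keeps guest clients apart
config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option network 'guest'
	option ssid 'untrusted'
	option encryption 'psk2'
	option key 'GUEST-PSK-PLACEHOLDER'
	option isolate '1'
# /etc/config/firewall: guest may reach wan and the router's own DHCP/DNS, nothing else
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
config forwarding
	option src 'guest'
	option dest 'wan'
config rule
	option src 'guest'
	option proto 'tcpudp'
	option dest_port '53 67'
	option target 'ACCEPT'
```

Clients on the guest subnet still need a `config dhcp 'guest'` section with `option interface 'guest'` in /etc/config/dhcp, and the trusted SSID is a second wifi-iface attached to network 'lan'. Moving a wired device between "toxic" and trusted is then a matter of editing which VLAN its port is untagged in, with no re-cabling.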