Making A Rabbit Hole In Your Home Network…For Security.

I originally got into networking because I obsessed over firewalls and making virtual networks as secure as possible – the physical and logical design of my home network was always a testing ground. Businesses consider network design all the time.  They consider the repercussions of cat5, 5e, 6, coax and fiber.  They segment subnets and VLANs for various reasons. But as a tech geek, I like doing a lot of work from home. Lately, though, I’ve been forcing myself to face a hard question — “at what point do I say, ‘that’s good enough.’?”

A few weeks ago, the Security Now podcast covered a segment called ‘Three Dumb Routers’ where the moderator-in-chief, Steve Gibson, made the recommendation to isolate a home’s Internet of Things devices from the remainder of your network. The long and short of it is that you have an edge router and two inner routers that are plugged into the LAN jacks of the edge router. The inter routers NAT all devices independently so you have isolation for Internet of Things devices (Nest, Smart TV, etc) and non-Internet of Things devices (like your computer, tablet, etc). For most people I believe this to be adequate advice. If one of those pesky IoT devices, which routinely needs to reach back to its mother ship on the Internet, has a critical vulnerability, you’re not going to end up with a bad guy and a reverse shell sitting in your juicy parts where you keep your finances, pictures, taxes, and other sensitive information.

As expected, though, there are a few things that the Three Dumb Routers solution doesn’t really address too well:

  1. Should your smartphones and tablets commingle with your desktops and laptops?
  2. Should your printer (assuming it is connected via ethernet or wifi) exist on the same network as your desktops/laptops? Isn’t it really just a comfortable IoT device?
  3. What about a guest network? Shouldn’t that be isolated too?
  4. Should a home security system be isolated from other IoT devices because of its importance?

So me being a paranoid person, I definitely decided it’s worth making isolated segments for my home network, especially after reviewing the non stop DoS attacks on my router logs every day, among other things, but more so when one of my VPS’s was hacked, which then led to the hacking of 200 domains names I owned at godaddy. The attacker pointed all 200 to spam sites, and I didn’t find out about it for 24 hours, there was some damage done..

Network design with security in mind is remarkably similar at both ends of the spectrum, and everywhere in between. Our ultimate “best design” that we would want is modeled after the capabilities offered in our S/I/PaaS cloud partner, Amazon Web Services.  There, you can define rules in (among other constructs) a Security Group, which acts as a network-resident host-based firewall.  What it ultimately comes down to is that unless a device has an explicit need to communicate directly to another device it should be isolated. The challenge?  That level of isolation with central control just doesn’t exist for the home network.

The bottom line is, without the big enterprise tools at our fingertips, home networks are just more difficult to design and secure – especially as more and more internet-leveraging devices are introduced.

So what can/should you do? Well, for starters…

  1. Secure your home network by protecting your wifi with a good STRONG password or disabling wifi if by some chance you don’t actually use it.
  2. This password should be changed periodically – much like your online account passwords.
  3. Monitor your wifi connections for unusual or suspicious traffic. Many modern routers allow you to view connections and connection history. If you feel particularly adventurous you should check out the capabilities of DD-WRT.

If you want to go the extra effort and protect your computer against the IoT vulnerability:

Isolate your IoT devices with a separate router. 

Enable MAC address filtering for all wifi connected devices (including IoT). This doesn’t protect against IoT vulnerabilities but it certainly will limit people from hopping onto your wifi without approval. Yes, this requires ongoing maintenance as new devices are introduced. Suck it up. Security and usability both have to give and take a little.

If you see suspicious connection attempts, identify the IoT device at fault, remove it from your network and change your wifi password.

Configure your router to limit the internet accessibility of IoT devices if they don’t require it. I don’t know why you would connect an Internet of Things device to a router but then limit its access to the Internet but in one case I found that a home security NVR had capabilities that were valuable only on a local network vs. the risk of giving it WAN access.

If you frequently host parties or have visitors who ask you for your home wifi password…

  1. Make sure your router supports a deep level of isolation for the guest segment.  If not, invest in a separate wifi router for the guest network.
  2. Plug its WAN link into the LAN port of your edge router. and make sure it is NATing the connections on a separate subnet from the rest of your home network.
  3. To limit usage when you’re not expecting it, find a router that allows you to schedule network uptime if possible. Configure that capability. There are several I found with a simple google search that are less than $50.
  4. If scheduling isn’t a capability of your existing router, physically unplug its WAN connection when guests don’t need internet access. This is the easiest thing you can do to lower the risk of someone downloading questionable content under your name via your ISP.
  5. Enable parental controls to limit the junk people can download. Don’t just give them a free pipe to the Internet. It’s dangerous out there!
  6. Change the password frequently – subject to your own discretion depending on how many shady people you have over for parties and how often.
  7. Keep your wifi security mode in WPA2 – CCMP-AES, don’t use the hybrid setting of WPA/WPA2. WPA-TKIP/CCMP-TKIP is not as secure as CCPM-AES.

For the ‘money-is-no-object’ folks out there… this is where it gets ugly interesting…

  1. Isolate everything to the point where functionality isn’t impacted adversely.
  2. Printers that don’t need to be connected to your network and can be connected directly to your computer via USB cable should be. Again, dial back your network risk by removing potentially vulnerable devices from your network.
  3. Don’t share your printer via your computer, unless you absolutely have to. Sharing a printer via your OS requires a port to remain open and the goal is to have as few ports open at all times. If you have to do it, secure it.  Good IAM is always good practice.
  4. In the spirit of true isolation, isolate IoT mesh networks from each other. If you have a Nest/Fire Detection system and a set of IoT LED mesh-network light bulbs, they probably have zero reasons to be sharing the same network. Don’t let them. The light bulbs might make it easy to obtain the credentials to your network. Ugh…
  5. I vote to keep your tablets and phones on a separate network than your laptops/desktop computers. You used to need them to co-mingle… not so much anymore. And if a vulnerability exists on your iPhone or Android your computer could be at risk. (Editor’s note:  Tread lightly here. Internal peer-to-peer connectivity isn’t dead yet…)
  6. Don’t connect your Smart TV or DVD player to your network UNLESS YOU NEED THEM TO ACCESS THE INTERNET!

“But I have a NAS for storing all my important data, backing up all my files, hosting my media content for my living room, hosting a VPN server, etc… What am I to do?”

This is where it gets really tricky, and there is no single great solution. The key to remember is this: For every device or service you enable on your network, at least one port needs to be open to support it. That device and/or protocol may have a vulnerability and it is incumbent on the owner of that device to maintain it. This means that if you host a VPN server on your network, you must patch it frequently and not just let it sit there unmonitored. If your media server is running Plex – stay up-to-date with releases. They don’t just enable new features… they fix bugs. Patch and update your systems. Disable unnecessary services.

Isolation is good.  But isolation for isolation’s sake, which leaves your network brittle, error-prone, and unsupportable is not good.  Just like we tell all of our customers — identify risks, prioritize them, and remediate the biggies.  The enemy of perfect is good enough.  Make your home network good enough.  And no, it doesn’t come that way out of the box.


Partial Credits: https://www.alpinecyber.com/2016/04/07/home-network-segmentation-how-deep-doesshould-the-rabbit-hole-go/

Dana Onyshko
Security Researcher
dana@informationhacker.com