Walling off IoT devices

MichaelRSorg (routersecurity.org):
On the Jan 26th show Steve discussed the issue of isolating IoT devices.
  1. The simplest way to do this is a Guest WiFi network. Every router should be able to create one; some will create one on each frequency band. I have seen a number of Asus routers that let you create 4 Guest networks.
  2. Another option is to use two routers. I blogged about hiding the most important (work from home) devices behind their own router here; the big reason is to benefit from the firewall in the second router.
  3. The most sophisticated way to do this is with VLANs, but consumer routers do not support VLANs. Steve uses pfSense, which, I am sure, does. So too should OPNsense. I like Peplink routers and they all do VLANs. For more on the concept of VLANs see
I think the simplest for a security <have not>, i.e. someone who is a consumer with no clue is to use the guest network and ensure client isolation is turned on and no access to the host network is allowed. Given the person will be a technology and security <fill blank here>, it has to be easy (and they will not do it of course).

With IoT devices you have to assume one will fail, and when it does, the network will feel it.

At work, I am insisting that we segregate compute networks from building/infra and segment infra, in the context of IoT, into two buckets:
  • Functional buckets based on criticality (i.e. what can be tolerated when it all goes down, contains no sensitive data, etc.)
  • Provider buckets so that outsourcing can work and be replaced and that SLAs can be met. You don't want a service provider impacted when another service provider's kit goes postal!
In the context of a home network, I see it continuing to be flat and people continuing to be impacted when an IoT device goes into some kind of meltdown. It's all good ideas, but the <have nots> will be exposed to this risk unless it's made baby-simple.
 
A better solution might be not to have any IoT devices at all.
Indeed. However, they can be necessary for various useful (non-frivolous) things. In those cases, keeping them isolated from the LAN is important and wise, particularly when they fail or are compromised, or may do so. That is worth protecting against, since IoT devices probably will fail or be compromised at some point, and isolating them adds both security and peace of mind.
I agree with your underlying statements. Could you please enlighten me, and possibly others, what these useful things are? I think IoT things are an abomination and should be removed from the face of the Earth.
...and I agree with the sentiment you express regarding IoT things, mostly because of the general population's naiveté about and/or absence of concern for personal security and privacy. I want to rant about a few things now, but I'll forbear: you're just as aware of the annoyances caused by things left unsecured. Open the door even a crack and it's likely to be open WIDE before long. It's sad that the general population comprises the majority of the ownership of those things.

While I was writing about "various useful (non-frivolous) things" above, I was thinking of unknown future items that might prove useful to us in unknown ways when we're away from home, and, more specifically, the IoT things of Steve's that he mentioned in SN-803. They are useful in that they perform a function for him. He is careful to note that he keeps them isolated from his LAN. From the transcript:

[Steve:] I've got those $5 Govee plugs, and they work great. But there's no way I'm fooling myself that there's anything secure about them. It's getting a turn-on/turn-off signal from China twice a day. And as a consequence, it is well isolated on its own network. But I and some subset of the listeners of this podcast are probably the only people doing that today. Maybe we're being overcautious. But, boy, I would not want my internal home network exposed to IoT things that are reaching back to, I'm sure, well-meaning Chinese companies and their servers because there's no telling what they're able to do.

He says, "Maybe we're being overcautious." I don't think so, because you never know... which is pretty much how he summed it up.

I thought he mentioned, in some relatively-recent episode, a temperature or humidity monitor used for safety, the status of which was viewable from his phone, but I can't find a reference right now so I must have misremembered that.
 
Hi All. Years ago @Steve talked about IoT security and introduced the "3 Dumb Routers" concept. He's revisited the topic from time to time.


This was in 2016. I wrote some blog posts around that time largely based on @Steve's work. While times have changed and technology has advanced, the 3 Dumb Routers process still works.

In this setup, you have one router for your IoT, one router for your trusted stuff, and a third router which joins the first two together and feeds to the internet in a "Y" fashion. I've been using a variation of this for years.

Physically, you wire the "WAN" or "internet" output of the IoT router to a LAN port of the edge router. You wire the "WAN" or "internet" output of the trusted router to a LAN port of the edge router. Then, you run the "WAN" or "internet" port of the edge router to your cable modem or DSL modem. If you're using WiFi, you can have a completely separate SSID and channel for the IoT and the trusted things.

Here are links to my old blog posts. Not only did I write them years ago, I read them then as well. Some things may be dated. Still, there should be some good info.
@MichaelRSorg Your 2 router article is cool. I didn't get a chance to read the VLAN article. That stuff about having to have an account with the router vendor or it checking in with the mother ship (other than for updates) is troubling.

For very techie people, you can replace the firmware, if you have a compatible router, with something like DD-WRT, OpenWRT, or Tomato. I've been using DD-WRT for years and I turn off all external services. If you do this wrong, you can turn your router into an expensive plastic brick. You've been warned.

May your bits be stable and your interfaces be fast. :cool: Ron
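Every layout in this thread (the guest WiFi, MichaelRSorg's two-router setup, VLANs on pfSense/OPNsense, and the 3 Dumb Routers "Y" above) rests on one property: a host on the IoT side must not be able to reach anything on the trusted side. The script below is an added example, not code from Ron's posts, from Steve's show or from any GRC material; it checks that property from a laptop joined to the IoT segment. The segment addresses, the allowed-pairs policy and the target list are constructed assumptions to be edited for your own routers.

```python
"""Verify that an IoT segment really is walled off from the trusted segment.

Run from a host on the IoT side (guest WiFi, the IoT router's LAN, or the
IoT VLAN). Every probe toward a trusted-segment address should come back
"not reachable"; a host that answers at all is a hole in the wall.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed example addressing for the 3 Dumb Routers layout: the edge
# router's LAN is the "Y" that the IoT and trusted routers hang off.
SEGMENTS: Dict[str, ipaddress.IPv4Network] = {
    "edge": ipaddress.ip_network("192.168.1.0/24"),
    "trusted": ipaddress.ip_network("192.168.10.0/24"),
    "iot": ipaddress.ip_network("192.168.20.0/24"),
}

# (source, destination) pairs where a successful connect is acceptable.
# Everything else should be blocked. With guest-network client isolation
# turned on, drop ("iot", "iot") as well. This policy is an assumption.
ALLOWED = {
    ("trusted", "trusted"),
    ("trusted", "iot"),      # you may want to talk to your plugs
    ("trusted", "edge"),
    ("iot", "iot"),
    ("iot", "edge"),         # the IoT router's upstream path
}


@dataclass(frozen=True)
class Probe:
    src_segment: str
    dst_host: str
    dst_port: int
    reachable: bool


def segment_of(ip: str) -> Optional[str]:
    """Name of the segment containing ip, or None (e.g. an Internet host)."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(probe: Probe) -> str:
    """Compare one probe result against the policy."""
    dst = segment_of(probe.dst_host)
    if dst is None:
        return "off-segment"
    allowed = (probe.src_segment, dst) in ALLOWED
    if probe.reachable and not allowed:
        return "VIOLATION"
    if not probe.reachable and allowed:
        return "blocked-but-allowed"   # not a security problem, just FYI
    return "ok"


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if the host answered at all. A refused connection still proves
    the packets crossed the boundary, so it counts as reachable; only a
    timeout or "no route" counts as blocked."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return True
        except ConnectionRefusedError:
            return True
        except OSError:
            return False


Result = Tuple[str, int, bool, str]


def run_checks(src_segment: str, targets: List[Tuple[str, int]],
               probe: Callable[[str, int], bool] = tcp_reachable) -> List[Result]:
    """Probe each (host, port) and attach the policy verdict."""
    results: List[Result] = []
    for host, port in targets:
        reachable = probe(host, port)
        verdict = evaluate(Probe(src_segment, host, port, reachable))
        results.append((host, port, reachable, verdict))
    return results


def violations(results: List[Result]) -> List[Result]:
    return [r for r in results if r[3] == "VIOLATION"]


if __name__ == "__main__":
    import sys
    src = sys.argv[1] if len(sys.argv) > 1 else "iot"
    # Constructed targets: trusted router, a trusted PC, the edge router.
    targets = [("192.168.10.1", 80), ("192.168.10.50", 22), ("192.168.1.1", 80)]
    results = run_checks(src, targets)
    for host, port, reachable, verdict in results:
        print(f"{src:>7} -> {host}:{port:<5} reachable={str(reachable):<5} {verdict}")
    sys.exit(1 if violations(results) else 0)
```

Run it as `python3 check_isolation.py iot` from a machine joined to the IoT WiFi; any VIOLATION line means the IoT segment can see a trusted host, which is exactly what the extra router or VLAN was supposed to prevent. Note that in the "Y" layout the edge router's own LAN address stays reachable from the IoT side, because that is the IoT router's upstream path, so the edge router's admin interface deserves the same scrutiny as the trusted hosts.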
[image attachment: CaeVwfxVAAAogSs.jpg]

I created this and posted to Twitter when Steve originally explained his 3 Dumb Routers idea.