Advisory: put IOT devices on a separate LAN/vLAN for better security
-
Originally I thought: why not just read the BIOS clock on the motherboard? Well, I suppose that would work if there were only one physical PC. For coordinating backups and file date stamps among multiple PC's, I can see how an NTP server might be helpful. I'm still doubtful absolute accuracy on a home network matters for that, as long as all the PCs sync to the same time. Then again extreme accuracy would cover all possible edge cases, including ones I can't even imagine. I could just turn the GPS clock on and forget it...forever, with no NTP port on the gateway firewall. So, after thinking it through while writing this, I can finally see how for $20 it might be worthwhile after all. For a home network you'd only need one, and it would last a lifetime.
@NeverDie I might be missing something. What is the problem exactly to get time from the internet? Sure you may not need precise sync, but why bother yourself with GPS clock, or setting clock by hand, if every OS can pull time from public NTP severs?
-
@NeverDie I might be missing something. What is the problem exactly to get time from the internet? Sure you may not need precise sync, but why bother yourself with GPS clock, or setting clock by hand, if every OS can pull time from public NTP severs?
@monte Good question! I'm completely new to security hardening, and so I just assumed that the guy who posted the GPS NPT suggestion was aware of some threat. But if you aren't aware of one, then maybe there's no reason for it. :blush:
-
@petter said in Advisory: put IOT devices on a separate LAN/vLAN for better security:
If you do choose to use VM's you should use ESXi as a hypervisor.
Is ESXi essential? Basedon @monte 's recommendation above, I just recently made the leap from ESXi to Proxmox, and so far so good, including the ability to migrate VM's from one physical host to another. A bit of a learning curve, but so far it seems rock solid. The only downside I've noticed compared to ESXi is that booting from a USB isn't recommended, but that's minor.
@NeverDie I wouldn't.. check out this dedicated/embedded hardware.. used in many pieces of high end network appliances:
https://pcengines.ch/apu4d4.htmT.Weeks
-
@NeverDie I wouldn't.. check out this dedicated/embedded hardware.. used in many pieces of high end network appliances:
https://pcengines.ch/apu4d4.htmT.Weeks
@Thomas-Weeks said in Advisory: put IOT devices on a separate LAN/vLAN for better security:
@NeverDie I wouldn't.. check out this dedicated/embedded hardware.. used in many pieces of high end network appliances:
https://pcengines.ch/apu4d4.htmT.Weeks
You wouldn't... what? The pcengine you linked appears to be a 4 port router. What should I be learning/realizing from or doing with that piece of information? Is it meant for creating vlans or is it meant for getting the time from an atomic clock somewhere on the internet? Or something else?
-
@Thomas-Weeks said in Advisory: put IOT devices on a separate LAN/vLAN for better security:
@NeverDie I wouldn't.. check out this dedicated/embedded hardware.. used in many pieces of high end network appliances:
https://pcengines.ch/apu4d4.htmT.Weeks
You wouldn't... what? The pcengine you linked appears to be a 4 port router. What should I be learning/realizing from or doing with that piece of information? Is it meant for creating vlans or is it meant for getting the time from an atomic clock somewhere on the internet? Or something else?
@NeverDie that's not just a router it's a an x86 motherboard that you can install pfsense on. I think he meant, he wouldn't install pfsense in vm :)
It is also fairly priced, I have one of their products before, but didn't check them recently, that's a great choice for self-built firewall. -
I have an apu4d4. Started with Esxi and Opnsense in a vm, but esxi crashed when I was running a lot of traffic in opnsens. Instead I installed Debian on it and run just a basic nftables firewall. I run Proxmox on it as well. Here are performance benchmarks:
-
I have an apu4d4. Started with Esxi and Opnsense in a vm, but esxi crashed when I was running a lot of traffic in opnsens. Instead I installed Debian on it and run just a basic nftables firewall. I run Proxmox on it as well. Here are performance benchmarks:
-
@mfalkvidd you installed proxmox on apu4d4? I wonder why opnsense is so much slower, can it be some misconfiguration? Did you try pfsense, I'd like to know if it is any faster.
@monte yes I did.
opnsense is so much slower because of BSD. pfsense has the same problem. I don't know the details, but it boils down to some important part of the BSD networking stack being single-threaded. It seems to be a well-known problem in the router world. I applied multiple tweaks to the BSD kernel, but they did not make any significant difference.
-
@monte yes I did.
opnsense is so much slower because of BSD. pfsense has the same problem. I don't know the details, but it boils down to some important part of the BSD networking stack being single-threaded. It seems to be a well-known problem in the router world. I applied multiple tweaks to the BSD kernel, but they did not make any significant difference.
-
@mfalkvidd one more question. Did you measure throughput WAN-LAN or LAN-LAN?
-
Two things convinced me to have a box dedicated to pfsense (or whatever I end up using):
- @monte 's earlier advice on the subject, and
- The need for it to keep working during a lightning storm, during which I typically unplug any expensive or delicate machines but also during which I still want to maintain wifi internet access. Meaning: it could still get nuked by an electrical surge from a nearby lightning strike, but at least the replacement cost would be low. Hmmm... I suppose better still would be switching to some kind of completely wireless internet access during such storms, by maybe converting my cell phone into a hotspot or using a Verizon jetpack.... In that case, having the router be low power would be very nice indeed, because then it could run on batteries during the storm and thereby have no lightning risk at all.
-
My plan is to put pfSense onto this Supermicro motherboard, which has 6 software programmable gigabit ethernet ports plus a seventh for IPMI access:
https://www.supermicro.com/products/motherboard/atom/x10/a1srm-ln7f-2758.cfmI'm not sure what "software programmable" means in this context, but it connotes that maybe not everything needs to be routed through the CPU.
It consumes at most 20 watts when under load, but, IIRC, roughly 6 or 8 watts when idling. The Intel atom processor is built-in to the motherboard. The atom doesn't have much single thread oomph, but it does have 8 cores and all the features required to run a hypervisor, which might be worthwhile, especially if it turns out that the software programmable ethernet ports can be configured to manage all the routing on their own.
If I didn't already own this board, I'd probably pick up a similar Supermicro board that has six 10-gigabit ports on it. Right now there are a ton of used ones on ebay for around $80 per board, some including an E3-1200 processor in the $80 price. i.e. they cost even less than the pcengine board. Probably more than 20 watts TDP, but considering its a SuperMicro motherboard and each of the six ports supports RJ45 10gbe.... Heck, at that price for a 10Gbe node, I should buy 3 and build an HA ProxMox cluster.
-
My plan is to put pfSense onto this Supermicro motherboard, which has 6 software programmable gigabit ethernet ports plus a seventh for IPMI access:
https://www.supermicro.com/products/motherboard/atom/x10/a1srm-ln7f-2758.cfmI'm not sure what "software programmable" means in this context, but it connotes that maybe not everything needs to be routed through the CPU.
It consumes at most 20 watts when under load, but, IIRC, roughly 6 or 8 watts when idling. The Intel atom processor is built-in to the motherboard. The atom doesn't have much single thread oomph, but it does have 8 cores and all the features required to run a hypervisor, which might be worthwhile, especially if it turns out that the software programmable ethernet ports can be configured to manage all the routing on their own.
If I didn't already own this board, I'd probably pick up a similar Supermicro board that has six 10-gigabit ports on it. Right now there are a ton of used ones on ebay for around $80 per board, some including an E3-1200 processor in the $80 price. i.e. they cost even less than the pcengine board. Probably more than 20 watts TDP, but considering its a SuperMicro motherboard and each of the six ports supports RJ45 10gbe.... Heck, at that price for a 10Gbe node, I should buy 3 and build an HA ProxMox cluster.
@NeverDie Quite a lot of this thread is very interesting even though it all goes way over my head. Do you think one of these would do?
:}
-
@NeverDie Quite a lot of this thread is very interesting even though it all goes way over my head. Do you think one of these would do?
:}
@skywatch said in Advisory: put IOT devices on a separate LAN/vLAN for better security:
@NeverDie Quite a lot of this thread is very interesting even though it all goes way over my head. Do you think one of these would do?
:}
No.
-
@NeverDie I would like to know where did you find those for 80$ and even with cpu included?! I want one! :)
Anyway just to throw in this one if you haven't seen it yet, there are pfsense boxes from the netgate themselves https://shop.netgate.com/products/2100-base-pfsense. I know there is ongoing controversy with netgate as an entity, but you may consider this as an option even though I prefer to build things myself. -
@NeverDie I would like to know where did you find those for 80$ and even with cpu included?! I want one! :)
Anyway just to throw in this one if you haven't seen it yet, there are pfsense boxes from the netgate themselves https://shop.netgate.com/products/2100-base-pfsense. I know there is ongoing controversy with netgate as an entity, but you may consider this as an option even though I prefer to build things myself. -
@NeverDie oh yeah, of course I was looking for the wrong one :)
I personally have Intel DQ77KB that I use as my home server, but planning to make it a pfsense or opnsense box. It's also LGA1150 and has two ethernets onboard, and I don't think I really need to use a firewall as a switch. -
@NeverDie oh yeah, of course I was looking for the wrong one :)
I personally have Intel DQ77KB that I use as my home server, but planning to make it a pfsense or opnsense box. It's also LGA1150 and has two ethernets onboard, and I don't think I really need to use a firewall as a switch.@monte said in Advisory: put IOT devices on a separate LAN/vLAN for better security:
Intel DQ77KB
It doesn't support ECC memory, but maybe it makes no difference, since each packet would contain its own error correction anyway.
What kind of switches are you using to create and manage your vlans? In an earlier post I mentioned I was planning to use relatively cheap 1gbe managed netgear switches, but if I could get 10gbe transfer rates using the ebay supermicro boards for just a little more money plus some memory and a powersupply, I'm inclined to do it. I could certainly live with 1gbe, but to speed along backups or vme migration or restoration from a backup server, 10gbe would be a nice luxury because it's a good match for the read/write rates of pci-e 4.0 nVME drives. Or, some of these older ebay Supermicro boards can be had with gobs of ram (128GB or even 192GB of RAM), where you could easily run entire virtual machines inside of just RAM. Then there's no nVME drive to wear out, and you could pretty much transfer files or VM's as fast as the ethernet will carry it. Or a file server with such outlandish amounts of RAM could have a positively enormous RAM cache to facilitate ultra fast file transfer rates. Then maybe you don't need much nVME on the local machine and just boot from the network instead. It might be a good way to amortize the cost of the RAM expenditure. I don't know for sure how well it would work in real life, as I haven't tried it, but that's the theory. Anyway, for doing those kinds of things, 1gbe just wouldn't be fast enough compared to local nvme, but 10gbe just might be, even after deducting for the ~20% ethernet overhead. This back of the envelope calculation assumes no meaningful network contention, but I'm comfortable with that assumption, because on a home network there wouldn't be.
-
@monte said in Advisory: put IOT devices on a separate LAN/vLAN for better security:
Intel DQ77KB
It doesn't support ECC memory, but maybe it makes no difference, since each packet would contain its own error correction anyway.
What kind of switches are you using to create and manage your vlans? In an earlier post I mentioned I was planning to use relatively cheap 1gbe managed netgear switches, but if I could get 10gbe transfer rates using the ebay supermicro boards for just a little more money plus some memory and a powersupply, I'm inclined to do it. I could certainly live with 1gbe, but to speed along backups or vme migration or restoration from a backup server, 10gbe would be a nice luxury because it's a good match for the read/write rates of pci-e 4.0 nVME drives. Or, some of these older ebay Supermicro boards can be had with gobs of ram (128GB or even 192GB of RAM), where you could easily run entire virtual machines inside of just RAM. Then there's no nVME drive to wear out, and you could pretty much transfer files or VM's as fast as the ethernet will carry it. Or a file server with such outlandish amounts of RAM could have a positively enormous RAM cache to facilitate ultra fast file transfer rates. Then maybe you don't need much nVME on the local machine and just boot from the network instead. It might be a good way to amortize the cost of the RAM expenditure. I don't know for sure how well it would work in real life, as I haven't tried it, but that's the theory. Anyway, for doing those kinds of things, 1gbe just wouldn't be fast enough compared to local nvme, but 10gbe just might be, even after deducting for the ~20% ethernet overhead. This back of the envelope calculation assumes no meaningful network contention, but I'm comfortable with that assumption, because on a home network there wouldn't be.
@NeverDie my setups are quiet simpler. On one location I don't use vlans at all, as I don't use third-party iot devices that I need to actively separate from my network. On the other location I use Mikrotik RB260GS as a managed switch plus I have 3 LAN ports on my pfsense server, where one of them is used for dedicated subnet for outdoor cameras and wifi's.
I would like to have hardware that could take advantage of 10gbe network, but for now I just keep things simple and slow :) -
@NeverDie said in Advisory: put IOT devices on a separate LAN/vLAN for better security:
@monte https://www.ebay.com/itm/X10SLH-N6-ST031-Supermicro-E3-1200-v3-LGA1150-Motherboard-3x-X540-T2-6x-10GbE/184546263249?hash=item2af7d080d1:g:CCUAAOSwoP1gSWhO
Lest I mislead anyone, I subsequently contacted to the seller and, despite the wording, it doesn't include an E3-1200 with the board. He just meant that as shorthand to refer to the processor family that's compatible with the board. That said, there are a ton of inexpensive used LGA1150 CPU's on ebay that could serve the purpose.
