Advisory: put IOT devices on a separate LAN/vLAN for better security


  • Hero Member

    A little more than one year ago the FBI recommended that everyone put their IOT devices onto a separate LAN because.... that cheap LED lightbulb with built-in wi-fi can be a penetration point for hackers to gain access to your home network.
    https://www.zdnet.com/article/fbi-recommends-that-you-keep-your-iot-devices-on-a-separate-network/

    I wasn't aware of the FBI advisory until now, so I'm a little behind in setting up a solution. A brute force solution would be to setup a completely separate LAN for IOT, but a lot of savvy people seem to utilize vlans for network isolation instead.

    My current plan: run pfsense on a VM to act as a firewall/router and replace my current dumb ethernet switches with a couple of inexpensive netgear GS108Ev3 managed ethernet switches to configure the vlan. Apparently I can also run a security program (perhaps Security Onion 2. Any better suggestions?) that will scan incoming packets and do protection and/or detection of suspicious packets , but I'm not sure what kind of latency that might introduce or even whether there's enough added protected to be worth the effort. I've read some people use the Ubiquiti Dream Machine as an all-in-one to do these things, but I checked the Dream Machine specs and found that it's running on just a not very powerful ARM CPU. So, I'm guessing the same kind of security packet inspection software inside a vm powered by a decent Intel/AMD CPU should be no worse in terms of performance. That way I'd be free to choose whatever the best security software might be rather than be locked into whatever software the Dream Machine developers happened to pick.

    Well, that's my plan. What hardware/software are you all using to isolate your IOT devices and provide good overall security?


  • Admin

    For the paranoid. Just make sure to mitigate the VLAN hopping exploit risks.
    https://cybersecurity.att.com/blogs/security-essentials/vlan-hopping-and-mitigation



  • @NeverDie don't run pfsense or other firewall in proxmox or other virtualization. I tried it and it's a mess. You can buy cheap $100 Dell or HP compact office desktop and add network card and run firewall on that, if you're on a budget. But in any case firewall as the gateway to your network should always be standalone hardware.
    I am not saying that your setup in proxmox won't work, just think for when you'll want to restart your proxmox, or do any maintenance on it.



  • @NeverDie my setup consists of the mandatory modem/router from my internet provider with a Zywall 110 behind it and then a managed NETGEAR switch. The provider's modem/router acts only as a conduit.

    All my wifi enabled IOT devices like the heating, the energy Smappee, the sonoff modified ESPHome switches, etc are connected via a wifi access point to the specific IOT VLAN.
    The MQTT VM server for the MySensors environment is also connected to the same VLAN.

    Specific rules in the Zywall are permitting internet access for specific IP's on the VLAN. For example the heating, Smappee, the rituals dispenser, ... have internet access because they are cloud based vendor applications.

    The controller HomeAssistant is running in the normal LAN and has a specific firewall rule to allow access to the VLAN.
    Another rule is allowing only my desktop computer to access the VLAN for admin tasks like updating devices, etc

    The question is all about how far you want to go in protecting your network.
    There are still weak points in my setup. You can say that each firewall rule is a potential weak point...
    For example the smartTV and the Bose Touch speakers are in the normal LAN because I'm playing video and music from my NAS. But they are also IOT devices...
    Because I have touch screens with the home assistant (HA) GUI, the home assistant sits in the normal LAN.
    I want also be able to consult HA on my smartphone, etc.

    It's like securing your home, make it more secure than your neighbor and they will give up and visit him 😉


  • Hero Member

    As only just recently reported, even the Dream Machine got hacked:
    https://it.slashdot.org/story/21/03/30/2057237/ubiquiti-massively-downplayed-a-catastrophic-security-breach-to-minimize-impact-on-stock-price-alleges-whistleblower

    and that's a device meticulously designed to not be hacked!

    If even your security appliance may be insecure.... it's persuasive to have a decent air gap between whatever is vital and whatever is not.

    It may (?) also be an argument in favor of ditching IOT wi-fi in favor of roll-your-own radios that no one in the world is likely to understand but you, since IOT wi-fi devices can skirt around whatever defenses you may have put around the main gateway.


  • Mod

    @NeverDie reminds me of this quote

    Security software is not necessarily secure software



  • @NeverDie How can a system of radio connected systems be 'air gapped'? 😉

    I only use wifi for my phone and even then it is 802.1x PEAP with radius server as authenticator. Any phone can be used to hack wifi or bluetooth so those are key areas to consider before using them. I guess that encryption and signing will help keeping things safe in this domain for a while yet.

    Even with military budgets things still get hacked and leak data. At home we can only do our best!



  • @NeverDie creating VLANs and restricting access of the IOT devices to must have access is the method I follow.


  • Hero Member

    @skywatch said in Advisory: put IOT devices on a separate LAN/vLAN for better security:

    @NeverDie How can a system of radio connected systems be 'air gapped'?

    I suppose you could run anything critical using only wired ethernet on a network that's isolated from anything that's wireless. By "critical" I mean anything fungible, like identity and access to financial accounts. With those out of reach, I can't think of anything that would keep an attacker interested other than possibly malice or very limited voyeurism or perhaps casing for a physical burglary, all of which strike me as highly unlikely.



  • FBI recommendation or not.. Never trust closed source, non-human (IoT/embedded) systems on your human network. Take most any Chinese IP webcam or similar device and set it up on a sniffer (wireshark or tcpdump) and you'll see many of these devices "calling home" to China (C&C?) and even exfiltrating your WiFi passwords. Not cool.

    I've been running a near-edge IoT DMZ for years now. All Bluray players, VoIP terminals, and even network printers (if you set up a reverse established related rule) should be pushed outside your human network.

    T.Weeks



  • @NeverDie You going to need an NTP Server. You can make one with an arduino nano, gps module and LAN module for under $20.



  • as noted before you should always move IoT stuff on a own VLAN, for security purposes you should always segregate traffic as much as possible and create different security zones.
    This will allow to control traffic flow with firewall rules and other systems such as IDS/IPS.
    The Firewall rules controls what traffic you allow between the zones, and an IDS will control and verify that traffic. They can scan the content of a data packet and look at the content of the message or recognize applications (such as SSH over port 80 as an example)

    back to your question, yes PfSense is a great "enterprise grade" firewall which gives you the toolset you need such as:

    • Firewall rules between zones/subnets
    • 2 different IDPS systems (Snort & Suricata)
    • DNS filtering & interception
    • RADIUS server for mac filtering, 802.1x EAP-TLS etc.
    • IGMP proxy and mDNS services for stuff like Sonos speakers etc.

    so the firewall gives you the ability to control and verify the traffic, however it offers no correlation, intelligence and management. for that you use something called a SIEM (Security Information Event Management) A SIEM will capture all the logs from your firewall, switches, endpoints, mirrored traffic etc. and do correlation and analysis.

    let say you have an outgoing HTTPS connection which you allowed in your firewall, (your IDS wont be able to analyze the content unless you decrypt the traffic which may break stuff). the only thing your IDS see is $&$#$&%^%*%$%^ a.k.a garbage. with a SIEM you can get open source threat intelligence etc. which will generate an alert IF a connection is made to a compromised IP/domain. A great example on a open source SIEM is Alienvault OSSIM. its an all-in-one and easy to install. Im running it as VM's in my system, together with PfSense (also VM) and some other firewalls.

    If you do choose to use VM's you should use ESXi as a hypervisor. this is free, very reliable and it is what most businesses are using in their server room or datacenters. on my PfSense VM I get about 800-900 Mb/s throughput with 1 IDS enabled, so if you set it up correctly you will get the performance you need.



  • @petter, When I read your reply, I notice that you are at home in this security matter.
    I think many readers, even on this technical forum, are already dropping out when reading so many jargon terms 😉

    As I said, how far do you want to go for your home security?
    Already, with my 'simple' setup (see above), I am the only person at home who can fix it if there are 'internet' problems for the other family members.
    Once everything is set up, there is the regular maintenance in the form of updates. If updates have breaking changes, then there is extra work involved to reconfigure everything, etc.

    In these covid times I had to face the facts, what if I drop out, what will my family members do?
    I have several colleagues who also have security measures set up at home and are also SPOF or Single Point Of Failure....
    I have also thought about it for my MySensors network.
    Actually, that is quite a complicated setup for an outsider: sensors connect to a gateway, then, in my case, an MQTT server and then a home controller (Home Assistant), all running in VMs on the NAS.
    This is also where I am the SPOF....
    And the family members are already starting to rely on Home Assistant. The kids have named it Lexa 😉

    So my advice, provide basic security, but don't overcomplicate it....


  • Hero Member

    @evb said in Advisory: put IOT devices on a separate LAN/vLAN for better security:

    @petter, When I read your reply, I notice that you are at home in this security matter.
    I think many readers, even on this technical forum, are already dropping out when reading so many jargon terms 😉

    As I said, how far do you want to go for your home security?
    Already, with my 'simple' setup (see above), I am the only person at home who can fix it if there are 'internet' problems for the other family members.
    Once everything is set up, there is the regular maintenance in the form of updates. If updates have breaking changes, then there is extra work involved to reconfigure everything, etc.

    In these covid times I had to face the facts, what if I drop out, what will my family members do?
    I have several colleagues who also have security measures set up at home and are also SPOF or Single Point Of Failure....
    I have also thought about it for my MySensors network.
    Actually, that is quite a complicated setup for an outsider: sensors connect to a gateway, then, in my case, an MQTT server and then a home controller (Home Assistant), all running in VMs on the NAS.
    This is also where I am the SPOF....
    And the family members are already starting to rely on Home Assistant. The kids have named it Lexa 😉

    So my advice, provide basic security, but don't overcomplicate it....

    I get what you mean, but it's nonetheless helpful to at least have a target to aim for. Ideally there would be something entirely turn-key that one could either just buy like an appliance (as Dream Machine tried to be) or else download and run, but AFAIK neither is available yet. The problem is that quality matters, and the consumer marketplace tends to attract junk, so I'm not sure it will ever get sorted out like it should be.


  • Hero Member

    @OldSurferDude said in Advisory: put IOT devices on a separate LAN/vLAN for better security:

    @NeverDie You going to need an NTP Server. You can make one with an arduino nano, gps module and LAN module for under $20.

    Is an NTP truly essential?


  • Hero Member

    @petter said in Advisory: put IOT devices on a separate LAN/vLAN for better security:

    If you do choose to use VM's you should use ESXi as a hypervisor.

    Is ESXi essential? Basedon @monte 's recommendation above, I just recently made the leap from ESXi to Proxmox, and so far so good, including the ability to migrate VM's from one physical host to another. A bit of a learning curve, but so far it seems rock solid. The only downside I've noticed compared to ESXi is that booting from a USB isn't recommended, but that's minor.



  • I have 2 hp servers at home running esxi from an SD card, and it has been working fine for 2 years now.
    I also tried proxmox for a few months, but encountered some stability issues and bugs.
    Both solutions have pros and cons, but now I clearly prefer esxi.
    Datastores and network are easier to manage and it is very easy to passtrought hardware to virtual machine. All the hard disks of my servers are managed by VM (Open Media Vault, Raid 5 software), without any problem.
    I also use a Pfsense VM to manage all my networks, with different VLANs. It is very easy to manage VLAN under esxi with vSwitch.
    In the next few weeks, I will be switching to OPNsense.
    I chose this solution to mutualize the material resources, knowing that this solution can pose problems in certain cases.


  • Hero Member



  • @NeverDie said in Advisory: put IOT devices on a separate LAN/vLAN for better security:

    Is an NTP truly essential?

    I use my pfsense box as NTP relay and pass it's port in firewall rules for unsecure subnet. I don't think it can be as much a problem in home networks.


  • Hero Member

    Originally I thought: why not just read the BIOS clock on the motherboard? Well, I suppose that would work if there were only one physical PC. For coordinating backups and file date stamps among multiple PC's, I can see how an NTP server might be helpful. I'm still doubtful absolute accuracy on a home network matters for that, as long as all the PCs sync to the same time. Then again extreme accuracy would cover all possible edge cases, including ones I can't even imagine. I could just turn the GPS clock on and forget it...forever, with no NTP port on the gateway firewall. So, after thinking it through while writing this, I can finally see how for $20 it might be worthwhile after all. For a home network you'd only need one, and it would last a lifetime.



  • @NeverDie I might be missing something. What is the problem exactly to get time from the internet? Sure you may not need precise sync, but why bother yourself with GPS clock, or setting clock by hand, if every OS can pull time from public NTP severs?


  • Hero Member

    @monte Good question! I'm completely new to security hardening, and so I just assumed that the guy who posted the GPS NPT suggestion was aware of some threat. But if you aren't aware of one, then maybe there's no reason for it. 😊



  • @NeverDie I wouldn't.. check out this dedicated/embedded hardware.. used in many pieces of high end network appliances:
    https://pcengines.ch/apu4d4.htm

    T.Weeks


  • Hero Member

    @Thomas-Weeks said in Advisory: put IOT devices on a separate LAN/vLAN for better security:

    @NeverDie I wouldn't.. check out this dedicated/embedded hardware.. used in many pieces of high end network appliances:
    https://pcengines.ch/apu4d4.htm

    T.Weeks

    You wouldn't... what? The pcengine you linked appears to be a 4 port router. What should I be learning/realizing from or doing with that piece of information? Is it meant for creating vlans or is it meant for getting the time from an atomic clock somewhere on the internet? Or something else?


Log in to reply
 

Suggested Topics

242
Online

10.0k
Users

10.5k
Topics

108.4k
Posts