IoT Network Security Help

Horizon_Galaxy (Weaksauce, joined Feb 21, 2014, 116 messages)
This spring I finally upgraded my home router from the ISP router to a higher end consumer router. I have fiber and I was able to get the router to connect directly to the ONT. I was happy because I finally had a network with a separate guest SSID! Fancy!

Now I'm realizing I should also segregate my IoT devices (over a dozen of them) to their own group, since having them on the main network appears to be a security risk. Most commonly I see this done using VLAN groups.

My consumer router can't do VLAN tagging on the LAN ports. I could shuffle all my IoT devices onto the guest network, but then I either have to put guests on my IoT network or my secure home network.

I was thinking I could get a router that can tag VLAN groups on the LAN ports. Could I continue to use my current router in AP mode to act as an access point for one of the VLAN-tagged LAN ports? I'd also need to get APs for my guest and IoT networks...

Am I missing another way to secure my IoT devices?
 
OK, for what you need, all you need to do is add a managed switch that supports VLANs, like this Netgear 16-port switch: https://www.newegg.com/Product/Product.aspx?Item=N82E16833122599

Just use one of the ports from your router and uplink it to the switch. Configure the VLANs on the switch for all your IoT hosts. And set the default route on the switch to the IP of your router.

Nothing else will need to be changed on your wireless router.
 
Does your current router have a default rule to block all traffic? If not, your IOT devices are probably sending data on who knows what to who knows where. I ask because a lot of consumer grade routers make really poor edge firewall devices.

If you are really worried about security, your IOT network, your personal network and your guest network all need to be segregated from each other, have their own access points, and have different rules on access to the Internet.

Are some of your IOT devices wireless only? If so, I think they will be bypassing the VLAN since they will connect to the non-VLAN router.
 

Yes - many of my IoT devices are wireless only. So unfortunately a switch won't be enough as I'll need segregated VLANs on wireless too.

I have not done extensive work with the firewall rules on my router. I've done basic things like turning off WPS and setting secure passwords, but I'm sure my IoT devices are happily sending data wherever they want.

This is also concerning because if one IoT device is compromised, it is sitting on the same network as my primary computers and cell phones.

The best solution seems to be to get a VLAN router with access points that can set up different SSIDs for each VLAN. Or, at a more basic level, get a VLAN router and add a different AP for each VLAN-tagged port.

Are there any simpler ways to handle IoT security, or is this type of segregation the best solution?

If that's the best solution, you mentioned consumer routers make bad edge firewalls. What would you recommend as a good router that is a decent edge firewall? And then what APs should I use (my current router could serve as one AP)? I'm decent with computers but I'm no network engineer.
 
I'm no network engineer.

Unless you want to spend a lot of time for little gain, putting your IoT on your guest wireless network would be my vote. You can segment them and set up VLANs and replace all of your network components, but I don't think it's going to be a huge benefit. See if you can do guest isolation on WiFi, because if you can then none of the guests or IoT will be able to see each other directly. Everything will just be going straight to the internet at that point, and you'll basically have a trusted and an untrusted network. Put the stuff you don't think is going to blow up on trusted, and the stuff that's vulnerable on untrusted. Obviously if your IoT is controlling things like lights, heat, etc. you want to make sure they are somewhat secured so other people can't start messing with them.
 

Interesting. So if I can do guest network isolation, I could put my IoT devices on the guest network and they wouldn't be able to be seen by guests also using that network? I didn't know that was an option! There is one issue though, two of my IoT devices are connected via Ethernet... so I'd need to find a way to isolate them separately as well.
 
Unfortunately, this is why the IOT world is already a security nightmare. Most consumer edge devices are designed for a simple ISP -> modem -> router -> computer setup, not for the multiple-internal-but-separate-networks setup that should be implemented. The OP is ahead of the game by even being aware that this is a problem.

What you really want is an edge firewall/router that allows multiple wired networks. Zone 1 is WAN and connects to the ISP modem. Zone 2 is the LAN and is the internal secure owner's network. Zone 3 is the IOT network. Zone 4, if needed, is the Guest network. The firewall needs to provide a separate DHCP service to each Zone to allow different IP address ranges for each zone.
In this example:
Zone 2 - LAN gets 192.168.0.x/24.
Zone 3 - IOT gets 172.16.1.x/24 (or however many are needed).
Zone 4 - Guest gets 10.10.1.x/24.

I used 3 different IP ranges to make log viewing much simpler. It is much easier to tell the difference between 10.10 and 192.168 when looking at long lists of stuff than it is between 192.168.1 and 192.168.0.

You define routes from each zone to the WAN. And rules that allow desired traffic out and blocks the rest.
Each zone that needs WiFi gets a simple AP that uses the firewall for its IP DHCP address handout.

When I set up my network, no IOT devices yet, I used a Juniper SSG-5 commercial grade device since my employer at the time used them and I already knew how to set one up. It allows 6 independent zones. I don't recommend it for new setups as it is now near or at EOL by Juniper and is only a 100 Mbps device. Works fine for me due to ISP speeds (curse you AT&T!).

One of the Ubiquiti EdgeRouter Lites might work for you. It only has 3 zones, but if you are OK with the Guest and IOT networks co-existing it could work. And it has gig speed ports. You might be able to use a 2nd WiFi/wired router for the IOT stuff and put a rule in the Edge Lite to prevent the IOT addresses from accessing the rest of the Guest network.

PITA, yes. Welcome to the new IOT universe. Of course, if you don't mind that your security cameras have become the latest Jennicam site and your thermostat just stole your aunt's CC info, then don't worry about it.
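The zone design in the post above (one routed interface per zone, separate DHCP ranges, "allow desired traffic out and block the rest"), written out as an added example that is not from the thread or its posters. The three subnets are the ones the post gives; the eth0/eth1/eth2/eth3 interface names, the specific ports allowed out of the IoT zone, and the nftables output are my assumptions for a Linux-based router, not the Juniper or EdgeRouter configurations mentioned. The same policy table drives an offline sanity check (`decide`) and the ruleset text (`render_nftables`), so the rules you load are the rules you tested.

```python
"""Three-zone home firewall policy: LAN, IOT and GUEST behind one router.

Added example, not from the thread. Subnets come from the post above;
interface names, allowed ports and the nftables rendering are assumptions.
"""
import ipaddress
from collections import namedtuple

ZONES = {
    "LAN":   ipaddress.ip_network("192.168.0.0/24"),  # zone 2: owner's devices
    "IOT":   ipaddress.ip_network("172.16.1.0/24"),   # zone 3: IoT devices
    "GUEST": ipaddress.ip_network("10.10.1.0/24"),    # zone 4: visitors
}
# Assumed router interfaces; eth0 is WAN (port 0 in the thread's numbering).
IFACE = {"WAN": "eth0", "LAN": "eth1", "IOT": "eth2", "GUEST": "eth3"}

Rule = namedtuple("Rule", "src dst proto dports")

# Default-deny between zones; only listed flows may be *initiated*.
# Replies to allowed flows return via conntrack, so IOT never needs a rule
# toward LAN even though the LAN app can open connections to an IoT hub.
POLICY = [
    Rule("LAN",   "WAN", "any", None),        # owner's devices: unrestricted egress
    Rule("LAN",   "IOT", "any", None),        # control IoT from the LAN (app -> hub)
    Rule("IOT",   "WAN", "tcp", (80, 443)),   # IoT phones home over HTTP(S) only
    Rule("IOT",   "WAN", "udp", (53, 123)),   # DNS and NTP (assumed needed)
    Rule("GUEST", "WAN", "any", None),        # guests: internet only
]


def zone_of(ip):
    """Map an address to its zone; anything outside the three subnets is WAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


def decide(src_ip, dst_ip, proto, dport):
    """Return 'accept' or 'drop' for a new flow as the forward chain would."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        # Same segment: the router never forwards it. Isolating devices from
        # each other inside a zone is the AP's client-isolation job, not ours.
        return "accept"
    for r in POLICY:
        if (r.src == src and r.dst == dst and r.proto in ("any", proto)
                and (r.dports is None or dport in r.dports)):
            return "accept"
    return "drop"  # everything not explicitly allowed


def render_nftables():
    """Emit an nftables forward chain equivalent to POLICY (default drop)."""
    lines = [
        "table inet homefw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for r in POLICY:
        match = f"iifname {IFACE[r.src]} oifname {IFACE[r.dst]}"
        if r.proto != "any":
            match += f" {r.proto} dport {{ {', '.join(map(str, r.dports))} }}"
        lines.append(f"    {match} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.7 is a documentation address standing in for "the internet".
    for flow in [("172.16.1.20", "192.168.0.10", "tcp", 445),   # IoT -> LAN file share
                 ("192.168.0.10", "172.16.1.20", "tcp", 8080),  # LAN -> IoT hub
                 ("172.16.1.20", "203.0.113.7", "tcp", 443),    # IoT -> cloud
                 ("172.16.1.20", "203.0.113.7", "tcp", 25),     # IoT -> SMTP (spam bot?)
                 ("10.10.1.5", "172.16.1.20", "tcp", 80)]:      # guest -> IoT
        print(flow, "->", decide(*flow))
    print(render_nftables())
```

Load the rendered text with `nft -f` on the router (`nft -c -f` first to syntax-check it). Two caveats the policy does not solve: discovery protocols that rely on broadcast or multicast (mDNS, SSDP) do not cross zones, so a phone on the LAN may need the device's IP entered by hand or an mDNS reflector; and the `decide` result for same-zone traffic is only as good as the AP's client isolation setting, which this ruleset cannot enforce.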
 

Thanks. At least I have an idea I'm going about it the right way, even if it is as much of a pain as I feared it might be. Like so many developments, IoT devices seem to be racing far ahead of reasonable consumer security.

I made a quick diagram of a layout to see if I'm thinking about this right. Does the attached file make sense? I could also reduce some of the switches by getting a router with more zones/ports.

Now I just have to figure out how to implement this as simply as possible (and without costing a fortune).
 

Attachment: Possible Network Layout.jpg
If on the edge router, you call port 0 WAN, port 1 LAN, and port 2 IOT:
No need for VLANs on LAN. You can just use simple dumb gig switches and a good WAP. The edge router will keep the traffic separate between LAN and IOT if you set up the routes and rules properly.
You could use a VLAN switch for the IOT side to keep the IOT and guest separate.

Might look at some of the Ubiquiti Access points for your wireless. They might play well with the edge lite router and simplify things. I haven't looked at them in a while and never used one of the APs but several folks seem to like them.
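A way to confirm that "the edge router will keep the traffic separate" once the rules are in, as an added example that is not from the thread: run it from a laptop joined to the IoT SSID (or plugged into the IoT switch) and list the LAN hosts it must not be able to reach. The target list below is constructed from the subnets used earlier in the thread and is an assumption; replace it with your real file server, printer and router admin addresses. A dropped packet shows up as a timeout and a rejected one as an immediate refusal; either counts as unreachable here.

```python
"""Segmentation check: probe from one zone, expect the other zones to be dark.

Added example, not from the thread. Targets are constructed placeholders.
"""
import socket


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP handshake completes; False on refusal, timeout or silent drop."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verify_isolation(checks, timeout=2.0):
    """checks: iterable of (host, port, expected_reachable).

    Returns the (host, port) pairs whose observed reachability contradicts
    the expectation, i.e. the segmentation violations. Empty list means OK.
    """
    violations = []
    for host, port, expected in checks:
        if tcp_reachable(host, port, timeout) != expected:
            violations.append((host, port))
    return violations


# Constructed list for a client sitting in the IoT zone (172.16.1.0/24).
# Everything on the LAN must be unreachable; the router's own LAN-side
# admin interface especially, since that is what a compromised camera
# would go after first.
IOT_ZONE_CHECKS = [
    ("192.168.0.1",  443, False),   # router admin UI on its LAN address
    ("192.168.0.10", 445, False),   # file server, SMB
    ("192.168.0.10",  22, False),   # file server, SSH
    ("192.168.0.20", 631, False),   # printer, IPP
    ("10.10.1.1",     80, False),   # guest zone gateway (IoT and guest also separate)
]


def demo_local():
    """Offline self-check of the probe using a loopback listener (no real network)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    # While the listener is up, a "must be unreachable" expectation is violated.
    while_open = verify_isolation([("127.0.0.1", port, False)])
    srv.close()
    # Once it is gone the connection is refused and the expectation holds.
    after_close = verify_isolation([("127.0.0.1", port, False)])
    return while_open == [("127.0.0.1", port)] and after_close == []


if __name__ == "__main__":
    bad = verify_isolation(IOT_ZONE_CHECKS)
    print("isolation OK" if not bad else f"reachable from IoT zone but should not be: {bad}")
```

Run the mirror-image list from a LAN laptop with `expected=True` for the IoT devices you do want to control from the LAN, so the check proves both halves of the policy and not just that something is blocked. It only exercises TCP; if a zone should also be unable to ping or send UDP to the LAN, verify that separately.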
 

Thanks! I'll look into Ubiquiti. I was originally thinking I'd need to make a trunk connection from the router to a switch with 3 VLANs. Then the switch would separate the 3 VLANs. An updated diagram is attached.

From what you said it sounds like I could just assign a secure LAN to port 1, then use port 2 for guest and IoT (separated by VLANs).

Anyway, I think that's the route I'll likely go unless another way to secure my guest and IoT devices shows up in the next few weeks. Now I just have to decide which pieces of hardware I'm actually looking at!
 

Attachment: Network Layout 2.png