Why aren't routers with preconfigured IOT network segregation a thing?

Discussion in 'Networking & Security' started by Oubadah, Aug 27, 2018.

  1. Oubadah ([H]ard|Gawd) | Messages: 1,544 | Joined: Apr 16, 2009
    The idea that IOT devices are an insecure menace is fairly well circulated these days. I'm wondering why router manufacturers haven't seized on this as a marketing gimmick, selling consumer-oriented routers with preconfigured segregated IOT networks.
     
  2. Cmustang87 ([H]ardness Supreme) | Messages: 4,282 | Joined: Oct 4, 2007
    Because determining what is IOT or not requires a lot more traffic inspection and large libraries.
     
  3. Nicklebon (Gawd) | Messages: 521 | Joined: May 22, 2006
    For the very same reason insecure portable wifi devices are not segmented off from wired. Consumer home networking is absolute and total crap. Many things consumers expect to work in home environments fall apart on a properly subnetted network, as the protocols used expect a flat network. WTF does anyone allow their dual-homed mobile phone (yes, your mobile is dual-homed) on the same network that contains, say, their tax records? There is a reason my home uses gear from Checkpoint, Cisco, Fortinet, Juniper and Palo. This topic lies at the heart of that reason.
     
  4. goodcooper ([H]ardForum Junkie) | Messages: 10,270 | Joined: Nov 4, 2005
    Also, segmenting IoT from your home network breaks things like smartphone integration, or PC integration, without specific firewall rules... also, IoT devices should be locked down in their access to the internet as well...

    Basically, people don't have the technical knowledge or even the desire to put in the work to secure this stuff... Even technical people don't... I don't know how many times I've heard the suggestion to "just disable the firewall" while coming up with solutions to issues with controls problems, and these are professionals and oftentimes engineers that are building these systems.

    It's pretty atrocious.
     
    Ocellaris likes this.
  5. Mr. Baz (2[H]4U) | Messages: 2,796 | Joined: Aug 17, 2001
    That pretty much sums it up.
     
  6. Red Squirrel ([H]ardForum Junkie) | Messages: 9,362 | Joined: Nov 29, 2009
    It does seem like it would be a half-decent opportunity for them. Essentially, consumer routers are just a router with a switch, so they could just make that switch semi-managed, even if all it really does is VLANs. Then do the same with the wireless AP portion: have it so you can set up different SSIDs on different VLANs.

    Then you could set up firewall rules between each VLAN, but by default everything would be blocked from each other.

    I guess the type of people that actually care enough about basic network security are just going to use better gear like a pfSense firewall, managed switches and separate wireless APs. But it would still be useful if all this was available in a single package, as it would at least make it easy to secure a very small network where all that gear is overkill. Heck, even before IOT, this would be useful for, say, stores that have IP-based Interac machines. You don't want those on the same network as, say, public wifi.
     
    FNtastic, IdiotInCharge and Oubadah like this.
  7. Dead Parrot ([H]ard|Gawd) | Messages: 1,908 | Joined: Mar 4, 2013
    Because most folks that buy consumer-grade edge devices have no clue how to configure one. They just want to plug it in, connect a wire or two, and have it magically work. That was the point behind WPS. Look how well that turned out. Imagine a WPS feature for multiple different types of IOT devices, each with their own security faults. Now imagine all those WPS-type auto configs for IOT gizmos in a sub-$100 device. Now add in that it would likely get at best 2 or 3 firmware updates before being EOL for the next model in a year or two. Then the end user plugs in a new IOT thing that isn't supported by their two-year-old edge device, gets pissed and just connects everything to the ISP device.

    Really don't think there is enough margin in consumer grade edge devices to support the level of complexity needed to make it plug and play for the end user.
     
    /dev/null likes this.
  8. Ocellaris (Ginger @le, an alcoholic's best friend.) | Messages: 19,010 | Joined: Jan 1, 2008
    People will buy a smart light bulb, try to connect to it, then it will fail because it’s on a different network. Then they blame the router, security be damned.

    Users can't figure out even the simplest shit; having a separate network would make heads explode.
     
  9. x509 ([H]ard|Gawd) | Messages: 1,585 | Joined: Sep 20, 2009
    I'll bet that there are a lot of people who do care about IoT (in)security but don't have the time nor the inclination, and maybe not even the technical skills, necessary to truly understand all these issues. To a lot of people, learning about IoT security is like a fast trip down the rabbit hole. If some *consumer* vendor advertised that "we understand IoT security and our new, 2018 version routers protect you from those risks," they could probably charge a bit more than the commodity market price. Maybe even sell IoT as a pay-for extra, like 20-30 bucks. At that price, it would be a no-brainer. Maybe that extra is just pfSense with lipstick and a bow, but that's OK.

    There just has to be some middle ground between "What, me worry?" (bonus points if you catch the reference) and "man, I'm a bit-bashing, steel-driving, 235% techie." I think there is a lot of money to be made in that middle ground.

    x509
     
    Oubadah likes this.
  10. goodcooper ([H]ardForum Junkie) | Messages: 10,270 | Joined: Nov 4, 2005
    Don't need separate APs; a Ubiquiti EdgeRouter X and UniFi AP could do it out of the box.
     
  11. Red Squirrel ([H]ardForum Junkie) | Messages: 9,362 | Joined: Nov 29, 2009
    Oh, my bad, I meant to say separate SSIDs.
     
    FNtastic and IdiotInCharge like this.
  12. pek (prairie dog) | Messages: 555 | Joined: Nov 7, 2005
    But, still, your average consumer can't understand anything more than "plug and play", and telling them they need to plug their access point(s) into this port so IoT things are segregated then breaks their smartphone/TV/tablet because wireless is now segregated from the home LAN. Now have the typical home user configure the router/firewall to allow just the smartphone/TV/tablet into the home network. After 60 (if that long) frustrating minutes, they go ahead and plug everything into the same router port. Until the mfrs can make the setup completely brainless, IoT devices will make your home network vulnerable.
     
    x509 likes this.
  13. goodcooper ([H]ardForum Junkie) | Messages: 10,270 | Joined: Nov 4, 2005
    And that's how we got UPnP, which is a big security risk now...

    We need some sort of authenticated UPnP system with some actual cryptography backing it up...
     
  14. Nicklebon (Gawd) | Messages: 521 | Joined: May 22, 2006
    LMAO!

    Your dual-homed mobile phone already makes your home network vulnerable, considerably more so than the IoT.
     
  15. IdiotInCharge (Not the Idiot YOU are Looking for) | Messages: 6,928 | Joined: Jun 13, 2003
    Brainless would be having an app (potentially voice enabled and potentially Alexa etc. integrated) that controlled the segmentation and could be made aware of additions.

    If you add said IoT lightbulb and the router is blocking it, getting that information to the user and getting information from the user to authenticate and secure the IoT lightbulb isn't terribly difficult; it's just that the knobs aren't really exposed, even in enterprise gear, and they certainly aren't automated.
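    The "default block between VLANs, then expose the knob" design that Red Squirrel (post 6) and IdiotInCharge (post 15) describe, as an added example that is not from any poster or vendor: it reads constructed firewall block-log lines, classifies each blocked flow by which segment it crosses (trusted LAN, IoT VLAN, internet), and turns the cases a user could reasonably approve into a narrow allow rule. The VLAN plan, the log format and the egress allowlist are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed VLAN plan (not from any vendor): trusted LAN on vlan10, IoT segment on vlan20.
LAN = ipaddress.ip_network("192.168.10.0/24")
IOT = ipaddress.ip_network("192.168.20.0/24")
# Hypothetical outbound allowlist for the IoT segment: DNS, NTP and HTTPS only.
IOT_EGRESS_OK = {53, 123, 443}

# Constructed firewall block log in a simplified key=value format (not a real vendor format).
LOG = """\
action=block in=vlan10 src=192.168.10.23 dst=192.168.20.40 proto=tcp dport=80
action=block in=vlan10 src=192.168.10.23 dst=192.168.20.40 proto=tcp dport=80
action=block in=vlan20 src=192.168.20.40 dst=192.168.10.5 proto=tcp dport=445
action=block in=vlan20 src=192.168.20.40 dst=203.0.113.9 proto=tcp dport=443
action=block in=vlan20 src=192.168.20.41 dst=198.51.100.7 proto=tcp dport=23
"""
LINE = re.compile(r"action=(\w+) in=\S+ src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")

def segment(ip):
    """Map an address to the segment it lives in: lan, iot or internet."""
    addr = ipaddress.ip_address(ip)
    return "lan" if addr in LAN else "iot" if addr in IOT else "internet"

def triage(log_text):
    """Aggregate blocked flows and decide what the router should do with each one."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and m.group(1) == "block":
            _, src, dst, proto, port = m.groups()
            hits[(segment(src), segment(dst), src, dst, proto, int(port))] += 1
    result = []
    for (s, d, src, dst, proto, port), n in sorted(hits.items()):
        if s == "lan" and d == "iot":
            verdict = "ask-user"          # phone/PC reaching a bulb: the knob worth exposing
        elif s == "iot" and d == "lan":
            verdict = "lateral-alert"     # IoT device probing the trusted side: stays blocked
        elif s == "iot" and d == "internet":
            verdict = "add-egress-rule" if port in IOT_EGRESS_OK else "egress-blocked"
        else:
            verdict = "ignore"
        result.append({"src": src, "dst": dst, "proto": proto, "port": port, "hits": n, "verdict": verdict})
    return result

def suggest_rule(entry):
    """Render the narrow nftables allow rule a user could approve; None where nothing should open."""
    if entry["verdict"] not in ("ask-user", "add-egress-rule"):
        return None
    return f"nft add rule inet filter forward ip saddr {entry['src']} ip daddr {entry['dst']} {entry['proto']} dport {entry['port']} accept"
```

    The generated rule is per source, per destination and per port, so approving the bulb from one phone does not open the IoT VLAN to the whole LAN, and the 445 probe from the IoT side never becomes a prompt at all.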
     
  16. OFaceSIG ([H]ard|Gawd) | Messages: 1,753 | Joined: Aug 31, 2009
    I will soon start creating a separate VLAN and SSID for garbage devices. Between my pfSense router and my Ubiquiti AP I'll be good. I already practice pretty good internet hygiene.