Why aren't routers with preconfigured IOT network segregation a thing?

Cmustang87

Supreme [H]ardness
Joined
Oct 4, 2007
Messages
4,498
Because in order to determine what is IOT or not requires a lot more traffic inspections and large libraries.
 

Nicklebon

Gawd
Joined
May 22, 2006
Messages
729
For the very same reason insecure portable wifi devices are not segmented off from wired. Consumer home networking is absolute and total crap. Many things consumers expect to work in home environments fall apart on a properly subnetted network as the protocols used expect a flat network. WTF does anyone allow their dual homed mobile phone, yes your mobile is dual homed, on the same network that contains say their tax records? There is reason my home uses gear from Checkpoint, Cisco, Fortinet, Juniper and Palo. This topic lies at the heart of that reason.
 

goodcooper

[H]F Junkie
Joined
Nov 4, 2005
Messages
9,768
Also segmenting IoT from your home network breaks things like smartphone integration, or PC integration without specific firewall rules... also, IoT devices should be locked down in their access to the internet as well...

Basically, people don't have the technical knowledge or even the desire put in the work to secure this stuff... Even technical people don't... I don't know how many times I've heard the suggestion to "just disable the firewall" while coming up with solutions to issues with controls problems, and these are professionals and often times engineers that are building these systems.

It's pretty atrocious
 

Red Squirrel

[H]F Junkie
Joined
Nov 29, 2009
Messages
9,211
It does seem like it would be a half decent opportunity for them, essentially consumer routers are just a router with a switch, so they could just make that switch semi managed, even if all it really does is vlans. Then do the same with the wireless AP portion, have it so you can setup different SSIDs on different vlans.

Then you could setup firewall rules between each vlan, but by default everything would be blocked from each other.

I guess the type of people that actually care enough about basic network security are just going to use better gear like a Pfsense firewall, managed switches and separate wireless APs. But it would still be useful if all this was available in a single package as it would at least make it easy to secure a very small network where all that gear is overkill. Heck even before IOT, this would be useful for say, stores that have IP based interac machines. You don't want those on the same network as say, public wifi.
 

Dead Parrot

2[H]4U
Joined
Mar 4, 2013
Messages
2,831
Because most folks that buy consumer grade edge devices have no clue how to configure one. They just want to plug it in, connect a wire or two, and have it magically work. That was the point behind WPS. Look how well that turned out. Imagine a WPS feature for multiple different types of IOT devices, each with their own security faults. Now imagine all those WPS type auto config for IOT gizmos in a sub-$100 device. Now add in that it would likely get at best 2 or 3 firmware updates before being EOL for the next model in a year or two. Then the end user plugs in a new IOT thing that isn't supported by their two year old edge device, get pissed and just connects everything to the ISP device.

Really don't think there is enough margin in consumer grade edge devices to support the level of complexity needed to make it plug and play for the end user.
 

Ocellaris

Fully [H]
Joined
Jan 1, 2008
Messages
19,055
People will buy a smart light bulb, try to connect to it, then it will fail because it’s on a different network. Then they blame the router, security be damned.

Users can’t figure out even the simplest shit, have a separate network would make heads explode.
 

x509

2[H]4U
Joined
Sep 20, 2009
Messages
2,630
It does seem like it would be a half decent opportunity for them, essentially consumer routers are just a router with a switch, so they could just make that switch semi managed, even if all it really does is vlans. Then do the same with the wireless AP portion, have it so you can setup different SSIDs on different vlans.

Then you could setup firewall rules between each vlan, but by default everything would be blocked from each other.

I guess the type of people that actually care enough about basic network security are just going to use better gear like a Pfsense firewall, managed switches and separate wireless APs. But it would still be useful if all this was available in a single package as it would at least make it easy to secure a very small network where all that gear is overkill. Heck even before IOT, this would be useful for say, stores that have IP based interac machines. You don't want those on the same network as say, public wifi.
I'll bet that there are a lot of people who do care about IoT (in)security but don't have the time nor the inclination and maybe not even the technical skills necessary to truly understand all these issues. To a lot of people, learning about IoT security is like a fast trip down the rabbit hole. If some * consumer * vendor advertised that "we understand IoT security and our new, 2018 version routers protect you from those risks," they could probably charge a bit more than the commodity market price. Maybe even sell IoT as a pay-for extra, like 20-30 bucks. At that price, it would be a nobrainer. Maybe th at extra is just fpsense with lipstick and a bow, but that's OK.

There just has to be some middle ground between, "What, me worry? (bonus points if you catch the reference) and "man, I'm a bitbashing, steeldriving, 235% techie." I think there is a lot of money to be made in that middle ground.

x509
 

goodcooper

[H]F Junkie
Joined
Nov 4, 2005
Messages
9,768
It does seem like it would be a half decent opportunity for them, essentially consumer routers are just a router with a switch, so they could just make that switch semi managed, even if all it really does is vlans. Then do the same with the wireless AP portion, have it so you can setup different SSIDs on different vlans.

Then you could setup firewall rules between each vlan, but by default everything would be blocked from each other.

I guess the type of people that actually care enough about basic network security are just going to use better gear like a Pfsense firewall, managed switches and separate wireless APs. But it would still be useful if all this was available in a single package as it would at least make it easy to secure a very small network where all that gear is overkill. Heck even before IOT, this would be useful for say, stores that have IP based interac machines. You don't want those on the same network as say, public wifi.
Don't need separate APs, a ubiquiti edgerouter x and unifi AP could do it out of the box
 

pek

prairie dog
Joined
Nov 7, 2005
Messages
1,741
But, still, your average consumer can't understand anything more than "plug and play", and telling them they need to plug their access point(s) into this port so iot things are segregated, then breaks their smartphone/tv/tablet because wireless is now segregated from the home lan. Now have the typical home user configure the router/firewall to allow just the smartphone/tv/tablet into the home network. after 60 )if that long) frustrating minutes, they go ahead and plug everything into the same router port. Not until the mfr's can make the setup completely brainless, iot devices will make your home network vulnerable.
 
  • Like
Reactions: x509
like this

goodcooper

[H]F Junkie
Joined
Nov 4, 2005
Messages
9,768
But, still, your average consumer can't understand anything more than "plug and play", and telling them they need to plug their access point(s) into this port so iot things are segregated, then breaks their smartphone/tv/tablet because wireless is now segregated from the home lan. Now have the typical home user configure the router/firewall to allow just the smartphone/tv/tablet into the home network. after 60 )if that long) frustrating minutes, they go ahead and plug everything into the same router port. Not until the mfr's can make the setup completely brainless, iot devices will make your home network vulnerable.
and that's how we got uPnP, which is a big security risk now...

we need some sort of authenticated uPnP system with some actual cryptography backing it up...
 

Nicklebon

Gawd
Joined
May 22, 2006
Messages
729
Not until the mfr's can make the setup completely brainless, iot devices will make your home network vulnerable.

LMAO!

Your dual homed mobile phone already makes your home network vulnerable, considerably more so than the iot.
 

IdiotInCharge

NVIDIA SHILL
Joined
Jun 13, 2003
Messages
14,679
Brainless would be having an app (potentially voice enabled and potentially Alexa etc. integrated) that controlled the segmentation and could be made aware of additions.

If you add said IoT lightbulb and the router is blocking it, getting that information to the user and getting information from the user to authenticate and secure the IoT lightbulb isn't terribly difficult; it's just that the knobs aren't really exposed, even in enterprise gear, and they certainly aren't automated.
 

OFaceSIG

2[H]4U
Joined
Aug 31, 2009
Messages
2,862
I will soon start creating a seperate VLAN and SSID for garbage devices. Between my pfsense router and my ubiquiti AP I'll be good. I already practice pretty good internet hygiene.
 
Top