Why aren't routers with preconfigured IOT network segregation a thing?

Because determining what is IoT or not requires a lot more traffic inspection and large libraries.
 
For the very same reason insecure portable wifi devices are not segmented off from wired. Consumer home networking is absolute and total crap. Many things consumers expect to work in home environments fall apart on a properly subnetted network, as the protocols used expect a flat network. WTF does anyone allow their dual-homed mobile phone (yes, your mobile is dual-homed) on the same network that contains, say, their tax records? There is a reason my home uses gear from Checkpoint, Cisco, Fortinet, Juniper and Palo. This topic lies at the heart of that reason.
 
Also segmenting IoT from your home network breaks things like smartphone integration, or PC integration without specific firewall rules... also, IoT devices should be locked down in their access to the internet as well...

Basically, people don't have the technical knowledge or even the desire to put in the work to secure this stuff... Even technical people don't... I don't know how many times I've heard the suggestion to "just disable the firewall" while coming up with solutions to issues with controls problems, and these are professionals and oftentimes engineers that are building these systems.

It's pretty atrocious
 
It does seem like it would be a half-decent opportunity for them. Essentially consumer routers are just a router with a switch, so they could just make that switch semi-managed, even if all it really does is VLANs. Then do the same with the wireless AP portion, so you can set up different SSIDs on different VLANs.

Then you could set up firewall rules between each VLAN, but by default everything would be blocked from each other.

I guess the type of people that actually care enough about basic network security are just going to use better gear like a pfSense firewall, managed switches and separate wireless APs. But it would still be useful if all this was available in a single package, as it would at least make it easy to secure a very small network where all that gear is overkill. Heck, even before IoT, this would be useful for, say, stores that have IP-based Interac machines. You don't want those on the same network as, say, public wifi.
 
Because most folks that buy consumer-grade edge devices have no clue how to configure one. They just want to plug it in, connect a wire or two, and have it magically work. That was the point behind WPS. Look how well that turned out. Imagine a WPS feature for multiple different types of IoT devices, each with their own security faults. Now imagine all those WPS-type auto-config features for IoT gizmos in a sub-$100 device. Now add in that it would likely get at best 2 or 3 firmware updates before being EOL for the next model in a year or two. Then the end user plugs in a new IoT thing that isn't supported by their two-year-old edge device, gets pissed and just connects everything to the ISP device.

Really don't think there is enough margin in consumer-grade edge devices to support the level of complexity needed to make it plug and play for the end user.
 
People will buy a smart light bulb, try to connect to it, then it will fail because it’s on a different network. Then they blame the router, security be damned.

Users can't figure out even the simplest shit; having a separate network would make heads explode.
 
> It does seem like it would be a half-decent opportunity for them. Essentially consumer routers are just a router with a switch, so they could just make that switch semi-managed, even if all it really does is VLANs. Then do the same with the wireless AP portion, so you can set up different SSIDs on different VLANs.
>
> Then you could set up firewall rules between each VLAN, but by default everything would be blocked from each other.
>
> I guess the type of people that actually care enough about basic network security are just going to use better gear like a pfSense firewall, managed switches and separate wireless APs. But it would still be useful if all this was available in a single package, as it would at least make it easy to secure a very small network where all that gear is overkill. Heck, even before IoT, this would be useful for, say, stores that have IP-based Interac machines. You don't want those on the same network as, say, public wifi.

I'll bet that there are a lot of people who do care about IoT (in)security but don't have the time nor the inclination, and maybe not even the technical skills, necessary to truly understand all these issues. To a lot of people, learning about IoT security is like a fast trip down the rabbit hole. If some *consumer* vendor advertised that "we understand IoT security and our new 2018 routers protect you from those risks," they could probably charge a bit more than the commodity market price. Maybe even sell IoT protection as a pay-for extra, like 20-30 bucks. At that price, it would be a no-brainer. Maybe that extra is just pfSense with lipstick and a bow, but that's OK.

There just has to be some middle ground between "What, me worry?" (bonus points if you catch the reference) and "man, I'm a bit-bashing, steel-driving, 235% techie." I think there is a lot of money to be made in that middle ground.

x509
 
> It does seem like it would be a half-decent opportunity for them. Essentially consumer routers are just a router with a switch, so they could just make that switch semi-managed, even if all it really does is VLANs. Then do the same with the wireless AP portion, so you can set up different SSIDs on different VLANs.
>
> Then you could set up firewall rules between each VLAN, but by default everything would be blocked from each other.
>
> I guess the type of people that actually care enough about basic network security are just going to use better gear like a pfSense firewall, managed switches and separate wireless APs. But it would still be useful if all this was available in a single package, as it would at least make it easy to secure a very small network where all that gear is overkill. Heck, even before IoT, this would be useful for, say, stores that have IP-based Interac machines. You don't want those on the same network as, say, public wifi.

Don't need separate APs; a Ubiquiti EdgeRouter X and UniFi AP could do it out of the box.
 
But, still, your average consumer can't understand anything more than "plug and play", and telling them they need to plug their access point(s) into this port so IoT things are segregated then breaks their smartphone/TV/tablet because wireless is now segregated from the home LAN. Now have the typical home user configure the router/firewall to allow just the smartphone/TV/tablet into the home network. After 60 (if that long) frustrating minutes, they go ahead and plug everything into the same router port. Until the mfrs can make the setup completely brainless, IoT devices will make your home network vulnerable.
 
> But, still, your average consumer can't understand anything more than "plug and play", and telling them they need to plug their access point(s) into this port so IoT things are segregated then breaks their smartphone/TV/tablet because wireless is now segregated from the home LAN. Now have the typical home user configure the router/firewall to allow just the smartphone/TV/tablet into the home network. After 60 (if that long) frustrating minutes, they go ahead and plug everything into the same router port. Until the mfrs can make the setup completely brainless, IoT devices will make your home network vulnerable.

And that's how we got UPnP, which is a big security risk now...

We need some sort of authenticated UPnP system with some actual cryptography backing it up...
 
> Until the mfrs can make the setup completely brainless, IoT devices will make your home network vulnerable.

LMAO!

Your dual-homed mobile phone already makes your home network vulnerable, considerably more so than the IoT.
 
Brainless would be having an app (potentially voice enabled and potentially Alexa etc. integrated) that controlled the segmentation and could be made aware of additions.

If you add said IoT lightbulb and the router is blocking it, getting that information to the user and getting information from the user to authenticate and secure the IoT lightbulb isn't terribly difficult; it's just that the knobs aren't really exposed, even in enterprise gear, and they certainly aren't automated.
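As an added example (not code from any poster in this thread), here is the default-deny VLAN policy described earlier in the thread combined with the "tell the owner what the router is blocking" step this post asks for, in Python. The subnets, port numbers and log-line format are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Hypothetical VLAN plan (constructed): one subnet per SSID/VLAN.
VLANS = {
    "trusted": ipaddress.ip_network("192.168.10.0/24"),  # phones, PCs, tax records
    "iot": ipaddress.ip_network("192.168.20.0/24"),      # bulbs, plugs, cameras
}

# Inter-VLAN policy. Anything not listed is denied (default deny).
# Trusted may reach IoT (phone -> bulb); IoT never initiates into trusted;
# IoT reaches the internet only over HTTPS.  dport None means any port.
ALLOW = [
    {"src": "trusted", "dst": "iot", "dport": None},
    {"src": "trusted", "dst": "internet", "dport": None},
    {"src": "iot", "dst": "internet", "dport": 443},
]

def zone_of(ip):
    """Map an address to its VLAN name, or 'internet' if it is in no VLAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "internet"

def evaluate(src, dst, dport):
    """Return 'allow' or 'deny' for a new flow src -> dst:dport."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return "allow"  # same VLAN: a switch forwards it, the firewall never sees it
    for rule in ALLOW:
        if rule["src"] == sz and rule["dst"] == dz and rule["dport"] in (None, dport):
            return "allow"
    return "deny"

def summarize_denials(log_lines):
    """Group denied flows by IoT source so an app could ask the owner about them.
    Constructed log format: 'src=A dst=B dport=N', one flow per line."""
    per_device = defaultdict(set)
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        src, dst, dport = fields["src"], fields["dst"], int(fields["dport"])
        if evaluate(src, dst, dport) == "deny" and zone_of(src) == "iot":
            per_device[src].add((zone_of(dst), dport))
    return {dev: sorted(hits) for dev, hits in per_device.items()}

# Constructed sample flows: a bulb probing the trusted LAN and phoning home over HTTP.
SAMPLE_LOG = [
    "src=192.168.20.15 dst=192.168.10.5 dport=1900",  # bulb -> trusted (denied)
    "src=192.168.20.15 dst=203.0.113.9 dport=80",     # bulb -> internet HTTP (denied)
    "src=192.168.20.15 dst=203.0.113.9 dport=443",    # bulb -> internet HTTPS (allowed)
    "src=192.168.10.5 dst=192.168.20.15 dport=80",    # phone -> bulb (allowed)
]
```

`summarize_denials(SAMPLE_LOG)` yields one entry for the bulb listing the two blocked destinations, which is exactly the information a setup app would need to show the user before offering to add an allow rule.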
 
I will soon start creating a separate VLAN and SSID for garbage devices. Between my pfSense router and my Ubiquiti AP I'll be good. I already practice pretty good internet hygiene.
 