Wednesday, April 06, 2016

Three Dumb Routers


Securing your network from IOT (Internet of Things)
IOT is the latest buzzword and a main feature when you go to buy a TV, fridge, thermostat, basically anything you want to buy it is all connected to the internet and that is a bad thing.   
First let me say based on manufacturer’s track records with routers, phones and other devices that connect to the internet this is just crying out to be exploited.
Second, manufacturers will not keep these devices up to date with the latest security patches to fix flaws that could allow a third party to intercept information, or worse gain access to these devices.
Third, unlike traditional computers, where there are alternatives to “throwing out” the device at the end of life, these devices are only good for a short while typically 3 years then you're expected to go buy a new one.


To best protect yourself and your home network I recommend using the “Three Dumb Routers” solution that is described by Steve Gibson in Episode 545 of the Security Now Podcast.


You need three routers, the make and models don’t matter, what matters is the network settings.  It would be best if you configure the other 2 routers before you connect them to your main network to do that consult the setup guide that came with your router.


One of them will be the “Root/Gateway” router or the router that you purchased or lease from your ISP is the Root router (Address Range 192.168.0.x/24) typically the default for all ISP gateway modem/routers; it provides the common link to the Internet for all your connected equipment in this case routers. This router is set up on what’s called a NAT configuration, which stands for Network Address Translations, and means that things on the Internet side, can’t access addresses on the “inside” of that router’s network directly.  The only thing that you would connect to this router on the Local Area Network side (the “inside”, not the Internet or WAN side) are the other two routers as shown in the diagram.  You shouldn’t connect any other devices to the inputs of the Main Gateway router, and it should have wif-fi turned off, if possible. In fact, it may just as well be a non-wifi router or a custom firewall like a PC running PFSense.

The Trusted Network


The trusted network we have on the address 192.168.1.x/24 and should also be set up for NAT-ing, which means anything on its Internet side won’t be able to access things on its LAN or “inside” segment.


The Untrusted (IOT) Network
Finally, we have the untrusted or IOT network; .again, this router is set up with NAT-ing and we have the address range set to 192.168.2.x/24. So, you will never have any trusted devices on the same segment as your untrusted devices. And the devices in each segment won’t be able to see the ones in the other segment.  Also on this network the only thing we want to allow in/out on this router are ports 80 and 443 as IOT devices most commonly only use those ports and if a IOT device requires additional ports it is best to add those ports as they are required.


Why this configuration provides the lowest risk
The reason that this set-up should be secure is that even if any potentially untrusted device is maliciously configured to scan its LAN environment, and if your important devices are not on that segment, they shouldn’t be visible to that untrusted device. There is a slight chance that the untrusted device might be able to find a way to “see” the network segment that is under the “Root” Gateway router but if the only things connected would be the trusted router.  Then there be no other computers or devices (e.g printers, NAS devices, etc.) that can be easily seen or exploited.


DISCLAIMER:
Routers have their own issues, such as vulnerabilities, and you should always check for updates to your routers do a backup of your settings before any upgrade.  Remember routers are your first defence to anything out there in cyberlan.

For additional information please consult Security Now Episode 545

How to fix CURL call imporitng an RSS feed on a site blocking CURL calls

There is a 3rd party service provider that my organization uses called bibliocommons.  They have these nice book carousels.  However the car...