This is going to be a multi-part post about securing your home/business network and separating your IoT devices into their own network to keep them, and yourself, “safer”.
With the explosion of IoT in the recent years, it is hard to find anything without some sort of “smart” capabilities. Whether it is a TV, Sonos, Nest thermostat, or even a fridge or a washing machine, more and more manufacturers are adding internet capabilities to their devices. This could be a topic of its own, but we are here to discuss network security.
For most homeowners with regular wireless gateways, there simply isn’t any way to create a complex network with the stock firmware. To boot, most devices encourage or expect you to install the device on the same network as your PC or mobile so it can connect more easily.
You either have to be lucky enough to own a router that can be upgraded to one of the open source firmware options, or do your research and purchase a router that is supported. Even among supported devices, you still have to be lucky enough to have one that works well with the custom firmware; in some cases you may get a poor WiFi signal or lose a WiFi band (more about this later). The other option is to use a used or cheap business class router. Some of these are actually cheaper than the higher end wireless routers.
No matter the path you choose, you have to do a lot of searching and learn a lot about networking to be able to do this sort of setup. So for the rest of this article, I’m going to provide an overview of the options and then go deeper into how the network should be set up. Follow-up articles will detail specific applications or devices and how they should be set up.
Consumer grade hardware and custom firmware
This is the first option we talked about. Here you could go with a router like the Asus AC-RT66U or the Linksys WRT series, but make sure to do your due diligence and confirm that the router you have or want to get is supported. This includes reading forum posts from other users who have set up these routers to see whether they ran into issues.
Here are some of your options for custom firmware:
- DD-WRT – This is perhaps the most popular option and the one with the widest support for consumer grade routers. Its UI layout is clear enough that basic setup should be a breeze, but it is capable of much more if you spend the time to dig into it.
- Tomato – This one has a few versions, but I’ve linked to the more popular version of it. This is like DD-WRT on steroids, since it also gives you live refresh and better statistics tracking right out of the box.
- Advanced Tomato – This is the same as Tomato but with a much nicer UI. I really enjoyed using this briefly. If you like Tomato, you’re gonna love this.
- OpenWRT / LEDE – LEDE was a fork of OpenWRT, but they have recently announced that they are merging again. This has the smallest number of supported devices and releases are less frequent, but if you know your networking, it’s the best option. It is the only one that includes a package manager in the UI, so you can add other packages easily through the UI. This also makes it easier to add functionality that the other firmwares may not provide out of the box.
Note: This is not for the faint of heart. You could brick your router and have a hell of a time getting it back to its stock firmware, so proceed with caution.
Business grade hardware
As a stepping stone, I recommend you play around by installing one of the custom firmwares mentioned previously on the router you already have so you get familiar with the concepts, and once you get fed up with fighting to get things working, you move up to business grade hardware. I am assuming that you are not reading this far unless you’re a noob.
The options here are endless and so are the expenses, so I’ll stick to the option I’ve had experience with (installing at customer locations), which gives you a big bang for the buck: Ubiquiti!
They provide a range of wired and wireless products that are pretty much in line with high end consumer devices in price, but from a stability and functionality perspective they are flawless (as much as anything can be). For example, an Edge Router Lite 3 plus a Unifi AC Pro can cost less than a Linksys Max-Stream AC4000 MU-MIMO Wi-Fi Tri-Band Router and provide far more functionality and most probably better performance.
Setting up a network in a 2700 sq. ft. space, I ended up replacing two wireless routers with just one Unifi AC Pro. Of course I had to use the Edge Router Lite as well, since the Unifi by itself does not have everything you need, and you may need a (managed) switch as well if you are setting up a more complex VLAN layout. The one downside to the Unifi line of products is that they require the controller software to be running on a PC or the Cloud Key so you can manage them (i.e. there is no web interface without the controller software), but this is still a great setup.
Now the real part. As Spider-Man’s wise Uncle Ben said, “With great power comes great responsibility.” So the more smart devices you have (more power), the more careful you need to be (responsible). There have been numerous articles about smart devices that either communicate in the open (intentionally or otherwise) or are left open to hacking, so it only makes sense to separate these devices from the rest of your network.
We’ll start with the base setup and then make things more complicated optionally.
Let’s talk in more detail about how this should work:
- VLAN 10 is the business/home network. Computers and devices on this network have full internet access, as well as full access to the IoT network (VLAN 20).
- VLAN 20 is the IoT network. This network is isolated from both the business/home network and the guest network: it cannot open connections to them, although replies to sessions that VLAN 10 opens are still allowed back. You could provide full internet access to this network, or optionally limit it to well known protocols like HTTP/S, DNS, NTP, etc.
- VLAN 30 is the guest network, which should not have access to either of the other networks; just the Internet. Again, internet access here could be limited to just a few protocols as well. You can further protect yourself and your guests by using the AP isolation feature of your wireless access point if it has one.
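As an added illustration (not from this post or from Ubiquiti's own documentation), here is how that three-VLAN policy looks as EdgeOS CLI configuration on an EdgeRouter Lite, with the optional "well known protocols only" restriction applied to IoT and guest. Assumptions: eth0 is the WAN port, all three VLANs are 802.1Q-tagged on eth1, and the subnets are 192.168.10.0/24, 192.168.20.0/24 and 192.168.30.0/24 with the router as .1 in each.

```text
# Added example, not the post's own config. Assumed: WAN on eth0, VLANs 10/20/30
# tagged on eth1, router is 192.168.<vlan>.1 in each subnet.
configure

# Sub-interfaces for the three VLANs.
set interfaces ethernet eth1 vif 10 address 192.168.10.1/24
set interfaces ethernet eth1 vif 20 address 192.168.20.1/24
set interfaces ethernet eth1 vif 30 address 192.168.30.1/24

# Every internal subnet, so one rule can block VLAN-to-VLAN traffic.
set firewall group network-group LAN_NETS network 192.168.10.0/24
set firewall group network-group LAN_NETS network 192.168.20.0/24
set firewall group network-group LAN_NETS network 192.168.30.0/24

# Traffic forwarded out of the IoT VLAN: replies to sessions that the home
# VLAN opened are accepted (rule 10); new sessions toward any local VLAN are
# dropped (rule 20); internet access is limited to DNS, HTTP/S and NTP
# (rule 30); the default drops everything else.
set firewall name IOT_IN default-action drop
set firewall name IOT_IN rule 10 action accept
set firewall name IOT_IN rule 10 state established enable
set firewall name IOT_IN rule 10 state related enable
set firewall name IOT_IN rule 20 action drop
set firewall name IOT_IN rule 20 destination group network-group LAN_NETS
set firewall name IOT_IN rule 30 action accept
set firewall name IOT_IN rule 30 protocol tcp_udp
set firewall name IOT_IN rule 30 destination port 53,80,123,443

# Traffic from the IoT VLAN addressed to the router itself: only DHCP and
# the router's DNS forwarder, nothing else (no SSH or web UI from IoT).
set firewall name IOT_LOCAL default-action drop
set firewall name IOT_LOCAL rule 10 action accept
set firewall name IOT_LOCAL rule 10 state established enable
set firewall name IOT_LOCAL rule 10 state related enable
set firewall name IOT_LOCAL rule 20 action accept
set firewall name IOT_LOCAL rule 20 protocol udp
set firewall name IOT_LOCAL rule 20 destination port 53,67

set interfaces ethernet eth1 vif 20 firewall in name IOT_IN
set interfaces ethernet eth1 vif 20 firewall local name IOT_LOCAL

# The guest VLAN wants exactly the same "internet only, no local VLANs"
# policy, so the same two rule sets are attached to it.
set interfaces ethernet eth1 vif 30 firewall in name IOT_IN
set interfaces ethernet eth1 vif 30 firewall local name IOT_LOCAL

commit
save
```

VLAN 10 gets no inbound rule set here, so it keeps full access to VLAN 20 and the internet as the list above describes; if you run DNS on a box in VLAN 10 (rather than on the router), rule 20 of IOT_IN will block the IoT devices from reaching it, so add an accept for that host and port ahead of rule 20.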
Where things get complicated is when you try to set up the firewall rules to make all this work, and the instructions differ depending on your router. I’ll cover the details of the setup in future articles.