Steve Gibson's Three Router Solution to IOT Insecurity

Subject: General Tech
Manufacturer: Various

Introduction

Even before the formulation of the term "Internet of things", Steve Gibson proposed home networking topology changes designed to deal with this new looming security threat. Unfortunately, little or no thought is given to the security aspects of the devices in this rapidly growing market.

One of Steve's proposed network topology adjustments involved daisy-chaining two routers together. The WAN port of an IOT-purposed router would be attached to the LAN port of the Border/root router.

In this arrangement, only IOT/Smart devices are connected to the internal (or IOT-purposed) router. The idea was to isolate insecure or poorly implemented devices from the more valuable personal data devices, such as a NAS holding important files and/or backups. Unfortunately, this clever arrangement leaves any device directly connected to the “border” router open to attack by infected devices running on the internal/IOT router. Such a device could run a simple traceroute and discover that an intermediate network exists between it and the public Internet. Any device behind the border router with known (or worse - unknown!) vulnerabilities can then be exploited immediately, because NAT only blocks unsolicited traffic coming from the WAN side, and the IOT router's WAN side is the border router's LAN.

Gibson's alternative arrangement reversed the positions of the IOT and border routers. Unfortunately, this solution also came with a nasty side-effect: the border router (now used as the "secure" or internal router) became subject to all manner of man-in-the-middle attacks. Since a local Ethernet segment basically trusts all traffic within its domain, an infected device on the IOT router (now sitting between the internal router and the public Internet) shares a segment with the internal router's uplink and can manipulate or eavesdrop on any traffic emerging from the internal router. The potential consequences of this flaw are obvious.

The third time really is the charm for Steve! On February 2nd of this year (Episode #545 of Security Now!) Gibson presented us with his third (and hopefully final) foray into the magical land of theory-crafting as it related to securing our home networks against the Internet of Things.

With this iteration Steve moved us from a two-router solution to a three-router solution. The new arrangement involves three fundamental elements. The first is an “external” or “border” router that has one purpose and one purpose ONLY: to move traffic back and forth between the public Internet and the two internal subnets underneath it. The second is an IOT-purposed router which houses all “Smart” / “Internet of Things” / “Internet-Enabled” devices and whose uplink port is connected to an open LAN port of our border router. Devices such as PCs, laptops, phones and network storage devices have NO place inside this segment of the network. The third and last element is the “Secure” or internal router which, in similar fashion to the IOT router, has its uplink port connected to an open LAN port of the border router. Any valuable device (a high-value target to attackers) such as desktops, laptops and network storage devices (a NAS or similar network appliance) is clustered together inside this subnet.

Maintaining three separate purpose-driven subnets affords our network some key protective features unavailable to us with both of our previous configurations.

1.   Separation of Ethernet Segments: Compromised devices and/or malicious payloads no longer have the luxury of unfettered access to devices (either upstream or downstream) by exploiting the trusting Ethernet protocol.

2.   Damage control: Compromised devices and/or malicious payloads are separated from higher-value targets such as PC workstations and network attached storage devices. In the event of a breach, the damage an “expendable” IOT device can cause on the network is contained and compartmentalized to its local subnet.

Although our proposed variation so far seems very bullet-proof (and it is, for the most part), we cannot neglect to briefly discuss one outstanding caveat. Even though corralling all of our less secure devices into a single subnet will dramatically improve our overall security, the threat of an already infected device hijacking or exploiting the vulnerabilities of an adjacent device in the same IOT subnet is still a very real possibility. For this reason, I would propose an additional modification to this blueprint (which Steve also briefly alluded to). Whether built in software or (preferably) hardware, a per-IP “virtual LAN pipe” should be constructed on the fly with each new IOT device connection, allowing IP-based communication to only one endpoint: the publicly facing Internet. It’s important to note that a VLAN does not provide the form of security we desire on a wireless interface. Our goal is to draw on the concepts of how a VLAN works, while the implementation will most likely utilize some other method/protocol. In other words, a device would ONLY have the capability to transmit and receive as if it were the only device behind the protection of the NAT. The idea here isn’t to over-engineer a solution (even though it feels very much that way). This is about advancing our networking technology to address the very real threat IOT devices carry with them.
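To make the exposure arguments above concrete (the border LAN exposed in the first layout, the uplink eavesdropping in the reversed layout, the containment of the three-router layout, and the residual same-segment caveat addressed by per-client isolation), here is an added Python reachability model. It is not part of the original editorial; the router, segment and host names (border/iot/secure, pc/nas/camera/bulb) are constructed for illustration.

```python
"""Reachability model for the IoT router topologies discussed above (added example).

Rules modelled:
  * a host is L2-adjacent to everything on its own segment (ARP spoofing,
    eavesdropping) unless that segment's router enforces per-client isolation;
  * a NAT router lets its LAN initiate traffic toward its WAN side, never the reverse;
  * a router whose WAN/uplink port sits on the attacker's segment has all of its
    LAN's traffic transiting that segment, so it can be intercepted there.
All names (border/iot/secure, pc/nas/camera/bulb) are constructed for the example.
"""
from dataclasses import dataclass

INTERNET = "internet"  # pseudo-segment standing in for the public Internet


@dataclass
class Router:
    name: str
    wan: str                       # segment its WAN/uplink port is plugged into
    lan: str                       # segment formed by its LAN ports / Wi-Fi
    isolate_clients: bool = False  # the per-device "virtual LAN pipe" from the text


@dataclass
class Topology:
    routers: list
    hosts: dict  # host name -> segment it is attached to

    def upstream_segments(self, segment):
        """Segments reachable by initiating connections 'upward' through NAT routers."""
        seen, frontier = set(), [segment]
        while frontier:
            seg = frontier.pop()
            for r in self.routers:
                if r.lan == seg and r.wan not in seen:
                    seen.add(r.wan)
                    frontier.append(r.wan)
        return seen


def exposure(topo, attacker):
    """What a compromised host can touch: L2 neighbours, L3-reachable hosts,
    routers whose LAN traffic transits the attacker's segment, Internet access."""
    seg = topo.hosts[attacker]
    lan_router = next((r for r in topo.routers if r.lan == seg), None)
    isolated = lan_router is not None and lan_router.isolate_clients
    l2 = set() if isolated else {h for h, s in topo.hosts.items() if s == seg and h != attacker}
    l2 |= {f"{r.name}.wan" for r in topo.routers if r.wan == seg}
    l2 |= {f"{r.name}.lan" for r in topo.routers if r.lan == seg}  # the gateway itself
    upstream = topo.upstream_segments(seg)
    reach = {h for h, s in topo.hosts.items() if s in upstream}
    transit = {r.name for r in topo.routers if r.wan == seg}
    return {"l2_adjacent": l2, "l3_reachable": reach,
            "transit_of": transit, "internet": INTERNET in upstream}


def iot_behind_border():
    """Layout 1: IoT router hangs off a LAN port of the border router."""
    return Topology(
        routers=[Router("border", INTERNET, "border_lan"),
                 Router("iot", "border_lan", "iot_lan")],
        hosts={"pc": "border_lan", "nas": "border_lan",
               "camera": "iot_lan", "bulb": "iot_lan"})


def secure_behind_iot():
    """Layout 2: positions reversed, secure router hangs off the IoT router."""
    return Topology(
        routers=[Router("iot", INTERNET, "iot_lan"),
                 Router("secure", "iot_lan", "secure_lan")],
        hosts={"pc": "secure_lan", "nas": "secure_lan",
               "camera": "iot_lan", "bulb": "iot_lan"})


def three_routers(isolate_iot_clients=False):
    """Layout 3: IoT and secure routers both hang off the border router's LAN."""
    return Topology(
        routers=[Router("border", INTERNET, "border_lan"),
                 Router("iot", "border_lan", "iot_lan", isolate_iot_clients),
                 Router("secure", "border_lan", "secure_lan")],
        hosts={"pc": "secure_lan", "nas": "secure_lan",
               "camera": "iot_lan", "bulb": "iot_lan"})


if __name__ == "__main__":
    for label, topo in [("IoT behind border", iot_behind_border()),
                        ("secure behind IoT", secure_behind_iot()),
                        ("three routers", three_routers()),
                        ("three routers + client isolation", three_routers(True))]:
        print(f"{label}: compromised camera -> {exposure(topo, 'camera')}")
```

Running it shows the pc and nas reachable only in layout 1, the secure router's uplink on the attacker's segment only in layout 2, and nothing but the IoT gateway and the Internet left once the three-router layout adds client isolation.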

Router Configuration Walk-Through

The IT veterans among us are most likely already well acquainted with the concepts at work in this type of router configuration. In fact, I would wager that most of you could also purchase and configure a system like this blindfolded. Even though most of us might already understand the concepts and steps involved, there are several benefits all of us can take advantage of. Less experienced readers can get a grasp of some basic networking concepts, while the IT veterans among us can fill in some knowledge gaps (we all have them). As a community we can all fine-tune various aspects of this alternative approach to IOT security and begin implementing this network configuration at home or in the office.

Whether you're a beginner or a Cisco certified professional, we will all learn nuances of this alternative router configuration that we wouldn't have had we not walked through it together.

So, let’s assume we’re sold on the idea that Gibson’s router configuration will answer all of our IOT security woes. We’re going to un-box and configure three identical routers so they adhere to this alternative way of handling “insecure” and “secure” traffic. You can, of course, use three completely different router models. To keep things in the realm of sanity and because it’s much more efficient and easy to manage one unified interface, we will be using the same router model for all three.

For this setup we’ll be using three ASUS RT-N12 “3-In-1” Wireless Routers.

I have to pause a moment and chuckle at the advertising ASUS has come up with on this line of routers. The word “FAST” wasn’t good enough apparently – ASUS had to make an acronym out of it to really drive home the point that “this router be FAST, yo!”

This isn’t a Warranty Notice insert that I should just throw away. People, this is a “VIP Member” warranty notice! I am SO important to ASUS they had to include that specific verbiage just for me!

After unpacking all three units, lay everything out so it emulates the network topology we are creating, as shown below. I would HIGHLY recommend labeling each router to eliminate any confusion as to what that router’s purpose is in your network. Ten months from now, when you hobble back into your server closet or re-approach the tangled rat's nest of wires we all know you have near your cable modem, you won’t remember why you have three identical routers or what each of them does!

August 15, 2016 | 12:02 PM - Posted by willmore

Guess you missed the SN570 podcast from Jul 26 where he revised this yet again. Do'ah!

August 17, 2016 | 11:28 AM - Posted by Anonymous (not verified)

I don't see anything about this subject in sn570 show notes.

August 15, 2016 | 01:33 PM - Posted by Anonymous (not verified)

It does seem bizarre to use three physically separate routers rather than just incorporating the rules into one slightly more advanced router, e.g. an ITX box with a low-power CPU and a handful of NICs. Or dual NICs and a VLAN-aware switch. If you're worried about the router being compromised, then having three consumer routers just means you get three compromised routers.

August 15, 2016 | 03:58 PM - Posted by Anonymous (not verified)

I thought this sounded familiar. Doesn't Smoothwall have that capability? It has one NIC as the WAN side, then as many other NICs as you want, each one being its own separate LAN. People on their forums typically had a hardwired LAN subnet, a wireless subnet and a third for insecure stuff. I didn't keep up with it, but this article triggered the memory.

August 15, 2016 | 01:40 PM - Posted by Steve Gibson (not verified)

Great write-up! Thanks. I'll mention it on this week's podcast.

And I agree with the previous commenters: We now have a nice choice -- use "three dumb routers" or "one smart router" having multiple truly separate NIC interfaces which can be placed onto independent disjoint LAN subnets. :)

The podcast's current favorite "one smart router" is the Ubiquiti EdgeRouter X. An amazing value for $49! But I still think there's a great case to be made for the "three dumb router" configuration when a user on a tight budget already has some old "el cheapos" in the closet.

/Steve.

August 15, 2016 | 02:18 PM - Posted by Anonymous (not verified)

IOT should stand for the Intranet Of Things, and not the Internet of things, with the Intranet Of Things devices only communicating over a dedicated Intranet Of Things router and a dedicated Intranet Of Things server. The Intranet Of Things server should only be able to be accessed read only from outside the intranet layer and should only pass encrypted files to any computer/s connected to the outside internet. Any specialized processing should be done on the dedicated Intranet Of Things server and passed as encrypted files to any outside computers that may be connected to the internet.

Too much smarts inside of too many devices connected directly to the internet becomes an unmanageable security risk so put all the smarts inside the dedicated Intranet Of Things server to post process all the IOT(Intranet Of Things) devices output. So the IOT(Intranet Of Things) devices are only able to use a dedicated Intranet router with a protocol that is only compatible with the dedicated Intranet Of Things intermediary server’s hardware/firmware layers. Pass encrypted files to any outside computers and let the outside(the secure Intranet layer) computers connect/pass encrypted files to the internet. Keep those Intranet Of Things devices dumb as nails and only able to pass their input to the dedicated Intranet Of Things server, and let the dedicated Intranet Of Things server have the brains for any other tasks or features.

It’s a lot easier to keep on top of a single server than dozens of “Smart” devices that are themselves servers/processors in their own right. Too many different “Smart” devices have their own dumb firmware/software programming vulnerabilities and proprietary methods. It’s much better to go with an open source managed dedicated Intranet Of Things server with one set of open source firmware/software to manage. Really any command and control of any IOT devices should be isolated from and data acquisition functionality by using a dedicated command and control processor in its own hardware/software/firmware isolated environment run from the dedicated Intranet Of Things server over its own separate command and control link to any Intranet Of Things devices.

Who the hell would want all these “smart” devices with vulnerabilities all their own running cameras and other data acquisition tasks and blabbing all that information out over the internet. I’d only accept an Intranet Of Things server that I have full control over as opposed to many 10s of devices that I have very little control over, and never would I have these devices connect to the internet directly. Wireless is a big hell no also, with shielded cables/receptacles only!

August 15, 2016 | 06:14 PM - Posted by Anonymous (not verified)

Who wants IoT? People who like spying on you probably.

August 15, 2016 | 09:10 PM - Posted by BillDStrong

Don't the newest routers allow you to create multiple wireless networks that don't talk to each other? Why would we need more than that?

August 15, 2016 | 09:30 PM - Posted by HammerSandwich (not verified)

Editor: The stock Asus firmware allows AP isolation. You can see the setting in the "Wireless - Professional" screenshot.

August 16, 2016 | 12:37 AM - Posted by Havor (not verified)

Hmmm, I/we already have had the same setup for years, only I use my server as a root router for the different secure wifi/wired and insecure wifi networks.

https://tweakers.net/ext/f/i7bWs4JyUeB6BUfCVQzFN5xa/full.jpg

September 17, 2016 | 10:37 AM - Posted by Charlie Tuna (not verified)

I not IT but I is EE and your JPG gave me a headache. ;^)

August 16, 2016 | 03:12 AM - Posted by DaVolfman (not verified)

If modern routers are built anything like the old WRT-54G then it should be possible to separate each port on the router's internal switch into its own VLAN and pseudo-interface (provided you're using something like OpenWRT). It's not perfect, and expansion might end up a little expensive or obtuse (either business-grade switches, or more hacked routers for additional switches). That makes wired a little easier for isolating compromised devices.

August 16, 2016 | 03:39 AM - Posted by lott11

I have been running this for years; I use two PCs, low power and modest capacity.
On the first unit I run a Linux firewall server with 3 1000 Ethernet cards plus the built-in card.
The built-in is used for the second PC, which is the honey pot, in a virtual setup, where if it gets overloaded it reboots.
And this PC has a 3-way WIFI antenna that is extended with cables to the public areas of my home; the only use is for the home guests.
And before you jump all over my case, they are in a virtual net on the second PC with its own firewall.
What makes this simple: I change the password every 2 weeks, plus I print a bar-code to let them access the WIFI network.
They never look up the password, and since the password is 34 characters long they do not like it.
Now the other 3 cards, the fast ones: one is the line in from the ISP; the first thing I tell them is to disable WIFI.
The next 2 cards go to the home networks; they go to 2 routers which both have DD-WRT, one is Linksys and the other is a TP-Link.
They both are on different networks and WIFI is also active with the same protocols for passwords.
Yes, my kids think I am nuts, because the passwords are so long and they all have fixed IPs, even the cellphones and tablets.
Windows is just like Swiss cheese; if you think that you have plugged all the holes they just make new ones.
I have used things that I have purchased in my past; for a time the honey pot was an AMD low-power PC, I mean 15 watts.
Is it secured? For the most part yes. There is one more thing: in my one PC there is a piece of software
that if you persist in hacking your way in warns you to back off; it has killed 12 PCs as a last resort.
So you can take it for what it is worth; that is my way of doing security.
There is only one more thing: every room has fixed Ethernet plugs, there are 2 per room, or a switch to expand what is missing.
Oh, there is a total of 4 laptops, 3 tablets, 2 printers, 9 PCs and one is a FreeNAS server.
Hope this helps someone, and like I say, use what you have smartly.

August 16, 2016 | 12:23 PM - Posted by Anonymous (not verified)

This sound really interesting. I'm interested in setting something like this up. Do you have any guide that you used? Which Linux distros are you using? What kind of components did you use for the low power? Would a Raspberry Pie work as the "honey pot"?

August 18, 2016 | 02:56 AM - Posted by lott11

Look at the other post at the bottom of the posts.
Software and hardware are listed; the choice is yours what to use.
Good luck.

August 16, 2016 | 10:19 AM - Posted by Anonymous (not verified)

Good idea, very bad implementation. While you can jury-rig this topology with SOHO routers, you are just complicating things and opening a big can of worms called double NAT. Good luck getting reliable online gaming with that setup, especially on consoles or anything that needs a port forward.

If you want to implement a proper network isolation setup, get a router appliance or use something like pfSense with multiple NICs or VLAN support with a managed switch. Great opportunity to learn some good network concepts and maintain your sanity.

Just my 2 cents.

August 16, 2016 | 05:46 PM - Posted by Michael Horowitz (not verified)

The $180 Pepwave Surf SOHO from Peplink offers more security than you got with three routers.

ETHERNET: each of the 4 LAN ports can be put into its own VLAN. If that's not enough, you can connect a VLAN-aware switch to a LAN port too (have not tried that myself).

WIFI: It offers total isolation of devices on a particular SSID. An SSID can be put into its own VLAN. Devices on that SSID can be prevented from seeing each other (they call this Layer 2 isolation). And, access to the router itself can also be controlled per SSID. Simply put, devices on a WiFi network can be *totally* isolated, so all they can do is communicate with the Internet. Period.

The choice referred to in this article, boils down to whether a WiFi device is connected to the isolated IoT WiFi network or a normal (aka untagged) WiFi network.

Plus, the Surf SOHO defends itself better than consumer routers. You can limit admin access to only HTTPS on a non-standard port and you can change the admin userid too. And, the firmware won't be abandoned by the vendor forcing you to buy new hardware to get bug fixes.

For more see www.routersecurity.org/pepwavesurfsofo.php

August 16, 2016 | 10:49 PM - Posted by lott11

While you may think that gaming is impossible, it is not.
To make the argument is ridiculous; yes, PS4s do not like long passwords for WIFI.
But why in the world would I send anything through WIFI unless it is text? That is, WIFI is for web and text, that is it.
You are not security savvy: all the PCs, PS4, anything that goes to the internet is hardwired; cell phones and tablets are by nature isolated.
What I mean by isolated: any WIFI has its own protocol of filters on both routers. Have you ever used DD-WRT?
Unlike the typical firmware, you can add your rules and packages to limit what goes in and out.
So yes, it is a long process, but then you only do this once in a blue moon.
The only thing is monitoring; that is 3 times every week. In the past 6 months, 2 attempts.
There are 3 servers in my home; that does not even count the firewall server.
There are no Nest devices or smart TVs, not even a car that can be accessed by any WIFI or remote system.
Yes, the old way: I do not need any more tracking, nor any monitoring; I can fix my cars.
Do I live in the twenty-first century? Yes. Do I have to do it their way? No.
Do I miss out on anything? Not at all.
What can a smart TV do that I can not do on Kodi? With Kodi I see news, TV, pay per view, 59 times more than on cable.
So what are the limits that you are talking of? There are 5 gamers at home; we all use Steam.
And some have PS4 and Xbox or 360, whatever; the point is when my kids or myself want to host, we do.
We hosted up to 12 gamers at home and 27 online. Do I do this all the time? No. Can it be done? Yes.
You are limited by your imagination; I am not. I am 54; we had to hack to make things work.
You kids just buy a piece of software and that is it; some of us still use our heads to work out problems.
And to the other anonymous user:
Would an SBC work? Well, they would, but most black hats will just LOL at how fast they got it down.
They just do not have the power to keep up; you need at least 2.0 GHz and 2 GB RAM and a Linux or BSD.
You would think that this is overkill; you can download Kali Linux and see how long it would take.
This is not the only way, but it is well documented and fast to use, to test and penetrate any network.
Yes, there are 12 other ways plus at least 7 Linux distros that do the same and more; you have to start somewhere.
I have two ways of doing the first server: one is Slackware, the other that might be fast and just as useful is Zentyal server; there is also pfSense and ClearOS.
Now for the simplest to use: the last two distros.
If you want an SBC for anything, go to Newegg or Amazon, and I do not mean pico boards.
I mean AMD and Intel N & M class or Kabini Fusion or Ontario; most of these boards are $24 to $54 US.
And they all need a 250 to 350 PSU, some RAM and a hard drive; use something used that you have, small, 10 up to 50 GB.
If you use an Intel Atom quad core or a Celeron dual core, the problem is the heat and the manner of attacks nowadays.
They are brutal on the CPUs, so just because it is a honey pot, it is still a PC; keep it in a cool place.
Hope this helps.

August 17, 2016 | 09:17 PM - Posted by drbaltazar (not verified)

If I understood Steve right (this week or last week), Steve Gibson found a box that could do it all, 5 separate ports (yes, literally separate, but within the same box, $60), so if I understood correctly, just adding this box and plugging wires in the correct order with your router etc. should technically T.N.O your network. Ask Steve or one of his allies. I am sure it's done already (sure sounded very done, unlike S.Q.R.L).

August 18, 2016 | 02:02 AM - Posted by David Beem (not verified)

Steve has been covering the Ubiquiti EdgeRouter X ($50 - $60 USD). I have one and also use pfSense. My solution has the IoT "routers" (in my case, re-purposed DSL modems) authenticate to the DMZ interface of my pfSense firewall through PPPoE (the EdgeRouter X can do the same thing): http://wnmctech.blogspot.com/2016/08/isolating-internet-of-things-device...

August 18, 2016 | 02:38 AM - Posted by Anonymous (not verified)

Errrrm...
How is this more secure than having 1 router running OpenWRT with a firewall that will only forward traffic from IoT MACs/IP range to the WAN?
The software configuration is a bit more complicated, but you don't have to buy and keep 2 extra routers in your home.

August 18, 2016 | 04:52 AM - Posted by Anonymous (not verified)

And if you're concerned about a compromised device listening in on your wireless traffic, use 802.1x authentication.

August 20, 2016 | 07:54 PM - Posted by arbiter

My Asus N66u router has an option in guest network to set up a wireless guest network and isolate it from the rest of the network. Devices using it can access the internet but can't access anything else connected to that router.

That is built in to stock Asus firmware.

August 26, 2016 | 12:33 PM - Posted by NoraaC (not verified)

I have set up the three dumb routers as described. The iot router is at the end of a long ethernet cable that was originally used to extend our office network into a distant part of a large warehouse/packinghouse building to connect a barcode printer needed in that location.

As time went on we added a FosCam ip camera to allow us to keep tabs on the packing operation from the office and then a Honeywell Internet connected thermostat. There are obvious benefits to being able to access the camera and thermostat from remote locations, at night etc.

This was done by setting up a second router with the ethernet plugged in to a LAN port with the router on the same subnet as the office and all devices connecting to the router - some wired some WiFi.

We live in an area where Internet access is not available (Other than Satellite) for many people so our employees appreciate having Internet access at work at least.

As a regular watcher of Steve's Podcast I was becoming increasingly nervous about the iot devices on our office network not to mention all the various cell phones and laptops brought in by employees and customers.

The problem now is having set up the isolated subnet in the packing house I still need to be able to print to the barcode printer which must be located where it is and I would like to be able to access the video from the camera.

My question after all this long winded explanation: Is there any way to print to the printer on the iot subnet from the office subnet without compromising the whole setup or am I forced to run another 100' of ethernet cable just to connect the printer?

August 26, 2016 | 12:43 PM - Posted by NoraaC (not verified)

I meant to post this here but posted to a different thread by mistake (too many open tabs) so sorry if it is redundant.

I have set up the three dumb routers as described. The iot router is at the end of a long ethernet cable that was originally used to extend our office network into a distant part of a large warehouse/packinghouse building to connect a barcode printer needed in that location.

As time went on we added a FosCam ip camera to allow us to keep tabs on the packing operation from the office and then a Honeywell Internet connected thermostat. There are obvious benefits to being able to access the camera and thermostat from remote locations, at night etc.

This was done by setting up a second router with the ethernet plugged in to a LAN port with the router on the same subnet as the office and all devices connecting to the router - some wired some WiFi.

We live in an area where Internet access is not available (Other than Satellite) for many people so our employees appreciate having Internet access at work at least.

As a regular watcher of Steve's Podcast I was becoming increasingly nervous about the iot devices on our office network not to mention all the various cell phones and laptops brought in by employees and customers.

The problem now is having set up the isolated subnet in the packing house I still need to be able to print to the barcode printer which must be located where it is and I would like to be able to access the video from the camera.

My question after all this long winded explanation: Is there any way to print to the printer on the iot subnet from the office subnet without compromising the whole setup or am I forced to run another 100' of ethernet cable just to connect the printer?

August 31, 2016 | 01:13 AM - Posted by David Beem (not verified)

When you have two wired devices (in your example a barcode printer and IP camera) that use the same uplink cable but still need to be isolated from each other, the best solution is to set up VLANs. I strongly recommend replacing the Ethernet switch at the end of this long cable run with a Ubiquiti EdgeRouter X (between $50 to $60 USD, more pricey elsewhere). You would also need the network infrastructure where your main systems are in the facility, but getting a professional to set it up the right way will give you peace of mind.

I also recommend setting up a separate wireless network for employees bringing in their own systems into the office (called BYOD - "Bring Your Own Devices")...

August 31, 2016 | 01:23 AM - Posted by David Beem (not verified)

The Honeywell thermostat is more of the true "IoT" - I discuss in my blog (wnmctech.blogspot.com) how my Honeywell thermostat "phones home" to the Honeywell servers, then I access that data by connecting to them - not the thermostat directly. Your IP camera is more likely designed to be accessed directly on the other hand. Be aware that the Foscam brand is good - and typically has a setting in the interface for configuring an Access Control List.

There are security camera systems that feed that data to an Internet location or a server that you would run, but I think at this point you need a good network consultant to review everything for an ideal method...

August 27, 2016 | 01:53 PM - Posted by MeadDogMan (not verified)

I have the same issue as NoraaC, but it pertains to a Plex Media Server on the secured network and the Roku 4 on the IoT network - need to access the secured Plex Media Server and play the movies on the IoT Roku 4.

Any suggestions on doing this?

August 31, 2016 | 01:29 AM - Posted by David Beem (not verified)

A Roku interacts more within your network and is not an IoT device that should be isolated. I've got about eight Roku units of various levels around. Since you have a new model it needs the Internet connection for possible updates and any external streaming; If you were only playing Plex content there would be a chance of locking it down with an advanced hardware firewall like pfSense.

August 28, 2016 | 09:28 PM - Posted by Frank iot (not verified)

Great info, the Pepwave Surf SOHO mentioned by Michael is promising as one device that fits all purposes including wifi. We'll have to wait for the new model release that is able to do more such as concurrent dual band and 11ac.

Steve's ubiquiti edge router x does it too but it does not have wifi for which you need to buy separately (e.g. Unifi from the same company is good choice).

October 14, 2016 | 05:38 PM - Posted by Anonymous (not verified)

I know that Ubiquiti just had some MAJOR hacks back in May. ALL of their devices were hacked and the username was set to mother, password set to f****r. The hacker bypassed the security of the kernel and reset the credentials. It affected their radios and their routers as well. I don't know if I would trust the Ubiquiti option for security. I am a wireless provider and luckily, we have SSH and FTP blocked from outside of our network to our WISP.

I was personally looking at one of the Dell Sonic Walls for my home. I have several DVR's, Media Player and Apple TV on my LAN along w/ my computers. I have Ubiquiti unifi AP's in my home and my main desktop acts as the controller.

I came to this site because I am trying to figure the best way to set myself up w/ proper security for the future. At this time, I only have one router and a gigabit cisco 50 port POE switch. But am about to put in smart locks, garage door openers and IP cameras. Was wanting to segregate that traffic from the rest of the LAN for security reasons and for bandwidth reasons on my LAN and not make my other video suffer and start buffering.

I only have DSL speed to the Internet even tho I have a gigabit LAN.....

Am I on the right path?

December 6, 2016 | 12:31 AM - Posted by Joseph Kesselman (not verified)

Confused by one point: In discussion it was suggested that a single Ubiquiti box could provide solid enough isolation to avoid the three-router setup. But that doesn't seem to provide wifi, which is sorta sine qua non for many IoT devices and desirable for guests even if your secure net is hardwired. So it seems at least one additional router or AP is needed, possibly two. What am I missing?

I'm also wondering whether simply firewalling the IoT devices to communicate only with their official hosts/hubs and/or control sources wouldn't do the job more efficiently...?

December 16, 2016 | 08:40 PM - Posted by Joe (not verified)

So I tried to setup up this same exact configuration in my house, and I have a question.

I recently purchased a Ring Doorbell -- this is an IoT device (for those that don't know) that has a camera which allows you to see who is at your front door if you use the associated Ring iOS/android application. The Ring app will also allow you to view the camera feed when you are away from your house and outside of your local network. In my setup, I connected the Ring Doorbell to my "IoT network". Meanwhile, my iphone with the associated Ring phone app is connected to my "Secure network".

When all three routers (Border, Secure, and IoT) are on, I can access the live feed from the Ring doorbell no matter which network my iPhone is connected to (the "IoT network", the "Secure network", or my cell phone provider's internet). However, when I turn off the modem used for the "Secure network", I can only access the feed in the Ring app when my phone is connected to the "IoT network". In this scenario I obviously can't access the video feed from the "Secure network" because that modem has been turned off. But what doesn't make sense to me is why I can't access the video feed while my phone is connected to my cell phone provider's internet.

Anyone have an explanation for this?

(Apologies if it's a dumb question -- I'm obviously not a networking expert)

Thanks!

December 26, 2016 | 04:58 AM - Posted by RH (not verified)

Nicolae Crisan, thank you for making Steve Gibson's theory implementable by those who are not super technical!

The majority of the comments lean against this "3 dumb routers" configuration. It seems most consider it inefficient. There are comments suggesting the Ubiquiti EdgeRouter X, pfSense, or Pepwave Surf SOHO.

If my primary objective is to isolate IP cameras, specifically Foscam 8910s, from sensitive devices, is the "3 dumb routers" config an easy-to-administer setup for a non-technical person who has zero interest in learning anything about networking?

Here is my scenario:
I am assisting my cousin and her two teenage daughters. She lives three states away, so my support will be remote, with her acting as my eyes and hands. One device with complex rules will be too much for her to help me troubleshoot remotely. To date, the guys she has dated have not been technical. I plan to configure/test the network at my house, ship her the pieces and walk her through snapping in the cables. I know a little about networking, but I am very far from being an expert. By providing her a list of device types to connect to IoT or Secure, my hope is for her to easily be able to admin her network.

Primary objective: isolate 4 Foscam 8910s from her main network.
Secondary objective: encrypt Foscam data streams; Foscam 8910s do not have HTTPS. Her current contract cell service has spotty coverage, so she uses free Wi-Fi too much. When using free Wi-Fi, she is giving her network login and password to anyone who is looking or capturing LAN data.

Her current home LAN setup is Time Warner Cable service, a cable modem she owns, connected to a Netgear 3400 v2 wireless router. Netgear has not released an update for v2 in 2-3 years. It is currently running its most recent firmware (1.0.0.52). It supports a guest network, but it is not set up. Remote administration, WPS, and UPnP are turned off. Each of the four IP cameras has a port forwarded in the Netgear.

Her devices are (the Netgear 3400 v2 seems to handle the load well):
-4 wireless Foscam IP cameras (640x480 resolution, viewed via cell phone),
-1 Ring doorbell,
-2 iPhones (various models), [usually on carrier's 4G network]
-2 iPads (various models),
-2 Wi-Fi printers,
-2 Android phones, [usually on carrier's 4G network]
-2 Win 10 laptops,
-1 Chromebook,
-2 connected DVD players that can stream Netflix and YouTube,
-2 Rokus,
-AT&T/DirecTV home DVR system with 3 wireless Genie devices; I think they have their own network to communicate with the main DVR unit that is separate from her home Wi-Fi network,
-Xbox (no online gaming),
-Wii U (does do online gaming),
-1 Fitbit-type device,
-Guest network (she is the neighborhood and drill team mom; many different teen girls on and off the network).

Her family: 50 year old mom. 17 & 14 year old daughters. Many, many friends and drill team members have the guest password saved in their devices.

Suggested map of devices to routers and SSIDs (not the real names of the SSIDs):
-Border Router: Secure Router & IoT Router
-IoT Router; Video SSID: Foscam 8910s; Ring Doorbell
-IoT Router; Media SSID: Rokus, connected DVD players, Xbox, Wii U, Fitbit
-Secure Router; Family SSID: cell phones, printers, Apple iPads, Windows laptops, Chromebook
-Secure Router; Friends SSID: printer, many teenage friends of their parents; 5-9 friends at one time seems to be average.

Questions/Concerns:
1. NEED TO ISOLATE FOSCAMS. The 8910s are using Foscam's DDNS and port forwarding through the Netgear 3400 v2. They call home often, but Foscam initially denied they did. Who knows what data is being sent to China. I have read creepy stories of how the Foscams have a full Linux system inside with limited security or safeguards. A clever hacker can enter the home LAN through the Foscam and hop to other devices on the LAN. Once a laptop/tablet is found, the hacker has access to more RAM and CPU power to do bad stuff.

2. DO I NEED TO PORT FORWARD FOSCAMS ON BOTH BORDER AND IOT ROUTERS? If this is required, am I weakening my setup? That is, am I not setting up a potential MITM situation since I have granted outside internet access through the border router? What options are there to remedy this scenario? Can it be set up so that I get an email if changes are made to the router's config? Can a log be set up that will keep its entries through a reboot?

3. HOW DO I ENCRYPT FOSCAM VIDEO STREAMS SINCE THEY DO NOT USE HTTPS? My first thought is to figure out free OpenVPN. But the N12 stock firmware does not support OpenVPN. Is there another router I should consider? I would consider using Merlin firmware, but a few searches suggest the N12 is not stable on Merlin.

4. ARE DATA ON DIFFERENT SSIDs KEPT SEPARATE? One of Nicolae's images shows the Asus N12 D1 firmware can make 3 guest SSIDs. Are data isolated such that data on the main Family SSID is completely separate from data on the Friends SSID? Can these separate SSIDs be viewed as a sort of Wi-Fi VLAN? I want to make sure an ex-boyfriend of one of the teens cannot use the commonly accessed Friends SSID to get access to data on the Family SSID.

5. WHICH CONSUMER-GRADE ROUTER BRAND HAS THE BEST REPUTATION FOR MAINTAINING THEIR FIRMWARE? The Netgear 3400 v2 has not been updated in years. I was in Micro Center and noticed the 3400 is still sold, but it is v3. Netgear's website does not make it clear when the last update was provided for the 3400 v3.

I regret the long post. Please let me know if my requests do not make sense.

Thank you.

RH

December 29, 2016 | 01:01 PM - Posted by Anonymous (not verified)

Back to basics

Yes, this is a very clever solution. But to what problem? What really is an IoT device? How can a webcam, printer, PlayStation, IP phone etc. be less 'dangerous' than a refrigerator (or another traditional IoT device)? Even a PC with the wrong software installed would not be more secure than a refrigerator.

March 24, 2017 | 12:21 PM - Posted by Fillmore (not verified)

My Netgear Nighthawk router/WAP, like many devices, has a guest Wi-Fi network (well, two: one for 2.4 GHz and one for 5 GHz).

Why would I not use this? Now my home automation requires an Ethernet connection, so to solve this, I'm thinking I could purchase a Wi-Fi extender with an Ethernet port, plug that into an outlet and connect it to the guest Wi-Fi. Then plug the home automation hub into the Ethernet port on the extender.

Set up the guest Wi-Fi for isolation and Bob's your uncle.

What am I missing here? The traffic is isolated, no?

April 5, 2017 | 02:30 PM - Posted by WC (not verified)

The issue I have run into when trying to implement this isolated type of setup is that with IoT devices needing hubs (HomeKit with Apple TV, for example) it becomes harder to separate and firewall. For example, if you use the Apple TV to watch movies from your NAS etc. you would generally put that on the secure side of the network; however, the Apple TV needs to be able to 'see' the IoT devices to control them, which causes a problem with routing. I have tried this with some crazy firewall rules to block all but Bonjour-style traffic, but a) that is not easily bounced around (Bonjour is not very redirect-friendly) and b) it still leaves a bit of a security gap.

Would love to know if others have run into this and how they are resolving these issues with control of IoT devices from hubs that need access to the secure side etc.

Thanks

WC
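One way to handle the HomeKit/Bonjour problem WC describes without opening the firewall between the two segments is a selective mDNS reflector: a small process that receives multicast DNS on the IoT segment and re-emits onto the secure segment only the packets whose every DNS-SD service is on an allow-list (HomeKit's _hap._tcp here). The following is an added example written for this thread; it is not code from the page, from Apple, or from any product mentioned above, and the allowed service list is an assumption. It shows the packet parsing and the forwarding decision, exercised on packets constructed inline; the UDP socket plumbing (bind port 5353, join 224.0.0.251 on each interface, re-send on the other) is left out.

```python
"""Selective mDNS reflection decision for a HomeKit hub on the secure side (added example)."""
import struct

TYPE_PTR = 12
META_QUERY = "_services._dns-sd._udp.local."          # DNS-SD service enumeration name
ALLOWED_SERVICES = {"_hap._tcp.local."}               # HomeKit Accessory Protocol (assumed allow-list)
PERMITTED_NAMES = ALLOWED_SERVICES | {META_QUERY}


def _read_name(buf: bytes, offset: int):
    """Decode a DNS name at offset, following RFC 1035 compression pointers.
    Returns (dotted_name, offset just after the name as laid out in the packet)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = buf[offset]
        if length & 0xC0 == 0xC0:                     # two-byte pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | buf[offset + 1]
            jumped, hops = True, hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels) + ".", end
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length


def named_services(packet: bytes) -> set:
    """DNS-SD service types the packet asks for (PTR questions) or announces (PTR answers).
    SRV/TXT/A records ride along with the PTR that announces their instance, so the
    PTR owner (or, for enumeration answers, the PTR target) is the thing to check."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    off, services = 12, set()
    for _ in range(qd):
        qname, off = _read_name(packet, off)
        qtype, = struct.unpack("!H", packet[off:off + 2])
        off += 4                                       # qtype + qclass
        if qtype == TYPE_PTR:
            services.add(qname)                        # a META_QUERY question is itself permitted
    for _ in range(an + ns + ar):
        owner, off = _read_name(packet, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        if rtype == TYPE_PTR:
            target, _ = _read_name(packet, off)
            services.add(target if owner == META_QUERY else owner)
        off += rdlen
    return services


def should_reflect(packet: bytes) -> bool:
    """Reflect only packets whose every named service is on the allow-list; a packet that
    mixes an allowed and a disallowed service is dropped whole rather than rewritten."""
    services = named_services(packet)
    return bool(services) and services <= PERMITTED_NAMES


# --- constructed sample packets (builder with RFC 1035 name compression) ---
def _encode_name(name: str, comp: dict, offset: int) -> bytes:
    labels, out = name.rstrip(".").split("."), b""
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:]) + "."
        if suffix in comp:                             # reuse an earlier copy of this suffix
            return out + struct.pack("!H", 0xC000 | comp[suffix])
        comp[suffix] = offset + len(out)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_mdns_response(ptr_records) -> bytes:
    """mDNS response made of PTR answers: [(owner_name, target_name), ...]."""
    comp, out = {}, struct.pack("!HHHHHH", 0, 0x8400, 0, len(ptr_records), 0, 0)
    for owner, target in ptr_records:
        out += _encode_name(owner, comp, len(out))
        rdata = _encode_name(target, comp, len(out) + 10)   # rdata starts after the 10-byte RR header
        out += struct.pack("!HHIH", TYPE_PTR, 1, 4500, len(rdata)) + rdata
    return out


def build_mdns_query(qnames) -> bytes:
    """mDNS query with one PTR question per name."""
    comp, out = {}, struct.pack("!HHHHHH", 0, 0, len(qnames), 0, 0, 0)
    for q in qnames:
        out += _encode_name(q, comp, len(out)) + struct.pack("!HH", TYPE_PTR, 1)
    return out


if __name__ == "__main__":
    bridge = build_mdns_response([("_hap._tcp.local.", "Bridge._hap._tcp.local.")])
    print(named_services(bridge), should_reflect(bridge))
```

The reflector only moves the discovery traffic; the Apple TV still has to open a unicast TCP connection to the accessory's address on the IoT segment, so the firewall needs a single rule for "secure -> IoT, new connections" (return traffic comes back as established). That is a much smaller hole than bridging the two segments, which is the gap WC ran into.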

April 6, 2017 | 10:51 AM - Posted by james (not verified)

Make the second router for IoT devices a VPN router for extra security. You can make one yourself if you are pretty technical, or buy a premade one like https://easyvpnrouter.com/, or Google around for others.

April 14, 2017 | 10:21 PM - Posted by train_nerd

Please forgive the noob questions, but I would like to try this with a Ubiquiti EdgeRouter X as Border, then my existing router as Secure, then add a new IoT VPN router for IoT devices.

I'm getting the impression from other sources that DHCP should be disabled on the IoT and Secure routers. Does that make sense?

Will devices on secure network be able to see and control IoT devices on IoT network?

(I have the existing router config backed up on the NAS; I understand this approach is messier than Gibson's advice.)

Thank you.