Steve Gibson's Three Router Solution to IOT Insecurity
More stuff to know about
Give the router power; plug the Ethernet cable into the blue uplink port and the other end into your cable modem. Basic stuff. Connect another Ethernet cable from your desktop or laptop into one of the available yellow LAN ports on the router. Directly to the left of the AC adapter port on the unit is a power button; give it a good push to power on the router. For those of us super-hardcore who like to use static IP addresses on our machines and/or devices, make SURE to disable the static address on the PC you are using to configure these routers so it receives an address from the router. If your IP address isn’t in the “192.168.1.x” address space, you’ll be scratching your head trying to figure out why you can’t reach the web control panel of the router. Speaking of which! Point your browser to 192.168.1.1 once you have everything connected.
Advance to the next screen (press GO) and choose a password for the border router. Don’t skimp on the password – set a good one and write it down or input it into your password manager of choice.
Advance to the next screen, set a wireless password and keep clicking next until you arrive at the Network Map.
Let’s do some basic due diligence by adjusting some security and network settings.
Disable WPS: Browse to the “Wireless” category on the left, select “WPS” from the sub-tabs in the right-hand pane and click the green ON/OFF slider to disable this feature.
Disable Wireless: This is a border router strictly designed to pipe traffic to and from our internal routers. There is NO reason to have wireless capabilities enabled here. Navigate to the “Professional” subtab located inside the same “Wireless” category we are currently in. Select the “No” radio box under the “Enable Radio” line item. Make sure to click “Apply” after making this change!
Disable UPnP: I realize that the XBOX and a number of other devices use UPnP to have ports forwarded to and from the game system automatically. I am erring on the side of caution and I want to lock this system down before opening things up. It’s up to you whether you are comfortable with devices opening ports using this protocol or not. I would rather manually configure things and not allow an automated process to control my routers. Select the “WAN” category on the left-hand pane. Then select “No” under the “Enable UPnP” line item. Click “Apply” to save your changes.
Configure Network Addressing: IMPORTANT! You can quickly run into an IP address conflict if you don’t manually adjust the default LAN IP addresses on each of the routers you set up. A router is designed to route traffic from one subnet to another. If you configure two routers attached to each other with the same IP addressing scheme, you will quickly find yourself dealing with intermittent network problems. To avoid this we will design a simple addressing scheme and configure it. This is a LOT easier than it sounds. Here’s how we will design it.
“Border” – 10.10.1.x
“IOT” – 10.10.2.x
“Secure” – 10.10.3.x
Why 10.10.x? This paragraph explains the thought process behind the IP subnet used in this article. Skip ahead to the next paragraph if you are simply interested in the setup of the system. A considerable amount of thought went into the final decision on which private subnet to use in this guide. It might seem obvious to simply use the popular and more recognizable “192.168.x.x” that we are so accustomed to seeing. Let’s consider the three private subnets available to us and why each should or shouldn’t be used.
1. 192.168.x.x – This is, of course, the most common default subnet and it’s by far the most recognizable – even to the beginner. However, this subnet has a number of drawbacks in this particular configuration.
   1. Internet Service Providers who position their subscribers behind a private IP address generally use this subnet on their cable or DSL modems. Since you cannot guess which number will be used in the third octet (192.168.#), you have to hope that the number you choose will not conflict with the address your “border” router receives from the modem.
   2. Even if we were able to reliably determine what the majority of ISPs use as the third octet, we would be over-complicating this guide because we would need to explain how to determine whether your ISP has given you a private IP address. This adds an unnecessary step.
   3. It’s helpful to “reserve” or mentally label this subnet as the “this router isn’t set up yet or it has been reset by accident” subnet. This is purely a matter of opinion, but it is easy to identify a router that has not yet been configured when its web control panel is still using the 192.168.x subnet.
2. 172.16-31.x.x – Although it’s all but non-existent in home settings, this private subnet is also available for use. It might be a good choice, but I believe our third choice gives us much more flexibility in terms of using numbers for labeling purposes.
3. 10.x.x.x – This subnet gives us the most freedom in terms of how we choose to number our internal network. We have the full range of 0-255 on the second and third octets available to us.
What if you are not able to change your private IP address from 192.168.x to something different because your router does not give you this function? Many years ago, when router firmware was much more limited in its capability, this was much more commonplace. If you find yourself in this situation, feel free to use the 192.168.x subnet, with the caveats mentioned above taken into consideration of course. In the end, it’s strictly a matter of personal preference. The goal of this guide is to give you a few clear steps that you can easily follow, with as few steps as possible, so you can get up and running. With all of that out of the way, let’s configure the IP address of these routers.
Navigate to the “LAN” category on the left-hand pane. Type the appropriate IP address into the box labeled “IP Address”. To determine which address should be entered, refer to the list below. If you’re currently configuring the “Border” router, for example, use the address listed next to “Border” in the list below. Click “Apply” when done. Allow the router to reconfigure its IP address. You will be prompted to log in again.
“Border” – 10.10.1.1
“IOT” – 10.10.2.1
“Secure” – 10.10.3.1
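Before typing these addresses in, it is worth checking the plan for exactly the overlaps the article warns about. The script below is an added example, not part of the original article: it models the article's topology (modem, then Border, then IOT and Secure hanging off Border), treats each inner router's WAN side as living in its upstream router's LAN subnet, and reports any LAN that overlaps its upstream or a sibling. The 192.168.1.0/24 ISP-side subnet is a constructed sample standing in for an ISP that hands the Border router a private address; the router names and subnets are the article's.

```python
"""
Added example, not from the original article: sanity-check a multi-router
addressing plan for the overlaps the article warns about before typing the
addresses into the routers.

Topology modelled is the article's: modem -> Border -> {IOT, Secure}. Each
router's WAN port sits inside its upstream router's LAN subnet, so a router's
LAN must not overlap the subnet its WAN port lives in, and routers hanging
off the same upstream must not overlap each other.
"""
import ipaddress
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Router:
    name: str
    lan: str                 # LAN subnet in CIDR notation, e.g. "10.10.1.0/24"
    upstream: Optional[str]  # router whose LAN the WAN port plugs into; None = ISP modem


def router_address(lan: str) -> str:
    """First usable host of a LAN subnet, where the article parks each router (x.x.x.1)."""
    return str(next(ipaddress.ip_network(lan, strict=False).hosts()))


def check_plan(routers: List[Router], isp_wan_network: Optional[str] = None) -> List[str]:
    """Return human-readable conflicts; an empty list means the plan is clean.

    isp_wan_network is the subnet the ISP modem hands the Border router, if it is
    known (the article's concern is an ISP that hands out a private 192.168.x.x).
    """
    nets: Dict[str, ipaddress.IPv4Network] = {
        r.name: ipaddress.ip_network(r.lan, strict=False) for r in routers
    }
    problems: List[str] = []

    for r in routers:
        lan = nets[r.name]
        if not lan.is_private:
            problems.append(f"{r.name}: {lan} is not an RFC 1918 private range")
        if r.upstream is None:
            # Border router: its WAN side is whatever the ISP provides.
            if isp_wan_network is not None:
                wan = ipaddress.ip_network(isp_wan_network, strict=False)
                if lan.overlaps(wan):
                    problems.append(f"{r.name}: LAN {lan} overlaps the ISP-side subnet {wan}")
        else:
            # Inner router: its WAN side is the upstream router's LAN.
            up = nets[r.upstream]
            if lan.overlaps(up):
                problems.append(f"{r.name}: LAN {lan} overlaps upstream {r.upstream} LAN {up}")

    # Siblings behind the same upstream must not overlap each other either.
    for a, b in combinations(routers, 2):
        if a.upstream == b.upstream and nets[a.name].overlaps(nets[b.name]):
            problems.append(
                f"{a.name}/{b.name}: sibling LANs {nets[a.name]} and {nets[b.name]} overlap"
            )
    return problems


# The article's plan versus three routers left at their factory default subnet.
ARTICLE_PLAN = [
    Router("Border", "10.10.1.0/24", None),
    Router("IOT", "10.10.2.0/24", "Border"),
    Router("Secure", "10.10.3.0/24", "Border"),
]
DEFAULT_PLAN = [
    Router("Border", "192.168.1.0/24", None),
    Router("IOT", "192.168.1.0/24", "Border"),
    Router("Secure", "192.168.1.0/24", "Border"),
]

# Constructed sample: an ISP that gives the modem's LAN side a private 192.168.1.x address.
ISP_PRIVATE_WAN = "192.168.1.0/24"

if __name__ == "__main__":
    for label, plan in (("article plan", ARTICLE_PLAN), ("factory defaults", DEFAULT_PLAN)):
        print(f"== {label} ==")
        for r in plan:
            print(f"  {r.name}: {r.lan} (router at {router_address(r.lan)})")
        for p in check_plan(plan, ISP_PRIVATE_WAN) or ["no conflicts"]:
            print("  ", p)
```

Running it shows the article's plan passing cleanly even when the ISP side is 192.168.1.x, while three routers left at factory defaults produce four conflicts: Border against the ISP subnet, IOT and Secure against Border, and IOT against Secure. If your ISP hands out a public address, call `check_plan` without the second argument and only the internal checks apply.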
Rename The Wireless Network: If you are currently setting up your “IOT” or “Secure” router, navigate to the “Wireless” category and change the “SSID” to something you will easily recognize. For example, I named my IOT router “Home – IOT” and my Secure router “Home – Secure”. This way you can determine which network does what when you try to connect a device for the first time to one of those wireless networks. In either case, make sure to click “Apply” when done.
At this juncture you have two options – you can continue to fiddle with the other advanced settings on the router or move on to the next router. I highly recommend you set up all three routers first before fixing something that isn’t broken (not yet anyway).
For those of you who program, it’s time to invoke the “while” loop. While you still have routers in line to be set up, scroll back up to the “Router Setup” section and repeat this process until all three routers are configured – with one VERY important exception! You definitely do NOT want to disable the wireless radio on the second and third routers!
Pro Tip: Each time you’re ready to begin setting up a new router, leave all your cables (both Ethernet cables and the power cord) in place! Simply power off the finished router, unplug each cable gently in preparation for the next router. Place the finished router aside in a “finished pile” and reattach the cables to your next router on deck.
Pro Tip: Print this guide or save it as a PDF while configuring your routers. It will allow you to work offline while you are plugging and unplugging things and interrupting your Internet connection. You could also use a separate device that takes advantage of a different wired or wireless network. It’s up to you!
Once you have successfully completed configuring all three routers, locate three Ethernet cables and unpack the three included power adapters. Connect the “IOT” and “Secure” routers to the “Border” router.
1. Begin by plugging in an Ethernet cable into the WAN port (blue) of the IOT router.
2. Repeat this process with a second cable with the Secure router.
3. Connect both of the Ethernet cables into the LAN ports (yellow) of the Border router.
4. Ensure each power button on each router is in the OFF position.
5. Connect an AC adapter to each router and plug them into an open power outlet.
My personal anecdotal evidence suggests it is better to power up your network equipment starting from the cable modem, waiting about 10-15 seconds, and then gradually moving inward.
1. Power cycle your cable or DSL modem by unplugging and re-plugging it into its power source. Wait until all the LED indicators return to their normal state.
2. Power on your Border router. Wait until the network activity LED is blinking.
3. Power on both the IOT and Secure routers.
You have successfully set up Steve’s three-router solution! You can now begin to connect all of your IOT or “Internet-enabled” devices to the IOT router, and connect your “private” or most valuable electronic assets, such as your main PCs, laptops, mobile devices and network storage devices, to the Secure router.
Achievements: By forcing our network traffic through separate channels (IOT & Secure), we vastly improve the security of our local network devices. As mentioned above, we still have to deal with the threat of infected devices on the IOT router infecting or hijacking other IOT devices. In the future we might be able to address this issue by applying some sort of software layer of protection (i.e. a VLAN per device), but at least we have a solid platform to build on. Remember, the primary goal and/or achievement here is putting a theory into actual practice instead of just discussing how we can remedy this new and growing security threat. A side benefit of implementing this network topology is our change in behavior when it comes to connecting new devices to our network. Instead of passively blending everything in with our other devices and hoping everything will behave, we can now easily make an active decision about each device on its very first connection. We have only two choices: either the device is insecure and needs zero access to our secure network, or the device is of high value and should be protected inside our secure network. We all realize the decision may not be that binary for each and every device, but at least now we are actively engaged in the mental process of protecting our most valuable network devices.
Return On Investment: If you implement this router configuration by purchasing brand new units, and if you use the same models listed in the walkthrough, you will end up spending approximately $120 (at the time of this writing). We could go over an infinite number of variations and adjustments to lower or raise that price. Obviously, if you use units you already have, the total build cost will drop dramatically. Here’s an important factor to keep in mind if you intend to build out this configuration with used equipment. Most likely you don’t have two identical router models, or even the same brand of router, at the same residence or place of business. The probability that you have three of the same router is smaller still. There isn’t anything inherently incorrect about using three completely different router models to accomplish this setup. However, I believe you will find that managing three completely different GUIs, as well as the differences in available settings, can drive you to insanity. I would highly recommend using three identical router models to simplify the troubleshooting process – even if the total cost ends up being higher. All of this being said, the return on our investment of time and money manifests itself in an intangible way at first. In fact, at first blush, we have added more complexity to our home network, but the benefits we receive, in terms of reducing the number of attack vectors, are well worth the investment.
Our main goal with this network design adjustment was to address the IOT security threat in our local SOHO router environments by developing a proof-of-concept. It certainly isn’t the cheapest or most efficient way to set up a network, but it provides us with a platform on which to build and advance our approach to a secure home network.
Editor's Note: It should be mentioned that, while this method is the most secure, if you have a router that can use DD-WRT there is a feature called "AP Isolation" that can perform a similar function.
The wireless bridge builds a bridging table of "heard" (or sniffed) MAC addresses that appear on various ports. Think of the router as having just 3 available ports: wireless, Ethernet switch, and router port. If the destination MAC address shows up in the MAC address table as sitting on a specific port, only that port gets the traffic. Broadcasts, which have no destination MAC address, are sent to all ports.
When this feature is enabled the software builds a logical rule (or filter) for these MAC addresses and ports that says:
"If the packet originates on the wireless port, it can only send and receive packets that are destined for or originate from the router port or Ethernet switch port."
Not a very complex rule, but one which totally prevents wireless client to client traffic. Not even broadcasts will go from wireless client to client.
While there is always a chance that this firmware-based rule could be disabled or broken, it's a great option for those of you looking for a more simple security option.
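To make the rule in the editor's note concrete, here is an added example (not DD-WRT's code or the article's) of a toy learning bridge with the three ports the note describes and an optional AP isolation filter. The port names, MAC addresses and device roles are constructed for the scenario; the bridge learns each source MAC on the port it was heard on, floods unknown destinations and broadcasts, and, when isolation is on, strips the wireless port from the egress set of any frame that came in on wireless.

```python
"""
Added example, not DD-WRT's code: a toy learning bridge with an optional
"AP isolation" filter, to make the forwarding rule in the editor's note
concrete. Port names, MAC addresses and device roles are all constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"
PORTS = ("wireless", "switch", "router")
# Under AP isolation a wireless-originated frame may only reach these ports.
ISOLATION_ALLOWED = {"switch", "router"}


@dataclass(frozen=True)
class Frame:
    src: str      # source MAC
    dst: str      # destination MAC (BROADCAST for broadcast frames)
    ingress: str  # port the frame arrived on


class Bridge:
    def __init__(self, ap_isolation: bool) -> None:
        self.ap_isolation = ap_isolation
        self.mac_table: Dict[str, str] = {}  # MAC -> port it was last heard on

    def forward(self, frame: Frame) -> Set[str]:
        """Learn the source, then return the set of egress ports (empty = dropped)."""
        self.mac_table[frame.src] = frame.ingress

        if frame.dst != BROADCAST and frame.dst in self.mac_table:
            egress = {self.mac_table[frame.dst]}
        else:
            # Unknown unicast or broadcast: flood everywhere but the ingress port.
            egress = set(PORTS) - {frame.ingress}
            # An access point repeats wireless frames to its other wireless
            # clients, so "wireless" is an egress even for wireless-originated frames.
            if frame.ingress == "wireless":
                egress.add("wireless")

        if self.ap_isolation and frame.ingress == "wireless":
            # The editor's rule: wireless-originated traffic may only go to the
            # router port or the Ethernet switch port, never back to wireless.
            egress &= ISOLATION_ALLOWED
        return egress


# Constructed MAC addresses for the devices in the scenario.
ROUTER = "02:00:00:00:00:01"   # router/gateway port
NAS = "02:00:00:00:00:02"      # wired host on the switch
CAMERA = "02:00:00:00:00:10"   # wireless IoT device
BULB = "02:00:00:00:00:11"     # another wireless IoT device


def demo(ap_isolation: bool) -> Dict[str, List[str]]:
    """Run four representative frames through a bridge and report egress ports."""
    b = Bridge(ap_isolation)
    # Wired side announces itself first so the table knows where the router and NAS live.
    b.forward(Frame(ROUTER, BROADCAST, "router"))
    b.forward(Frame(NAS, BROADCAST, "switch"))
    return {
        "camera_arp_broadcast": sorted(b.forward(Frame(CAMERA, BROADCAST, "wireless"))),
        "bulb_to_camera": sorted(b.forward(Frame(BULB, CAMERA, "wireless"))),
        "camera_to_router": sorted(b.forward(Frame(CAMERA, ROUTER, "wireless"))),
        "nas_to_camera": sorted(b.forward(Frame(NAS, CAMERA, "switch"))),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print(f"AP isolation {'on' if mode else 'off'}:")
        for scenario, ports in demo(mode).items():
            print(f"  {scenario:22s} -> {ports or 'dropped'}")
```

With isolation off, the camera's broadcast reaches all three ports and the bulb can talk to the camera directly; with isolation on, the same broadcast reaches only the router and switch ports and the bulb-to-camera frame is dropped, while the camera still reaches the router and the wired NAS can still reach the camera. That matches the editor's summary: wireless client-to-client traffic, broadcasts included, is blocked, and only traffic to or from the wired side passes. Because the filter is software in the firmware, it is exactly the component the note says could be disabled or broken, which is the trade-off against physically separate routers.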