Steve Gibson's Three Router Solution to IOT Insecurity
Even before the formulation of the term "Internet of things", Steve Gibson proposed home networking topology changes designed to deal with this new looming security threat. Unfortunately, little or no thought is given to the security aspects of the devices in this rapidly growing market.
One of Steve's proposed network topology adjustments involved daisy-chaining two routers together. The WAN port of an IOT-purposed router would be attached to the LAN port of the Border/root router.
In this arrangement, only IOT/Smart devices are connected to the internal (or IOT-purposed) router. The idea was to isolate insecure or poorly implemented devices from the more valuable personal local data devices such as a NAS holding important files and/or backups. Unfortunately this clever arrangement leaves any device directly connected to the “border” router open to attack by infected devices running on the internal/IOT router. Such devices could perform a simple traceroute and identify that an intermediate network exists between them and the public Internet. Any device running under the border router with known (or worse, unknown!) vulnerabilities can then be exploited immediately.
Gibson's alternative formula reversed the positioning of the IOT and border router. Unfortunately, this solution also came with a nasty side-effect. The border router (now used as the "secure" or internal router) became subject to all manner of man-in-the-middle attacks. Since the local Ethernet network basically trusts all traffic within its domain, an infected device on the IOT router (now between the internal router and the public Internet) can manipulate or eavesdrop on any traffic emerging from the internal router. The potential consequences of this flaw are obvious.
The third time really is the charm for Steve! On February 2nd of this year (Episode #545 of Security Now!) Gibson presented us with his third (and hopefully final) foray into the magical land of theory-crafting as it related to securing our home networks against the Internet of Things.
With this iteration Steve moved us from a two-router solution to a three-router solution. The new arrangement involves three fundamental elements – an “external” or “border” router that has one purpose and one purpose ONLY: to move traffic back and forth between the public Internet and the two internal subnets underneath it. The second is an IOT-purposed router, whose uplink (WAN) port is connected to an open LAN port of our border router and which houses all “Smart” / “Internet of Things” / “Internet-Enabled” devices. Devices such as PCs, laptops, phones and network storage devices have NO place inside this segment of the network. The third and last element is the “Secure” or internal router which, in similar fashion to the IOT router, has its uplink port connected to an open LAN port of the border router. Any valuable device (a high-value target to attackers) such as a desktop, laptop or network storage device (a NAS or similar network appliance) is clustered together with the others inside this subnet.
Maintaining three separate purpose-driven subnets affords our network some key protective features unavailable to us with both of our previous configurations.
1. Separation of Ethernet Segments: Compromised devices and/or malicious payloads no longer have the luxury of unfettered access to devices (either upstream or downstream) by exploiting the trusting Ethernet protocol.
2. Damage control: Compromised devices and/or malicious payloads are separated from higher value targets such as PC workstations and network attached storage devices. In the event of a breach, the damage an “expendable” IOT device can cause on the network will be contained and compartmentalized to its local subnet.
Although our proposed variation so far seems very bullet-proof (it is for the most part), we cannot neglect to briefly discuss one outstanding caveat. Even though corralling all of our less secure devices into a single subnet will dramatically improve our overall security, the threat of an already infected device hijacking or exploiting the vulnerabilities of an adjacent device in the same IOT subnet is still a very real possibility. For this reason, I would propose an additional modification to this blueprint (which Steve also briefly alluded to). Whether built in software or (preferably) hardware, a per-IP “virtual LAN pipe” should be constructed on the fly with each new IOT device connection that would allow IP-based communication to only one endpoint – the publicly facing Internet. It’s important to note that a VLAN does not provide the form of security we desire on a wireless interface. Our goal is to draw on the concepts of how a VLAN works, while the implementation will most likely utilize some other method/protocol. In other words, a device would ONLY have the capability to transmit and receive as if it were the only device behind the protection of the NAT. The idea here isn’t to over-engineer a solution (even though it feels very much that way). This is about advancing our networking technology to address the very real threat IOT devices carry with them.
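As an added example (not from the article or from Gibson), the following Python model encodes the two assumptions the reasoning above relies on, that hosts on one Ethernet segment trust each other and that a NAT router forwards new connections only outbound, and applies them to the three layouts discussed. Device names (camera, thermostat, nas) and segment names are constructed for illustration; the isolate_iot flag approximates the per-device “pipe” proposed in the last paragraph.

```python
"""Reachability model for the router layouts discussed above (added example).
Rules: a segment is one Ethernet broadcast domain whose hosts trust each other;
each NAT router joins its LAN segment to one upstream segment; NAT forwards new
connections only outbound (LAN -> WAN)."""
from dataclasses import dataclass, field

INTERNET = "internet"  # sentinel for the public Internet

@dataclass
class Topology:
    uplink: dict    # LAN segment -> segment its router's WAN port is plugged into
    devices: dict   # device name -> segment it sits on (constructed sample names)
    isolated: set = field(default_factory=set)  # segments with per-device isolation

    def path_up(self, segment):
        """Segments a packet from `segment` crosses on its way to the Internet."""
        path = [segment]
        while path[-1] != INTERNET:
            path.append(self.uplink[path[-1]])
        return path

    def can_initiate(self, src, dst):
        """Can `src` open a connection to `dst` (a device name or INTERNET)?"""
        s = self.devices[src]
        d = INTERNET if dst == INTERNET else self.devices[dst]
        if s == d:                   # same segment: Ethernet trust, unless isolated
            return s not in self.isolated
        if s in self.isolated:       # per-device pipe: only the Internet is reachable
            return d == INTERNET
        return d in self.path_up(s)  # NAT lets connections out, never in

    def can_interpose(self, attacker, victim):
        """Does `victim`'s Internet traffic cross a segment `attacker` controls?"""
        a = self.devices[attacker]
        return a not in self.isolated and a in self.path_up(self.devices[victim])

def two_router_iot_inside():  # first layout: IOT router on the border router's LAN
    return Topology(uplink={"border_lan": INTERNET, "iot_lan": "border_lan"},
                    devices={"nas": "border_lan", "camera": "iot_lan"})

def two_router_reversed():  # second layout: secure router on the IOT router's LAN
    return Topology(uplink={"iot_lan": INTERNET, "secure_lan": "iot_lan"},
                    devices={"camera": "iot_lan", "nas": "secure_lan"})

def three_router(isolate_iot=False):  # isolate_iot models the per-device pipe
    topo = Topology(uplink={"border_lan": INTERNET, "iot_lan": "border_lan",
                            "secure_lan": "border_lan"},
                    devices={"camera": "iot_lan", "thermostat": "iot_lan",
                             "nas": "secure_lan"})
    if isolate_iot:
        topo.isolated.add("iot_lan")
    return topo
```

Running the three builders through `can_initiate` and `can_interpose` reproduces the article's three verdicts: the first layout exposes the border LAN to the IOT segment, the second exposes the secure router's traffic to interposition, and the third blocks both while still letting IOT devices attack each other unless `isolate_iot` is set.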
Router Configuration Walk-Through
The IT veterans among us are most likely already well acquainted with the concepts at work in this type of router configuration. In fact, I would wager that most of you could easily purchase and configure a system like this blindfolded. Even though most of us might already understand the concepts and steps involved, there are several benefits all of us can take advantage of. Less experienced readers can get a grasp on some basic networking concepts, while the IT veterans among us can fill in some knowledge gaps (we all have them). As a community we can all fine-tune various aspects of this alternative approach to IOT security and begin implementing this network configuration at home or in the office.
Whether you're a beginner or a Cisco certified professional, we will all learn nuances of this alternative router configuration that we wouldn't have had we not walked through it together.
So, let’s assume we’re sold on the idea that Gibson’s router configuration will answer all of our IOT security woes. We’re going to un-box and configure three identical routers so they adhere to this alternative way of handling “insecure” and “secure” traffic. You can, of course, use three completely different router models. To keep things in the realm of sanity and because it’s much more efficient and easy to manage one unified interface, we will be using the same router model for all three.
For this setup we’ll be using three ASUS RT-N12 “3-In-1” Wireless Routers.
I have to pause a moment and chuckle at the advertising ASUS has come up with on this line of routers. The word “FAST” wasn’t good enough apparently – ASUS had to make an acronym out of it to really drive home the point that “this router be FAST, yo!”
This isn’t a Warranty Notice insert that I should just throw away. People, this is a “VIP Member” warranty notice! I am SO important to ASUS they had to include that specific verbiage just for me!
After unpacking all three units, lay everything out so it emulates the network topology we are creating – as shown below. I would HIGHLY recommend labeling each router to eliminate any confusion as to what that router’s purpose is in your network. Ten months from now, when you hobble back into your server closet or re-approach the tangled rat’s nest of wires we all know you have near your cable modem, you won’t remember why you have three identical routers or what each of them does!