Tuesday, April 5, 2016

"Internet of Things" Isolated Networks, aka "Three Dumb Routers"

Tonight I moved my Honeywell "IoT" ("Internet of Things": the term for the many household devices that are now Internet-enabled) thermostat from my main wireless LAN (Local Area Network) to my "guest" wireless network. This proactive measure comes from a concept of renowned security expert Steve Gibson called "Three Dumb Routers". In brief, a security flaw in a small Internet-enabled device could allow an attacker who compromises it to use it as a pivot point for attacking the rest of your network; keeping such devices on their own isolated network means a compromise stays confined to that network.

Here is the original episode Steve Gibson did on his Security Now show with Leo Laporte of TWiT (This Week in Tech). Leo and Steve discuss politics at first, but the relevant section comes up at the hour mark. Steve does say up front that firewalls like pfSense (which I run) can handle this problem more elegantly than his solution of wiring three consumer routers together, one facing the Internet with the trusted network and the untrusted "IoT" network each behind its own router. (Steve also elaborates on his "sleep formula".)

In a set of later articles I intend to expand on my pfSense configuration. For this discussion, the relevant piece is that I run an open wireless network for guests in my "DMZ" (DeMilitarized Zone), isolated from my main network. Beyond keeping untrusted devices off the protected network, there is a secondary goal of providing a sacrificial connection to the Internet: someone "war-driving" who just wants Internet access will be satisfied with an open network that costs them no effort, rather than bother attacking my main wireless network.

The "guest" wireless is also rate-limited through my firewall (1.5 Mbit/sec) and blocked from reaching specific external equipment through my Internet connection. If my thermostat required a direct connection from systems on my main network to read and program it, this arrangement would not be viable. Instead it "phones home" periodically, reporting the temperature and settings to a Honeywell server, and the Honeywell app on my smartphone retrieves the information from Honeywell's systems, so nothing on my main network ever needs to talk to the thermostat directly.
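The policy in the two paragraphs above (a guest/DMZ network that can reach only the Internet, a 1.5 Mbit/s cap, and a block list of external hosts) is something pfSense builds from its GUI. As an added example, and not the pfSense configuration this post describes (which later articles will cover), here is the same policy written by hand as a pf.conf ruleset using pf's ALTQ scheduler, which pfSense runs underneath. Interface names, subnets, the link speed and the denied external addresses are assumed placeholders.

```pf
# Added example: hand-written pf.conf equivalent of the guest/DMZ policy.
# Interface names, subnets, link speed and denied hosts are ASSUMED placeholders.
ext_if   = "em0"                  # WAN, toward the Internet
lan_if   = "em1"                  # trusted main LAN
guest_if = "em2"                  # wired port feeding the open "guest"/DMZ access point
lan_net   = "192.168.1.0/24"
guest_net = "192.168.50.0/24"

# All private address space: the guest network must never reach any of it
# (that covers the main LAN and the firewall's own management addresses).
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
# Assumed: specific external equipment the guest network may not contact.
table <guest_denied_external> const { 203.0.113.10, 198.51.100.0/24 }

set skip on lo0

# 1.5 Mbit/s cap for guest traffic using the ALTQ CBQ scheduler.
# ALTQ shapes packets as they LEAVE an interface, so the same queue name is
# defined on the WAN side (guest uploads) and on the guest side (guest downloads).
altq on $ext_if   cbq bandwidth 20Mb queue { q_default, q_guest }
queue q_default on $ext_if   bandwidth 18.5Mb cbq(default borrow)
queue q_guest   on $ext_if   bandwidth 1.5Mb

altq on $guest_if cbq bandwidth 20Mb queue { q_default, q_guest }
queue q_default on $guest_if bandwidth 18.5Mb cbq(default borrow)
queue q_guest   on $guest_if bandwidth 1.5Mb

nat on $ext_if from { $lan_net, $guest_net } to any -> ($ext_if)

# Default deny, logged, for every interface and direction.
block log all

# --- Guest / DMZ interface ("quick" rules are first-match, so order matters) ---
# 1. The only firewall services guests may use: DHCP and DNS from the firewall.
pass in quick on $guest_if inet proto udp from any port 68 to any port 67
pass in quick on $guest_if inet proto { tcp, udp } from $guest_net to ($guest_if) port 53
# 2. Anything else aimed at private space or the denied external hosts is dropped.
block in log quick on $guest_if from $guest_net to <rfc1918>
block in log quick on $guest_if from $guest_net to <guest_denied_external>
# 3. What remains is Internet-bound: allow it, stateful, in the 1.5 Mbit/s queue.
#    The state carries the queue name, so replies back to the guest are shaped too.
pass in quick on $guest_if from $guest_net to any keep state queue q_guest

# --- Main LAN: unrestricted outbound; nothing enters it except replies to its own states ---
pass in quick on $lan_if from $lan_net to any keep state
pass out quick on $ext_if keep state
```

Two details a practitioner checks here: the DHCP and DNS passes must sit before the RFC 1918 block, because the firewall's guest-side address is itself private and pf stops at the first matching quick rule; and the queue has to exist on both interfaces, because ALTQ only shapes traffic leaving an interface (uploads leave on the WAN, downloads leave on the guest port). Syntax-check with pfctl -nf /etc/pf.conf before loading, and note that some wireless drivers do not support ALTQ, which is why the example shapes on a wired port feeding the access point.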

That makes it an easy candidate for this kind of isolation. I was helped immensely by Tom Hesley's pages, where he documents how to change the wireless settings for the exact model I have. No "IoT" attacks on my main network for me. The Honeywell service even notifies me if the thermostat has not checked in (meaning the Internet connection could be down; I have other monitoring on my main network anyway).

Having a pfSense firewall as protection is a dream (the software itself is open-source and free, but the organization behind it also sells complete appliances and support). In later articles I will walk through the hardest part, the initial rule creation; the actual installation is easy, but I will cover that too. Please stay tuned!

