Monday, August 22, 2016

Re-Purposing VisionNet M505N Modems as Wireless Access Points, Part Five: URL Filtering

The concept of isolating your "Internet of Things" device(s) is quite simple: provide the IoT device with the connection it needs and nothing more, allow nothing else to connect to it, and make sure it connects to nothing other than what it needs. After I set up my IoT Wireless Access Point (for only one device, my Honeywell thermostat), I put a managed Ethernet switch in line to the DMZ interface of my pfSense firewall, mirrored the port that was receiving packets from that WAP, and started "Wireshark" (software that can examine data on the connection).

After just a few minutes there was traffic to two adjacent IP addresses on port 443 (HTTPS; IoT devices will commonly use a port that would not be blocked on an Internet connection). Tracing the IP addresses showed that they were part of "AlarmNet.com", run by Honeywell. I have them shown here as 'Allowed' addresses in the modem's 'URL Filter' (under the 'Security' menu item):


If it were only that easy: allow my thermostat to connect only to those IP addresses, on that port, to "phone home", and nothing else. Therein lies the rub. The default action of a firewall (including pfSense) when it is first installed is to block everything incoming from the Internet and to allow all traffic outbound. I can show the areas where I will try to block everything but what is shown above, but it will be complex. Remember that my "guest" wireless (as well as other potential systems later) is also on my DMZ network.
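As an added example (not from this post or the modem's own software), here is a small Python audit that checks flows captured on the mirrored port against the allow-list the URL filter is meant to enforce: the thermostat may only talk TCP/443 to the two AlarmNet addresses, and anything else it does is reported. The two destination addresses, the thermostat's LAN address and the one-flow-per-line record format are assumed placeholders, since the real values appear only in the screenshot.

```python
import ipaddress
from dataclasses import dataclass

# Assumed placeholders: the real AlarmNet addresses are only in the screenshot,
# so two adjacent TEST-NET-1 addresses stand in for them here.
ALLOWED_DESTINATIONS = {
    ipaddress.ip_address("192.0.2.10"),
    ipaddress.ip_address("192.0.2.11"),
}
ALLOWED_PORT = 443
THERMOSTAT_IP = ipaddress.ip_address("10.0.0.50")  # assumed address of the IoT device


@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one 'src dst proto dport' record (assumed export format from the capture)."""
    src, dst, proto, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.upper(), int(dport))


def is_allowed(flow: Flow) -> bool:
    """Default-deny for the thermostat: only TCP/443 to the two allowed addresses passes."""
    return (flow.proto == "TCP"
            and flow.dport == ALLOWED_PORT
            and flow.dst in ALLOWED_DESTINATIONS)


def audit(lines):
    """Return the thermostat's flows that fall outside the allow-list (empty means it stayed in bounds)."""
    flows = (parse_flow(l) for l in lines if l.strip())
    return [f for f in flows if f.src == THERMOSTAT_IP and not is_allowed(f)]


# Constructed sample capture: two legitimate check-ins, then an HTTP attempt,
# an NTP lookup, and a flow from a different DMZ host (out of scope for this check).
SAMPLE_CAPTURE = """
10.0.0.50 192.0.2.10 tcp 443
10.0.0.50 192.0.2.11 tcp 443
10.0.0.50 192.0.2.10 tcp 80
10.0.0.50 198.51.100.7 udp 123
10.0.0.51 198.51.100.9 tcp 443
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CAPTURE.splitlines()):
        print(f"outside allow-list: {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

Any line the audit reports is either a flow the firewall rule set still has to block (because outbound is allowed by default) or a destination that belongs on the modem's allowed list after you have confirmed what it is.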

The IoT WAP does use the PPPoE authentication method shown in Part One to get a specific IP address on my pfSense firewall, where it can be better filtered, but I also want to have entries on the modem itself to offload that work as much as possible. For the moment I also want to describe how 'URL Filtering' will be used for your guest wireless. Of course, it will be in contrast to the method shown above, with specific URL addresses 'Blocked' instead of allowed.

We're back to an entry I had back in April on guest wireless security, which included many of the same steps I have done in this multi-part series. It's not through yet; there will likely be additional entries on IP addressing, MAC addresses, and ports. I'm not going to provide a list of URLs you should block for your guest network (URL filtering, and the 'Outbound IP Filtering' covered next, also apply to the wired LAN ports of the modem in addition to the wireless), but you can probably think of a few yourself. Stay tuned, there is more to come!
