Today, almost every apartment has a home network that connects desktops, laptops, data storage (NAS), media players, smart TVs, as well as smartphones, tablets and other wearable devices. They connect over wired (Ethernet) or wireless (Wi-Fi) links and use TCP/IP protocols. With the development of Internet of Things technology, home appliances (refrigerators, coffee makers, air conditioners, and even wiring accessories) have gone online. Thanks to Smart Home solutions, we can control the brightness of the lighting, remotely adjust the indoor climate, and turn various devices on and off. This makes life a lot easier, but it can create serious problems for the owner of such advanced solutions.
Unfortunately, the developers of such devices are not yet sufficiently concerned about the security of their products, and the number of vulnerabilities found in them is growing like mushrooms after rain. There are cases where a device is no longer supported after entering the market: for example, our TV has 2016 firmware on Android 4 and the manufacturer is not going to update it. Guests add problems too: it's inconvenient to deny them access to Wi-Fi, but I wouldn't want to let just anyone into my cozy network either. Who knows what viruses may have settled in other people's mobile phones? All this leads us to the need to divide the home network into several isolated segments. Let's try to figure out how to do it with minimal effort and at the lowest financial cost.
We isolate Wi-Fi networks
In corporate networks, the problem is solved simply: there are managed switches with virtual local area network (VLAN) support, a variety of routers, firewalls and wireless access points, so you can build the required number of isolated segments in a couple of hours. With the Traffic Inspector Next Generation (TING) device, for example, the problem is solved in just a few clicks: it is enough to connect the switch of the guest network segment to a separate Ethernet port and create firewall rules. For the home, this option is not suitable because of the high cost of the equipment; most often the network is controlled by one device that combines the functions of a router, a switch, a wireless access point and God knows what else.

Fortunately, modern household routers (although it would be more correct to call them Internet centers) have also become very smart, and almost all of them, except perhaps the very cheapest, can create an isolated guest Wi-Fi network. How reliable this isolation is would be a matter for a separate article; today we will not explore the firmware of consumer devices from different manufacturers. As an example, take the ZyXEL Keenetic Extra II. This line is now known simply as Keenetic, but the device that came into our hands was released under the ZyXEL brand.

Setting up via the web interface will not cause difficulties even for beginners: a few clicks, and we have a separate wireless network with its own SSID, WPA2 protection and an access password. You can let guests into it, and also connect TVs and players with long-outdated firmware or other clients that you don't trust. Most devices from other manufacturers also have this function, and it is enabled in the same way. For example, in the firmware of D-Link routers the problem is solved using the setup wizard.
Screenshot from the manufacturer's website
You can add a guest network when the device is already configured and working.
Screenshot from the manufacturer's website
Screenshot from the manufacturer's website
As you can see, everything is quite simple. Next we turn to more subtle matters.
We isolate Ethernet networks
In addition to clients connecting to the wireless network, we may have devices with a wired interface. Connoisseurs will say that so-called VLANs (virtual local area networks) are used to create isolated Ethernet segments. Some home routers support this functionality, but here the task is more complicated. We don't just want a separate segment: we need to combine the ports for a wired connection with the wireless guest network on a single router. Not every consumer device can do that. A superficial analysis shows that, besides Keenetic Internet centers, MikroTik models can also add Ethernet ports to the guest segment along with the Wi-Fi network, but their configuration process is not so obvious. Among household routers of comparable price, only Keenetic can solve the problem in a couple of clicks in the web interface.


As you can see, the test subject easily coped with the problem, and here you should pay attention to another interesting function: you can also isolate the wireless clients of the guest network from each other. This is very useful: your buddy's malware-infected device will get online, but it will not be able to attack other devices, even on the guest network. If your router has a similar function, you should definitely enable it, although this will limit how clients can interact with each other. For example, you won't be able to pair with a media player via Wi-Fi and will have to use a wired connection. At this stage, our home network looks more secure.
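To confirm that the guest segment really is cut off from the home segment, a check like the following can be run from a device connected to the guest Wi-Fi or to a guest Ethernet port. It is an added example, not part of the original article or any vendor's tooling; the addresses and ports in `HOME_TARGETS` are constructed placeholders for devices on your own home segment.

```python
import socket

# Constructed sample targets: (host, port) of devices in the trusted home
# segment. These values are assumptions; replace them with your own.
HOME_TARGETS = [("192.168.1.10", 445), ("192.168.1.20", 80), ("192.168.1.1", 22)]


def probe(host, port, timeout=2.0, connect=socket.create_connection):
    """Classify one TCP connection attempt made from a guest-segment client.

    open     - handshake completed: guest traffic reached the home device.
    refused  - a reset came back: either the host was reached or the router
               rejects with a TCP reset, so this is not proof of isolation.
    filtered - no answer or an unreachable error: consistent with isolation.
    """
    try:
        conn = connect((host, port), timeout)
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # covers timeouts and host/network unreachable
        return "filtered"
    conn.close()
    return "open"


def check_isolation(targets, **kwargs):
    """Probe every target and return (verdict, per-target results)."""
    results = {(h, p): probe(h, p, **kwargs) for h, p in targets}
    states = set(results.values())
    if "open" in states:
        verdict = "FAIL"          # at least one home service is reachable
    elif "refused" in states:
        verdict = "INCONCLUSIVE"  # something answered; check the router rules
    else:
        verdict = "PASS"          # nothing answered from the home segment
    return verdict, results


if __name__ == "__main__":
    verdict, results = check_isolation(HOME_TARGETS)
    for (host, port), state in sorted(results.items()):
        print(f"{host}:{port:<5} {state}")
    print("guest isolation:", verdict)
```

Running the same check against another guest client's address shows whether client-to-client isolation inside the guest network is in effect.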
What is the result?
The number of security threats is growing year by year, and manufacturers of smart devices do not always pay enough attention to the timely release of updates. In this situation, we have only one way out: separating the clients of the home network and creating isolated segments for them. To do this, you do not need to buy equipment for tens of thousands of rubles; a relatively inexpensive household Internet center can handle the task. Here I would like to warn readers against buying devices from budget brands. The hardware is now more or less the same across almost all manufacturers, but the quality of the embedded software differs greatly, as does the length of the support cycle for released models. Not every household router can cope even with the fairly simple task of combining a wired and a wireless network in one isolated segment, and your tasks may be more complicated. Sometimes it is necessary to configure additional segments or DNS filtering to allow access only to secure hosts; in large premises you have to connect Wi-Fi clients to the guest network via external access points, and so on. In addition to security issues, there are other problems: in public networks, it is necessary to ensure customer registration in accordance with the requirements of Federal Law No. 97 “On Information, Information Technologies and Information Protection”. Inexpensive devices are able to solve such problems, but not all of them: the functionality of their built-in software, we repeat, differs greatly.