So it’s been a minute… like 21 days since the last post, and in that post I mentioned some rather large changes that were temporarily on hold until the whole Covid-19 thing cleared up. Well, things with the Covid cloud are finally at a point of clearing up where I feel comfortable talking about what has been going on since the end of February. Settle in, this is going to be a longer post than usual from me.
So a while ago I had a general unease about my home network setup. I’m pretty typical in that I run a private network behind a cable modem that has a single public-facing, internet-routable IP. In addition to this I also typically use some sort of Dynamic DNS (DDNS) system to give my home connection a name I have an actual shot at remembering.
If anyone is curious, I really like DYN-DNS; they seem to have the best balance of features, reliability and price for what I’m looking for. I’ve also had really good luck with the DDNS redirector included in my Synology RT-2600AC router, particularly around the use of Let’s Encrypt for an SSL cert.
OK, with all that in mind, I was forever getting a million hits on my external IP from places all over the world. This is totally normal; that’s what we call a botnet looking for unsecured devices that are open to the internet. And this is where I started having some pain and consternation: I have a fair number of IoT devices and they live in the same LAN address space as my Macs and PC. I’ve run my Macs with drive encryption turned on for a couple of years now; the PC doesn’t have that option (stupid Win10 Home). The PC doesn’t leave the house and I don’t keep any of my cloud documents (iCloud and OneDrive) on the PC unless I’m actively working on them. For the PC I’m OK with the risk window of someone stealing it and getting my spreadsheets on what bad movies I watched.
The other side of the coin was my true IoT devices, where I couldn’t log into the devices at all at a command-line level. Think things like any of your smart thermostats, smoke detectors, door locks, TVs, speakers, and gaming consoles. All of which I had in my house and still do for the most part. So it became less a matter of if and more a matter of WHEN one of those devices would be compromised.
OK, but who cares if someone hacks your thermostat? Well, I do, since I pay the power bill. More importantly though, once you have a compromised device on the network that is a foothold, and much like cancer, once it’s in there it’s a real pain in the ass to do anything other than just cut the whole damn thing out. Especially when you start talking about higher-CPU devices like an Xbox One or a PlayStation 4 that have x86 chips running branches of commercial operating systems. It doesn’t take much to get tcpdump running in memory, writing to a “/tmp” partition, and then exfiltrate that network data out for analysis. Do I sound paranoid… I sure do… why? Because given enough time and automation everything is breachable.
OK, so let’s talk risk mitigation (i.e. how much pain and misery am I willing to put up with to secure my home network?)
- Remove the IoT devices and get a printer from 2004
- Nope, not happening. Some I can get rid of (I’m looking at you, thermostat and smoke detectors) but others I’m not willing to give up (looks longingly at Xbox and smart door lock).
- Block outbound connections except for internal IPs from your computers and trusted devices.
- Nope, I bought these things for remote management of my house… if I do that I still have to poke so many holes in a firewall I may as well just not bother.
- Buy a second router, put all of the IoT stuff on there, and give it a second address space that can’t be accessed by the “secure” side.
- Hey, that’s not a half-bad idea… I don’t think I want to deal with another router, but I can do a network firewall.
OK, so a network firewall: one side has the IoT stuff, the other side has my secure stuff.
So have you ever tried to look for a consumer-grade network router with the capability of doing a firewall between two sets of devices? No? You should… it was frustration in abundance for most of 2019. I did find a number of roll-your-own solutions using pfSense; however, those presented the problem of being more admin than I cared to put into the whole endeavor, and while rolling your own may be fine for certain folks (and I certainly should be one of them), this is one device where I want to know that my configuration is solid. So I kept an eye out and found a couple of solutions that were close but not quite there.
Flash forward to this month and I finally pulled the trigger on a UniFi Dream Machine from Ubiquiti Networks. Is it overkill for what I am doing? Yup, sure is… do I regret it? No, I do not.
It met my requirements of having a network firewall in place between the IoT side and the “secure” side of my network, along with the ability to run multiple SSIDs and VLANs, which, while they tend to be high maintenance to set up, don’t require much care and feeding once they are stable. In the course of my research it was brought up on multiple occasions by multiple sources that doing this kind of setup would limit functionality between devices on the secure side and devices on the IoT side. I was very OK with this, as the only things I was really concerned about were that my Sonos speakers and Apple TV work.
- For the Sonos speakers I found a really excellent walkthrough from a gentleman who went through the whole firewall rule setup and port opening for the Sonos speakers over here
- As a side effect of the first rule in the firewall allowing traffic from Secure to IoT but not back, all of my Apple stuff sees my Apple TV no problem.
In practice the biggest difference I have seen is that when bringing up the Sonos app on my phone, it takes about 10 seconds to hook up with the speakers, whereas before it was sub 2… that is a penalty I’m willing to deal with. The biggest problem I have run into is having to manually enter the IP addresses of my Roku TVs to control them remotely, because I block discovery advertisements from the IoT VLAN to the Secure VLAN.
And finally, because I like logs and apparently network administration, I put two 8-port UniFi network switches on my network as well, not only to have as many things running wired as I can, but also to be able to manage the switches or devices if needed. I’ve been running the setup for a week now, and after the initial setup of an hour or so (creating accounts, updating firmware and devices, and getting familiar with the system) I spent probably 10 hours actually configuring VLANs and firewall rules, and only that much time because I did it a couple of times from a couple of different sources before I found the walkthrough that worked for me mentioned above.
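To make the rule ordering above concrete, here is a small Python model of a stateful inter-VLAN policy, added as an illustration for this post; it is not code from the post, from the Sonos walkthrough, or from Ubiquiti. The subnets, the Roku discovery port and the single “walkthrough exception” port are constructed placeholders, not real values from any device.

```python
"""Toy model of a Secure/IoT inter-VLAN firewall (constructed example)."""
import ipaddress
from dataclasses import dataclass

SECURE = ipaddress.ip_network("10.0.10.0/24")  # assumed Secure VLAN subnet
IOT = ipaddress.ip_network("10.0.20.0/24")     # assumed IoT VLAN subnet

# Explicit IoT -> Secure exceptions, such as the ports a walkthrough would open
# for speakers. PLACEHOLDER value, not a real Sonos port list.
IOT_TO_SECURE_ALLOW = {("tcp", 9999)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    sport: int


class Firewall:
    def __init__(self):
        # Flows first seen leaving Secure toward IoT; their replies are ESTABLISHED.
        self.conntrack = set()

    @staticmethod
    def vlan(ip):
        addr = ipaddress.ip_address(ip)
        if addr in SECURE:
            return "secure"
        if addr in IOT:
            return "iot"
        return "other"

    def evaluate(self, p):
        src_vlan, dst_vlan = self.vlan(p.src), self.vlan(p.dst)
        if src_vlan == "secure" and dst_vlan == "iot":
            # Rule 1: Secure -> IoT is allowed; remember the flow for the return path.
            self.conntrack.add((p.dst, p.dport, p.src, p.sport, p.proto))
            return "ACCEPT"
        if src_vlan == "iot" and dst_vlan == "secure":
            if (p.src, p.sport, p.dst, p.dport, p.proto) in self.conntrack:
                return "ACCEPT"  # Rule 2: reply to a Secure-initiated flow
            if (p.proto, p.dport) in IOT_TO_SECURE_ALLOW:
                return "ACCEPT"  # Rule 3: explicit walkthrough exception
            return "DROP"  # Rule 4: unsolicited IoT -> Secure (e.g. Roku discovery)
        return "ACCEPT"  # traffic inside one VLAN never hits the inter-VLAN rules
```

The Apple TV case works because its reply matches a flow the phone opened first, while a Roku advertising itself toward the Secure VLAN is unsolicited and lands on the final DROP, which is why those IPs have to be typed in by hand.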
So yeah I had a pretty eventful thing there….
Also I quit my job in Phoenix, sold my house, lived with my parents for two weeks, moved to Colorado, and start a new job in a few days. Don’t worry I still do IT stuff at a hospital.