PFSense Firewall Group purchase interest

    Originally posted by aptalca View Post
    I actually use vlans throughout the house to sandbox networks like the guest network. Vlans allow you to have more than one lan accessible on the same ethernet cable (not just port) by tagging the packets.

    For instance I have 3 access points around the house. Each one broadcasts an additional guest wifi (same ssid on all), which is on a separate vlan and the devices connected to that vlan can't reach devices in the main lan (nas and all).

    Basically I'm using the same access points for both the main wifi as well as the guest, which are on separate lans.
    Golly it's nice to hear the voice of experience.

    One question I have as a result of watching videos. Let's say I take a LAN port and make it be two vlans that go to other routers. My understanding is that you would need a switch to physically plug things together. One of the videos mentioned that you needed a 'smart switch'. I looked on Amazon and they are plentiful and reasonably priced. I have a 15 year old switch which I highly doubt has any smarts. I'm assuming it would not work. Is it correct that you need a 'smart switch'?



      Originally posted by logbuilder View Post
      Golly it's nice to hear the voice of experience.

      One question I have as a result of watching videos. Let's say I take a LAN port and make it be two vlans that go to other routers. My understanding is that you would need a switch to physically plug things together. One of the videos mentioned that you needed a 'smart switch'. I looked on Amazon and they are plentiful and reasonably priced. I have a 15 year old switch which I highly doubt has any smarts. I'm assuming it would not work. Is it correct that you need a 'smart switch'?
      Yes, the correct term is "managed" switch. Those ones usually have a web interface that allows you to define your vlans so the switch knows how to route them properly based on the vlan tags. For instance, you tell the switch that port 1 should only be the vlan1. Port 2 should only be the vlan2 and port 3 can be both. So whenever a packet comes in with the tag vlan2, it will send it to ports 2 and 3. In this scenario, Port 2 would be a dumb device that is meant to be a vlan2 device, they wouldn't even know it themselves (unaware of vlans). Port 3 would be a router or access point that can handle vlan tags and would treat the data differently based on its tag.

      I bought a couple of TP-Link managed switches that handle vlans with ease. 8-port ones were about $33.

      By the way, I saw that you mentioned a router there. Many routers are capable of handling vlans. If your router does, you may not need a separate switch.



        Originally posted by logbuilder View Post
        Golly it's nice to hear the voice of experience.

        One question I have as a result of watching videos. Let's say I take a LAN port and make it be two vlans that go to other routers. My understanding is that you would need a switch to physically plug things together. One of the videos mentioned that you needed a 'smart switch'. I looked on Amazon and they are plentiful and reasonably priced. I have a 15 year old switch which I highly doubt has any smarts. I'm assuming it would not work. Is it correct that you need a 'smart switch'?


        A layer 2 or 3 managed switch with VLAN support is what you need to support more than 1 logical segment per switch port. TP-Link, Netgear, and D-Link offer the consumer end. I like the Cisco SG series and Ubiquiti UniFi lines. Unless you want to be a command line cowboy, make sure your switch has a GUI web interface. Do note there is a bit of a learning curve to vlan segmenting.

        The other option is if you have more than 1 LAN NIC on your firewall, dedicate a separate vlan for each LAN NIC as the primary untagged vlan, and then connect an unmanaged switch to it.


        Sent from my iPhone using Tapatalk



          Here I went to the TP-Link Easy line of switches. These do not have a CLI. TP-Link has software to manage multiple TP-Link Easy switches.

          Purchased first TP-Link 24 port Easy switch years ago because it fit nicely inside of my Leviton Media can and was quiet with no fans. Thinking this one has been running fine now 24/7 since introduction of these switches. Today have three of these running and doing fine.

          Relating to testing PFSense / VLAN stuff, the PFSense forum topic of using these TP-Link Easy switches was brought up. The comparisons and use in a variety of PFSense sandbox testing scenarios were brought up, similar to testing PFSense with the Qotom micro firewalls.
          - Pete

          Auto mator
          Homeseer 3 Pro - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e 64 bit Intel Haswell CPU 16Gb

          HS4 Pro - Ubuntu 22.04 / Lenova Tiny M900 / 32Gb Ram
          HSTouch on Intel tabletop tablets (Jogglers) - Asus AIO - Windows 11

          X10, UPB, Zigbee, ZWave and Wifi MQTT automation-Tasmota-Espurna. OmniPro 2, Russound zoned audio, Alexa, Cheaper RFID, W800 and Home Assistant



            @pete

            Sorry your thread got hijacked. It seems to indicate there are quite a few folks interested in hardening their networks. I looked and could not find a generic network security sub forum. Too bad.

            With the addition of so many IOT devices, being able to control the boundaries is not enough. Now we need to protect the internals too. I bet there are a lot of folks who would feel concerned about their networks if they really thought about it.

            I'm feeling much better about my network security, as well as visibility, and that is a nice feeling.



              Personally like that these issues are being brought up.

              It is good for the Homeseer forum folks to know about this kind of stuff.
              - Pete




                If someone could post an IoT tutorial showing how to segregate the OPT interface via rules (no VLAN) it would be super!



                  Originally posted by Monk View Post
                  If someone could post an IoT tutorial showing how to segregate the OPT interface via rules (no VLAN) it would be super!
                  What I did was block everything and then added rules to allow specific devices access as needed.



                    So, there are a few dangers with network devices that are either compromised or not locked down on your network. The first is related to the root not being locked down. This allows remote code execution. This allows a remote source to execute any code on the IOT device they want to. Remote code execution has few limitations: network scans, spreading malware through file shares, brute force attacks using SSH/telnet, etc. It is a pretty big list.

                    Second is vulnerabilities related to phoning home. For example many IOT cameras have the ability to span routers and create UDP tunnels that allow them to phone home. This would allow the compromised device to contact some root source on the Public Internet for instructions, or to upload whatever it found on your network.

                    Third is patch management. As vulnerabilities are found in software, operating systems, and protocols keeping up to date with current patches reduces your network's vulnerable surface area. Organizations that look for vulnerabilities can become a double edged sword. As white hats outline vulnerabilities black hats can and often do create directed attacks at the un-patched masses.

                    For IOT devices that don't really need Internet access and only minimal access to resources on your LAN, I recommend:

                    ON YOUR FIREWALL
                    A. Segregating your LAN network from your IOT network using 2 separate VLANs and subnets (VLAN 1: 10.10.10.0/24 and VLAN 2: 172.16.1.0/24).
                    B. Build your firewall rules for your IOT network as follows:

                    1. Allow traffic to specific nodes (ex: camera feed from VLAN 2: 172.16.1.0/24 to your NVR's IP address). Extra credit if you filter traffic to the allowed destination and return ports only.

                    2. Disallow all other network traffic from your IOT network (VLAN 2: 172.16.1.0/24) to your LAN network (VLAN 1: 10.10.10.0/24).

                    3. Disallow traffic to or from Public Internet access to or from your IOT network (VLAN 2: 172.16.1.0/24).
                    4. Disallow traffic from your IOT network to your firewall's management interface.

                    5.A. If you have a nicer managed switch pass both VLANS on a trunk port to your managed switch from your firewall.

                    5.B. If you have unmanaged switches you will need two separate LAN NICs, and you can set up two separate OPT ports instead of the VLANs above.

                    ON A MANAGED SWITCH.
                    A. Set up your switch's uplink port as a trunk port and create both VLANs on it. Both VLANs should be configured as tagged traffic.
                    B. You can safely grant your switch an IP address on VLAN 1: 10.10.10.0/24.
                    C. Do not give your switch an IP address on VLAN 2: 172.16.1.0/24.
                    Your downlink ports should be configured to either VLAN 1 or VLAN 2, and be untagged.

                    ON AN UNMANAGED SWITCH.
                    LAN 1 to one switch and that will be for your LAN network.

                    OPT1 to the other switch and that will be for your LAN network.

                    With this method in place you will reduce the surface area of attack between IOT network devices and your network computers, smartphones and tablets. Additionally, you further limit vulnerable surface area by limiting public Internet access to devices on your network.

                    IOT THAT NEED PUBLIC INTERNET ACCESS
                    There are some IOT devices that require access to the Internet (ex: echo). I lucked out here as my echo dot was wifi only. Here, I relegate those devices to my guest network that does not have access to my internal subnet but does have access to the Internet. My wireless AP (Ubiquiti) has a feature called "guest Isolation" which disallows devices on the guest network from communicating with each other.

                    The above configuration at least minimizes the attack surface area between the Internet connected IOT devices and your internal network. It also minimizes the vulnerable surface area between devices on your guest network. It does not address what said IOT device is transmitting when phoning home.

                    I always question the need to provision access to the public Internet to IOT devices. The truth about the cloud is that in reality it is just someone else's servers, ISP, and storage solutions. What is the value add of these devices accessing the big I? The only one I have been able to consciously validate is the software development for voice recognition (Google Home, Amazon Echo, and Apple Siri). I am still leery regarding the security and privacy practices configured in them.

                    The entire IOT industry is still in its infancy and what's more, society at large is already comfortable with losing privacy, or at least oblivious to it.

                    Last edited by Kerat; September 18, 2017, 07:48 PM.

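To make the IOT-interface rule set above concrete, here is an added example (written for this thread, not code from the post or from pfSense) that evaluates the four rules first-match-wins with an implicit default deny, the way pfSense processes an interface's rules, and audits a handful of constructed flows against them. The NVR address 10.10.10.50, the firewall address 10.10.10.1, RTSP on port 554 and a stateful firewall (so return traffic needs no rule of its own) are all assumptions.

```python
import ipaddress

LAN = ipaddress.ip_network("10.10.10.0/24")     # VLAN 1 from the post
IOT = ipaddress.ip_network("172.16.1.0/24")     # VLAN 2 from the post
NVR = ipaddress.ip_address("10.10.10.50")       # assumed NVR address
FW_MGMT = ipaddress.ip_address("10.10.10.1")    # assumed firewall address on VLAN 1
NVR_PORTS = {554}                               # assumed: RTSP only ("extra credit" port filter)

# Rules on the IOT interface as (name, action, predicate on (src, dst, dport)).
# First match wins; anything unmatched hits the implicit default deny.
IOT_RULES = [
    ("1 camera->NVR",   "pass",  lambda s, d, p: d == NVR and p in NVR_PORTS),
    ("4 IOT->fw mgmt",  "block", lambda s, d, p: d == FW_MGMT),
    ("2 IOT->LAN",      "block", lambda s, d, p: d in LAN),
    ("3 IOT->Internet", "block", lambda s, d, p: d.is_global),
]

# Same rules with the LAN block placed first: it shadows the camera allow rule.
MISORDERED = [IOT_RULES[2], IOT_RULES[0], IOT_RULES[1], IOT_RULES[3]]

def evaluate(rules, src, dst, dport):
    """Return (action, rule_name) for a new connection from src to dst:dport on the IOT interface."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in IOT:
        return ("block", "anti-spoof: source not in IOT subnet")
    for name, action, match in rules:
        if match(s, d, dport):
            return (action, name)
    return ("block", "default deny")

def check_policy(rules):
    """Constructed flows with the outcome the post's rules require; returns the flows that fail."""
    expected = [
        ("172.16.1.20", "10.10.10.50", 554, "pass"),    # camera feed to the NVR
        ("172.16.1.20", "10.10.10.50", 22,  "block"),   # NVR, but not an allowed port
        ("172.16.1.20", "10.10.10.1",  443, "block"),   # firewall web GUI
        ("172.16.1.20", "10.10.10.77", 445, "block"),   # a LAN file share
        ("172.16.1.20", "8.8.8.8",     443, "block"),   # phoning home to a public address
    ]
    return [f"{s}->{d}:{p}" for s, d, p, want in expected if evaluate(rules, s, d, p)[0] != want]

if __name__ == "__main__":
    print("correct order failures:", check_policy(IOT_RULES))    # []
    print("misordered failures:  ", check_policy(MISORDERED))    # the camera feed is blocked
```

Running the audit against both orderings shows why rule 1 must sit above rule 2: with the LAN block first, the NVR feed dies silently under the default deny.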


                      Originally posted by Kerat View Post
                      So, there are a few dangers with network devices that are either compromised or not locked down on your network. The first is related to the root not being locked down. This allows remote code execution. This allows a remote source to execute any code on the IOT device they want to. Remote code execution has few limitations: network scans, spreading malware through file shares, brute force attacks using SSH/telnet, etc. It is a pretty big list.



                      This reminds me of something recently in the news. Oh yeah, that small Equifax issue.

                      That's how they got in... default admin password to a piece of equipment.



                        Now that I am reading that I should have noted patching being the third vector for attack. (Editing)


                        Last edited by Kerat; September 18, 2017, 07:50 PM.



                          Originally posted by waynehead99 View Post
                          This reminds me of something recently in the news. Oh yeah, that small Equifax issue.

                          That's how they got in... default admin password to a piece of equipment.

                          Agreed, 1 mistake 145 Million people thrown at the wolves...





                            The entire IOT industry is still in its infancy and what's more, society at large is already comfortable with losing privacy, or at least oblivious to it.

                            Hear, hear!

                            Go slow here (baby steps) now relating to adding the pieces of segregating your home network and security in general.

                            Note that you are doing more than the average home owner connected to the Internet.
                            Last edited by Pete; September 19, 2017, 05:25 AM.
                            - Pete




                              Originally posted by Pete View Post
                              Note that you are doing more than the average home owner connected to the Internet.

                              Agreed, this is more than most people do, but I am starting to think it is becoming a pre-requisite.







                                On a rant....

                                99.9% of small offices (20-50 employees) that I have looked at personally follow no internet security precautions which is sad.

                                Consumer Reports states that much personal ID theft is occurring in hospitals and small and large medical and dental offices.

                                This has happened with much public sector stuff mostly assuming that no one was ever looking.

                                Mostly seen routers left at default settings and databases in a DMZ with full views inside and outside on the Internet.

                                I have seen this come up with installation of software managed in the cloud by companies that know how to install software, clients or databases but have no experience in router / switch management.
                                - Pete

