Secure home network: create an isolated segment for guests

Today almost every apartment has a home network connecting desktop computers, laptops, network-attached storage (NAS), media players, smart TVs, as well as smartphones, tablets and other wearable devices. It uses wired (Ethernet) or wireless (Wi-Fi) connections and the TCP/IP protocols. With the development of Internet of Things technologies, household appliances (refrigerators, coffee makers, air conditioners, and even wiring accessories) have joined the network. Thanks to Smart Home solutions we can control the brightness of the lighting, adjust the indoor climate remotely, and turn various devices on and off. This makes life easier, but it can also create serious problems for the owner of such advanced solutions.

Unfortunately, the developers of such devices are not yet sufficiently concerned about the security of their products, and the number of vulnerabilities found in them grows like mushrooms after rain. It often happens that a device stops being supported soon after it reaches the market: our TV, for example, runs firmware from 2016 based on Android 4, and the manufacturer is not going to update it. Guests add to the problems: it is awkward to refuse them Wi-Fi access, but I would not want to let just anyone into my cozy home network either. Who knows what malware may have settled on other people's phones? All this leads us to the need to divide the home network into several isolated segments. Let's try to figure out how to do this, as they say, with little blood and at the lowest financial cost.

Isolating Wi-Fi Networks
In corporate networks the problem is solved simply: there are managed switches with support for virtual local area networks (VLANs), a variety of routers, firewalls and wireless access points, and the required number of isolated segments can be built in a couple of hours. Using a Traffic Inspector Next Generation (TING) device, for example, the task is solved in a few clicks: plug the switch of the guest segment into a separate Ethernet port and create the firewall rules. For the home this option is unsuitable because of the cost of the equipment; most often we have a single device controlling the network that combines the functions of router, switch, wireless access point and God knows what else.



Fortunately, modern household routers (though it is more correct to call them Internet centers) have also become very smart, and almost all of them, except perhaps the very cheapest, can create an isolated guest Wi-Fi network. How reliable that isolation really is, is a question for a separate article; today we will not investigate the firmware of household devices from different manufacturers. Take the ZyXEL Keenetic Extra II as an example. This line is now simply called Keenetic, but the device that came into our hands was released under the ZyXEL brand.



Setting it up through the web interface will not be difficult even for beginners: a few clicks, and we have a separate wireless network with its own SSID, WPA2 protection and access password. You can let guests into it, and also put in it TVs and players whose firmware has not been updated for a long time, or other clients you do not particularly trust. In most devices of other manufacturers this function, we repeat, is also present and is enabled in the same way. This is how the task is solved in D-Link router firmware, for example, using the setup wizard.


[Screenshot from the manufacturer's website]

You can add a guest network when the device is already configured and working.

[Screenshot from the manufacturer's website]

[Screenshot from the manufacturer's website]

As you can see, everything is quite simple; now let's move on to more subtle matters.

Isolating Ethernet Networks
Besides clients connecting to the wireless network, we may also encounter devices with a wired interface. Connoisseurs will say that so-called VLANs, virtual local area networks, are used to create isolated Ethernet segments. Some home routers support this functionality, but here the task becomes more complicated: we want not just a separate segment, but to combine the ports for wired connections with the guest wireless network on a single router. Not every household device is up to this: a quick survey shows that, besides Keenetic Internet centers, MikroTik models can add Ethernet ports to the guest Wi-Fi network, but setting them up is not so obvious. If we talk about domestic routers of comparable price,





As you can see, our subject coped with the task easily, and here it is worth paying attention to another interesting function: you can also isolate the wireless clients of the guest network from each other. This is very useful: your friend's malware-infected smartphone will get online, but it will not be able to attack other devices even within the guest network. If your router has a similar function, you should definitely enable it, although it does limit client interaction; for example, your TV and media player will not be able to talk to each other over Wi-Fi, and you will have to use a wired connection. At this point our home network looks considerably more secure.
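The article leaves the reliability of the router's isolation for a separate piece, but you can at least confirm it from the guest side. The following script is an added example, not code from the article or from any router vendor: run it from a laptop attached to the guest Wi-Fi (or to an Ethernet port you have placed in the guest segment) and it attempts a TCP handshake to a few hosts on the trusted LAN. The addresses and ports in HOME_LAN_TARGETS are constructed assumptions (trusted LAN 192.168.1.0/24, router at .1, a NAS and a TV); replace them with your own addressing plan. The essential point is in classify_error: only a "connection refused" (a TCP RST from the host itself) proves the guest segment can reach the trusted one; a timeout or an ICMP "unreachable" is what working isolation should produce.

```python
"""Probe, from the guest segment, whether hosts on the trusted LAN answer.

Added example for this article (not the article's or a vendor's code).
Run it on a device connected to the guest Wi-Fi or to an Ethernet port
that has been placed in the guest segment.
"""
import errno
import socket
from dataclasses import dataclass

OPEN, REFUSED, UNREACHABLE = "open", "refused", "unreachable"


@dataclass(frozen=True)
class Target:
    name: str
    host: str
    port: int


# Constructed sample targets (assumption: the trusted LAN is 192.168.1.0/24
# and the router answers on .1).  Replace with your own addressing plan.
HOME_LAN_TARGETS = (
    Target("router admin UI", "192.168.1.1", 80),
    Target("NAS (SMB)", "192.168.1.10", 445),
    Target("smart TV (DLNA)", "192.168.1.20", 8080),
)
# Something outside the home that a guest *should* still reach; if this
# fails as well, the guest network is broken rather than isolated.
INTERNET_TARGETS = (Target("public HTTPS", "example.com", 443),)


def classify_error(err: OSError) -> str:
    """Turn a failed connect() into a verdict.

    A refusal (TCP RST) proves the target host received our packet, so the
    segments are NOT isolated at layer 3.  Timeouts, ICMP unreachables and
    failed name lookups all mean nothing on the trusted side answered.
    """
    if isinstance(err, ConnectionRefusedError) or err.errno == errno.ECONNREFUSED:
        return REFUSED
    return UNREACHABLE


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Attempt one TCP handshake and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return OPEN
    except OSError as err:  # socket.timeout and socket.gaierror are OSErrors
        return classify_error(err)


def check_isolation(lan_targets, internet_targets=(), timeout=2.0):
    """Probe every target and report.

    Returns a dict: 'isolated' is True only when no trusted-LAN target gave
    any answer; 'violations' lists the LAN targets that did; 'results' holds
    (name, host:port, verdict) for every probe, internet targets included.
    """
    results, violations = [], []
    for t in lan_targets:
        verdict = probe(t.host, t.port, timeout)
        results.append((t.name, f"{t.host}:{t.port}", verdict))
        if verdict != UNREACHABLE:
            violations.append(t)
    for t in internet_targets:
        results.append((t.name, f"{t.host}:{t.port}", probe(t.host, t.port, timeout)))
    return {"isolated": not violations, "violations": violations, "results": results}


if __name__ == "__main__":
    report = check_isolation(HOME_LAN_TARGETS, INTERNET_TARGETS)
    for name, addr, verdict in report["results"]:
        print(f"{verdict:12} {addr:22} {name}")
    print("guest segment isolated from trusted LAN:", report["isolated"])
```

The script checks only one direction and only layer 3/4 reachability; run it a second time from a trusted-LAN machine toward a guest client's address to confirm the reverse direction is blocked too, and, once the client-isolation option described above is enabled, two devices on the guest Wi-Fi should report each other as unreachable in the same way.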



What is the result?
The number of security threats grows year on year, and manufacturers of smart devices do not always pay enough attention to releasing updates in time. In this situation there is only one way out: separate the clients of the home network and create isolated segments for them. You do not need to buy equipment for tens of thousands of rubles for this; a relatively inexpensive household Internet center can handle the task. Here I would like to warn readers against buying devices of budget brands. Almost all manufacturers now use more or less the same hardware, but the quality of the embedded software differs greatly, as does the length of the support cycle for released models. Even the fairly simple task of combining a wired and a wireless network in one isolated segment is beyond some household routers, and you may have more complex ones. Sometimes you need to configure additional segments, or DNS filtering so that only secure hosts can be reached; in large rooms you have to connect Wi-Fi clients to the guest network through external access points, and so on. Besides security there are other problems: in public networks, clients must be registered in accordance with the requirements of Federal Law No. 97 "On Information, Information Technologies and Information Protection". Inexpensive devices are capable of solving such problems, but by no means all of them; the functionality of their built-in software, again, varies greatly.
