Jun 1st 2017
Know How... 315
Networking 102 - Part 4: 3 Dumb Routers
Before we talk about the 3-Dumb-Router setup, we need to talk about WHY it's important
For many years, we designed networks around a security scheme called "Perimeter Security"
* The good guys are "inside" the walls, and the bad guys are "outside"
* So we designed firewalls to keep the bad guys out while allowing the good guys to access the Internet
-- All outbound traffic was allowed (unless there was a specific policy to forbid it)
-- SOME inbound traffic was allowed (VPNs, port forwarding, etc.)
But Perimeter Security has one HUGE fatal flaw: It assumes that all clients INSIDE are trusted
* You can have a client that is behaving improperly:
-- an authorized user who is accessing resources they shouldn't
-- an client that has been compromised and "pivoted"
* Additionally, since P-secure ASSUMES outbound traffic is legit, it doesn't stop exfiltrations (Sony)
Today, we've moved to "Zone or Segmented Security"
1. We assume that there are compromised clients within the network
2. We assume that authorized clients will try to access network resources they shouldn't have access to
3. We watch our outbound traffic to ensure there is no exfiltration of data
4. We assume we'll have semi-trusted guests on our network
If we assume all these things, then the only EFFECTIVE response is to keep clients separated as much as possible, so that one compromised client doesn't destroy the whole network
If we were running Enterprise gear, we could generate policy that takes a machine's physical characteristics (MAC, TPM, etc.) and a user's login credentials to assign them just the network resources they require to do their job.
** But most of us can't afford that for home... and we couldn't administer/maintain it.
What if we take relatively inexpensive hardware and use it to APPROXIMATE Segmented Security?
What we COULD do it to create multiple networks, each with its own router.
* We could have a central CORE or ROOT router
* Then we have another router BEHIND that CORE/ROOT router for each TYPE of network we need
Steve is right... MOST of us have a few routers in the closet that are past their prime... but we can use them now.
* Best case scenario: they can be upgraded with DD-WRT or OpenWRT
* Most of these older routers aren't being updated by their manufacturers anymore, so we need a distro that IS
We need AT LEAST three:
1. The Core/Root router
- needs to be the most secure, b/c it's feeding the other routers, AND it's the one that's facing the Internet
- doesn't have to be the fastest/most feature-packed. (It only sees the Internet and the other router's WANS)
- Untrusted WiFi (For IoT)
2. The Untrusted network router
- This is where IoT devices and any other highly-pwnable devices will live
- Needs to have it's interface secured from the INSIDE
* If it's going to get attacked, it will most likely get attacked from its LAN side
3. The Trusted Network Router
- This is your NICE router. It's got the features you like.
- This is the network that will house YOU and all your trusted devices
- NAS, my laptops/desktops
** Bottom line: The more you segment, the safer you'll be. HOWEVER... it will also increase the COMPLEXITY of your network
1. Setup of Routers
2. Wiring of Routers
3. Areas for growth
#1 Setting up the Routers
* Basically, all we need to do is to make sure that their subnet ranges are different.
* You can't have both the Trusted and Core routers with the same range, because the clients on the Trusted network can SEE the Core router range (and gateway) -- They wouldn't know which devices they were actually suppose to "talk" to
* You COULD have all the sub-routers have the same range (since they're not communication with each other), but that would be REALLY confusing.
* I prefer to have different /24 ranges so I immediatly know to which network I'm connected.
Under "Basic Setup"
-1 Change Router Name: (Core/Trusted/Untrusted)
-2 Change "Local IP Address" to the first address in the /24 you want to use
-- Core: 192.168.10.1
-- Trusted: 192.168.20.1
-- Untrusted: 192.168.30.1
-3 Change "Local DNS" to your favorite DNS service
-- Google: 220.127.116.11
-- OpenDNS: 18.104.22.168
-1 Turn off Wireless under "Wireless Network Mode" (Definitely on the core --- PERHAPS on the subnetworks)
-1 Disable "Telnet"
-2 Disable "WAN Traffic Coutner"
-1 Disable "Cron" (Linux Scripting)
-2 Disable 802.1x
-4 Reboot Router
Why not add a few more routers?
Why not a "Semi-Trusted" network?
- My mobile devices
- Anything WiFi (that's trusted)
- Game boxes
- Dual-Homed NAS?
- Protected from the untrusted network
- No access to your NAS or internal entertainment devices.
Connect with us!
- Don't forget to check out our large library of projects at https://twit.tv/shows/know-how.
- Join our Google+ Community.
- Tweet at us at @PadreSJ, @Cranky_Hippo, and @Anelf3.
Thanks to CacheFly for the bandwidth for this show.