Know How...

Jun 1st 2017

Know How... 315

Networking 102 - Part 4: 3 Dumb Routers

What if we take relatively inexpensive hardware and use it to APPROXIMATE Segmented Security?
New episodes every Thursday at 2:00pm Eastern / 11:00am Pacific / 19:00 UTC.
Category: Help & How To

Before we talk about the 3-Dumb-Router setup, we need to talk about WHY it's important

For many years, we designed networks around a security scheme called "Perimeter Security" 
* The good guys are "inside" the walls, and the bad guys are "outside"
* So we designed firewalls to keep the bad guys out while allowing the good guys to access the Internet
  -- All outbound traffic was allowed (unless there was a specific policy to forbid it)
  -- SOME inbound traffic was allowed (VPNs, port forwarding, etc.)

But Perimeter Security has one HUGE fatal flaw: It assumes that all clients INSIDE are trusted
* You can have a client that is behaving improperly:
  -- an authorized user who is accessing resources they shouldn't
  -- an client that has been compromised and "pivoted"
* Additionally, since P-secure ASSUMES outbound traffic is legit, it doesn't stop exfiltrations (Sony)

Today, we've moved to "Zone or Segmented Security"
1. We assume that there are compromised clients within the network
2. We assume that authorized clients will try to access network resources they shouldn't have access to
3. We watch our outbound traffic to ensure there is no exfiltration of data
4. We assume we'll have semi-trusted guests on our network

If we assume all these things, then the only EFFECTIVE response is to keep clients separated as much as possible, so that one compromised client doesn't destroy the whole network


If we were running Enterprise gear, we could generate policy that takes a machine's physical characteristics (MAC, TPM, etc.) and a user's login credentials to assign them just the network resources they require to do their job.
** But most of us can't afford that for home... and we couldn't administer/maintain it.

So...
What if we take relatively inexpensive hardware and use it to APPROXIMATE Segmented Security?

What we COULD do it to create multiple networks, each with its own router.
* We could have a central CORE or ROOT router
* Then we have another router BEHIND that CORE/ROOT router for each TYPE of network we need

Router Prep

Steve is right... MOST of us have a few routers in the closet that are past their prime... but we can use them now.
* Best case scenario: they can be upgraded with DD-WRT or OpenWRT
* Most of these older routers aren't being updated by their manufacturers anymore, so we need a distro that IS

We need AT LEAST three:
1. The Core/Root router 
    - needs to be the most secure, b/c it's feeding the other routers, AND it's the one that's facing the Internet 
    - doesn't have to be the fastest/most feature-packed. (It only sees the Internet and the other router's WANS)
    - Untrusted WiFi (For IoT)

2. The Untrusted network router
   - This is where IoT devices and any other highly-pwnable devices will live
   - Needs to have it's interface secured from the INSIDE
     * If it's going to get attacked, it will most likely get attacked from its LAN side

3. The Trusted Network Router
   - This is your NICE router. It's got the features you like.
   - This is the network that will house YOU and all your trusted devices
   - NAS, my laptops/desktops

** Bottom line: The more you segment, the safer you'll be. HOWEVER... it will also increase the COMPLEXITY of your network

3DR Setup

Demo Agenda
1. Setup of Routers
2. Wiring of Routers
3. Areas for growth

#1 Setting up the Routers
* Basically, all we need to do is to make sure that their subnet ranges are different.
* You can't have both the Trusted and Core routers with the same range, because the clients on the Trusted network can SEE the Core router range (and gateway) -- They wouldn't know which devices they were actually suppose to "talk" to
* You COULD have all the sub-routers have the same range (since they're not communication with each other), but that would be REALLY confusing. 
* I prefer to have different /24 ranges so I immediatly know to which network I'm connected.

 

Under "Basic Setup"
-1 Change Router Name: (Core/Trusted/Untrusted)
-2 Change "Local IP Address" to the first address in the /24 you want to use
  -- Core: 192.168.10.1
  -- Trusted: 192.168.20.1
  -- Untrusted: 192.168.30.1
-3 Change "Local DNS" to your favorite DNS service
  -- Google: 8.8.8.8
  -- OpenDNS: 208.67.220.220
-4 Save

Under "Wireless"
-1 Turn off Wireless under "Wireless Network Mode" (Definitely on the core --- PERHAPS on the subnetworks)
-2 Save

Under "Services"
-1 Disable "Telnet"
-2 Disable "WAN Traffic Coutner"
-3 Save

Under "Administration"
-1 Disable "Cron" (Linux Scripting)
-2 Disable 802.1x
-3 Save
-4 Reboot Router

Why not add a few more routers?

Why not a "Semi-Trusted" network?
   - My mobile devices
   - Anything WiFi (that's trusted)
   - TVs
    - Game boxes
   - Dual-Homed NAS?

Guest network?
   - Protected from the untrusted network
   - No access to your NAS or internal entertainment devices.

Connect with us!

Thanks to CacheFly for the bandwidth for this show.