[SOLVED] VLAN isolation and router access questions

You can chase packets to the end of the earth, and still have them leaking past you. It's a never-ending battle unless you make some reasonable decisions about "good enough". Even with "valid" packets, there are nefarious ways that they can carry a backchannel.

Meh, in my opinion, once you're significantly more difficult to attack than other targets of comparable value, you're done. It's like safes. There's no "impenetrable" safe; they're rated in terms of minutes or hours of time before a skilled team can break into them.

Essential, in my opinion:

  • Use strong passwords and rotate them
  • Don't run any services on your firewall or router that aren't essential; put your file server or what have you on other hardware
  • Don't enable UPnP or anything of its ilk
  • If you need/want LuCI, run it only over HTTPS and only for your "trusted", wired network
  • If you have any Windows boxes, make sure you have current "virus protection" and it's enabled and regularly updated
  • Read your firewall rules and, if you don't understand them, ask

Challenging with OpenWrt, but important for me:

  • Add a user login other than root, with sudo
  • Disable root login
  • Use OpenSSH instead of dropbear (some may argue this one)

Reasonable, in my opinion (I'm probably more security-focused than many):

  • Isolate your IoT devices on their own VLANs by brand and, when possible, from outside connectivity
  • Only "talk" to your IoT devices, if possible, through an application proxy (for example the TP-Link power switches I use have open-source Python to control them, and I make MQTT calls to a server that then relays to the devices)
  • Put your "critical" devices on a management VLAN
  • Separate your "guest" network from your important computers with a VLAN
  • If you can, separate your "personal wireless" network as well (assume that every wireless client is hostile)
  • Isolate anything that provides services to the outside world on its own VLAN; use containers, jails, or the like to isolate them from each other and from the host they run on
  • Don't run anything but "professional" servers if you're offering services to the outside world (for example, nginx, yes, uhttpd, no)
  • If you can, run an intermediate proxy (for example, an instance of nginx only running as a reverse proxy for your internal webserver)

Getting over the top, even for me (though some of these I do implement):

  • Double firewalls with two different technologies
  • Intrusion detection systems (IDS), multiple, different IDS
  • "Deep packet inspection" in firewalls
  • Real-time log analysis tools and monitoring
  • Only allow ssh-key access for privileged accounts or to sensitive devices
  • Require two-factor authentication
  • Use 802.1X port-based authentication
  • Use 802.1X authentication on wireless networks for clients that support it (consumer IoT devices generally don't)
  • Anything where an alert "rings my pager" so I can immediately respond (well, except for power outages)

I've certainly missed some, but that should at least give a good idea of one person's opinion.

Note that I don't believe that, for example, "ShieldsUp!" and his suggestions are worth a damn, nor is blocking ping worth the problems when diagnosing network problems, or that putting a service on a non-standard port does anything more than reduce log clutter if you've got strong passwords.

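One way to act on "read your firewall rules" and check that an OpenWrt `/etc/config/firewall` actually implements the VLAN isolation described above, as an added example that is not the poster's own code: a small UCI parser plus an audit that flags untrusted zones (assumed names `iot`, `guest`) that can reach router services or the trusted `lan` zone. The embedded config is constructed for the demonstration.

```python
# Added example, not from the forum post: audit an OpenWrt UCI firewall
# config for VLAN-isolation mistakes. Zone names and sample config are assumed.
import re

TRUSTED = {"lan"}             # zone holding the "important" computers
UNTRUSTED = {"iot", "guest"}  # zones that must not reach TRUSTED or the router

# Constructed sample of /etc/config/firewall with two deliberate mistakes.
SAMPLE_FIREWALL = """
config zone
	option name 'lan'
	option input 'ACCEPT'
	option forward 'ACCEPT'
config zone
	option name 'iot'
	option input 'ACCEPT'
	option forward 'ACCEPT'
config zone
	option name 'guest'
	option input 'REJECT'
	option forward 'REJECT'
config forwarding
	option src 'guest'
	option dest 'lan'
config forwarding
	option src 'lan'
	option dest 'iot'
"""

def parse_uci(text):
    """Return one {'_type': ..., key: value} dict per UCI config section."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"config\s+(\w+)", line)
        if m:
            sections.append({"_type": m.group(1)})
        elif line.startswith(("option ", "list ")) and sections:
            _, key, val = line.split(None, 2)
            sections[-1][key] = val.strip("'\"")
    return sections

def audit(text):
    """Flag explicit ACCEPTs on untrusted zones and forwardings into lan.
    Unset zone policies inherit the 'defaults' section and are not flagged."""
    findings = []
    for s in parse_uci(text):
        name = s.get("name")
        if s["_type"] == "zone" and name in UNTRUSTED:
            if s.get("input") == "ACCEPT":
                findings.append(f"zone {name}: input ACCEPT exposes router services (LuCI/ssh)")
            if s.get("forward") == "ACCEPT":
                findings.append(f"zone {name}: forward ACCEPT lets its VLANs talk to each other")
        if s["_type"] == "forwarding" and s.get("src") in UNTRUSTED and s.get("dest") in TRUSTED:
            findings.append(f"forwarding {s['src']} -> {s['dest']} crosses the trust boundary")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FIREWALL):
        print("WARN", finding)
```

Run it against a copy of the router's real config (`scp root@router:/etc/config/firewall .`) and add your own zone names to the two sets.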