Steve Gibson's Three Router Solution to IOT Insecurity
Author: Nicolae Crisan
Date: August 15, 2016
Subject: General Tech
Manufacturer: Various
Tagged: networking, network, iot
Introduction
Even before the formulation of the term "Internet of things", Steve Gibson
proposed home networking topology changes designed to deal with this new
looming security threat. Unfortunately, little or no thought is given to the
security aspects of the devices in this rapidly growing market.
One of Steve's proposed network topology adjustments involved daisy-chaining
two routers together. The WAN port of an IOT-purposed router would be
attached to the LAN port of the Border/root router.
View Full Size
In this arrangement, only IOT/Smart devices are connected to the internal (
or IOT-purposed) router. The idea was to isolate insecure or poorly
implemented devices from the more valuable personal local data devices such
as a NAS with important files and or backups. Unfortunately this clever
arrangement leaves any device directly connected to the “border” router
open to attack by infected devices running on the internal/IOT router. Said
devices could perform a simple trace-route and identify that an intermediate
network exists between it and the public Internet. Any device running under
the border router with known (or worse - unknown!) vulnerabilities can be
immediately exploited.
View Full Size
Gibson's alternative formula reversed the positioning of the IOT and border
router. Unfortunately, this solution also came with a nasty side-effect. The
border router (now used as the "secure" or internal router) became subject
to all manner of man-in-the-middle attacks. Since the local Ethernet network
basically trusts all traffic within its domain, an infected device on the
IOT router (now between the internal router and the public Internet) can
manipulate or eavesdrop on any traffic emerging from the internal router.
The potential consequences of this flaw are obvious.
View Full Size
The third time really is the charm for Steve! On February 2nd of this year (
Episode #545 of Security Now!) Gibson presented us with his third (and
hopefully final) foray into the magical land of theory-crafting as it
related to securing our home networks against the Internet of Things.
Continue reading our editorial covering IOT security methodology!!
With this iteration Steve moved us from a two-router solution to a three-
router solution. The new arrangement involves three fundamental elements to
the network – an “external” or “border” router that has one purpose and
one purpose ONLY; to move traffic back and forth between the public
Internet and the two internal subnets underneath it. The second is an IOT-
purposed router which houses all “Smart” / “Internet of Things” / “
Internet-Enabled” devices whose uplink port is connected to an open LAN
port of our border router. Devices such as PCs, laptops, phones and network
storage devices have NO place inside this segment of the network. The third
and last element is the “Secure” or internal router which, in similar
fashion to the IOT router, has its uplink port connected to an open LAN port
of the border router. Any valuable device (high value targets to hackers)
such as desktops, laptops and network storage devices (a NAS of similar
network appliance)) are all clustered together inside this subnet.
View Full Size
Maintaining three separate purpose-driven subnets affords our network some
key protective features unavailable to us with both of our previous
configurations.
1. Separation of Ethernet Segments: Compromised devices and or malicious
payloads no longer have the luxury of unfettered access to devices (either
upstream or downstream) by exploiting the trusting Ethernet protocol.
2. Damage control: Compromised devices and or malicious payloads are
separated from higher value targets such as PC workstations and network
attached storage devices. In the event of a breach, the damage an “
expendable” IOT device can cause on the network will be contained and
compartmentalized to the local subnet.
View Full Size
Although our proposed variation so far seems very bullet-proof (it is for
the most part), we cannot neglect to briefly discuss one outstanding caveat.
Even though corralling all of our less secure devices into a single subnet
will dramatically improve our overall security, the threat of an already
infected device hijacking or exploiting the vulnerabilities of an adjacent
device in the same IOT subnet is still a very real possibility. For this
reason, I would propose an additional modification to this blueprint (Which
Steve also slightly alluded to). Whether built in software or (preferably)
hardware, a per IP “virtual LAN pipe” should be constructed on the fly
with each new IOT device connection that would allow IP-based communication
to only one endpoint – the publicly facing Internet. It’s important to
note that a VLAN does not provide the form of security we desire on a
wireless interface. Our goal is to draw on the concepts of how a VLAN works
while the implementation will most likely utilize some other method/protocol
. In other words, a device would ONLY have the capability to transmit and
receive as if it were the only device behind the protection of the NAT. The
idea here isn’t to over-engineer a solution (even though it feels very much
that way). This is about advancing our networking technology to address the
very real threat IOT devices carry with them.
View Full Size
Router Configuration Walk-Through
The IT veterans among us are most likely already well acquainted with the
concepts at work in this type of router configuration. In fact, I would
wager that most of you also could easily purchase and configure a system
like this blindfolded. Even though most of us might already understand the
concepts and steps involved, there are several benefits all of us can take
advantage of. Less experienced readers can get a grasp on some basic
networking concepts while the IT veterans among us can fill-in some
knowledge gaps (we all have them). As a community we can all fine-tune
various aspects of this alternative approach to IOT security and begin
implementing this network configuration at home or in the office.
Whether you're a beginner or a CISCO certified professional, we will all
learn nuances of this alternative router configuration that we wouldn't have
had we not walked through it together.
So, let’s assume we’re sold on the idea that Gibson’s router
configuration will answer all of our IOT security woes. We’re going to un-
box and configure three identical routers so they adhere to this alternative
way of handling “insecure” and “secure” traffic. You can, of course,
use three completely different router models. To keep things in the realm of
sanity and because it’s much more efficient and easy to manage one unified
interface, we will be using the same router model for all three.
For this setup we’ll be using three ASUS RT-N12 “3-In-1” Wireless Routers.
View Full Size
I have to pause a moment and chuckle at the advertising ASUS has come up
with on this line of routers. The word “FAST” wasn’t good enough
apparently – ASUS had to make an acronym out of it to really drive home the
point that “this router be FAST, yo!”
View Full Size
This isn’t a Warranty Notice insert that I should just throw away. People,
this is a “VIP Member” warranty notice! I am SO important to ASUS they had
to include that specific verbiage just for me!
View Full Size
After unpacking all three units, lay everything out so it emulates the
network topology we are creating – as shown below. I would HIGHLY recommend
labeling each router to eliminate any confusion as to what that router’s
purpose is in your network. Ten months from now when you hobble back into
your server closet or re-approach the tangled rats-nest of wires we all know
you have near your cable modem, you won’t remember why you have three
identical routers or what each of them does!
