I was wondering about peoples ' opinions on IOT devices that could be considered safe enough to ...

[G+_Eric VanDyke]

I was wondering about peoples' opinions on IOT devices that could be considered safe enough to use on my main computer network? I am reconfiguring my home network using the 3 dumb routers setup, but having a couple IOT devices on the same network as my NAS and other devices would be nice. My thoughts are that companies like Amazon, Roku, and Google will keep their devices updated and are the most likely to be secure, but are they secure enough?

 

Also, what about networked printer security? I have a couple older laser printers that work great, but haven't had firmware updates in a couple years. Maybe it would be best to turn off the networking at this point and share them through a USB connection?

[G+_David Peach]

If all the IOT you are putting on your network is an Amazon Echo, them you're probably right that they will keep it updated. But the moment you put a lightbulb or a power switch on the network then you've made yourself vulnerable.

[G+_Jean Jeto]

David Peach I am a beginner, and I am looking forward to setting up the 3 dumb routers. I wanted to have all IoT even the ones some believe are safe in the Untrusted zone. Is this setup ok?

[G+_David Peach]

Jean Jeto yes, separating everything from your trusted network is fine. I'm only saying that it is likely that Amazon will keep you up to date. But that doesn't mean you have to trust them.

[G+_Jean Jeto]

Thanks David. I am thinking of implementing this at home. grc.com - www.grc.com/sn/files/Ubiquiti_Home_Network.pdf

In this setup, my understanding is that the AP is hooked up to the main router. I thought it was not the best setup. Do I understand correctly? I am referring to page 4 on the document. Thanks for your help.

[G+_Eric VanDyke]

Yeah, I will be adding a couple switches controlled by the Echos, so in that case, they get relegated to the IOT network. I can't really see much lost functionality from an Echo set up like that. A Chromecast or a Roku I would think should be safe on the main network so they can access the NAS and be accessed by tablets on the main network since that is really key to their functionality.

[G+_Brent Vrieze]

I'm a Network Engineer so take that into consideration on my response. Pick up a Mini-ITX or ATX-Micro motherboard with an embedded CPU (because you don't need much CPU power for a router and they are fanless) Add a multi-port NIC in it so you have 3 or more and then use PFSense.

 

Multiport NIC $67 I beleive x4 PCI express slot or larger required: newegg.com - Intel E1G44HTBLK Server Adapter I340-T4 (Bulk Pack) 10/100/1000Mbps PCI-Express 2.0 4 x RJ45

 

Embedded Motherboard (Make sure PCI slot is not x1 only for the NIC) here is an ASRock I almost bought with and x16 PCIe slot $67: https://www.newegg.com/Product/Product.aspx?Item=N82E16813157727

 

8GB of RAM(maybe less if you don't add apps to it): $70

 

Small SSD $50:

 

Cheap Case (watch for full height or short PCI slot for the NIC, mabye the NIC has both brackets): $55

 

PFSense Free: https://www.pfsense.org/

 

for around $300 you can have an enterprise grade router/firewall with up to 5 ports on it. This system then can run all the add-on software PFSense uses which is extensive.

 

I have one of these in my house right now that only has 10/100 Mb slots and as I am going to get 1Gb fiber to the house this fall I bought and am building a new one.

 

Again I'm a Network Engineer so networking is something I deal with all day but I like it and I don't have to worry about crappy bug ridden/vulnerable firmware on a consumer grade router.

 

 

 

[G+_David Peach]

Brent Vrieze that's what I have at my office and strongly considering doing that for my next home router.

 

For the office I bought the same setup you describe (mostly), for $250 on Amazon specifically for pfSense. Then got an 8 port gigabit switch to connect to it. Which then goes out to three other 24 port switches and other local devices.

[G+_David Peach]

Jean Jeto for some reason my phone won't open the PDF. Maybe someone else can chime in. Or I can take a look when I get to my destination tonight.

[G+_Brent Vrieze]

David Peach I did not want to put that in my message but yes you could buy a managed switch so it can do VLANs and make sure your NIC can do VLAN tagging then do the "router on a stick" method to reduce the cost of the router and only need 2 NIC ports. But then you add cost in the switch and if you are a home network person you may not understand(or care to understand) VLANs.

 

We could get even more secure and put in VRFs? JK :)

 

Thanks

Brent

[G+_Robert Hafer]

A completely different method would be to IoT devices that run on a proprietary radio like Insteon or Z-wave automate them on your own computer with its own security. That’s diving deeper into HA nerdery.

[G+_Jean Jeto]

David Peach David,

Would appreciate your thoughts. Thanks.

[G+_David Peach]

Jean Jeto my thoughts are that we are staying way far off the simplicity of the 3 dumb routers idea that can be implemented with hardware most people own or can get their hands on for very cheap. Unless you have a much better connection than I have, the routers we've all been buying and replacing for the last decade can probably be used with no significant loss in speed.

 

What I personally have at home is a 5-year old DD-WRT based router that lets me make a guest network that is isolated from the rest of the network. I put all my IoT devices on that network and call it good enough. Once I need a wired IoT connection then I have to make some changes.

 

I am the network engineer at my office by default, not by training. I am by no means an expert. I spend lots of time on Google trying to make sure our small non-profit is safe on a limited budget. So I usually go with the least expensive option at the cost of sweat equity and sometimes loss of sleep wondering if I've really made the right choices.

 

So take my opinion on this (and most tech matters) with the understanding that I got my education from the University of Google.

[G+_Jean Jeto]

Hi David. Thank you. I am not an engineer either. Started learning networking a month ago, and yes Google University is my evening school too.

[G+_John Sullivan]

Eric VanDyke Regarding your original question: "My thoughts are that companies like Amazon, Roku, and Google will keep their devices updated and are the most likely to be secure, but are they secure enough?"

No, they are not secure enough.

There are too many "zero day" exploits out there, and you only need one to totally mess up your system. I recommend that you keep your important stuff (I assume your NAS) on a separate network from devices that don't need to access it.

And be sure to backup anything on the NAS that you would not want to live without. The NAS is not a reliable backup.

As for whether you should allow one or more IoT devices on your NAS's network, only you can decide that. You should view each IoT device as a possible threat to your NAS, and ask yourself if you're willing to allow that threat or not.

[G+_David Peach]

Jean Jeto I got a chance to look at that document. If you get the Edge Router X, then it is fine to read that PDF that you link to. However, if you have less capable routers, then you would be better served to read these two pages (reading them anyway may help explain the Edge Router X configuration). Make sure you read through these before jumping in to configure anything. They are iterative. They don't explain the optimal setup until you get towards the end of the documents.

 

pcper.com - Steve Gibson's Three Router Solution to IOT Insecurity | PC Perspective

And,

http://nerdcave.littlebytesofpi.com/router-configuration/

 

These should really help you understand the setup.

[G+_Jean Jeto]

Dear David,

Thanks a lot for your time. I feel like asking silly questions as very very few answer. Wanted to know if the document I have forwarded was the 3 dumb routers configuration designed by Steve.

 

Yes I have the ERX, and would appreciate your feedback on how I am thinking of setting things up.

 

ISP Modem, then 1 ERX-SFP(Core) and a CloudKey, then my RT2600ac (Current router) for the home network, the other ERX, for Lab and IoT networks. Behind the Lab and IoT networks, I will add two Unifi switches, and Access Points, for Wifi.

 

Because I am learning, I am going slowly, and buy my equipments before jumping into configuration. Thanks for the advice.

[G+_David Peach]

Jean Jeto knowing you have the ERX, I will look at the document again when I get home tonight. From my quick read-through and looking at the pretty pictures, no, this is not exactly the 3-dumb router setup. The ERX is able to segment the network and give you the isolation you are looking for without needing 3 separate routers. The 3-dumb router setup is called that because you use 3 much less capable routers to simulate what a single smart router can do.

 

Having said that, I am not a trained network pro. And I have not studied the ERX. But, I would say, that because Steve is recommending it, then the ERX and that PDF should get you configured safely.

 

The 3-dumb router setup was designed as a way to give commercial class network segmentation using three $20 routers.

 

As far as your proposed setup goes with the equipment you have, I think that sounds like it will work well. But it also sounds like an excessive amount of hardware. For Wi-Fi I understand you to say you will use the 2600 for your secured network and 2 Unifi devices for the insecure network. That means you potentially have 3X the coverage area for the insecure network.

[G+_David Peach]

Jean Jeto I looked at the document again (just the first few pages). I think the setup that this document recommends is much more complicated than most home users need.

 

If this all seems overwhelming and confusing, take it in small chunks. Look at the two simpler documents that I linked to and set up each one of the networks they talk about. It should help you to understand what the advantages and disadvantages of the different network types are.

 

There is a dizzying array of settings you can configure in your ERX. The vast majority of the 96 page document you point to is just about configuring the ERX. Try to learn what those settings are doing and I think that will help make this clearer. Though I also think that setup is more complicated than it needs to be.

[G+_Jean Jeto]

David Peach Thanks David.

I used to have the 2600 only in bridge mode, then I watched Padre and Steve G. on Twit.

I came across a very good deal jeté in France. Bought 3 ERX, including one with SFP, for 180$.

My understanding of Steve G. is that the physical segmentation is safer.

Like you I not a network engineer. So thank you again for your time.

I will start today, as it is 5:45 Paris time