OT-Securing IOT
  • OT-Securing IOT

    My network has grown organically over the years from a single computer on a 9600 baud modem (remember those?) to over 25 devices. Having my card info stolen at Best Buy made me start thinking about my network security. I have a Netgear WRT1200AC that gives good coverage, but it only allows the one common local network, a guest network, and a DMZ. I can't put the IOT devices on the guest network because they are "helping" me by providing a web page logon rather than a WPA2/PSK preconfiguration.

    My current configuration is cable modem-->WRT1200AC-->LAN with all devices on the LAN. I can segregate my devices into two categories: secure (printers, PCs) and insecure. The insecure category can include IOT stuff (cameras, phones, tablets, music streaming, TV streaming, mill DRO, etc.) as none of them need to access local resources. Steve Gibson recommends a three router option (https://www.grc.com/sn/sn-545.pdf, start on page 21) which seems to make sense. I'd missed the MAC snooping issues he mentions when I was considering my options.

    What are other folks doing?
    Last edited by Wheels17; 12-09-2019, 08:22 AM.

  • #2
    Originally posted by Wheels17 View Post
    ...What are other folks doing?
    Preferentially making chips

    Comment


    • #3
      Huuuuuh......................
      The shortest distance between two points is a circle of infinite diameter.

      Bluewater Model Engineering Society at https://sites.google.com/site/bluewatermes/

      Southwestern Ontario. Canada

      Comment


      • #4
        I don't really do IoT in any big way unless you want to count my very obsolete iPad and cellphone, neither of which I really care about. I regard anything wireless as being inherently insecure and not secure-able. My setup is: cable modem into Netgear hub via ethernet. The hub splits it into: Linksys WRT54G on one line, desktop machine on the other line. The Linksys is unsecured; mostly it's there just for convenience. Except for the Linksys router, everything else is wired 10/100, using DHCP. The desktop is where all the important stuff is -- *nothing* important is allowed anywhere else. The desktop itself is FreeBSD UNIX v.12 with pf firewall and a decent hosts file. Permissions are locked down -- you need my explicit permission to do anything. I have a policy that if it doesn't absolutely require a computer to function then it doesn't get one. If I need to transfer pics or something, that's what USB is for.
        Last edited by nickel-city-fab; 12-09-2019, 12:01 PM.
        25 miles north of Buffalo NY, USA

        Comment


        • #5
          I regard anything wireless as being inherently insecure and not secure-able
          Yup. Even though it is right next to the house and easily within wifi range I ran cat6 out to the shop when I built it.
          "A machinist's (WHAP!) best friend (WHAP! WHAP!) is his hammer. (WHAP!)" - Fred Tanner, foreman, Lunenburg Foundry and Engineering machine shop, circa 1979

          Comment


          • #6
            Only option is to put all of the IOT crap on the guest network.

            I got pissed at Netgear a few years ago. I had an R7000; terrible software support. All the home wifi router makers SUCK at keeping up with firmware updates. You can get open source firmware for certain models: DD-WRT, OpenWRT and Tomato. Or just bite the bullet, spend the money and buy enterprise stuff. I went with Ubiquiti, so I use a VLAN to put all the IOT junk on and run pi-hole on my NAS. Ubiquiti also has Deep Packet Inspection so you can see everything leaving your network.
            Last edited by H380; 12-09-2019, 10:06 PM.

            Comment
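            Added example, not from any poster in this thread: an nftables ruleset for a Linux-based router (such as an OpenWRT box) that implements the "IOT on its own VLAN" policy above. The IoT segment can reach the internet and a pi-hole for DNS but cannot initiate connections into the trusted LAN, and attempts to do so are logged. Interface names, subnets and the pi-hole address are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumptions: WAN on eth0, trusted LAN on
# br-lan (192.168.1.0/24), IoT VLAN 20 on eth1.20 (192.168.20.0/24), pi-hole at
# 192.168.1.53. All names and addresses here are made up for illustration.
flush ruleset

define lan_net = 192.168.1.0/24
define iot_net = 192.168.20.0/24
define pihole  = 192.168.1.53

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # Trusted LAN may manage the router; IoT devices may only get DHCP from it.
        iifname "br-lan" accept
        iifname "eth1.20" udp dport 67 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Trusted LAN may reach the IoT segment (to control devices) and the internet.
        iifname "br-lan" oifname { "eth1.20", "eth0" } accept
        # IoT may talk to the pi-hole for DNS only ...
        iifname "eth1.20" ip daddr $pihole udp dport 53 accept
        iifname "eth1.20" ip daddr $pihole tcp dport 53 accept
        # ... and is otherwise blocked from the trusted LAN (logged for review).
        iifname "eth1.20" ip daddr $lan_net log prefix "iot->lan blocked: " drop
        # IoT may reach the internet.
        iifname "eth1.20" oifname "eth0" accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Force IoT DNS through the pi-hole even if a device hard-codes a public resolver.
        iifname "eth1.20" udp dport 53 ip daddr != $pihole dnat to $pihole
        iifname "eth1.20" tcp dport 53 ip daddr != $pihole dnat to $pihole
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "eth0" masquerade
    }
}
```

The forward rules are evaluated in order, so the pi-hole accept lines must stay above the $lan_net drop line; the kernel log (prefix "iot->lan blocked:") shows which IoT device tried to cross into the trusted segment.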


            • #7
              Originally posted by H380 View Post
              ... You can get open source firmware for certain models: DD-WRT, OpenWRT and Tomato. Or just bite the bullet, spend the money and buy enterprise stuff.
              Bingo. Plenty of older IronPort and Juniper equipment out there. And Cisco. Or, just grab an old PC and install BSD or something on it.
              25 miles north of Buffalo NY, USA

              Comment


              • #8
                I would never run a consumer router without replacing the firmware - Tomato, one of the WRT variations. The original units usually have backdoors, too many bugs, not enough features, and a lack of updates.

                I would also not run IOT devices that must phone home to a third party server. Especially in China. Tasmota is a good replacement firmware for the devices it supports.

                Comment


                • #9
                  I probably have 30 IOT devices hacked, mining bitcoin for some Chinese hackers or some Russians remotely launching DOS attacks, and the NSA listening in on me through our 5 Alexa devices. But man, the convenience is worth it.

                  Comment
