IoT in the Home: Part 2 - IoT Containment

posted Mar 9, 2018, 4:50 AM by Tom Pedersen   [ updated Sep 12, 2018, 3:55 AM ]
Finally organizing my notes to share the network tactics and practices used to throw a fence around the smart devices in our home. These smart things are becoming unavoidable, yet most lack mature security and privacy controls. Here's a recap of my initial assessment, the network adjustments and a few resources - hopefully useful to others.

Motivation

Smart device cloud contacts (figure)
A review of our home network traffic, combined with an understanding of current-state IoT security practices, provided plenty of inspiration to revamp our home network to better accommodate the ongoing surge of 'smart' things.

Monitoring connections on our home network revealed some interesting chatter between smart devices and their internet endpoints, domestic and international. Much of the outbound traffic appeared to be device overhead (NTP pool queries, etc.), but there were also a fair number of connections and conversations that seemed a tad creepy.

The apparent lack of security strategies at smart device manufacturers is also disconcerting. Most of the smart devices in our home have been around for a number of years, yet show no evidence of established security practices or controls (SSAE 16, ISO 27001, etc.). Furthermore, IoT security and privacy standards really haven't matured in the past 2-3 years; device manufacturers seem to be learning as they go.

Based on my comfort level with the devices in our home, I settled on a "Containment" strategy that keeps our smart devices separate from our existing home network (personal computers, phones/tablets, shared peripherals ...). The Containment subnet also accommodates a couple of unavoidable constraints, like the ISP-supplied gateway/router that is required for our TV set-top boxes. I also decided to steer clear of smart devices that could be a physical security or safety issue for the time being, avoiding smart door locks, garage door openers, pacemakers and such.

Network Adjustments

Our home network tweaks involved adding an isolated personal network behind a better firewall/router and recasting the original network as a combined guest WiFi and IoT Containment area.

Network objectives/characteristics
  1. Protected Personal network
    • Set behind a new, capable firewall/router
    • Separate/dedicated IP subnet - LAN & WiFi network
    • Portable - the network is plug-n-play if we decide to change ISPs
    • Firewall rules block any connection initiated from the IoT Containment subnet (or the Internet) toward the Personal subnet; only Personal hosts may initiate connections across the boundary
    • Can be shut down when we are away without affecting the 'smart' home
  2. Isolate smart devices
    • Behind the original ISP-supplied internet gateway
    • Smart devices connected to a separate/dedicated IP subnet
    • When possible, IoT devices are wired to the network (ethernet)
    • If wireless-only device:
      • Connected to a dedicated Containment WiFi network (separate SSID)
      • Only authorized wireless connections permitted on the Containment network
      • DHCP reservations & MAC filtering required
  3. Smart(er) switch added
    • Port mirroring for network monitors, probes & IDS
    • VLAN features
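The firewall piece of objective 1 (nothing initiated from the Containment side may reach the Personal subnet, while Personal hosts can still reach both the Internet and the smart devices) can be written as a small nftables ruleset on the new Personal router. The script below is an added example and not the author's configuration: the interface names (eth0 toward the ISP gateway, eth1 toward the Personal LAN) and the subnet 192.168.10.0/24 for the Personal network are assumptions, overridable through environment variables. By default it only prints the ruleset; `check` parses it with nft without loading anything, and `apply` loads it on the router.

```shell
#!/bin/sh
# Added example (not from the original post): nftables ruleset for the new
# Personal router whose WAN port plugs into the ISP gateway / IoT Containment
# subnet. Interface names and the subnet are assumptions; override via env.
set -eu

WAN_IF="${WAN_IF:-eth0}"                         # toward ISP gateway / Containment subnet
LAN_IF="${LAN_IF:-eth1}"                         # Personal LAN (wired + Personal-SSID AP)
PERSONAL_NET="${PERSONAL_NET:-192.168.10.0/24}"  # Personal subnet behind this router

# Print the ruleset as text so it can be reviewed (or checked with `nft -c`)
# before anything is loaded into the kernel.
gen_ruleset() {
cat <<EOF
flush ruleset

table inet personal {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Only Personal hosts may talk to the router itself (DHCP, DNS, admin UI).
        iifname "$LAN_IF" accept
        # Anything arriving from the Containment side (pings included) is dropped.
        iifname "$WAN_IF" drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Personal -> Internet and Personal -> Containment devices may be initiated.
        iifname "$LAN_IF" oifname "$WAN_IF" ip saddr $PERSONAL_NET accept
        # Containment/Internet -> Personal may never be initiated; log, then drop.
        iifname "$WAN_IF" oifname "$LAN_IF" ct state new log prefix "iot-to-personal: " drop
    }
}

table ip personal_nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Hide Personal addresses: the ISP gateway and the smart devices only
        # ever see this router's WAN address.
        oifname "$WAN_IF" ip saddr $PERSONAL_NET masquerade
    }
}
EOF
}

# Parse-only check; nothing is loaded. Returns 0 when nft is absent so the
# script still works on a workstation that only generates the config.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        gen_ruleset | nft -c -f -
    else
        echo "nft not found; review the ruleset text by hand" >&2
    fi
}

case "${1:-show}" in
    show)  gen_ruleset ;;
    check) check_ruleset ;;
    apply) gen_ruleset | nft -f - ;;   # run as root on the Personal router
    *)     echo "usage: $0 [show|check|apply]" >&2; exit 2 ;;
esac
```

Because the Personal router also masquerades, hosts on the Containment subnet never learn Personal addresses at all; the forward rule that logs and drops new WAN-to-LAN connections is defense in depth and will also catch any port forward added later by mistake. One caveat on objective 2: DHCP reservations and MAC filtering on the Containment SSID are inventory controls, not authentication, since a MAC address is trivially spoofed. The wireless key on that SSID and the firewall boundary above are what actually keep a compromised or rogue device out of the Personal network.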
New network looks something like this:

Hardware

Software

References

    Guidance (not much) 
    Inspiration (plenty)

That's it ... The network will likely continue to evolve as our smart world evolves and matures. Not exactly a step-by-step, but hopefully useful. Feel free to drop me a line if you have thoughts or questions.

---------------

* T. Pedersen Ventures is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to amazon.com.