Security Bytes - JUNE 2016 - IOT part2
Last month I introduced the topic of IOT (Internet Of Things) devices and how they can be useful devices if they are implemented correctly. In the past month I have heard so many stories where many of these devices are NOT set up correctly on a segregated network and, as a result, privacy can be compromised. I felt that it is necessary to continue to add more information so that everyone can have a handle on how to do this correctly, allowing these neat devices to do their thing in a secure way.
IOT devices range from light bulbs, home appliances, security systems, and all the way to sprinkler systems. Many of the companies that make these devices have a system where the device itself basically “phones home” to get software updates and feature updates, sometimes without user interaction. What this means is that there is a connection made out of your private network to a vendor’s network to gather updates. While this may seem innocuous it does present the possible threat that if a vendor’s network or software gets compromised, then there is the possibility that when that device gets its update it may also become compromised. If that IOT device is on your main network, it could possibly be a way for an intruder to see private data. It is essential that one set up these devices on their OWN network or network segment (VLAN) so that they ONLY have access to the Internet and NOT your private network.
The best way to accomplish this is by purchasing at least 2 routers so that one can separate the IOT traffic with network firewalls, thereby preventing any IOT devices from communicating with your private network. By taking the 1st router and plugging that into your main Internet provider’s router you create one internal security zone; let’s use 192.168.1.X for example (IOT network). You can then connect a 2nd internal router to the 1st one to create another secure network inside of the 1st router’s network; let’s use 192.168.2.X for this PRIVATE network. You then connect your PRIVATE home devices to the PRIVATE network and the IOT devices to the IOT network on the 1st router, so that they can get to the Internet but cannot traverse the firewall back into your PRIVATE network. The nice thing is that if you are on the PRIVATE network you CAN get to the IOT network, because all traffic must go through that network on the way to the Internet.
If you are tech savvy there are other ways to accomplish this via the use of VLANs and commercial-grade firewalls such as pfSense, SonicWall, FortiGate, etc. By using this methodology one can set up a reasonably secure network for all your devices and still maintain privacy on the inside network. As more and more of these IOT devices become available there is more need to keep your private data PRIVATE.
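The segmentation rule behind both the two-router design and the VLAN/firewall approach above can be written out as a small policy model. This is an added example, not code from the newsletter; it uses the 192.168.1.X (IOT) and 192.168.2.X (PRIVATE) ranges from the text, treats everything else as the Internet, ignores the NAT on the 2nd router, and uses 203.0.113.x as constructed vendor addresses.

```python
"""Policy model of the two-zone home network: flows may only be opened from
a more trusted zone toward a less trusted one; the less trusted side may
only answer traffic that was initiated from the trusted side."""
import ipaddress

IOT_NET = ipaddress.ip_network("192.168.1.0/24")      # behind the 1st router
PRIVATE_NET = ipaddress.ip_network("192.168.2.0/24")  # behind the 2nd router

# Higher number = more trusted. The Internet is the least trusted zone.
TRUST = {"private": 2, "iot": 1, "internet": 0}


def zone(ip):
    """Classify an address as 'private', 'iot' or 'internet'."""
    addr = ipaddress.ip_address(ip)
    if addr in PRIVATE_NET:
        return "private"
    if addr in IOT_NET:
        return "iot"
    return "internet"


class SegmentedHome:
    """Stateful firewall behaviour of the two routers, viewed as one policy."""

    def __init__(self):
        self.flows = set()  # (initiator, responder) pairs opened from the trusted side

    def allow(self, src, dst):
        """Return True if a packet from src to dst may be forwarded."""
        s, d = zone(src), zone(dst)
        if s == d:
            return True  # same segment; never crosses a router
        if (dst, src) in self.flows:
            return True  # reply to a flow the trusted side opened
        if TRUST[s] > TRUST[d]:
            self.flows.add((src, dst))  # remember the outbound flow
            return True
        return False  # unsolicited traffic toward a more trusted zone


def vendor_update_is_isolated(net, iot_device, vendor, private_host):
    """An IOT device may fetch its update (and get the reply) yet still
    cannot open a connection into the PRIVATE network afterwards."""
    fetched = net.allow(iot_device, vendor) and net.allow(vendor, iot_device)
    reached_private = net.allow(iot_device, private_host)
    return fetched and not reached_private
```
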
-Paul Mavrovic, CISSP