Home Network Segmentation

By | Dec 27, 2017

Asus will no longer be updating the codebase for the software that runs my trusty RT-AC66U wifi router. So, what started out as a project to replace the router with an updated model has evolved into a complete revamp of my home network model. Criteria for the new network included the ability to segment and secure the network for home devices, guest wifi and Internet of Things (IoT) devices. Among the IoT devices at my house are:

  • Nest thermostat
  • Philips Hue lights
  • Apple TVs
  • Denon AV receivers
  • Wifi security cameras

A home network or home area network (HAN) is a type of computer network that facilitates communication among devices within the close vicinity of a home. Devices capable of participating in this network, for example, smart devices such as network printers and handheld mobile computers, often gain enhanced emergent capabilities through their ability to interact. These additional capabilities can be used to increase the quality of life inside the home in a variety of ways, such as automation of repetitious tasks, increased personal productivity, enhanced home security, and easier access to entertainment. —Wikipedia

I chose two products from Ubiquiti Networks as the core of my revised home network, based in part on a glowing recommendation by security researcher Steve Gibson of Gibson Research Corporation. Mike Potts has written a fantastic HOWTO, available on his GitHub page here, that I used as a reference document; it is well worth reading if you choose to design your network with Ubiquiti network products.

Fiber to my home is terminated at the Bell Home Hub 3000 (HH3000), which provides services for Internet and Bell Fibe TV (refer to my previous blog post on the configuration of the Bell Home Hub 3000 here). All wifi is disabled on the HH3000 except for the VLAN that is required for the Fibe TV service. The Ubiquiti products used in the new design are:

  • EdgeRouter X
  • UniFi AP-AC-LR long-range access point

Some of us prefer a command line interface for device configuration, and the EdgeRouter X does offer SSH access. However, the web dashboard is quite functional: it covers configuration of most features and also offers traffic analysis screens.

DNS

According to ArsTechnica, “The Global Cyber Alliance (GCA)—an organization founded by law enforcement and research organizations to help reduce cyber-crime—has partnered with IBM and Packet Clearing House to launch a free public Domain Name Service system. That system is intended to block domains associated with botnets, phishing attacks, and other malicious Internet hosts—primarily targeted at organizations that don’t run their own DNS blacklisting and whitelisting services. Called Quad9 (after the 9.9.9.9 Internet Protocol address the service has obtained), the service works like any other public DNS server (such as Google’s), except that it won’t return name resolutions for sites that are identified via threat feeds the service aggregates daily”.

This new service met my security criteria for DNS; however, Quad9 is not among the fastest resolvers available here in Toronto, Canada (cached response 0.014ms). The reason may be that its infrastructure points-of-presence are still being rolled out globally, and I expect the response times to improve over the next few months. I have chosen Google DNS (cached response 0.004ms) as my secondary DNS.

Network Segments & VLANs

Ethernet ports 1-4 on the EdgeRouter X can be configured for layer-2 switching and therefore support a logically segmented network design. The UniFi access point can manage up to four separate SSIDs by using VLANs. In the revised network design I therefore create three wifi networks (home, guest & IoT), carried by VLANs defined on the single ethernet port 4 of the EdgeRouter X. I also configure ports 2 and 3 for wired home devices and wired IoT devices respectively.

DHCP

Individual DHCP services are defined for each network segment (home, guest & IoT). All DHCP servers are authoritative.

Firewall

The default action for packets entering the EdgeRouter from the Internet is to drop the packet if it does not match any of the defined firewall rules. Packets with a state of ‘established’ or ‘related’ will be accepted. Thus, the only way a packet from the Internet will be accepted is if the connection was initiated from within the home, guest or IoT network segments. Likewise, packets entering the home network from the IoT or guest networks will be dropped unless their state is ‘established’ or ‘related’. Hosts on the home network can initiate connections with hosts on the IoT network; hosts on the IoT and guest networks cannot establish connections to hosts on the home network.

Firewall rules restrict access to DNS and DHCP services for hosts on the IoT and guest networks to specific protocols and TCP ports. Hosts on the guest network are forced to use the Quad9 DNS servers; any DNS server settings on the hosts themselves are ignored.
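As an added example (not the author's own configuration), here are the EdgeOS `set` commands that realise the VLAN, DHCP and firewall design described above for the IoT segment, plus the guest-network DNS redirect from the DNS section. Assumed values: the home LAN is 192.168.1.0/24, IoT is VLAN 10 on 192.168.10.0/24, guest is VLAN 20, and the names HOME_NET, IOT_IN and IOT_LOCAL are mine; the guest VLAN would get the same pair of rulesets, and Quad9 and Google are assumed to already be configured as the router's system name-servers.

```edgeos
configure
# Home LAN that the IoT and guest segments must never initiate into (addresses assumed)
set firewall group network-group HOME_NET network 192.168.1.0/24

# Traffic arriving from the IoT VLAN and routed onward (Internet or another segment)
set firewall name IOT_IN default-action accept
set firewall name IOT_IN rule 10 action accept
set firewall name IOT_IN rule 10 description "Replies to flows that home hosts initiated"
set firewall name IOT_IN rule 10 state established enable
set firewall name IOT_IN rule 10 state related enable
set firewall name IOT_IN rule 20 action drop
set firewall name IOT_IN rule 20 description "IoT may not start connections into home"
set firewall name IOT_IN rule 20 destination group network-group HOME_NET

# Traffic from the IoT VLAN addressed to the router itself: only DNS and DHCP
set firewall name IOT_LOCAL default-action drop
set firewall name IOT_LOCAL rule 10 action accept
set firewall name IOT_LOCAL rule 10 protocol tcp_udp
set firewall name IOT_LOCAL rule 10 destination port 53
set firewall name IOT_LOCAL rule 20 action accept
set firewall name IOT_LOCAL rule 20 protocol udp
set firewall name IOT_LOCAL rule 20 destination port 67

# VLAN 10 tagged on eth4 (AP uplink), untagged on eth3 for wired IoT; rulesets attached
set interfaces switch switch0 switch-port vlan-aware enable
set interfaces switch switch0 switch-port interface eth4 vlan vid 10
set interfaces switch switch0 switch-port interface eth3 vlan pvid 10
set interfaces switch switch0 vif 10 address 192.168.10.1/24
set interfaces switch switch0 vif 10 firewall in name IOT_IN
set interfaces switch switch0 vif 10 firewall local name IOT_LOCAL

# Authoritative DHCP scope for the IoT segment; clients resolve via the router
set service dns forwarding listen-on switch0.10
set service dhcp-server shared-network-name IoT authoritative enable
set service dhcp-server shared-network-name IoT subnet 192.168.10.0/24 default-router 192.168.10.1
set service dhcp-server shared-network-name IoT subnet 192.168.10.0/24 dns-server 192.168.10.1
set service dhcp-server shared-network-name IoT subnet 192.168.10.0/24 start 192.168.10.100 stop 192.168.10.199

# Guest VLAN 20: rewrite every outbound DNS query to Quad9, whatever the host configured
set service nat rule 1 type destination
set service nat rule 1 description "Force guest DNS to Quad9"
set service nat rule 1 inbound-interface switch0.20
set service nat rule 1 protocol tcp_udp
set service nat rule 1 destination port 53
set service nat rule 1 inside-address address 9.9.9.9
set service nat rule 1 inside-address port 53

commit
save
```

Rule 10 in IOT_IN must precede rule 20 so that replies to connections the home network opened are accepted before the drop-to-home rule is evaluated; the default-action accept on IOT_IN is what lets IoT devices reach the Internet.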

Conclusion

I feel confident that my home network is much more secure now that it is segmented to isolate IoT and guest hosts from the rest of my network. The immediate benefit is the increased wifi range and throughput throughout the house with the UniFi AP-AC-LR long-range access point. The lowest measured signal at any point in the house is now around -53 dBm; previously, readings in the basement would have been an unusable -70 dBm.
