Welcome engineers. My name is Travi’s IQ, and today we’re going to talk about network segmentation, specifically in the context of IoT devices and small to medium network security. So first and foremost, what we need to talk about is what constitutes network segmentation, or how do we segment the network, right? The idea is I have hosts on my network, and these hosts can communicate with one another innately. Maybe I have a switch here and I plug a PC and a printer into this switch, and this switch is plugged into a router, and that router routes us to the internet, to the WAN. Okay, so here we actually do have network segmentation going on to some extent, and the extent is: the network is being segmented by the router from, let’s say, the ISP to the customer premises equipment, our stuff here.

Okay, so what happens then if I need to plug something else into this network, something else that needs to communicate to devices on the WAN? What happens if I need to plug in, let’s say, an IoT device: a camera for security, a smart fridge so that I can know how cold my vegetables are, a smart thermostat like the Kobe smart thermostat, a server that manages these things, a home automation utility like Home Assistant? These devices run on their own, right, with limited firmware, Linux and pared-down Linux firmwares. Oftentimes, if we’re not cognizant of the types of devices we’re buying and putting on our network (and this happens in both the home office environment and in the enterprise environment), then we may pick up devices that have known issues, or from companies that don’t push out firmware updates when vulnerabilities are discovered. These types of things are very, very common.
Also, vulnerabilities are sometimes discovered in firmware or packages that are utilized by a number of companies and are pervasive and aren’t fixed very much at all, and this happens more often in IoT device infrastructures than it does in other infrastructures. This is why I’m focusing specifically on IoT for network segmentation today. Okay, so I’ve established why I would put these on the network. I’ve established why I don’t want them to be on the same network as my main work PC and a server or a printer or some other device that’s being utilized for work purposes. And so I need a primary LAN, and I need, let’s say just in this case, a segmented network for IoT devices that is separated from the primary LAN for security purposes specifically. We could separate it for a number of other reasons, to do quality assurance and policy of the traffic and all these other things, but let’s say we’re talking specifically about network security and segmentation here.

Okay, so there’s one way I could do this: I could have two physically separate networks. So I could take and plug all of these devices into a switch or a wireless access point: IoT devices, Home Assistant, camera, thermostat. I could plug this switch into a router, and I could take another interface on that router, connect it to a switch, and then hook up my PC via CAT5 or high-throughput fiber, whatever I want to do, depending upon the data transfer rates I need, and some other server over here, and then I can have my WAN connection. In this case I have a single router, acting, from my segmentation and security perspective, as a router/firewall hybrid, and these IoT devices can now communicate to the LAN.
If I were out on the WAN, let’s say Travi’s IQ is out here on the WAN and needs to talk to his home automation server that is aggregating information from all these other IoT devices, I punch a hole in my firewall and forward traffic from port 443 to 8123, which is the default port for Home Assistant. And I log in and I get all this information. Now this server is actually exposed, right? This port is now being forwarded to this service here, and anyone who attempts to connect to my network via that port is going to be forwarded to this service. This is why we set up strong usernames and passwords and multi-factor authentication, so that although we understand that this device is exposed and is a potential security risk, more so than these other devices here, it is secured and segmented, so we have layers of security. We’ll talk about things like defense in depth on this channel at some point as well.

Okay, so this is one mechanism of segmenting the network. If I needed this PC to be able to talk to this server, if, in the case of Home Assistant, I needed to update a configuration (and the way that I would update configurations in Home Assistant is with the config.yml file), so I needed to do some config.yml updates, and I wanted to use something like Windows SMB (Server Message Block) to update the config.yml file, so I could connect directly to it like it were a folder on my PC here, I could do that. I would have to do one of a few things. I could do whitelisting of those IPs and directions (we’ll talk about firewall configuration another time), I could whitelist an IP and a port number, or I could do established connections, a number of different things, right, but I would have to explicitly allow that connection from this device to this device within that firewall config.
You say, how would you do that, Travis? Well, it would vary from NOS to NOS (network operating system), or firewall operating system to firewall: Juniper, Palo Alto, Fortinet, Cisco, pfSense, Untangle, pick your device. Okay, I said I could do this one of two ways. So what’s the second way, Travis? Well, I don’t have a ton of ports sitting off my small router in a small or medium business infrastructure to segment the network like this. Usually, especially in a small office environment, I’m going to have one router, or maybe one and one set up in high availability, in redundancy, but let’s say one router connected to a big backbone switch in my office, and I’ve got a bunch of devices connected to this that want to get out to the LAN, and I’ve got these IoT devices: IoT, IoT, IoT. These are going to be on my IoT segment, and then I’ve got these other devices here, PC, server, backup server, that are going to be on another segment here. I can instead do what is known as virtual segmentation. Virtual means we use the term logical; logical means in software, so in software we define this segmentation. (Sorry, I should probably do this in the right color.) In software we define this segmentation like this, and there’s a term for this: these would be different local area networks at that point, so they would be virtual local area networks, or VLANs. And so what I can do is I can configure multiple VLANs on this switch.
Switches can segment the network using VLANs, and I can associate this PC, this server and this server with VLAN 5, and I can associate my IoT VLAN with VLAN 999, let’s say. What this means is this is essentially the same as segmenting them with a router, where they have their own networks, so that means that they would have their own IP address ranges. So this could be the 192.168.1.0 address range and this could be the 192.168.2.0. One thing that we know about separate address ranges like this, the 192.168.1 and the 192.168.2, is they require a router to communicate between the two, and so in this scenario here where I just have a switch, let’s say I’m not connected to this router, those two networks actually can’t communicate, because they’re separated in software in the device, and across those boundaries we would need a router to route that traffic. And so what we can do is have R1 here route the traffic for us, and now we have network segmentation with a device that’s not necessarily innately intended to segment the network, and we have a device facilitating communication between those networks if we so desire. If you’re going to set it up like this, what you’re likely going to have in this case, barring some specialized cases, is this router is going to prevent communication between these two networks until you explicitly allow it, and that would be part of our firewalling functionality, and so we would have firewall rules preventing the connection between these two networks. You would say, well, maybe in some core routers and some core implementations that might not necessarily be the case, and I agree with you, but in our small/medium enterprise example here, that would definitely be the case. And so now you’ve got your IoT devices. You’ve got an IoT automation, a home automation utility.
Hold on, sorry, wrong color. You’ve got a home automation utility here that sits here too. And I want to manage it with my PC. I still have to punch a hole in this firewall to allow these two devices to communicate. We’ll talk about how we would facilitate this, and how you facilitate inter-VLAN routing with a single router, a router on a stick like this, with things like sub-interfaces and stuff like that, at a later date, but as of now this is sufficient for our discussion of network segmentation. If you’d like to see more discussion of cyber security topics, networking topics and network installation topics, like and subscribe. If you have any questions about it, comment below and I’ll answer as many as I see. If not, engineer, break stuff and have fun.
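The policy the talk describes (VLAN 5 for the PC and servers, VLAN 999 for IoT, R1 dropping everything across the boundary until it is explicitly allowed, a whitelisted IP and port from the PC to Home Assistant, an established-connections rule for the replies, and the 443 to 8123 port forward on the WAN side) can be modelled as a small stateful packet filter. The block below is an added example, not the speaker's code and not a real vendor configuration; the addresses, the PC and Home Assistant hosts, the router's public address and the remote client are constructed for the demo, and the rule allowing egress to the WAN is an assumption the talk does not spell out.

```python
"""Model of the inter-VLAN firewall policy from the talk (added example, not the speaker's code)."""
from __future__ import annotations

from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed addressing that mirrors the talk: VLAN 5 is the primary LAN,
# VLAN 999 is the IoT segment, and R1 (router on a stick) sits between them.
VLANS = {
    5: ip_network("192.168.1.0/24"),
    999: ip_network("192.168.2.0/24"),
}
PC = ip_address("192.168.1.10")              # assumed address of the work PC (VLAN 5)
HOME_ASSISTANT = ip_address("192.168.2.50")  # assumed address of Home Assistant (VLAN 999)
ROUTER_WAN_IP = ip_address("203.0.113.7")    # assumed public address of R1 (documentation range)
HA_PORT = 8123                               # Home Assistant default port, as in the talk
PUBLIC_PORT = 443                            # the hole punched on the WAN side, as in the talk


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int
    proto: str = "tcp"


def segment(addr: IPv4Address):
    """Return the VLAN id an address belongs to, or 'wan' for anything outside our segments."""
    for vid, net in VLANS.items():
        if addr in net:
            return vid
    return "wan"


# Explicit allow list across the segment boundary: (src, dst, proto, dport).
# Anything not listed here is dropped by R1 (default deny between VLANs).
ALLOW = {
    (PC, HOME_ASSISTANT, "tcp", HA_PORT),  # manage Home Assistant from the PC
    (PC, HOME_ASSISTANT, "tcp", 445),      # SMB, to edit the config.yml file from the PC
}


def _key(p: Packet):
    return (p.src, p.sport, p.dst, p.dport, p.proto)


class SegmentFirewall:
    """Default-deny inter-VLAN filter with a port forward and connection tracking."""

    def __init__(self) -> None:
        self.sessions: set[tuple] = set()  # forward flows accepted so far; replies are admitted

    def filter(self, pkt: Packet) -> tuple[str, Packet]:
        """Return (verdict, packet as forwarded; translated when the port forward applies)."""
        # 1. Port forward: WAN traffic to R1:443 is translated to Home Assistant:8123 and accepted.
        if (segment(pkt.src) == "wan" and pkt.dst == ROUTER_WAN_IP
                and pkt.dport == PUBLIC_PORT and pkt.proto == "tcp"):
            pkt = replace(pkt, dst=HOME_ASSISTANT, dport=HA_PORT)
            self.sessions.add(_key(pkt))
            return "accept:port-forward", pkt
        # 2. Established: a reply to a flow we already accepted is allowed back across the boundary.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.sessions:
            return "accept:established", pkt
        # 3. Same VLAN: the switch forwards this itself; R1 never sees it.
        if segment(pkt.src) == segment(pkt.dst) != "wan":
            return "accept:same-vlan", pkt
        # 4. Egress to the WAN from either segment (assumption; the talk does not state this rule).
        if segment(pkt.dst) == "wan":
            self.sessions.add(_key(pkt))
            return "accept:egress", pkt
        # 5. The explicit whitelist of IP + port across the segment boundary.
        if (pkt.src, pkt.dst, pkt.proto, pkt.dport) in ALLOW:
            self.sessions.add(_key(pkt))
            return "accept:allow-list", pkt
        # 6. Default deny: everything else crossing between VLANs, or inbound from the WAN, is dropped.
        return "drop", pkt


def run_demo() -> dict:
    """Push a few constructed flows through the filter and collect the verdicts."""
    fw = SegmentFirewall()
    camera = ip_address("192.168.2.20")   # constructed IoT camera on VLAN 999
    client = ip_address("198.51.100.9")   # constructed remote client out on the WAN
    results = {}
    v, _ = fw.filter(Packet(PC, 50000, HOME_ASSISTANT, HA_PORT))
    results["pc->ha:8123"] = v                      # whitelisted
    v, _ = fw.filter(Packet(HOME_ASSISTANT, HA_PORT, PC, 50000))
    results["ha->pc reply"] = v                     # allowed only because of state tracking
    v, _ = fw.filter(Packet(camera, 40000, PC, 445))
    results["camera->pc:445"] = v                   # IoT device reaching into the LAN: dropped
    v, t = fw.filter(Packet(client, 51000, ROUTER_WAN_IP, PUBLIC_PORT))
    results["wan->r1:443"] = (v, t.dport)           # the punched hole, translated to 8123
    v, _ = fw.filter(Packet(client, 51001, HOME_ASSISTANT, HA_PORT))
    results["wan->ha:8123 direct"] = v              # not via the forward: dropped
    v, _ = fw.filter(Packet(HOME_ASSISTANT, 50001, PC, HA_PORT))
    results["ha->pc unsolicited"] = v               # new flow from IoT to LAN: dropped
    return results


if __name__ == "__main__":
    for flow, verdict in run_demo().items():
        print(f"{flow:24} {verdict}")
```

The rule order matters in the same way it does on a real firewall: the port forward and the established rule come before the default deny, and the reply from Home Assistant to the PC is accepted only because the PC's outbound flow was recorded first. Swap the camera in as the source and the same destination port is dropped, which is the whole point of putting the IoT devices on their own VLAN.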