Router for IoT Security

NetworkHound

Occasional Visitor
I have a higher-end consumer router that I got this spring connected to my ONT. It has been working great, but I've been getting concerned over the lack of security on my network. I have over a dozen IoT devices co-mingled with my primary computers, smart phones, and tablets. All the advice I've gotten is that I should segregate my IoT devices from my secure devices. I have a guest wireless network, but there is no way for me to put all my IoT devices on the guest network as some are ethernet based hubs.

The primary suggestion I received from the security forum here was to replace my consumer router with a wired router (and stand-alone access points) that can do VLAN tagging on the LAN ports. Then I could set up three VLAN groups: one for IoT, one for guests, and one for my secure devices (desktop, laptop, NAS).

My question is: what router should I be looking at? I'm decent with computers, but relatively new to networking. I was looking at the EdgeRouter Lite, but can you set up VLAN tagging via the GUI or do I need to learn the command line? I'd prefer to be able to do at least the basic setup with VLAN tagging using a GUI for now. Is the EdgeRouter Lite too complicated? Is there something simpler I can use to do this setup?
 
you might want to have a look at the asus blue cave router and its new security protocols for IoT security
Why would you advise someone concerned about security to look at a router that isn't even on the market yet and comes from a vendor known to take many firmware revision attempts to work bugs out of its products?
 
You can do port-based VLANs with a smart switch. You might also want to look at outboard products like CUJO and Circle with Disney.

If you want to look at routers with security features, the new Norton Core has just started to ship. But it's Norton's first router and they may not be in the router business for the long haul...
 
You can do port-based VLANs with a smart switch. You might also want to look at outboard products like CUJO and Circle with Disney.

If you want to look at routers with security features, the new Norton Core has just started to ship. But it's Norton's first router and they may not be in the router business for the long haul...

I looked at the Norton Core, it seems like a good concept and likely the way home routers will need to go to keep up with IoT security. However it is untested and I think it requires a $10/month subscription.

The CUJO is an interesting concept, I'll look into it.

If I'm going to get a new router and AP, any recommendations on ones that can easily do network segregation? A smart switch would work, but in order to separate the VLANs at the point of routing I assume I need a router.
 
However it is untested and I think it requires a $10/month subscription.
You are correct it is untested. But I would not balk at a subscription fee. It is cheap insurance against a network breach and these services need funding to support them. The more important issue is whether the service is effective, which, unfortunately, is beyond our ability to adequately test.
 
You are correct it is untested. But I would not balk at a subscription fee. It is cheap insurance against a network breach and these services need funding to support them. The more important issue is whether the service is effective, which, unfortunately, is beyond our ability to adequately test.

That's an excellent point.

The Norton Core looks like a consumer version of an enterprise gateway, where it monitors traffic and may have algorithms to auto detect and isolate suspect devices.

I'm just a little lost on what I'm looking for. Is it a Ubiquiti EdgeRouter, an out-of-the-box pfSense gateway, Netgear ProSafe firewall gateway/router, TP-Link firewall gateway/router?

It seems many of the entry level business firewall gateways act as routers and might be able to do all the VLAN tagging in addition to monitoring traffic. But I don't want to go too far down this rabbit hole and get something that's far too complicated for what I need, which is a secure router with network segregation.

I attached a potential setup I'm considering, but could really use some recommendations for the router.
 
Attachment: IMG_4532.JPG
Why would you advise someone concerned about security to look at a router that isn't even on the market yet and comes from a vendor known to take many firmware revision attempts to work bugs out of its products?


seems you have a bug with asus lately mate

i know that the blue cave has the same security features as the brt-ac828 which is a step above the usual aiprotect

not sure what is up your behind atm when it comes to asus but it sure isn't representative over what they can do with stock fw over other manufacturers

yes maybe they need to learn how to test in house first or at least beta test so it doesn't waste your time , but you can't bag the effort they put into security compared to others

maybe it's time to take a breather tim , you seem stressed
 
maybe its time to take a breather tim , you seem stressed
Thanks for your concern.

ASUS has consistently shown it will ship products to market that are not stable. I am testing yet another one now.

I can't let a recommendation to consider an unreleased ASUS product as a solution for security concerns, without a caveat, pass without comment.
 
I appreciate the discussion here, it has been very helpful. I actually appreciate both bringing the Asus router to my attention and the general warning, it is helpful for me to both be aware of the products but also of possible shortcomings.

I think I've decided to go for a more classic VLAN approach. While routers like the Norton Core and the Asus Blue Cave have potential to take consumer routers to the much needed next level of security, I want to go with something that has been tested and out for a while.

Attached is my currently planned setup. ONT -> Router (3 VLANS) -> Switch (Separation of the VLANS) -> APs and Devices.

The first thing I need to figure out is what would you recommend for the router in this diagram? I'd like something that can be set up with a GUI preferably and is less than $300. I just don't even know what I'm looking for. Is it a router, gateway, or a gateway firewall? They all seem to do similar things.
 
Attachment: Network Layout 2.png
ASUS has consistently shown it will ship products to market that are not stable.

and it's exactly the same for other manufacturers
product as a solution for security concerns

it was the specific info on the aiprotection and how it has been upgraded as it has in the brt-ac828 , having tested the brt-ac828 i have specific knowledge on that aspect and how it works with IoT , the blue cube will have the same setup for its security

see

http://www.digitalcitizen.life/sites/default/files/gdrive/asus_brt_ac828/asus_brt_ac828_wifi_30.png
 
what would you recommend for the router in this diagram? I'd like something that can be setup with a GUI preferably and is less than $300. I just don't even know what I'm looking for. Is it a router, gateway, or a gateway firewall? They all seem to do similar things.

they do all seem similar but the IoT side of things is in its infancy , things will have to change to improve this aspect and it depends on how much input you are prepared to undertake in setting it up , something like a computer as a gateway with pfsense

https://www.pfsense.org/

is both flexible and adaptable , but requires a learning curve

something like a stand alone router may be the solution with some of the ubiquiti edge router showing promise in this area

https://www.ubnt.com/products/#default

or maybe some of the draytek router only devices

https://www.draytek.com/en/products/router/broadband/

in the end you will prob have to pick a solution that's right for you
 
Thanks! I have been looking at pfSense as a gateway, but for now I think I might go with a Ubiquiti router to see if it can do what I need. A lot of people seem to really like Ubiquiti for more advanced setups and it looks like it can do all the VLAN setups I need via the GUI.
 
I am doing exactly what you are trying to do (as shown in the last diagram you shared) with a Netgear R7000, three vlans, trusted devices, guests, IoT.

This r7000 is running tomato kille72 v2017.2.

It just works for me and I just spent about $90 for the router.


Sent from my iPhone using Tapatalk
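
The three-VLAN layout discussed in this thread (trusted, guest, IoT) only isolates devices if the router also filters traffic between the VLANs, because a router normally forwards between its own subnets. The following is an added example, not code from any poster or vendor: a small Python model of a stateful inter-VLAN policy that can be used to reason about which flows should pass. The subnets, VLAN IDs and rule set are assumptions chosen for illustration.

```python
import ipaddress

# Constructed addressing plan (assumption): one subnet per VLAN.
ZONES = {
    "trusted": ipaddress.ip_network("192.168.10.0/24"),  # VLAN 10
    "iot":     ipaddress.ip_network("192.168.20.0/24"),  # VLAN 20
    "guest":   ipaddress.ip_network("192.168.30.0/24"),  # VLAN 30
}

# Ordered inter-zone rules, first match wins: (src zone, dst zone, action).
# "wan" is any address outside the three subnets.
RULES = [
    ("trusted", "iot", "accept"),   # manage hubs and cameras from the PCs
    ("trusted", "wan", "accept"),
    ("iot",     "wan", "accept"),
    ("guest",   "wan", "accept"),
]
DEFAULT = "drop"  # everything not listed, e.g. iot -> trusted


def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), "wan")


class Firewall:
    def __init__(self):
        self.established = set()  # flows that are allowed to receive replies

    def new_connection(self, src, dst):
        """Decide a connection-opening packet and remember accepted flows."""
        s, d = zone_of(src), zone_of(dst)
        if s == d:
            return "accept"  # same VLAN: switched, never reaches the router
        action = next((a for rs, rd, a in RULES if (rs, rd) == (s, d)), DEFAULT)
        if action == "accept":
            self.established.add((src, dst))
        return action

    def reply(self, src, dst):
        """A reply passes only if the opposite direction opened the flow."""
        return "accept" if (dst, src) in self.established else "drop"


def audit(rules=RULES):
    """List zone pairs that let an IoT or guest device initiate inward."""
    return sorted((s, d) for s, d, a in rules
                  if a == "accept" and s in ("iot", "guest") and d != "wan")
```

An empty result from `audit()` means no rule lets the IoT or guest VLAN open connections to another internal VLAN; replies to connections started from the trusted VLAN still pass through the state table.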
 
