Another firewall advice


I am talking about web encryption inspection, which includes HTTPS inspection. Be aware that with HTTPS inspection you need to install a CA certificate on all hosts/browsers. Untangle qualifies as an NGFW.

Untangle is an enterprise-level firewall that we get to run for cheap at home.
 
Both work the same way in Untangle and pfSense: a network-wide proxy. The issues are identical, mostly visible when you attempt to log in to banks and financial organizations. I have tried both and it's not something I would run on my network. Untangle's advantage is an easier user interface, but it's not free. pfSense is more flexible, but more knowledge is required. Untangle's community support is more limited as well, as the product is less popular. Both are good products and it's a matter of choice. I prefer pfSense because I'm more familiar with it and it's the default OS for my appliance.

By the way, how are you going to install the certificate on an IoT device if it uses HTTPS to communicate with some server? Just curious.
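The point made in the two posts above (an inspecting firewall forges a certificate for every site, so every client must trust the firewall's CA, and a device you cannot load it onto will fail verification) can be reproduced with the openssl command-line tool. This is an added example, not code from the thread or from Untangle/pfSense; the CA name "home-proxy-ca", the host name "bank.example" and the working directory are all made up for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: why HTTPS inspection needs the proxy's CA on every client.
# Requires the openssl CLI. Names and paths are assumed for the demo only.
set -euo pipefail

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. The inspecting firewall's own private CA (name "home-proxy-ca" is assumed).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=home-proxy-ca" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# 2. The certificate the proxy forges on the fly for a site a client visits.
#    "bank.example" is a placeholder, not a real host.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=bank.example" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -sha256 -in "$WORK/leaf.csr" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/leaf.crt" >/dev/null 2>&1

# A client that only trusts the system's public roots, i.e. a device you
# cannot add a CA to (most IoT gear). Chain validation fails.
verify_without_proxy_ca() {
  if openssl verify "$WORK/leaf.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# A client on which the proxy CA has been installed (a laptop or phone you
# manage). The forged certificate now validates and inspection works.
verify_with_proxy_ca() {
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/leaf.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

echo "client without proxy CA: $(verify_without_proxy_ca)"   # untrusted
echo "client with proxy CA:    $(verify_with_proxy_ca)"      # trusted
```

The "untrusted" result is exactly what a well-behaved IoT device does behind an inspecting proxy: its TLS handshake fails and it stops working, which is the practical reason the thread says you cannot run HTTPS inspection against such devices. The other possibility, a device that keeps working without the CA installed, tells you it never validated the server certificate in the first place, which is worth knowing before you put it on the same network as anything you care about.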
 
That means no lights, switches, power plugs, weather stations, thermostats, speakers, cameras, or doorbells. Did I miss something?
 
All these discussions are gold for me, as well as for anyone interested in this space. @Tech9, thanks for triggering plenty of discussions.

We will take our time to read, digest and plan what we intend to do. But we will take one step at a time, starting with the firewall. We will take a look at Untangle for convenience, but we like the flexibility of pfSense; we will take a call after checking out Untangle.

If we look at the vulnerabilities posed by IoT, they have exploded and will keep doing so. IoT will become an inevitable part of our lives, if it isn't already. Care is required in using these devices, in the way @Tech9 and @coxhaus explain, which is outside the skill set of the majority of the population.

If we take a quick look at the extent of data social media collects versus IoT, it is no less. That is one of the main reasons I am not on most social media platforms. At the same time, we are not worried about losing a bit of our privacy if it keeps us all safe.

Many thanks all for very helpful discussions and insights!
 
@coxhaus One question, though, which is more of a doubt.

Are we suggesting that a certificate needs to be installed on every IoT device for improved security? It still wouldn't prevent any vulnerabilities the devices may have because of a lack of security patches, would it?

Thx
 
That means no lights, switches, power plugs, weather stations, thermostats, speakers, cameras, or doorbells. Did I miss something?

I am using Apple's HomeKit, which uses Bluetooth, so I am avoiding all this, as I believe Apple has a better idea. It is limited and more expensive, but I prefer it.

You only need to load a CA if you want to inspect SSL traffic. No consumer devices do this, as it is more about managing your network the way a business does.
 
My suggestion: drop this idea entirely. Just separate your IoT from your main network, or your important devices from all the rest.

Makes sense.

  • The best option is an independent network: separate internet -> router -> wired and wireless for IoT. This is expensive.
  • Subnet/VLAN, where wired and wireless IoT devices can be connected.
Perhaps I may talk to Virgin Business about an additional static IP address on the account, while retaining the dynamic IP. But this is unlikely to result in a separate subnet.

Either way, the devices can remain on the LAN. Remote access while away can be via VPN. We don't need a cloud, unless the whole thing is offloaded to iCloud via HomeKit. My preference is a VPN connection rather than iCloud, though the latter is convenient.

Early days, though. Thanks! :)
 
Are you sure? It can be done with two routers in double NAT. All IoT connected to the first, all your devices to the second. There is a firewall in between.
I thought I had explained clearly. I wasn't thinking of a double NAT. The first option was running two independent connections, and hence an expensive option.

In a double NAT:
  • ISP modem -> Router 1 -> Firewall -> Router 2.
  • Change the default gateway to Router 1.
  • Router 1 will be the DHCP server, so reserve a static IP address for the firewall.
  • The firewall is the gateway to Router 2.
  • Router 1 will forward Router 2 traffic through the firewall.

One doubt with the above schematic: how does one shield the IoT devices? They sit outside the firewall, as they are connected to Router 1, do they not? Only the devices connected to Router 2 will be hidden behind the firewall.

IMO, we don't need a double NAT, although I haven't thought about this clearly, as it is early days. I have a Cisco switch, which I can leverage to create subnets/VLANs to achieve the same result: VLAN 1 for all IoT devices and VLAN 2 for the main network.
 
ISP modem —> Router 1 —> Firewall —> Router 2.

No. Even simpler and cheaper. Not the best, but it works and may cost nothing:

ISP modem -> Router 1 -> Router 2

IoT and what you don't trust much to Router 1, your protected devices to Router 2.
 
No. Even simpler and cheaper. Not the best, but it works and may cost nothing:

ISP modem -> Router 1 -> Router 2

IoT and what you don't trust much to Router 1, your protected devices to Router 2.
Thanks for your patience and help. This requires two routers, which I would need to buy. Why buy a set of routers if we can get the result with what we already have, except the firewall of course? :)

Would you place Router 2 -> Firewall -> Switch?

Considering what we already have, I would prefer the route below.

ISP modem -> Firewall -> Switch with VLAN 1, VLAN 2, ..., where VLAN 1 hosts IoT and VLAN 2 the protected devices; we can have a VLAN 3 for untrusted devices, if required.

Not the best
What's the best solution, please? You can't say no IoT! :)

Cheers!
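The "ISP modem -> Firewall -> Switch with VLANs" layout in the post above, and the earlier doubt about how the IoT devices themselves get shielded, come down to one forwarding policy on the firewall: the IoT VLAN may reach the internet, the protected VLAN may reach both the internet and the IoT VLAN, and nothing new from the IoT VLAN may reach the protected VLAN. The script below is an added example, not the thread's own configuration and not pfSense's; it expresses that policy for a Linux firewall with nftables. Interface names and VLAN IDs are assumed (eth0 = WAN, eth1 = trunk to the Cisco switch, VLAN 10 = IoT, VLAN 20 = protected); a pfSense box implements the same rules through its GUI.

```shell
#!/usr/bin/env bash
# Added example: firewall policy for "modem -> firewall -> switch with VLANs".
# Interface names and VLAN IDs below are assumptions, not from the thread.
set -euo pipefail

# Commands that create the two 802.1Q sub-interfaces on the trunk port
# facing the switch (the switch side carries both VLANs tagged on that port).
vlan_setup_commands() {
  local trunk=$1 iot_id=$2 lan_id=$3
  cat <<EOF
ip link add link $trunk name $trunk.$iot_id type vlan id $iot_id
ip link add link $trunk name $trunk.$lan_id type vlan id $lan_id
ip link set $trunk up
ip link set $trunk.$iot_id up
ip link set $trunk.$lan_id up
EOF
}

# nftables forward chain for the three interfaces.
#   protected -> internet : allowed
#   protected -> IoT      : allowed (you may talk to your own cameras/bulbs)
#   IoT -> internet       : allowed (cloud-dependent devices keep working)
#   IoT -> protected      : logged and dropped (a compromised bulb cannot
#                           reach the NAS or the laptops)
# Replies in both directions ride on conntrack state, so the IoT VLAN only
# ever answers the protected VLAN, never initiates towards it.
gen_forward_policy() {
  local wan=$1 iot=$2 lan=$3
  cat <<EOF
table inet homefw {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iifname "$lan" oifname "$wan" ct state new accept
    iifname "$lan" oifname "$iot" ct state new accept
    iifname "$iot" oifname "$wan" ct state new accept
    iifname "$iot" oifname "$lan" log prefix "iot-to-lan-blocked " drop
  }
}
EOF
}

# Returns 0 when the generated policy contains an explicit logged drop for
# IoT -> protected traffic (the rule that answers "how are the IoT devices
# kept away from the rest").
policy_blocks_iot_to_lan() {
  gen_forward_policy "$@" | grep -q "iifname \"$2\" oifname \"$3\" log prefix .* drop"
}

vlan_setup_commands eth1 10 20
gen_forward_policy eth0 eth1.10 eth1.20
```

Run the first function's output as root to create the VLAN interfaces, save the second function's output to a file and load it with nft -f (nft -c -f checks the syntax without applying it). NAT towards the WAN, per-VLAN DHCP and the switch-side port configuration (access ports in each VLAN, the firewall-facing port as a trunk) are outside this fragment. The explicit log-and-drop rule at the end is redundant with the chain's drop policy, but it gives you a log line every time an IoT device tries to cross over, which is the cheapest detection you will get for a misbehaving device.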
 
I can. And do. ;)
That's not a solution, is it? Please don't get me wrong. It is up to us whether we want to use it or not. While it is still maturing, an outright no to IoT is similar to not using the internet. ;-)
 
