pfsense and Rules For IoT Devices with mDNS

Captions
This is December 2018, only a few days after Christmas, and lots of people probably got some fancy new Internet of Things device that may or may not be secure, so maybe you don't want it on your network. I wanted to talk about that a little bit. There are always a lot of questions of: do I put IoT on the network? What should I have on my network, or what should go on some type of separate, segregated network, so that if these devices get attacked, or if the refrigerator gets compromised, it doesn't become an attack vector for your other devices? I just want to do this quick video to talk about how you can separate them on a network, why you should or shouldn't, and things you can do to make them still function despite them being on a separate network.

So I drew a diagram. What we've done here is essentially a microcosm of a piece of our network, broken out so you can see how the devices are set up. The orange here is the 192.168.3 network, where I have the UniFi switch, my computer, several other computers, phones and things like that. This is more or less the trusted, or safe, network. Then we have the 172 network here that has Internet only: it can only get out to the Internet and cannot go out and look at the local network. And then we have the Avahi protocol. I've done a video on this before (I possibly get the naming wrong) on mDNS, because some people messaged me with concerns when I did that video: "but doesn't that break the security model?" No, and that's what we're going to talk about real quick here.

The reason you may want IoT devices on a separate network is that if they become compromised they become attack vectors. When someone gets into your network, anything that reaches out through the firewall and listens for commands, which is how most IoT devices work, is a target: they're listening for commands, and if they were insecure or poorly designed, someone finds a way to hijack the commands coming in to them. We've seen many devices by lots of random companies come out there, get to market, but not really have any security auditing done until they were deployed in the market, which is what's created many of these IoT botnets. These devices, once hijacked, start looking for other things to hijack. Now, many of them simply go back out to the Internet to, you know, go back to attacking things, or whatever purpose they were set forth to do, but you don't want that to be you or something local on your network. In theory, if your computer's patched it should be safe from said things, but you still don't really want them making noise on your network, so we put them on a separate network.

Now, I have a couple of devices listed here, like the Chromecast or the Amazon Dot. Those are statistically less likely to be attack vectors, because both Google and Amazon have a pretty good security reputation, but lots of people get those off-brand random tablets and things like that, or random friends come over with their phones that maybe they side-loaded something onto, and maybe there's a security compromise on it that you don't know about and it's looking for things to start talking to. Or, as I have a screenshot from our friends over at Silicon Valley, the wonderful refrigerators that for some reason need to be connected to the Internet. You know, maybe the companies are really good at designing refrigerators but maybe not so good at designing the security related to those refrigerators, and your refrigerator becomes a potential attack point, and you don't want it wandering around.

The reason I mentioned the Avahi protocol is that some of these devices require talking to your local devices to function wholly. Chromecast specifically is one of them, but I believe some of the Apple AirPlay stuff does too, and I think Sonos and a handful of other devices. They use this protocol referred to as mDNS, and by loading up the Avahi daemon it maintains the mDNS lookup.

Now, first let's talk about how the rule sets work here. Again, anything on the dot-three network here has full access to the Internet and has access to these devices, and it sometimes causes confusion. By allowing the 3 network to talk to the 172 network, that means you requested it from your side of the network. Specifically, 3.9 is the IP address of my computer; if I go in and make a request to a device on this side, I'm the one to initiate the request, and it will only send back data based on my request for data. But these on this side here cannot initiate a request or even have awareness of the 192 network. So anything on the 172 network, if it scans its local network, may find the other things on this IoT network, but it doesn't have any ability to reach out to any other private addresses in the 192 space, because we have them blocked, and we'll get into the rules real quick, how I have them set up, in a second.

Now, this is also where we need the Avahi mDNS, because the Chromecast wants to talk to the phone, and if the phone is on a separate network it doesn't see it. Now, mDNS is a protocol that allows DNS lookups, a specific type of DNS lookup; you can look up the RFC spec, just Google mDNS and read into the details of it. That doesn't break the security model, because it's only publishing lists. This list then gets maintained on both sides of the network. The things on this network can do a call: "give me the mDNS list of devices that support these protocols." The mDNS service has it, and a Chromecast will be listed in there, and Avahi running maintains that list. So from a security model, you are still doing an initiated connection from here to talk to here, where the initiation is starting on the 192 network and then requesting something over on the 172 network. In the case of Chromecast, you would be opening up maybe the YouTube app, you select the Chromecast icon and say "hey", YouTube will then speak to that device and tell it to go get this YouTube video and display it on that Chromecast.

So this is where the confusion came in, because some people think: well, if it publishes the IP addresses of these things, doesn't that break the security? Well, no: the firewall rules maintain the separation between these devices, and with mDNS it's not really talking back to the phone, it's just giving it the feedback the phone requested via that app. So it's not giving, even with the initiating connection, some type of massive back access to it. Now, if somehow you had an mDNS device and an app that controlled it, you could potentially have an issue if there was some exploit both in the app and the methodology, and if it requested something and was able to send something back. It's a real edge case, and if you're that worried about security you wouldn't have any of these devices on your network; you wouldn't be trying to use Chromecast or any of those devices.

Now, the other things that would go on this network, let's say, would be things like garage door openers and other random IoT light switches and stuff like that, but most of those don't even need any type of mDNS lookup, because they don't look locally for the network. The methodology they connect with is that they contact wherever their host server is, as a service. For example, I've seen a few garage door companies that use an Amazon EC2 cloud instance; they contact that. So you get them, you set them up, you go to the app or portal, whatever that portal may be, and it talks to that portal in the Amazon cloud. And what your phone does when you load up the app for that garage door opener is talk to the Amazon portal, and because the two devices don't ever have to be on the same network, there's nothing you really need to do here: you can have them on a separate network, have these same rules, and it doesn't break anything at all. This is actually how many, many cloud devices work; they don't want to deal with trying to figure out local IP addresses and things like that. The ones that do are probably going to use mDNS. So there's never really any port mapping that needs to occur between these, unless you try to get complicated and put a printer over here. You'd have to map the ports that a printer uses between the firewall and the local network to get it on here. I usually recommend people not do that. It can be done, but you're going to create a more complicated network for yourself, because there are a lot of things that need to go on back and forth with them; they kind of expect to be on the same network, especially wireless printers. But once again, are wireless printers a threat model? Yeah, unfortunately people have found some security flaws in them. I generally recommend commercial printers, directly plugged in, because they're going to be better; take that for what it's worth. That is just kind of a risk of having the printers in there, if the printer goes out and wants to talk to the cloud. Some wireless printers are simpler, and I don't know every model of them, and you can just keep them on your local network and they don't need to call out, or you can just plug them in via USB and mitigate the potential for some of those issues.

All right, well, let's actually dig into the rules and what this looks like. The first thing I want to show you is the Avahi daemon, and it's really simple: enable it on LAN and IoT. For the sake of this discussion, that's how we're going to be doing this; don't worry about the other networks, we have several others for other purposes, but I want devices on LAN to be able to talk via mDNS to devices on IoT. Check a few boxes here, pretty straightforward, no advanced settings in here, hit save, and that's what bridges that mDNS across those devices. Once again, you're not changing any firewall rules, you're not allowing the passing of any traffic; it's basically like publishing a DNS list and listening on both sides with the DNS to make a list, but no actual traffic is going back and forth related to this. It's just a listing service that lists DNS entries.

Next, private networks versus public networks. I labeled this alias LTS_private_networks, with the description "our private network list", and you find this under Aliases in the firewall. The nice thing about an alias is that, because I have three different networks, and I don't want anything on the IoT network to be able to come back and talk to any of them, they are cleverly named: 3, 2 and VPN. Those are the networks right here.

So let's talk about the rule now. We've created this little alias. Now, if you only have two networks you could forgo this and only type in the IP address as a destination, and we're going to show you both ways to write this rule. So here's what the rule looks like: one rule that says the source is IoT net. So the source is the IoT network, the 172 network we talked about, and from that source network, where are we allowed to go, what's the destination? If you were to add the rule as wide open (the asterisk is basically wide open), it would be able to go anywhere else on the network. You have to have at least one rule in here to allow the traffic to route. We're saying that's wide open, so anything in the IPv4 protocol space, source IoT network, port asterisk (any port), destination: if you notice the little exclamation point ahead of this, and we mouse over it, we see our alias. It's saying, hey, exclamation point, not these, and I just refer to the rule in my description as "allow all except", which means allow all networks except this one. Let me go over here now and show you how that works: single host or alias, LTS_private_networks, invert match. Simple. The invert is really important, because if we didn't invert this it would do exactly the opposite of what we want: it wouldn't allow it on the Internet, it would allow it to my private networks, and we definitely don't want it there. Now, if you didn't want to write the alias, you could put 192.168.3.0; single host or alias, I believe, there we go; yes, this chooses Network if you want it to be a network destination, so 3.0 slash 24, if I only wanted to block the one network. But like I said, I prefer to do this as an alias, so we're going to say single host or alias, type the first letters of the alias, yes, here's a description, "allow all", and that's it for the rules. Hit save, and now the IoT devices can't get back to me, but I can get to them.

A quick demo to show you how that works. All right, now that we've seen the rules, I have a server sitting at the 172.16.69.39 address (a /24), and my computer is 192.168.3.9, as shown here, and I'm SSH'd in. What this is is pftop, and we've filtered for host 172.16.69.39, as we want to see what this host sees and show you how the rules work in action. So if I request an ICMP packet from 172.16.69.39, we now see 3.9 over to here; the traffic type is ICMP, as you can see right here, so no problem. Now, this is, like I said, the part I wanted to make sure people are clear on: if we try to ping 192.168.3.9, nothing, dead air. The firewall will not allow an established connection from there. So this is that little point of confusion that I just wanted to make sure is cleared up with people. When you're getting into networking, they assume that if the connection is made one way, it automatically means something can come back. The firewall prevents, based on the rules, a connection from coming back. So I can still ping this, but that still doesn't allow it, because my computer didn't request data. So here's that ICMP rule, it's going to expire; here's the one up here, no data traverses because of the firewall rule. But up at the top here, if we ping news.com, hang on, I can get out to the Internet, and you can follow what happened here: we have an ICMP packet, we have a UDP packet because it had to do a lookup on port 53 to figure out the address of the name I wanted to ping, and now it's sending data. So it has access to the Internet, but it doesn't have access to the local network.

So you know, these are the simple rules that you put on there. It doesn't have to be that complicated: that one rule with an invert in there saying don't go to my private network, just go out to the Internet and do your IoT thing, and hopefully you don't get attacked, and hopefully you don't get compromised, and away you go. Now, this also expands: so later, if you decide to do things like rate limit or speed limit that particular leg of the network, you could do that. You could put in a rule that says my IoT network can never have much bandwidth, because you don't want it to take away from your main network bandwidth. That's another concept you can do; it's not hard to do when you apply some of the rules, but in general they're usually not bandwidth hogs, well, except for things like Chromecast, that by their nature, if you're watching Netflix at 4K, are going to use some bandwidth. But this allows you to have them on a separate network, where you can worry about them a little bit less, but you can still get to them to make things function, like the Chromecast, using the Avahi protocol for mDNS.

So hopefully this concept makes sense to you. It's just, like I said, a real basic overview, and if you want to know more in depth, a walkthrough step by step, my Getting Started with pfSense video, which I'll throw a link to, will get you started from loading it to creating these network rules, step by step, all the way through. I've also got several videos on UniFi, on how to line up VLANs with pfSense; it's pretty straightforward to do. And, as always, hopefully this was helpful or enlightening to get you a better understanding of what the risk might be for having IoT stuff and why you might want to just keep it on another network, and how simple it is to do that and still maintain functionality. Not too big of a deal.

All right, thanks, thanks for watching. If you enjoyed this video, go ahead and hit the thumbs up. If you want to see more content from my channel, go ahead and hit subscribe and the bell icon, and hopefully YouTube will send you a notice. If you're interested in contracting Lawrence Systems for any type of IT services work or consulting work, go ahead and head over to lawrencesystems.com and fill out our contact form and get in touch with us. If you would like to help the channel out in other ways, you can use our affiliate links below in the description, or we have a link directly to our Lawrence Systems page where we have a list of different affiliate offers, and it's very appreciated if you use any of those for signing up for any of the services; many of them offer you discounts. If you want to head over to our forums, there'll be a link in the description for our forums, wherever they may be, because we've been looking at different forum platforms, but they'll always be relevantly linked right there. All right, once again, thanks. Leave some feedback and comments below on this video, if you loved it, if you hated it; I try to reply to everyone, the people who hate them and the people who love them. So thank you very much and see you next time.
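As an added example (editor's code, not from the video or the Lawrence Systems channel), here is a small Python model of the ruleset the video walks through: the IoT-interface rule whose destination is the private-networks alias with "invert match" ticked, the wide-open LAN rule, and pf's stateful behaviour that passes replies to an existing state but evaluates every new connection against the rules. It replays the flows from the pftop demo (LAN pings IoT and gets an answer; IoT cannot ping LAN; IoT can still reach the Internet) and then runs the same flows with the invert box unticked to show the opposite, wrong, behaviour the video warns about. The 172.16.69.39 and 192.168.3.9 addresses follow the video; the host 192.168.2.5, the 10.99.0.0/24 stand-in for the VPN network, and 8.8.8.8 standing in for "the Internet" are constructed for the example. Avahi's mDNS reflection is deliberately not modelled, since, as the video says, it is a listing service and not a firewall pass rule.

```python
"""Model of the pfSense IoT ruleset from the video: one 'allow all except
private networks' rule with the destination inverted, plus pf's default
stateful behaviour. Example code added by the editor, not the video's."""
import ipaddress
from dataclasses import dataclass

# Constructed network layout following the video. The third alias member
# ("VPN") has no address on the page, so a placeholder range is used.
LAN_NET = ipaddress.ip_network("192.168.3.0/24")
IOT_NET = ipaddress.ip_network("172.16.69.0/24")
PRIVATE_NETWORKS_ALIAS = [               # the pfSense alias LTS_private_networks
    ipaddress.ip_network("192.168.3.0/24"),
    ipaddress.ip_network("192.168.2.0/24"),
    ipaddress.ip_network("10.99.0.0/24"),   # placeholder for the VPN network
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "icmp", "udp" or "tcp"
    dport: int = 0       # 0 for ICMP
    reply: bool = False  # True for an echo-reply / answer to an open state


@dataclass
class Rule:
    """One pass rule as pfSense shows it: source network, destination
    (a network, an alias, or 'any') and the 'invert match' checkbox."""
    name: str
    src_net: ipaddress.IPv4Network
    dst_nets: list            # empty list means 'any' (the asterisk)
    invert_dst: bool = False

    def matches(self, pkt: Packet) -> bool:
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        if src not in self.src_net:
            return False
        if not self.dst_nets:
            return True
        in_dst = any(dst in net for net in self.dst_nets)
        return (not in_dst) if self.invert_dst else in_dst


class StatefulFirewall:
    """pf passes replies to connections it already holds a state for and
    evaluates only new connections against the rule list (first match wins;
    no match means the default deny)."""

    def __init__(self, rules):
        self.rules = rules
        self.states = set()   # (src, dst, proto, dport) of passed requests

    def evaluate(self, pkt: Packet) -> str:
        if pkt.reply:
            # A reply passes only if the matching request already went through.
            if (pkt.dst, pkt.src, pkt.proto, pkt.dport) in self.states:
                return "pass (state)"
            return "block"
        for rule in self.rules:
            if rule.matches(pkt):
                self.states.add((pkt.src, pkt.dst, pkt.proto, pkt.dport))
                return f"pass ({rule.name})"
        return "block"


def build_firewall(invert: bool = True) -> StatefulFirewall:
    """invert=True is the ruleset from the video; invert=False is the
    mistake it warns about (the rule then allows only the private networks)."""
    iot_rule_name = "IoT allow all except private" if invert else "IoT allow only private"
    return StatefulFirewall([
        Rule("LAN allow any", LAN_NET, []),
        Rule(iot_rule_name, IOT_NET, PRIVATE_NETWORKS_ALIAS, invert),
    ])


def run_demo(invert: bool = True) -> dict:
    """Replays the flows from the pftop demo, in order, and returns verdicts."""
    fw = build_firewall(invert)
    flows = {
        "lan->iot ping":       Packet("192.168.3.9", "172.16.69.39", "icmp"),
        "iot->lan ping reply": Packet("172.16.69.39", "192.168.3.9", "icmp", reply=True),
        "iot->lan ping":       Packet("172.16.69.39", "192.168.3.9", "icmp"),
        "iot->other private":  Packet("172.16.69.39", "192.168.2.5", "tcp", 445),
        "iot->internet dns":   Packet("172.16.69.39", "8.8.8.8", "udp", 53),
    }
    return {name: fw.evaluate(pkt) for name, pkt in flows.items()}


if __name__ == "__main__":
    for label, invert in (("invert match on (video ruleset)", True),
                          ("invert match off (the mistake)", False)):
        print(label)
        for name, verdict in run_demo(invert).items():
            print(f"  {name:22} {verdict}")
```

With the invert box on, the IoT host's own ping to 192.168.3.9 is blocked even though the reply to the LAN-initiated ping was passed a moment earlier; that is the state-table behaviour the pftop demo shows. With the box off, the verdicts flip: the IoT network can reach every private network and nothing else, which is the "exactly the opposite" the video describes.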
Info
Channel: Lawrence Systems
Views: 74,323
Keywords: pfsense and Rules For IoT Devices with mDNS, mdns, unifi, vlan, iot, internet of things, pfsense iot, pfsense iot vlan, pfsense iot network, pfsense iot rules, pfsense setup
Id: HW9mUrF1ZgU
Length: 17min 8sec (1028 seconds)
Published: Sat Dec 29 2018