Secure IoT Network Configuration

Captions
Welcome to Crosstalk Solutions. My name is Chris, and today we're going to be setting up a secure IoT network for your IoT devices. Now, IoT stands for Internet of Things, and this includes any number of quote-unquote "smart" devices that require internet or network access. With the growing number of IoT devices hitting the market, they are also increasingly targeted by hackers looking to find ways into your network. So this includes smart plugs, thermostats, televisions, gaming consoles, cameras, refrigerators, you know, the Alexa and Google Home type devices. All of these are examples of devices that should be isolated into their own IoT network, so that if they're compromised in any way they don't have access to your personal computers or network equipment that sits in your quote-unquote "main" network. OK, so let's go ahead and take a look at how we're going to set all of this up.

So here we have a Visio overview of what I'm going to be setting up today. We have the internet up top. I have an EdgeRouter 4 that plugs into a UniFi Switch 24, which then also pushes out to a UAP-AC-Pro. This is a very simplified version of my network; I actually have a lot more devices in this, but this will get us where we need to go. OK, so basically I've got my main LAN over here. This is my secure LAN, VLAN 1. It's where I do all of the management of my network switches and access points. I've got my computers in this network, I've got my phones, you know, like my iPhone, and any tablet devices are in this network. That does not count guests, OK? So one thing that I'm not showing here is that I do have a completely separate guest network for people that are visiting and just want to, you know, connect to the internet with their phones.

Then I'm going to be creating a second network here. This is going to be my IoT LAN, and I'm making it 192.168.107.0/24, and that's going to be VLAN 107. Now, why VLAN 107? It's an arbitrary number; you can pick whatever you want. For me, though, 107 is "IOT" in, like, leetspeak, so it just makes sense and it's easy to remember that that's where my IoT devices are. And of course this includes the smart plugs, Rokus, Apple TVs, smart TVs, gaming consoles, you know, thermostats, whatever you have. All of that should go into that network.

So now there's two ways to get into this network: wired or wireless. So if we go wired, I have the ability to untag ports, right? So for instance, up in my living room I have a small five-port switch. It receives a feed in from my main UniFi switch, and it basically gives network access to my PlayStation; there's like an Apple TV up there, a smart TV, and then I think there's a spare port, right? So all of those can be on this IoT network. So I just make an untagged port that feeds that unmanaged switch, or that non-VLAN-capable switch, and then all of those devices, when you plug them in, are going to be automatically on the 107.0 IoT network. For wireless devices, though, I have my quote-unquote "main" SSID, I have a guest SSID, and now I have a third SSID, which is what I'm using to ID, or identify, my IoT devices, so I called it the "IDIOT" network. Now, that in my case is a hidden SSID. If you search on your phone to try to find our network to connect to, you're not going to see that network. I have to manually input that into the devices, and we'll talk about that in just a little bit, because it works fine with most devices but it doesn't work fine with all devices, so we'll talk about how to overcome that challenge a little bit further in the video.

None of this means anything without actually putting some firewall rules in place to segregate the IoT network from the secured LAN. So we're going to do a number of firewall rules. The first thing we're going to do is allow established and related traffic coming from any private LAN network to go into the IoT LAN. So I have a ton of networks here, but I always adhere to the sort of standard RFC 1918 private LAN network ranges, and so anything that I've created internally should be able to see the devices in the IoT LAN network, and once a connection is established to those devices we can maintain that for two-way communication. However, it's not a two-way street; it doesn't work the other way around. The IoT LAN does not have access to any other private network other than its own.

So then there are a few other considerations that I have here. So I run a Pi-hole for DNS, and so if I wanted a primary and secondary DNS, I'm going to use my Pi-hole as the primary and I'm going to use the EdgeRouter as the secondary. So the primary is at 192.168.200.10, so I had to open up a port, UDP 53, over to the Pi-hole in the other network. And this is something that you're going to need to do for your own network, not necessarily for Pi-hole or for DNS, but for any device where you need to poke a hole through so that your devices can see something in your secure LAN. But it allows you to give very granular control, so that you're not just sort of opening the floodgates; you're, you know, surgically saying, look, you specific network, or specific devices in the network, can see this other specific device in my secure network, but only on a particular port, right? So same thing here with my Plex, right? So in order to get devices like my smart TVs and the Rokus to be able to see my Plex server, which is in my secure LAN (it probably should be in the IoT network as well, but it is in the secure LAN), we are allowing TCP port 32400 from the IoT LAN over to my secure LAN. Then we're dropping all other traffic, right? So we're basically only allowing those two ports through to my main LAN, and then all of the other traffic is dropped. However, we are also allowing UDP 53 to the EdgeRouter; that is for a secondary DNS server, just in case my Pi-hole is ever not responding or offline or something like that. Always good to have two DNS servers. There is one other rule, and that's to allow for DHCP, or to allow devices to get a DHCP IP address. But we've talked about this enough.

Let's go ahead and pop over to the configuration and get this thing set up start to finish. OK, so here we have the interface of my EdgeRouter. This is an EdgeRouter 4 running firmware version 1.10.8. I should be very clear, though: while I'm running an EdgeRouter with a UniFi switch and a UniFi access point, these same concepts can be applied to any set of equipment that understands VLANs and has a strong firewall. So if you've got a pfSense with Ruckus access points, this should still work; you just have to know the right buttons to press to get the same configuration into those devices. What I'm using, again, is the EdgeRouter, and so we're going to take a look at the EdgeRouter interface first.

Now, I've already created all of this. We can see I have my IDIOT network here, but in order to create a new VLAN we simply go Add Interface, Add VLAN. In this case the VLAN ID is 107. The interface is my main interface of eth1; that's the main interface that hosts my sort of secure LAN. Then for description we can put whatever we want; I'll put IDIOT. And then for the address we're going to say 192.168.107.1/24. That's basically giving our network a default gateway address and telling the EdgeRouter that this network is a Class C subnet. OK, so then we can say Save, and that is created. Now, of course, I've already created it, so I'm not going to save that.

The next thing we need to do is add a DHCP server for this network. So we're going to come over to the Services tab and we're going to say Add DHCP Server. The DHCP name is going to be whatever you want to call it; I'll call it IDIOT. Subnet: 192.168.107.0/24. Now for the range, I'm not going to have any static devices in this network other than the default gateway, so absolutely everything in this network can be DHCP. So the first DHCP address is going to be 192.168.107.2 and the last DHCP address is going to be 192.168.107.254. For the router, that's the default gateway, 192.168.107.1. For DNS 1, that is going to be my Pi-hole, which exists at 192.168.200.10 in another network. It's also a good idea, if you don't have a Pi-hole set up, to use some of the public DNS servers that do some level of malware protection, so that would be like 1.1.1.1 or 9.9.9.9. So if you use either of those two in place of what I'm doing here, it should work just fine. So in fact for mine I'm just going to do a secondary of 192.168.107.1, which is the default gateway interface; it's the listening interface for DNS on the EdgeRouter, but I haven't set that up yet, so let's go ahead and do that next. At this point I would click Save and my DHCP server is created.

OK, so to do the DNS portion of this, also in the Services tab, we want to click on DNS, and then from these drop-down boxes you can just say Add Listen Interface, drop it down, and select the interface that you want DNS to listen to requests on. In my case it's eth1.107, or VLAN 107, and then just click Save and we're good to go.

Finally, this is an optional step, but if you have something like a Google Chromecast you might want to enable an mDNS repeater. To do that we go over to Config Tree, and then you click on service, followed by mdns, and then click on repeater, and you can add a new interface, eth1.107; that is again Ethernet port one of the EdgeRouter for VLAN 107, so eth1.107. And what this does is, if for instance you had a Chromecast sitting in your IoT network, this allows a device to discover that Chromecast from a different network. OK, so that mDNS repeater basically just allows that communication to happen. There's a video that we did on how to set this up with a lot more specific mDNS information; I'll put a link to that video up on the screen. OK, so at this point we are all done with our setup. Let's go ahead and pop over to UniFi.

All right, so in UniFi the first thing that we need to do is tell UniFi that we have a new VLAN, VLAN 107. So we're going to go down here to Settings, and we're going to click on Networks, and then we're going to do Create New Network. Now, this can be the IDIOT network; the name can be whatever you want. We're going to say VLAN Only, and it's going to be VLAN ID 107, and then click Save. That's all we need to do; we now have that VLAN set up.

Now, if you have UniFi switches where you're going to be hard-wiring devices into the IoT network, you're likely going to want to hard-wire those as untagged network ports. So we're going to go over to our switch next. We're going to say Devices, we're going to click on our 24-port switch, we're going to click on Ports, and we're going to look at, for example, port 4. Now in my case, port 4 is that connection that goes up to my living room where I've got a TV, you know, a Samsung TV and a PlayStation and an Apple TV all sitting up in the same area. So I've got just a little dumb switch up there; it receives this feed from port 4 and then fans that out to all of those devices. It's not VLAN capable, so I needed to send any traffic going from this switch to that switch as untagged VLAN 107 traffic. So for the switch port profile I just chose the IDIOT network as the only network traffic that's going through that connection. OK, so a little bit more of an advanced topic, VLAN tagging and untagging; if you're interested in that kind of stuff, I have a ton of videos on VLANs on the channel. Just search through the Crosstalk Solutions channel for VLAN stuff.

OK, now for the wireless side. We can actually add a new SSID, so if I click on Settings and then click on Wireless Networks, we can see that I have this network here that I created. But typically you'd just want to click Create New Wireless Network. We're going to edit the one that I already created, and I'll show you all of the settings that you need for this network. OK, so first and foremost we're going to enable that wireless network. We want to do WPA Personal, as well as a strong security key. You're going to be typing this in manually to all of your devices, but just make sure that it's a strong security key so that no one else can get on this network.

Now, this next setting, Block LAN to WLAN Multicast and Broadcast Data, OK, so this is going to be optional. I have it turned on because I'm not taking broadcast data out of the wireless network onto the wired network. However, there's a thousand different IoT devices out there, and some of them may require that this be unchecked. OK, so I have it checked; it might require that it's unchecked. So for instance, if you have a device that relies on broadcast data to be discovered, right, then you might need to uncheck this so that you're not blocking that LAN data. Then down here we have the VLAN that we're going to use, so we want to check that box and we're going to use VLAN 107. And then down here, here's another setting that is also optional: Prevent This SSID From Being Broadcast. Now, what that does is it hides the SSID, so that if other people are at your home or near your home and they're looking for wireless signals on their phone or device, they're not going to see this IDIOT network show up in the list; it's hidden. Now, that means that for the IoT devices that you have, you're going to have to manually enter the IDIOT network SSID. Every device that I've added so far does have the capability of doing a manual wireless network for the device to connect to. However, again, there's thousands of devices out there; some might not have that capability. And another thing you might run into is, even if a device does have the ability to manually give it a network to connect to, it still might not work. So, case in point, I have a Nintendo Switch. I tried to put the Nintendo Switch on this network. It let me put in the wireless network information, but it would just not connect to that network. So what I did is I came in here, I changed this box so that it started broadcasting that SSID, and then the Switch found it and connected to it no problem, and then I came back in and turned it off again. So just keep in mind that you might have to fiddle with it a little bit to get all of your devices connected; not every device is going to connect perfectly.

OK, so then there are two more optional settings that you may or may not want to set. You can throttle bandwidth on this network, though I'm not doing it in my case. The reason being is that I've got smart TVs and, you know, Apple TVs and Rokus on this thing that are streaming Netflix and YouTube and whatever. I don't want to throttle that traffic; I want that to have full access to my bandwidth. But again, your mileage may vary on that. And then finally, you can potentially enable a WLAN schedule. So for instance, if you only want the wireless network available for your IoT devices to connect to during specific hours of the day, you can also lock that down here with this WLAN schedule. OK, so once you've got all those settings in there, go ahead and click Save, and your wireless IoT network is now configured and set up properly. What you can do is take your phone, or just some device that's easy to connect to a wireless network, and then connect that to the IoT wireless network just to make sure that DHCP is working, make sure that you have an internet connection and all that sort of good stuff. And now let's go ahead and move on to our firewall rules.

OK, so we are back in the EdgeRouter interface. We're clicking on the Firewall/NAT tab, and we're going to start by creating a firewall group that is going to encompass all of the possible private LAN network spaces. OK, so basically you would click Add Group here, and then you would come up with this rule. So here we have a Firewall/NAT group, and we called this RFC 1918 Ranges. You can just call this Local Networks or whatever you want to call it, but the networks that we are adding to this group are all of the private network ranges. So that's 192.168.anything, so basically 192.168.0.0/16, where the /16 accounts for the last two octets of the subnet range. Then we have 172.16.0.0/12; again, that is going to cover our 172.16 private address range. And then we have 10.0.0.0/8, which covers our 10.0.0.0 Class A range, so all of the possible addresses in the 10.whatever range. So go ahead and save that group, and now we're going to pop over to our firewall policies. We'll see where we're going to use that group in just a second.

So for the firewall policies, when you are creating policies, there are three directions, or three options, for traffic per interface, or per VLAN, of the EdgeRouter: you've got in, out, and local. In and out are a little bit confusing, because that is the direction that traffic is flowing in relation to the EdgeRouter's interface, right? So for VLAN 107, our example here, the "in" direction is stuff coming from VLAN 107 into the firewall and heading out to the internet, or to other networks, or to wherever. The "out" is stuff that's coming from the firewall into VLAN 107, so out of that port and into that VLAN. I know it's a little bit confusing. Then "local" is just stuff that's happening on that local network only.

OK, so let's start out with our "in" rule. That is traffic that is going from VLAN 107 out to either another network or out to the internet, and by default our default action is going to be accept. So what you would want to do here is Add Ruleset, and then you give it a name and description, and then say Accept and save it. Let's go ahead and see what that looks like once it's actually created. We can click on Configuration. So I call this IDIOT_IN; I gave it that same description. By default we are accepting all traffic from VLAN 107 into the EdgeRouter interface, wherever it's going to go, and then we are going to explicitly block that traffic, or deny that traffic, from hitting our private IP ranges, so basically anything that we just set up in that firewall group. OK, so then we are going to accept everything else.

Let's take a look at the rules that we created for this network. So first and foremost we are allowing established and related from our LAN networks network group. Let's take a look at that rule. OK, so this is called Allow Established/Related. This is for anything in my private IP ranges, my private LANs, my secure networks, that is reaching into the IoT network. We want to establish that connection and allow that connection to remain established. So this rule is enabled; we are going to Accept as the action, all protocols, and then if we go over here to Advanced we're just going to check the boxes for Established and Related, and then if we click on Destination, our network group is the RFC 1918 Ranges again, so the group that we created just a few minutes ago. OK, let's save that rule.

Let's move on to the next one. The next rule is allowing our Pi-hole DNS. So if you recall, I have Pi-hole in 192.168.200; it's actually at .10 in that network, and so we want to allow UDP port 53 open through to that Pi-hole so that we can allow DNS requests to happen and utilize that Pi-hole for blocking anything we don't want. So if we go to Actions, Basic on the UDP rule, we can see what this looks like. So we are doing Accept; we're doing actually both TCP and UDP just to cover our bases on the DNS requests. And then if we click on the Destination tab, our destination is specifically going to only 192.168.200.10 on port 53, so either UDP or TCP port 53. OK, so we're going to save that rule.

And then the next rule is to allow Plex. Now, Plex, again, these rules are going to be dependent on whatever services you happen to have running in your own network, but it's very similar to the Pi-hole DNS rule. Let's take a look at that one. There we're going to accept only on TCP when the destination is 192.168.200.190 on port 32400. Again, the best practice is I probably should move my Plex server into the IoT net as well, but since I haven't done that yet, this is how I have it set up now.

OK, so the final rule here is to drop the IoT network for any LAN network. So remember, by default this ruleset has accept, OK? So that means that it will take traffic out to the internet no problem, or out to any other network no problem, but we want to specifically block our private networks, except for the rules that we've already created for Plex and Pi-hole, and then the established/related, right? So Drop IoT to LAN Networks; let's take a look at that rule. By default we're going to Drop as the action, all protocols, where the destination is that LAN group, right? So basically these rules are processed in order. So if it hit the UDP 53 for my Pi-hole, it's going to allow that through no problem, but any other port, any other protocol, any other IP address, it is not going to allow that through to those private IP ranges, those reserved private ranges. But then, since the default rule is to accept, if we go out to, you know, Google, which is not in those private IP ranges, we are accepting that traffic outbound, out to the internet. OK, so we're going to save that rule.

Now let's take a look at our IDIOT_LOCAL rule. This is for stuff that is happening on the local network itself, so right within VLAN 107. So let's edit that ruleset. If we look at Configuration on this rule, by default we're going to drop all traffic, OK? So if we've parsed through the rules that we're allowing, then we're going to drop absolutely everything else locally on this network: drop all traffic. The interface that we're tying this one to is eth1.107, local. By the way, in the last rule I think I forgot to mention this part: it's eth1.107, in, for the previous rule, for the "in" rule, and then this is the local rule, so we're tying it to that interface. And the rules that we have here are just two simple rules: we are allowing DNS to 192.168.107.1 on port 53 for both TCP and UDP, so accept both TCP and UDP where the destination is 192.168.107.1 on port 53. OK, save that rule. We are also allowing for DHCP, so this rule says we're accepting UDP where the destination is any IP address on port 67. OK, so we're basically taking DHCP requests from anywhere within the IoT VLAN, and that's it. Everything else, all other traffic locally on this network, is just going to get straight-up dropped. OK, so we are allowing DNS, we're allowing DHCP, nothing else inside the IoT network itself.

OK, so with those two rulesets, notice that I enabled logging on both of them. So if we do Edit Ruleset, click on Configuration, I've got logging set up on the IDIOT_LOCAL and I've got logging set up on the IDIOT_IN. So how can we actually view those logs and see if our stuff is working properly? Well, to do that we can bring up SSH, and you're going to want to log into your EdgeRouter. OK, so here I am logged in, and we're just going to say show log tail, and this is going to just do an output of the stuff that is going through this log. The only stuff that I have enabled for logging right now are the two IoT firewall rulesets, OK? Everything else is turned off. So all of this traffic that you see flowing past the screen here, this is all chatter on that IoT network.

Now let's take a look at some of these, and we'll sort of dissect a couple of these log entries so that you guys can sort of just be able to understand what's going on in your IoT network. So let's go ahead and cancel this for a second, and let's just grab one of these at random. So here, let's just take this last one that came through here; let me move this up. This is some traffic that came through on the IDIOT_LOCAL interface, so this is basically broadcast traffic in the IDIOT network, where the source was 192.168.107.4 and the destination was 255.255.255.255; that is a broadcast, OK? Then we have the protocol, which is UDP, and it says DPT (it sort of stretches across the line here), but the destination port was 6666. So how do we figure out what this is? So basically some device, whatever device is 192.168.107.4, put out a broadcast on UDP 6666 in that local network. So what is that exactly? Let's take a look here. First thing we can do is go to our Services, DHCP, and we can look for our leases. So if we look at the leases for this network, 192.168.107.4 is actually one of my iClever smart plugs. So I've got a few of these on the network; I actually believe it's this one right here. So I've got this one set up, and if I turn it on and off with the app, I will actually see some traffic on the network that is in the IDIOT_IN, because it's communicating with the outside world in order to turn the traffic on and off. But this is local traffic; this is broadcast traffic. So let's take a look at it again. First of all, what is UDP port 6666 used for? Let's take a look at that; you can just Google it, UDP port 6666, and it should tell you what it is. In this case UDP port 6666 is IRC, OK? So it's basically doing IRC broadcasts every few seconds. Probably, I'm not sure why it would do that, as a keepalive, or maybe it's talking to other, you know, similar devices in the same network or something; I really don't know why it does that. But again, since I don't know why it does that, this is why we want to keep that chatter off of my secure network and on to its own IoT network, right? It makes sense now that we want to separate that traffic.

All right, let's take a look at another example. We're going to go back here and let's see if we can find an IDIOT_IN. So here's one here, IDIOT_IN. This came from 192.168.107.4, so this is the same device; this is the iClever device reaching out to the internet on TCP port 1883. And you can actually look at the content of the packet if you want to dig in further, but you would need something like Wireshark to be able to do that: capture all of the packets from this particular device, and then you could actually look at the contents of this packet to see what it's sending, if you really wanted to start digging in deep. But let's just check out what TCP port 1883 is used for. OK, so TCP port 1883 is used for the MQ Telemetry Transport protocol, or MQTT. Now, I'm not sure exactly what that is, but these iClever devices are pretty amazing; you know, they're very, very responsive with the app. I mean, anywhere in the world you can hit this app and turn these on and off, like this, watch: on/off, on/off, right? So I'm doing that from the app, out to the internet and then back, right, and it's very, very responsive when you do that. But let's see where this is actually going. So we can see that it is TCP port 1883, but the destination here is 34.215.132.211, so let's copy that and let's do an IP address lookup for that IP address. Paste and look it up, and what we can see here is that it is sending traffic out to an AWS server, an Amazon server, located in Boardman, Oregon. So actually not too far from me; I'm out here on the coast, and then, you know, that is Boardman, Oregon up here. There must be an Amazon data center in that location. So what it seems like to me is that these iClever devices are phoning home, and iClever uses Amazon AWS as their sort of cloud servers; they probably have them all over the world, I imagine. And so when I'm hitting the button here to turn these on and off, it's actually communicating with Amazon AWS, which this device is also communicating with.

OK, let's see if we can look at one more example. I'm going to turn the logging back on here, and I'm going to put YouTube on my Roku. OK, so I actually have a YouTube video playing in the background here, and I turned the volume down, but you can see, like, how much stuff is flowing past the screen here. It's bringing in just tons and tons and tons of information; every time I select text and then it disappears, that's a full page of information that's going past the screen here. So let's go ahead and hit Ctrl-C and let's see if we can find some of that YouTube traffic. So the device is 192.168.107.3; here it is, right here, and we can see IDIOT_IN. That is traffic that's heading out to the internet from 192.168.107.3, that's the source, and the destination is an address starting 173.194. Let's grab that IP address; and then the protocol is TCP and the destination port is port 443, or HTTPS, right? So let's go ahead and take a look at that IP address; paste that, look up IP address, yep, and there we go. So that is traffic that is going out to Google, and it looks like, well, it says Kansas, but I think that's just that it didn't exactly determine where it was; so it's a Google data center somewhere.

OK, so there you go. And really the point of all this is that once you isolate that traffic, it becomes a lot easier to log that traffic. You can also use syslog; I mean, I'm connected directly to the EdgeRouter, but you could log that traffic to a syslog server or something like that instead, which might make it a little bit easier to sift through and read through. But it allows you to sort of take a close look at what these kinds of IoT devices are doing on the network, and then of course you can take it a step further and maybe set up alerts or filters or whatever you want, and then start getting really deep into the networking from here if you want. But if you don't want to do that and you don't care, at least you know now that these IoT devices have no access whatsoever to your internal LAN network, or your secure and private LAN networks, not even like a guest wireless network. They cannot get into those networks at all; they can only get out to the internet.

OK, so that's going to do it for this video. What do you guys think? What did I miss? What would you add to this setup? Any additional firewall rules? The only other firewall rule that I should probably add to this, because I know someone will comment on this, is a rule in the IoT "in" ruleset that specifically blocks UDP and TCP port 53 for any other DNS servers, right? So that way one of these devices can't use its own separate DNS server to get out to the internet. So I will probably add that rule as well, just to block any other DNS servers and only allow the DNS servers that I say are OK. That would be an extra security precaution. But what else is there? So there's a lot to this IoT stuff. I highly recommend segregating your IoT stuff onto its own network, and once you have it set up like this, you now have the ability to start migrating all of your IoT devices into that network. I have migrated about half of mine so far; I have another half that I need to do, and it's just sitting down with the device and, you know, basically reconnecting it to the IoT wireless network. OK, so that's going to do it. I hope you guys enjoyed this video. If you did enjoy this video, please give me a thumbs up. If you'd like to see more videos like this, please click Subscribe. My name is Chris, and this is Crosstalk Solutions, and thank you so much for watching.
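The log-reading part of the video (dissecting the IDIOT_IN and IDIOT_LOCAL entries from `show log tail`) can be turned into a small audit that checks the logged flows against the intended policy: the two holes into the secure LAN (Pi-hole on port 53, Plex on TCP 32400), the RFC 1918 drop, and the extra "no other DNS servers" rule mentioned at the end. This is an added example, not code from the video or from Ubiquiti; it assumes the EdgeOS log prefix format `[<ruleset>-<rule>-<A|D>]` followed by the netfilter `key=value` fields, and the ruleset names IDIOT_IN and IDIOT_LOCAL from the video. The sample log lines are constructed, with documentation addresses standing in for outside hosts.

```python
"""Audit EdgeOS firewall log lines from the IDIOT_IN and IDIOT_LOCAL rulesets.

Added example, not code from the video or from Ubiquiti. Assumed log format:
the netfilter LOG prefix EdgeOS writes as "[<ruleset>-<rule>-<A|D>]" followed
by the usual key=value fields (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=).
"""
import ipaddress
import re
from collections import Counter

# The private ranges that make up the RFC 1918 firewall group in the video.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hosts and ports the video deliberately opens from the IoT VLAN into the secure LAN.
PIHOLE, PLEX, IOT_GATEWAY = "192.168.200.10", "192.168.200.190", "192.168.107.1"
HOLES_TO_LAN = {(PIHOLE, "UDP", 53), (PIHOLE, "TCP", 53), (PLEX, "TCP", 32400)}
# Resolvers the IoT devices are supposed to use (Pi-hole first, router second).
APPROVED_DNS = {PIHOLE, IOT_GATEWAY}
PREFIX_RE = re.compile(r"\[(?P<ruleset>[A-Za-z0-9_]+)-(?P<rule>\w+)-(?P<action>[ADR])\]")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the firewall fields of one syslog line, or None for non-firewall lines."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(line[m.end():]))
    if "SRC" not in fields or "DST" not in fields:
        return None
    dpt = fields.get("DPT", "")
    return {"ruleset": m["ruleset"], "action": m["action"],  # A = accepted, D = dropped
            "src": fields["SRC"], "dst": fields["DST"], "proto": fields.get("PROTO", "?"),
            "dport": int(dpt) if dpt.isdigit() else None}


def is_private(addr):
    """True when addr lies in the RFC 1918 group, i.e. it is one of our own LANs."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def audit(lines):
    """Classify logged flows against the intended policy.

    Returns (findings, talkers): findings is a list of (kind, entry); talkers counts
    (src, dst, proto, dport) tuples so the chattiest devices stand out.
    """
    findings, talkers = [], Counter()
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        talkers[(e["src"], e["dst"], e["proto"], e["dport"])] += 1
        flow = (e["dst"], e["proto"], e["dport"])
        if e["ruleset"] == "IDIOT_IN":
            if is_private(e["dst"]):
                if e["action"] == "A" and flow not in HOLES_TO_LAN:
                    # Accepted into a private range through none of the holes: the drop
                    # rule is missing or ordered after an accept that is too broad.
                    findings.append(("LEAK_TO_LAN", e))
                elif e["action"] == "D":
                    findings.append(("BLOCKED_LAN_PROBE", e))  # segmentation doing its job
            elif e["dport"] == 53 and e["dst"] not in APPROVED_DNS:
                # Device using its own resolver; the extra port-53 rule the video
                # mentions at the end would stop this.
                findings.append(("DNS_BYPASS", e))
        elif e["ruleset"] == "IDIOT_LOCAL" and e["action"] == "D":
            findings.append(("LOCAL_CHATTER", e))  # e.g. the UDP 6666 broadcasts
    return findings, talkers


def summarize(findings):
    """Count findings by kind, as a plain dict."""
    return dict(Counter(kind for kind, _ in findings))


# Constructed sample lines (not a real capture); outside hosts use documentation addresses.
SAMPLE_LOG = """\
May  1 10:02:11 ubnt kernel: [IDIOT_LOCAL-default-D]IN=eth1.107 OUT= SRC=192.168.107.4 DST=255.255.255.255 LEN=72 TTL=64 DF PROTO=UDP SPT=6666 DPT=6666 LEN=52
May  1 10:02:12 ubnt kernel: [IDIOT_IN-default-A]IN=eth1.107 OUT=eth0 SRC=192.168.107.4 DST=203.0.113.10 LEN=60 TTL=63 DF PROTO=TCP SPT=51000 DPT=1883 SYN
May  1 10:02:13 ubnt kernel: [IDIOT_IN-20-A]IN=eth1.107 OUT=eth1 SRC=192.168.107.3 DST=192.168.200.10 LEN=60 TTL=63 DF PROTO=UDP SPT=40000 DPT=53 LEN=40
May  1 10:02:14 ubnt kernel: [IDIOT_IN-40-D]IN=eth1.107 OUT=eth1 SRC=192.168.107.3 DST=192.168.1.50 LEN=60 TTL=63 DF PROTO=TCP SPT=52000 DPT=445 SYN
May  1 10:02:15 ubnt kernel: [IDIOT_IN-default-A]IN=eth1.107 OUT=eth0 SRC=192.168.107.3 DST=203.0.113.53 LEN=60 TTL=63 DF PROTO=UDP SPT=40001 DPT=53 LEN=40
May  1 10:02:16 ubnt kernel: [IDIOT_IN-10-A]IN=eth1.107 OUT=eth1 SRC=192.168.107.5 DST=192.168.1.20 LEN=60 TTL=63 DF PROTO=TCP SPT=53000 DPT=22 SYN
May  1 10:02:17 ubnt sshd[1234]: Accepted password for ubnt from 192.168.1.10 port 50000 ssh2
"""

if __name__ == "__main__":
    found, talk = audit(SAMPLE_LOG.splitlines())
    for kind, e in found:
        print(f"{kind:18} {e['src']} -> {e['dst']} {e['proto']}/{e['dport']} [{e['ruleset']}-{e['action']}]")
    print("top talkers:", talk.most_common(3))
```

On a real router the same audit runs over the output of `show log tail` saved to a file, or over the syslog server copy the video suggests, and anything reported as LEAK_TO_LAN or DNS_BYPASS points at a rule that is missing or misordered.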
Info
Channel: Crosstalk Solutions
Views: 319,156
Keywords: iot, internet of things, iot network, iot security, iot tutorial, ubiquiti edgerouter, unifi access point, unifi iot, usg, usg iot, ubiquiti, ubiquity, crosstalk, crosstalk solutions
Id: 6ElI8QeYbZQ
Length: 34min 29sec (2069 seconds)
Published: Wed May 01 2019