The concept of defense in depth is nothing new. Militaries use this strategy to slow down the advancement of opposing forces. Rather than try to prevent all advancement of the enemy, sometimes it is enough to slow them down (with hopes that they will surrender or retreat). The same is true with cyber security. Increasing the layers of defense in your network can decrease the likelihood of a full network compromise. Of course, there must be a balance between security and usability for the end users (especially if your end users are your family – it is important to keep your family happy!).
At the same time, we do not want to introduce new attack vectors for malicious actors to exploit. Anti-virus software is still an important tool for protecting devices, but such software can also increase the attack surface of your network: it runs with high privileges and pulls updates from the vendor. If the anti-virus company, or some other vendor in the supply chain, gets hacked, there is a risk that you receive malware through the very application that is supposed to protect you. How ironic is that? Such a situation is not out of the realm of possibility. An example is CCleaner, a PC maintenance utility in the same category as anti-virus tools (it attempts to remove unwanted junk from your PC): in 2017 a trojanized build was distributed through the vendor's official download channel after its build environment was compromised.
To add a dose of reality, a defense in depth strategy will not stop all intrusions, even though it can be very helpful. You must evaluate what is most important to protect and take the necessary steps to ensure that your data and systems are protected. A useful article I found provides a necessary perspective on why defense in depth is not always enough: you should not put all of your hope into this strategy, and you need to make sure you are focusing on protecting the right assets. You may have all the technology in the world protecting your assets, but your weakest link could be a human with privileged access to the data. Insider threats are just as important to consider as external threats.
Along the same lines, once a machine on your network is compromised, you can no longer trust the devices on your internal network. Protecting just the perimeter of your network is simply not enough against current threats. A “trust no one” X-Files type approach (what the industry now calls zero trust) can be beneficial for improving your network security, as long as you do not get overly paranoid, since that could impact the usability, performance, and stability of your home network.
A Metric for Success
For home network purposes, it is useful to consider how you wish to layer security controls into your network without disrupting the user experience. Simply isolating IoT devices onto their own network is a good start, but you can go much further and still have a great user experience on your home network. You will know that you are successful with layering various security controls when none of your users are unhappy with network outages or bothered by complex configurations. When done properly, things should just work. You should not discount that goal for your home network simply because it is not an enterprise network that requires such security and stability – a secure, reliable, easy to use home network is great to have! Plus, you have the added bonus of showing all your (techie) friends! (My wife knows that I may disappear for 45 minutes when I am showing someone new my home network setup.)
Example Scenario #1
When I first started the adventure of creating a more advanced home network, I did not know how far I would go with securing my network. It began as an exercise of separating devices on my network based on function and the level of access I wanted certain devices to have on my network and the Internet. Once I had separated my devices using VLANs, I began establishing firewall rules to define how devices will interact with one another (inter-VLAN communication). I have tried to be as restrictive as possible with the rules yet still allow the functionality that I require. After establishing the necessary firewall rules, I began making use of port isolation on my network switch to further restrict the access certain devices have on my network. In particular, I have an older Apple TV 3rd generation that only needs direct access to the Internet and nothing else on my network. I configured port isolation to only allow the Apple TV 3 to reach the switch port the router is connected to. It cannot talk to any device on other VLANs, nor even to devices on the same VLAN.
In this example, there are a few layers of security applied:
- Created a VLAN for IoT devices
- Firewall rules allowing IoT devices access only to specific parts of my network, such as my Plex Media Server
- Enabled port isolation on my network switch for certain Internet-only devices
Example Scenario #2
Another, more complex example is my IP security cameras, which I am currently using as high quality baby monitors. To secure the cameras, I created a VLAN for them. Then I blocked all Internet access to that VLAN. My cameras are wired to the network, which adds extra security if you are not using wireless devices to access them, since an attacker would need physical network access. However, I am using an older iPad mini as the monitor because it is much more convenient to carry around a wireless monitor than to set up a hardwired device as a baby monitor. Since I am using Ubiquiti wireless access points, I can create VLANs for my wireless devices (up to 4 separate SSIDs can be broadcast). I created a wireless VLAN using the same VLAN ID as my wired cameras. Since they are on the same VLAN, the same firewall rules are applied, so the iPad mini is also isolated from the Internet. I effectively have a closed network for my baby camera monitor, which is what I desire for security purposes. The cameras have their own web interface, which I set to use HTTPS instead of HTTP for extra security. They also have passwords that can be changed from the default, as well as the ability to create additional users with more limited permissions.
Later I added the ability for my phone, my wife's phone, and an older, larger iPad to access the camera network. All other devices on my network are blocked from accessing the cameras. I created a separate non-admin account on all my cameras and use that more restrictive account on the 3 additional devices I mentioned. The more restrictive user account cannot pan, tilt, or zoom (PTZ) the camera and also cannot talk through the microphone. Essentially, only access to the video feed is allowed. So if someone manages to hack one of our 3 devices, their access is limited (assuming they do not know the admin account password). They would not be able to scream at or harass my family, which is a real problem with Internet connected baby monitors. I also have the firewall rules scheduled to disable access to the cameras for the 3 monitoring devices at night while we are sleeping. This adds more security against hackers who may attempt to break in at night when everyone is asleep.
One last thing to note: I added the ability to remotely access my cameras via the OpenVPN service installed on my OPNsense router. I enabled strong encryption with certificates on the VPN, so it should be fairly secure, since you do not normally hear a lot about vulnerabilities in OpenVPN (but of course there is no guarantee with any software). Also, I should be able to spot unusual VPN activity since I only access the VPN from one device, so if I see more than one connected device then I most likely have a problem.
So in this scenario we have implemented several layers of security:
- Created VLAN for Ethernet connected IP security cameras
- Created VLAN on my wireless APs for an iPad monitor that has the same VLAN ID as the wired VLAN
- Firewall rules blocking Internet access for the IP cameras and the iPad mini monitor
- Firewall rules allowing 3 additional devices on my IoT network to access the cameras (but blocking all other IoT devices), scheduled to turn off at night when they are no longer needed
- Changed the default admin password on the cameras
- Created a non-admin user with limited permissions for the 3 specific devices to use
- Set the allowed list of IP/MAC addresses on the IP cameras to enforce which devices can access them (redundant to the firewall rules, but still useful if a hacker gets onto a device on my isolated VLAN: traffic between two devices on the same VLAN never crosses the router, so the firewall rules do not apply to it)
- Remote access only available via strong OpenVPN connection
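To make the layering in both scenarios concrete, here is an added example (my own illustration, not the author's OPNsense configuration) that models the policy as a first-match rule set and evaluates sample flows against it. Every subnet, device address, the Plex port (32400), the camera HTTPS port (443) and the 07:00–22:00 monitoring window are assumed values chosen for illustration. The model also captures the point made in the last bullet: a flow between two hosts on the same VLAN never reaches the router, so the firewall cannot say anything about it, which is why the cameras' own IP/MAC allow list is a separate layer rather than a duplicate.

```python
"""Model of the layered policy from Scenario #1 and Scenario #2.

Added example, not the author's configuration: all subnets, addresses,
ports and the time window are assumed values for illustration.
"""
from dataclasses import dataclass
from datetime import time
from ipaddress import IPv4Address, ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

# Assumed VLAN layout (not from the original post).
VLANS = {
    "LAN": ip_network("192.168.10.0/24"),      # trusted clients and the Plex server
    "IOT": ip_network("192.168.20.0/24"),      # Apple TV, phones, the larger iPad
    "CAMERAS": ip_network("192.168.30.0/24"),  # wired cameras and the iPad mini SSID
}
INTERNET = "INTERNET"                           # anything outside the VLANs above
PLEX = ip_address("192.168.10.5")               # assumed Plex Media Server address
PLEX_PORT = 32400                               # Plex default port (assumed here)
CAMERA_HTTPS = 443                              # cameras' web UI, switched to HTTPS
MONITORS = frozenset(ip_address(a) for a in     # the three devices allowed to view cameras
                     ("192.168.20.11", "192.168.20.12", "192.168.20.13"))
DAYTIME = (time(7, 0), time(22, 0))             # schedule: camera access only while awake


def vlan_of(addr: IPv4Address) -> str:
    """Map an address to the VLAN it lives on, or INTERNET if it is not local."""
    for name, net in VLANS.items():
        if addr in net:
            return name
    return INTERNET


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                                       # "pass" or "block"
    src_vlan: str
    dst: str                                          # VLAN name, INTERNET, or "ANY"
    src_hosts: FrozenSet[IPv4Address] = frozenset()   # empty = any host in src_vlan
    dst_host: Optional[IPv4Address] = None
    dport: Optional[int] = None
    window: Optional[Tuple[time, time]] = None        # (start, end) local time; None = always

    def matches(self, flow: Flow, now: time) -> bool:
        if vlan_of(flow.src) != self.src_vlan:
            return False
        if self.src_hosts and flow.src not in self.src_hosts:
            return False
        if self.dst != "ANY" and vlan_of(flow.dst) != self.dst:
            return False
        if self.dst_host is not None and flow.dst != self.dst_host:
            return False
        if self.dport is not None and flow.dport != self.dport:
            return False
        if self.window is not None:
            start, end = self.window
            if not (start <= now < end):
                return False
        return True


# First match wins (how OPNsense "quick" rules behave); a flow that matches
# nothing is dropped by the default deny at the end of evaluate().
POLICY = [
    # Scenario 1: IoT devices may reach Plex and the Internet, nothing else local.
    Rule("pass", "IOT", "LAN", dst_host=PLEX, dport=PLEX_PORT),
    # Scenario 2: three named devices may view cameras over HTTPS, daytime only.
    Rule("pass", "IOT", "CAMERAS", src_hosts=MONITORS, dport=CAMERA_HTTPS, window=DAYTIME),
    Rule("block", "IOT", "LAN"),
    Rule("block", "IOT", "CAMERAS"),
    Rule("pass", "IOT", INTERNET),
    # Cameras (and the iPad mini on the same VLAN) get no Internet and no other VLAN.
    Rule("block", "CAMERAS", "ANY"),
    # Trusted LAN clients may go anywhere except the camera network.
    Rule("block", "LAN", "CAMERAS"),
    Rule("pass", "LAN", "ANY"),
]


def evaluate(flow: Flow, now: time = time(12, 0)) -> str:
    """Return "pass", "block", or "not-enforced" for a flow at local time `now`.

    Same-VLAN traffic is switched, never routed, so the router's rules never
    see it; that gap is what the cameras' own IP/MAC allow list closes.
    """
    src_vlan, dst_vlan = vlan_of(flow.src), vlan_of(flow.dst)
    if src_vlan == dst_vlan and src_vlan != INTERNET:
        return "not-enforced"
    for rule in POLICY:
        if rule.matches(flow, now):
            return rule.action
    return "block"  # default deny, including anything arriving from the Internet


def decide(src: str, dst: str, dport: int, hhmm: str = "12:00") -> str:
    """String-friendly wrapper around evaluate() for quick checks."""
    hour, minute = (int(x) for x in hhmm.split(":"))
    return evaluate(Flow(ip_address(src), ip_address(dst), dport), time(hour, minute))


if __name__ == "__main__":
    for label, args in [
        ("Apple TV -> Plex", ("192.168.20.50", "192.168.10.5", 32400, "14:00")),
        ("phone -> camera at 14:00", ("192.168.20.11", "192.168.30.10", 443, "14:00")),
        ("phone -> camera at 02:00", ("192.168.20.11", "192.168.30.10", 443, "02:00")),
        ("iPad mini -> camera (same VLAN)", ("192.168.30.25", "192.168.30.10", 443)),
    ]:
        print(f"{label:32} {decide(*args)}")
```

Running it shows the phone reaching a camera at 14:00 but not at 02:00, the Apple TV reaching Plex but nothing else on the LAN, the cameras never reaching the Internet, and the iPad mini to camera flow coming back as "not-enforced", which is the case the camera-side allow list and non-admin account exist for.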
These are only a few examples of how you can layer security controls to restrict access to your devices or data. An attacker potentially has to penetrate multiple layers to finally get to your devices or data. The more difficult that is, the less likely an attacker will take the time to push further into your network, especially if you are not a large target as a home user. This strategy should help reduce simple drive-by attacks that are automated to hit any user with exposed, vulnerable devices.
However, keep in mind that it is still possible to bypass multiple layers of protection if there is a high risk security vulnerability that allows easy “backdoor” access (which is what the article I referenced above describes as a potential “gotcha”, since it is impossible to anticipate and block all possible vulnerabilities). Do not let this possibility scare you away or make you feel as though it is not worth implementing a defense in depth approach on your home network. You do not have to go to extremes, but a few simple added layers of security can make a big difference in securing your home network.