
Access between vlans.

Bob.

Member
Dec 6, 2011
Setup:
Cisco DPC3010 modem
WRT54GL Router
dd-wrt firmware


Pertinent facts:
Using the ddwrt firmware, I've recently revamped my home/home office network to create multiple isolated vlan networks in the IP range 192.168.(1-5).xxx. I've created a vlan for each LAN port on the wrt.


I have done this to isolate my business, wireless, wife's system, a TV with Netflix and Amazon Fire (will have a media PC in future). I also have a 'guest' network that will be used to clean up virus-infected systems (outside systems brought in).


There are 5 vlans (including the wireless network). They are all unbridged and can access only the internet, not each other. All of these networks are working fine: they are able to access the internet and able to see and access other machines on the same vlan.
I have further "protected" these networks from each other with the following firewall rules (entered into Administration\commands in ddwrt):


iptables -I FORWARD -i vlan+ -o vlan+ -j DROP
iptables -I FORWARD -i vlan+ -o vlan1 -j ACCEPT
iptables -I FORWARD -i vlan1 -o vlan+ -j ACCEPT

So I think I've pretty much protected my business network, but I also, on occasion, might need to access machines on the other networks. I could move cables around to place various machines on the same network, but I'm thinking there may be a more elegant solution than that.

Questions:

1. Is the above described method a viable way to protect these networks from each other?

2. What is the best and most secure way to accomplish this occasional access? Will I need to use remote software (RDC, UltraVNC, etc.)? A VPN? Not sure how to handle this securely.

Thanks for any help.
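A way to check what those three rules actually do before trusting them: the chain below is a small model of netfilter's FORWARD evaluation, added here as an example and not part of the post or of dd-wrt. It assumes the usual WRT54GL/dd-wrt naming where vlan1 is the WAN interface and vlan2 to vlan5 are the per-port LAN VLANs (an assumption; the post only says vlan1 is the one interface allowed to talk to all the others). The point it shows is that `-I` prepends, so the effective order is the reverse of the order typed, and the broad `vlan+ -> vlan+` DROP ends up last; the same three lines with `-A` would sit in typed order and drop the WAN traffic too.

```python
"""Model of the three dd-wrt FORWARD rules from the post (added example).

Assumption: vlan1 = WAN, vlan2..vlan5 = isolated LAN VLANs.  Only the
FORWARD chain is modelled; traffic addressed to the router itself goes
through INPUT and is not covered by these rules.
"""
from fnmatch import fnmatchcase

# The three rules exactly as typed in Administration > Commands.
POSTED_RULES = [
    "iptables -I FORWARD -i vlan+ -o vlan+ -j DROP",
    "iptables -I FORWARD -i vlan+ -o vlan1 -j ACCEPT",
    "iptables -I FORWARD -i vlan1 -o vlan+ -j ACCEPT",
]


def _pattern(iface: str) -> str:
    """iptables' trailing '+' is a prefix wildcard; map it to a glob."""
    return iface[:-1] + "*" if iface.endswith("+") else iface


def build_forward_chain(commands):
    """Apply `iptables -I/-A FORWARD -i X -o Y -j T` lines to an empty chain.

    -I inserts at position 1 (top), -A appends at the bottom, exactly as
    netfilter does, so the returned list is the order packets are matched in.
    """
    chain = []
    for cmd in commands:
        tok = cmd.split()
        mode = tok[1]
        rule = {
            "in": tok[tok.index("-i") + 1],
            "out": tok[tok.index("-o") + 1],
            "target": tok[tok.index("-j") + 1],
        }
        if mode == "-I":
            chain.insert(0, rule)
        elif mode == "-A":
            chain.append(rule)
        else:
            raise ValueError(f"unsupported iptables mode: {mode}")
    return chain


def forward_verdict(chain, in_if, out_if, policy="ACCEPT"):
    """First matching rule wins; fall through to the chain policy otherwise."""
    for rule in chain:
        if fnmatchcase(in_if, _pattern(rule["in"])) and \
           fnmatchcase(out_if, _pattern(rule["out"])):
            return rule["target"]
    return policy


def check_isolation(commands=POSTED_RULES, wan="vlan1",
                    lans=("vlan2", "vlan3", "vlan4", "vlan5")):
    """Return {(in_if, out_if): verdict} for every LAN<->WAN and LAN<->LAN pair."""
    chain = build_forward_chain(commands)
    verdicts = {}
    for a in lans:
        verdicts[(a, wan)] = forward_verdict(chain, a, wan)   # outbound to internet
        verdicts[(wan, a)] = forward_verdict(chain, wan, a)   # replies / port forwards
        for b in lans:
            if a != b:
                verdicts[(a, b)] = forward_verdict(chain, a, b)  # inter-VLAN
    return verdicts


if __name__ == "__main__":
    for label, cmds in (("-I as posted", POSTED_RULES),
                        ("-A instead", [c.replace("-I", "-A") for c in POSTED_RULES])):
        print(f"== {label} ==")
        for (src, dst), verdict in sorted(check_isolation(cmds).items()):
            print(f"{src} -> {dst}: {verdict}")
```

With the rules as posted, every LAN-to-LAN pair resolves to DROP while LAN-to-vlan1 and vlan1-to-LAN resolve to ACCEPT, which is the isolation the post describes. Two caveats the model makes visible: the verdict depends entirely on `-I` ordering (swap to `-A` and the first DROP rule swallows the WAN traffic as well), and nothing here constrains the INPUT chain, so a host on the guest VLAN can still reach the router's own services unless that chain is restricted separately.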
 
Feb 25, 2011
To handle it securely and not have to swap cables around, I guess a VPN would work.

Otherwise, why split it up so much? Work, Home, Done. A separate VLAN for your HTPC is just silly. And why separate your wife's computer and the Kindle?
 

imagoon

Diamond Member
Feb 19, 2003
Agreed, sounds overly complicated. Business, home, guest I can see. No reason to isolate the TV or kindle. Also if "home office" just means "where I work from home," I would also question the need for a business network also. Generally you are more likely to have a security issue connected to the internet than just being connected at home and VPNing in to work.
 

Bob.

Member
Dec 6, 2011
Hi and thanks for your comments. "Home office" here is a business that I've operated out of my home for the past 30 years. Recently, I've added computer systems repair and diagnostics to the services the business offers, which will at times include bringing systems to the "home office" to monitor, run full system scans, etc. And, having maintained systems for friends and family over the years, I've come to understand that most machines I bring in will likely be virus ridden, so it's important that my networks are secure, particularly my business network.

As for the TV (and fire TV, not kindle), I do understand that there isn't a lot of risk associated with media streaming, media servers and HTPCs at present, but with the explosive popularity of internet TVs, and the surrounding and upcoming tech, security will be an issue:

Internet TV security risk

Also, at times I could see using a browser from a pc connected to the tv to web surf.

I understand that the level of security I'm imposing is overkill, but going 'beyond code' is how I've run my business for many years. Better too much than too little is my perspective. I apply the same philosophy to my surfing habits.

As to the current issue, is it agreed that vpn is a secure and preferable method over others to accomplish the occasional need for connecting between the vlans? All vlans fall within the local IP ranges mentioned above (192.168.[1-x].1xx).

If so, I'd appreciate any pointers to good articles regarding vpn and/or other technologies that might suit my purposes.

Again, thank you for your comments.

Bob
 

Bob.

Member
Dec 6, 2011
An interesting read:

how-an-internet-connected-samsung-tv-can-spill-your-deepest-secrets

And a relevant excerpt:

Update:

In the event a TV is behind a router that uses network address translation, Auriemma's attack won't work at the moment. But with more work, he says it could be possible to use exploits based on IPv6, the next-generation Internet routing protocol, to bypass that protection. He also said readers shouldn't discount the ability to carry out the attack on local networks, since TVs may be plugged into office networks.

As further mentioned, not a great risk at present, but Mac was thought to be invulnerable to viruses, etc, as was Linux.

Perhaps the only condition necessary for 'bad guys' to exploit a system technology is its popularity, and it seems to me that the entertainment industry will move entirely to internet streaming in the near future.
 

seepy83

Platinum Member
Nov 12, 2003
If you're really concerned about security, then you shouldn't ever be "mixing and matching" systems from different security zones. The same goes for connecting your business network to your home network with a VPN. As soon as you do that, you've lowered the security of your business network. The VPN connection encrypts your network traffic to protect it from someone that might be able to sniff the data off the wire, but that's all that it does. If a host in your "Home" network is compromised, and you VPN in to "Home" from a computer in "Business", then you just opened up a channel of communication to one of your secure business computers, and the attacker that has compromised something in "Home" can potentially pivot to the Business network over that new VPN connection.
 

Bob.

Member
Dec 6, 2011
Well... VPN it is then.

Thanks Dave.

If you're really concerned about security, then you shouldn't ever be "mixing and matching" systems from different security zones.

Good point. I guess the best way around that is to make use of the "guest network", which will be empty unless I'm using it for an outside machine. I could use a laptop or a VM machine attached to that network (I have jacks in the office space for all networks). If there is trouble with one of the machines, I'll generally check (sitting at the machine in question) first for virus before connecting to it anyway. We've never had one.

I also don't leave open shares on any of the networks except for "Transfer" folder shares for shuttling files when necessary. Then, after my need to connect is done, I set windows firewall to block all incoming connections, including those on the allow list.

I guess there is no 'complete safety'.

To anyone: Are there any other security measures or methods of connection that I should be considering? And any links to educate?
 

imagoon

Diamond Member
Feb 19, 2003
As for the TV (and fire TV, not kindle), I do understand that there isn't a lot of risk associated with media streaming, media servers and HTPCs at present, but with the explosive popularity of internet TVs, and the surrounding and upcoming tech, security will be an issue:

Internet TV security risk

Bob

To be fair, what you are linking to is true for all devices. If you or the manufacturer don't maintain the application or device, it can be used to attack a network. TV, Kindle, internet clock or toaster, it doesn't matter. The main issue with isolating the HTPC/TV is now you can't use it with other devices. For example, I periodically stream things to my PC if I am working etc.
 

Bob.

Member
Dec 6, 2011
The main issue with isolating the HTPC/TV is now you can't use it with other devices. For example I periodically stream things to my PC if I am working etc.

True, but I guess everything is a trade-off. And I can access Netflix & Amazon Prime through the internet. :eek:
 