Could I ask what your solution is to this concern illustrated by +Troy Hunt?
So far I've been running some insecure protocols in my home network, typically NFS without authentication. I don't like this very much as a starting point; as a result, I've shared this network over Wi-Fi with almost no one.
For my next place, a larger apartment with very thick walls where I'll hopefully have more guests, I plan to use two Wi-Fi hotspots with roaming to cover every room well.
For guest Wi-Fi, I'm thinking about a few approaches, like:
Option 1:
Using a (3rd) dedicated Wi-Fi router for guests: the good thing is that I can plug it directly into my ISP's Ethernet, which generously assigns another public IP address to every new MAC making a DHCP request.
Pros: complete isolation, ability to disable very easily.
Cons: no Wi-Fi roaming for guests, no access to Android TV / Chromecast for casting.
Option 2:
Using a (3rd) dedicated Wi-Fi hotspot, not acting as a router and connected via another Ethernet card to a Linux machine acting as NAT router for both the home and guest networks.
Via ebtables (Linux Ethernet bridge management tool), allow each Android TV and Chromecast connected to the home network to appear on the guest network as well.
Pros: good isolation, ability to cast media from the guest network and connect to desired devices on the home network as well.
Cons: no Wi-Fi roaming for guests.
Option 3:
Assigning an internal IP in 10.0.0.0/24 to any unknown MAC address (guests) and 192.0.0.0/24 for known (home network) MAC addresses. Wi-Fi roams between the two access points, sharing the Wi-Fi password with guests.
Using a Linux machine as router, allow 10.0.0.0/24 IPs to communicate with selected 192.0.0.0/24 devices (Android TV and Chromecast) and not others, using iptables filtering.
Pros: great Wi-Fi coverage via roaming, ability to cast media and connect devices between guest and home networks (needs verification that the cast protocol is happy with the routing situation).
Cons: no real network isolation, low security (can be overridden by setting the IP address manually), could break some broadcast/multicast discovery protocols and introduce weird behaviors, and the Wi-Fi password is still being stolen and shared by Windows 10 Wi-Fi Sense.
Option 4:
Same as the previous option, with Wi-Fi roaming over two access points, but sharing only a guest SSID ending in _optout for Wi-Fi Sense, and using a different password from the one I use myself.
Since even sniffed WPA2 Wi-Fi can be decrypted, provided you already have the password, it's not a good idea to share it with anyone.
https://supportforums.cisco.com/document/100611/80211-sniffer-capture-analysis-wpawpa2-psk-or-eap
Pros: same, but solves the Windows 10 Wi-Fi Sense issue as well as captured Wi-Fi decryption.
Cons: same, and still no real network isolation or security.
What do you think?
#supercurioBlog #network #security #wifi
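As an added example that is not part of the original post, here is the iptables filtering Option 3 describes, for a Linux router forwarding between the guest and home ranges. The home side is written as 192.168.0.0/24 (the 192.0.0.0/24 in the post is not an RFC 1918 private range); the uplink interface name, the cast device addresses and the Cast ports (8008/8009, the protocol's usual ones) are assumptions, and the script only prints the rules unless run with `apply`.

```shell
#!/bin/sh
# Added example (not from the original post): iptables policy for Option 3.
# A Linux router forwards between the home range and the guest range; guests
# may reach only the listed cast devices, everything else home-bound is
# logged and dropped. Interface names and device addresses are placeholders.
HOME_NET="192.168.0.0/24"                  # the post's "home" range, RFC 1918 form
GUEST_NET="10.0.0.0/24"
WAN_IF="${WAN_IF:-eth0}"                   # assumed uplink interface
CAST_DEVICES="192.168.0.20 192.168.0.21"   # assumed Chromecast / Android TV
IPT="${IPT:-iptables}"                     # IPT=echo prints the rules instead

guest_rules() {
    # Own chain so the guest policy can be rebuilt as a unit
    $IPT -N GUEST_FWD 2>/dev/null || true
    $IPT -F GUEST_FWD
    # Guest-side packets of connections the home side opened itself
    $IPT -A GUEST_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for dev in $CAST_DEVICES; do
        # Cast control: TCP 8008 (HTTP/DIAL) and 8009 (Cast v2 over TLS)
        $IPT -A GUEST_FWD -d "$dev" -p tcp -m multiport --dports 8008,8009 -j ACCEPT
    done
    # Anything else aimed at the home range: rate-limited log, then drop
    $IPT -A GUEST_FWD -d "$HOME_NET" -m limit --limit 5/min -j LOG --log-prefix "guest-blocked: "
    $IPT -A GUEST_FWD -d "$HOME_NET" -j DROP
    # Guests get the internet and nothing else
    $IPT -A GUEST_FWD -o "$WAN_IF" -j ACCEPT
    $IPT -A GUEST_FWD -j DROP
    # Replies from allowed cast devices back to guests (in case the FORWARD
    # policy is DROP); inserted first so the hook below lands in front of it
    $IPT -D FORWARD -d "$GUEST_NET" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || true
    $IPT -I FORWARD 1 -d "$GUEST_NET" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Hook: every forwarded packet from the guest range enters the chain
    $IPT -D FORWARD -s "$GUEST_NET" -j GUEST_FWD 2>/dev/null || true
    $IPT -I FORWARD 1 -s "$GUEST_NET" -j GUEST_FWD
}

# Print the rule set without touching the kernel (review before applying)
guest_rules_dry() { (IPT=echo; guest_rules); }

case "${1:-}" in
    apply)
        # The router must not hint guests at a shortcut around it
        sysctl -w net.ipv4.conf.all.send_redirects=0 >/dev/null
        guest_rules ;;
    *) guest_rules_dry ;;
esac
```

Discovery is a separate matter: the Cast app finds the device over mDNS, which is link-local multicast and does not cross the router, so casting still needs an mDNS reflector (for example avahi-daemon with enable-reflector=yes), which is the post's own caveat about broadcast/multicast discovery. As the post also notes, a guest who sets a 192.168.0.x address by hand simply steps out of the guest range, so this is convenience, not isolation.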
You could use 802.1x authentication for everyone. Provided you have access points that support roaming and putting users on separate VLANs, you can have users authenticate using 802.1x with a freeradius backend. You can have your own username and password that puts you on your own home VLAN, and you can have a "guest" username and password that puts users on a VLAN that NATs out to the second public IP address you have. 802.1x users negotiate their own keys, so even users with the same username and password use different keys, which would deal with the sniffing concern. Using 802.1x, a user has to authenticate BEFORE a VLAN is assigned, so freeradius can send an attribute back that decides the user's VLAN after the user is authenticated.
+Colin Joseph The solution you describe seems pretty neat!
I very much like the idea of authentication managed via a freeradius server instead of by the various access points themselves, as described here: http://freeradius.org/enterprise-wifi.html, instead of PSK.
Unfortunately, one of the Wi-Fi APs I'll use is a Netgear R6300 that has no Enterprise Wi-Fi nor VLAN capability. Last time I tried, DD-WRT ran very poorly on it (very slow wireless speed).
In case I decide to upgrade to more capable Wi-Fi and switching equipment, I'll use the proper way as you mentioned 🙂
In the meantime, I'll continue exploring other options compatible with consumer hardware.
Just set up a guest network that is physically only connected to the internet (to the carrier's modem directly via Cat 6). Every company on the planet does this.
+Rennie Allen that is the first option I list in the OP, with its pros and cons.
Note: my ISP doesn't provide a modem but actually something better: an Ethernet jack on which DHCP assigns public IP addresses.
You can connect a switch to it and each real or virtual machine gets its own public IP, which makes option 1 even easier to implement.
+François Simond just to be extra secure, you should make sure the switch you use has strict port isolation. I don't see why anything beyond this is needed (if you are welcoming blackhats into your home, you're giving them physical access and you're toast no matter what you do, so you have to trust your guests).
+Rennie Allen hehe, yes, the idea is to find a reasonable balance, essentially to avoid accidental malware exploitation like +Troy Hunt's mother-in-law example and uncontrolled password replication from Windows 10, while still being able to cast media easily.
+François Simond how can you get a malware infestation on your network from something a guest does on the guest network? I agree I don't trust an $80 router to do strict isolation. However, an industrial-quality Cisco 1 Gbps switch that I buy second-hand off eBay and update the firmware from Cisco's site, I do trust.
+Rennie Allen the usual guest network isolation capability prevents guest wireless devices from seeing each other, so media casting won't work.
It also doesn't prevent wireless devices from talking to wired ones, so none of the features I'm seeking are provided.
Well, of course, looking for solutions with simple and affordable equipment doesn't present the same challenge as buying industrial hardware that already offers enterprise features.
+François Simond no, that is not typical, that is actually extremely unusual. I have visited hundreds of companies and used their guest networks and they almost never allow adjacent devices to see each other, but even so, it still doesn't affect you as long as you don't connect to the guest network (why would you?)
+Rennie Allen I described the isolated guest network feature of the Netgear R6300 as it is, nothing more, nothing less.
What I wish to implement has different goals and features from the companies you are talking about. Remember, it's for a home.
If you don't isolate the guests from each other, they can get infections from each other, but that still doesn't affect your network. An isolated network achieves your goal, end-point isolation protects your guests from each other (which is a good idea, but not strictly required to meet your stated goals).
+Rennie Allen I suppose you didn't read the OP Pros/Cons.
I wish Chromecast had 802.1x support…
Anyway, Chromecast guest mode doesn't require being on the same network; it should work with isolated APs. Haven't tried, though.
+Sfera Dev Yes, Chromecast Guest mode is a funky option, also in its implementation described here:
https://support.google.com/chromecast/answer/6109292?hl=en
I don't think the Android TV (Nvidia Shield) has an equivalent tho.
Just tell everyone to bring their own 3/4G with their device (SIM).
Works here, because most ISPs still have unlimited data available; prices vary from 15 euros a month up to 40-50 depending on bandwidth.
+jani koskela may I ask which country?
Seems you arrive at the same approach as +Troy Hunt 😀
+François Simond for me, any option that involves connecting devices with unknown provenance to each other, just isn't an option.
+François Simond sure; Finland.
Major carriers are (Telia) sonera.fi, dna.fi and elisa.fi.
+jani koskela oh funny, Telia is in Sweden as well, but their mobile data contracts are segmented by monthly quotas instead of bandwidth, as listed here:
Finland:
https://www.sonera.fi/kauppa/liittymat/nettiliittymat/liikkuva-netti
Sweden:
http://www.telia.se/privat/telefoni/abonnemang-kontantkort/produkt/mobilabonnemang#/specifikation
I didn't expect that from the same operator in two countries next to each other!
I'm moving to Sweden tho and thinking about how to share a 500/100 broadband since the mobile contracts are not unlimited 😉
Edit: and wow, despite the unlimited data the prices are pretty low.
You could get open-mesh.com access points, which have multiple SSIDs and guest isolation from the LAN and other SSID users built in. Roaming would be available for all users.
Edit: added the full URL to minimize confusion.
+Trae Greenlee I don't know what it means yet but I'll look that up, thanks! 😊
They actually have quotas in talk+data packages, listed here: https://www.sonera.fi/kauppa/puheliittymat/sopiva+minulle with from only 2 to 20 GB a month, but unlimited is still available with an extra fee.
Sonera has been talking about abolishing unlimited/cheap data for years, and they have been gradually raising prices and lowering data caps. Other operators gladly follow since they don't have to take the blame.
Another thing which I require is getting a public non-NATed IP, available for free (via a separate APN) from Elisa/Saunalahti, for yet another extra fee from Sonera, and nowadays DNA filters almost all ports <1025.
You make an excellent point actually. I would like to achieve the same. I run DD-WRT on my APs (both Linksys Broadcom devices). They should support VLAN tagging along with Wi-Fi roaming. This would allow me to isolate the Wi-Fi guests from my home network.
I'm waiting for my new switch with VLAN support to arrive to test it though.
A few links that made me believe this is indeed possible:
http://phil.lavin.me.uk/2012/10/creating-a-guest-wifi-with-802-1q-vlan-tagging-in-pfsense-and-dd-wrt/
http://www.dd-wrt.com/wiki/index.php/WDS_Linked_router_network
http://www.dd-wrt.com/wiki/index.php/VLAN_Support
Obviously I don't know what hardware you're using, and if it supports VLAN tagging, but some third party firmware might solve that 🙂
+Mark Stapper it seems you have good stuff going on with all the good elements 😊
I hope it'll all work as expected!