Enterprise environments use network segmentation to limit risk and exposure when a device is compromised or simply misbehaving. At home, however, the vast majority of people use a single network with every device attached to it: work devices, kids' devices, TVs, game consoles, and so on, all sharing the one network. When was the last time you patched your systems? Your kids' devices? Your spouse's? How about that old phone you just can't throw out because "it still works"?
I would like to explore a method of introducing network segmentation into the home to limit the exposure of home assets. Since I cannot possibly know every vendor's home networking device, past, present and future, please take this information as a guideline to keep in mind when purchasing home networking gear.
Before we talk about ways to segment devices, it helps to understand what devices we have and what categories they fall into. When we look at all the devices connected to our home network we will discover several categories. For myself I have:
- Family devices (mine, wife, printer, file server)
- Kids devices
- Gaming consoles
I could have broken the grouping down further, but in general these were all the categories I needed. Each category of device has a different requirement for network access and a different trust level, and I want to treat each category differently. As an example, the IoT devices run my cameras and home automation but should never be able to access, or be accessed from, the Internet. In addition, with very few exceptions, they should never be able to access any internal system. My family devices do need access to the Internet, and since I stand the best chance of making sure everything in that environment is patched, I trust them slightly more. TVs and gaming consoles need access to the Internet but no access to anything else in my network.
Your situation will undoubtedly be different, but hopefully you can see the process I used to categorize my devices and understand what they actually require.
Methods of Segmentation
So what options exist to segment devices on a network? Without specialized knowledge or equipment, here are a few practical ways. The first is to use different IP address spaces. The second is to use a different VLAN for each category in conjunction with a different IP address space. The third is to use a different wireless SSID for each type of device.
Multiple IP spaces
If you haven't made any custom changes to your home firewall/router (you do have a home firewall/router?!?) you are probably using the 192.168.1.0/24 network. There is nothing wrong with this IP space in general. But because it is so well known, there have been browser-based attacks that scan this LAN for vulnerable systems. If your browsers are all patched up then no worries. If not... So what should you do? If possible, create additional IP spaces for the different device categories. This requires a home firewall that supports multiple internal IP address ranges and, possibly, multiple dynamic IP assignment (DHCP) scopes, one per range.
Virtual LANs (VLANs)
In most homes there will be one LAN (Local Area Network) to go along with the single IP space. A second way to provide segmentation in the home is to create multiple LAN segments. When this is done within one device it is referred to as a virtual LAN (VLAN).
So what is a LAN / VLAN? A LAN segment is a grouping of devices that share a single broadcast domain (that is getting a bit technical, so think of it like this: a broadcast domain is like a room. When you are within that room you can hear everyone else in the room, but outside that room you are unable to hear anyone). A VLAN allows you to split up the broadcast domain (a single room) into multiple broadcast domains (multiple rooms) on the same network hardware. Now, if you combine this with the previous idea of multiple IP spaces and assign an IP space to each VLAN, you have segmented your different device categories.
Now we are halfway to a segmented home network. But if we leave things like this we will quickly notice issues. The first is that I may want one of my segments to be able to communicate with another segment. This is where the firewall/router begins to shine. For each VLAN we create we assign a unique IP space, with the firewall/router as the gateway. So any traffic from one segment must pass through the firewall/router to get anywhere else. Now, with some judicious use of firewall rules, we can limit or prevent communication between segments.
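The two sections above (separate IP spaces, then a VLAN per category with the firewall/router as every VLAN's gateway) can be modelled in a few lines of Python. This is an added example, not code from the original post or from any vendor's product: the VLAN ids, subnets and the allow-list are assumptions chosen to match the categories described earlier (family may reach the IoT cameras, nothing reaches IoT otherwise, kids and gaming only get out to the Internet), not the author's actual configuration. It checks that no planned subnet overlaps another or the well-known 192.168.1.0/24, and then evaluates the inter-segment policy the gateway would apply to a new connection.

```python
import ipaddress

# Constructed plan (assumed, not the author's configuration): one VLAN and one
# /24 per device category, all outside the well-known default 192.168.1.0/24.
SEGMENTS = {
    "family": {"vlan": 10, "subnet": ipaddress.ip_network("10.10.10.0/24")},
    "kids":   {"vlan": 20, "subnet": ipaddress.ip_network("10.10.20.0/24")},
    "gaming": {"vlan": 30, "subnet": ipaddress.ip_network("10.10.30.0/24")},
    "iot":    {"vlan": 40, "subnet": ipaddress.ip_network("10.10.40.0/24")},
}

DEFAULT_LAN = ipaddress.ip_network("192.168.1.0/24")


def check_plan(segments):
    """Return the planning problems found: a segment still inside the
    well-known default range, or two segments whose subnets overlap."""
    problems = []
    names = list(segments)
    for i, a in enumerate(names):
        if segments[a]["subnet"].overlaps(DEFAULT_LAN):
            problems.append(f"{a} lies inside the well-known default range {DEFAULT_LAN}")
        for b in names[i + 1:]:
            if segments[a]["subnet"].overlaps(segments[b]["subnet"]):
                problems.append(f"{a} and {b} have overlapping subnets")
    return problems


# Inter-segment policy, enforced by the firewall/router because it is the gateway
# of every VLAN. Each pair is (source segment, destination segment) for NEW
# connections; a stateful firewall lets the replies of an allowed connection
# back in, so the reverse direction does not need its own entry.
# "internet" stands for any address outside all of the local segments.
ALLOWED = {
    ("family", "internet"),
    ("family", "iot"),       # the one exception: family devices may reach cameras / home automation
    ("kids", "internet"),
    ("gaming", "internet"),
}
# Anything not listed is denied: iot -> internet, iot -> family, kids -> family,
# gaming -> anything internal, internet -> anything internal, ...


def classify(ip, segments=SEGMENTS):
    """Name the segment an address belongs to, or "internet" if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, seg in segments.items():
        if addr in seg["subnet"]:
            return name
    return "internet"


def decide(src_ip, dst_ip, segments=SEGMENTS, allowed=ALLOWED):
    """Gateway verdict for a new connection from src_ip to dst_ip: "allow" or "deny"."""
    src, dst = classify(src_ip, segments), classify(dst_ip, segments)
    if src == dst:
        # Same broadcast domain: the traffic never reaches the gateway, so
        # these firewall rules cannot see it, let alone block it.
        return "allow"
    return "allow" if (src, dst) in allowed else "deny"


if __name__ == "__main__":
    print("plan problems:", check_plan(SEGMENTS))
    for src, dst in [("10.10.40.5", "203.0.113.9"), ("10.10.10.5", "10.10.40.5"),
                     ("10.10.40.5", "10.10.10.5"), ("10.10.20.7", "10.10.10.3")]:
        print(f"{src} -> {dst}: {decide(src, dst)}")
```

The same-segment branch is the point of the VLAN step: two devices in one broadcast domain talk directly and the firewall never sees the packets, so the only way to put a rule between two devices is to put them in different VLANs first.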
Finally, let's talk about wireless networks. A wireless network consists of wireless clients and a wireless access point (AP). APs generally come in two flavors: the simple wireless-to-wired bridge type, and the wireless router type. Some APs can be both. The good news is that the type of AP really doesn't matter, as I'll address both.
First, the wireless bridge type. This is perhaps the easiest to configure, because the only things we need to decide are an SSID for the LAN segment we are going to connect the AP to and an authentication method; the rest of the LAN work can be reused.
Second, the wireless router type of AP is configured very similarly, with the addition that a new VLAN/IP space is created for that AP, with the AP acting as its router.
Quick aside: since the frequencies used by wireless networking are shared with everyone around you, the wireless airspace can get quite noisy. Having multiple SSIDs to separate wireless segments can easily grow to the point where the airspace becomes so noisy that performance degrades. At my home, my devices can see at least 13 of my neighbors' SSIDs, and it's not unusual to see more. This doesn't mean you should not use multiple SSIDs; it just means that creating more SSIDs isn't free.
Network Access Control (NAC)
Network Access Control (NAC) could be its own set of (future?) articles. If you have heard of NAC, it was probably a story of how NAC broke an entire enterprise and prevented every computer from working. While that can be true, the truth is a little more nuanced.
Fortunately, NAC for the home is much simpler. It generally consists of a pre-shared key (PSK) to get access to the wireless network, and for many home network devices this is the limit of the NAC they are capable of. However, some home network gear is able to authenticate each user/device with a unique username/password and also pass along additional attributes (for instance a VLAN assignment). Using NAC functionality with VLAN assignment you can deploy a single SSID and still achieve segmentation.
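Gear that authenticates each device with its own credential and hands back a VLAN assignment is doing dynamic VLAN assignment over 802.1X with a RADIUS server behind the AP. As an added example that is not from the original post or from any vendor's code, the Python below models the server side of that exchange: a credential store in which every device is pinned to the VLAN of its category, and an authenticate function that on success returns the three RADIUS attributes an AP reads to place the client in a VLAN. The attribute names and values are the real ones from RFC 3580; the device names, passwords, VLAN ids and the store itself are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed credential store (made-up device names, passwords and VLAN ids):
# each device gets its own credential and is pinned to the VLAN of its category.
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_store(entries):
    """Build {device: (salt, password hash, vlan)} from (device, password, vlan) tuples."""
    store = {}
    for device, password, vlan in entries:
        salt = os.urandom(16)
        store[device] = (salt, _hash(password, salt), vlan)
    return store


STORE = make_store([
    ("dad-laptop",      "correct horse battery staple", 10),   # family VLAN
    ("kid-tablet",      "unicorn-rainbows",             20),   # kids VLAN
    ("living-room-cam", "camera-only-key",              40),   # iot VLAN
])

# The attributes an 802.1X-capable AP expects in a RADIUS Access-Accept in order
# to place the client in a VLAN (RFC 3580, section 3.31):
#   Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6),
#   Tunnel-Private-Group-ID = the VLAN id as a string.
def authenticate(device, password, store=STORE):
    """Return the VLAN-assignment attributes on success, or None to reject."""
    entry = store.get(device)
    if entry is None:
        # Hash anyway so an unknown name takes as long as a wrong password.
        _hash(password, b"\x00" * 16)
        return None
    salt, expected, vlan = entry
    if not hmac.compare_digest(_hash(password, salt), expected):
        return None
    return {
        "Tunnel-Type": 13,
        "Tunnel-Medium-Type": 6,
        "Tunnel-Private-Group-ID": str(vlan),
    }


if __name__ == "__main__":
    for device, password in [("dad-laptop", "correct horse battery staple"),
                             ("living-room-cam", "camera-only-key"),
                             ("kid-tablet", "guess")]:
        print(device, "->", authenticate(device, password))
```

With one credential per device, the single SSID stops being the trust boundary: the camera's credential can only ever land it in the IoT VLAN, and revoking that one entry removes the camera without touching anyone else's key, which a shared PSK cannot do.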
Wrapping things up
After more than 1200 words, is what I've said even possible? With the correct equipment, yes (see below). Even if you cannot achieve all the steps I've outlined above, some segmentation of your home environment will make it harder for an unpatched smart TV to compromise every system in your home.
Did I miss something? Are there other things that can/should be done to better segment one's home network?
Below are some screenshots of my configuration. I use Ubiquiti's UniFi AP, switch and firewall/router. I have no affiliation with Ubiquiti. Their hardware, while not the least expensive, is 1) maintained and 2) gets me 80% of what I want to do with 20% of the effort. You do not need Ubiquiti equipment to do some or all of what I have shown.