Protecting my network from rogue IoT devices.

Niels Kobschaetzki niels at kobschaetzki.net
Mon Feb 29 17:49:16 UTC 2016


On 16/02/29 12:24, Javier Perez wrote:
>Probably Off Topic, but maybe tangentially related to Fedora.
>
>I read with interest this forum piece about IoT devices phoning home.
>
>https://isc.sans.edu/forums/diary/IoT+The+Rise+of+the+Machines+Guest+Diary/19173/
>
>What caught my attention is the following phrase: " My home network
>is hardened and any new (unknown) device connected to it receives an IP
>address from a specific range which has no connectivity with other hosts or
>the Internet but its packets are logged"
>
>I imagine it is done through the Gateway Router at home. Is there any
>tutorial somewhere to learn how to do this? 

Off the top of my head, you would need to implement 802.1X with a RADIUS
server, and depending on the MAC a device gets put into one of two VLANs,
and then a DHCP server hands out an IP address depending on the VLAN. The
DHCP server has one network interface in one VLAN and one in the other
VLAN, both with different subnets. And then there is an additional firewall
(which probably needs 3 network interfaces: one for each VLAN, one for WAN)
that manages the traffic between the networks (firewalld, iptables,
nftables). The subnet that is in the VLAN for the unknown devices
redirects all traffic that should go to the internet through a proxy
(squid) which logs everything. The inter-network traffic can be logged
by the firewall. At least that's what I would do with a
wired network.
I am not sure how you would realize that with WLANs.
The only idea I have is that there are two different WLANs: one
for trusted, one for untrusted devices. The one with the untrusted
devices again routes internet traffic through a proxy, and again you
need the firewall for the inter-network traffic. In both cases a router
might be enough, but tbh I am not sure right now.
I hope that gives you enough to work with to find the right answers on
Google.

That's completely off the top of my head, and I have never implemented the
802.1X part in my networks. If I were to implement something like that
from scratch, I would draw a network diagram first ;)

Maybe this can also be done on a smaller scale. You can probably integrate
a lot of that into one server which handles all the parts, given enough
network interfaces. I'd rather use CentOS than Fedora for something like
that though, because it is more stable.

Readers on this list, please correct me if all that is BS but that's the
way I'd try to implement something like what was described.

>Also, what program could one
>use on FedoraServer or FedoraWorkstation to host the log created by the
>router ( I imagine some sort of dd-wrt machine). 

You want a log server now as well? How about an ELK stack? But that's
huge (Elasticsearch, Logstash, Kibana). rsyslog is afaik able to
receive remote logs as well. But I use rsyslog only to send logs out,
not to receive them (that's what I use Logstash for). That might be
enough. I don't know though what could create nice graphs from the logs;
for that you would need some DB backend from which something like Grafana
or Kibana can get data to draw graphs.

>Given that journalctl took
>over syslog duties, could I still use syslogd to receive the data from an
>external router or do I have to look somewhere else for that?

rsyslog can still be used in conjunction with journalctl.

Niels
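
A worked version of the "one server with enough network interfaces" variant from the reply above, covering both the quarantine VLAN (firewall, per-VLAN DHCP, transparent squid) and the remote log receiver from the second question. This is an added example, not code from the original post, the linked SANS diary, or any of the projects named; it assumes a Fedora/CentOS box with interfaces named wan0 (upstream), lan0 (trusted VLAN) and iot0 (quarantine VLAN), the subnets 192.168.10.0/24 and 192.168.99.0/24, squid on this box configured with "http_port 3128 intercept", the config paths /etc/nftables/quarantine.nft, /etc/dnsmasq.d/vlans.conf and /etc/rsyslog.d/remote.conf, and a switch or AP that already puts ports or SSIDs into the right VLAN (the 802.1X/RADIUS part is not covered here).

```shell
#!/bin/sh
# Added example, not code from the original post or the linked SANS diary.
# Generates the config for a single Fedora/CentOS box acting as router,
# firewall, DHCP server, transparent proxy target and syslog receiver.
# Assumed interface names (override via environment): WAN = upstream link,
# LAN = trusted VLAN, IOT = quarantine VLAN. Assumed: the switch/AP already
# assigns VLANs (802.1X + RADIUS, not covered), squid runs here with
# "http_port 3128 intercept", and the config directories below exist.
WAN=${WAN:-wan0}
LAN=${LAN:-lan0}
IOT=${IOT:-iot0}
LAN_DHCP=${LAN_DHCP:-192.168.10.100,192.168.10.200,12h}
IOT_DHCP=${IOT_DHCP:-192.168.99.100,192.168.99.200,12h}
# nftables ruleset. Quarantined devices may only talk to this gateway for
# DHCP, DNS and the proxy; plain HTTP is redirected into squid; everything
# else from the quarantine VLAN is logged with a prefix and dropped.
quarantine_ruleset() {
cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # gateway services the quarantine VLAN is allowed to use
        iifname $IOT udp dport { 67, 53 } accept
        iifname $IOT tcp dport { 53, 3128 } accept
        iifname $IOT log prefix "iot-to-gw " drop
        # the trusted VLAN may reach everything on the gateway (ssh, syslog)
        iifname $LAN accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # trusted VLAN reaches the internet and may poke at quarantined devices
        iifname $LAN oifname { $WAN, $IOT } accept
        # quarantine VLAN: no path to the trusted VLAN or the internet, log it
        iifname $IOT log prefix "iot-blocked " drop
    }
}
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # plain HTTP from the quarantine VLAN goes through the logging proxy
        iifname $IOT tcp dport 80 redirect to :3128
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $WAN masquerade
    }
}
EOF
}
# dnsmasq: one DHCP range per VLAN. dnsmasq picks the range matching the
# subnet of the interface a request arrived on, so unknown devices on IOT
# get quarantine addresses with no per-MAC configuration. Router and DNS
# options default to this box's own address on that interface.
quarantine_dhcp_conf() {
cat <<EOF
interface=$LAN
interface=$IOT
bind-interfaces
dhcp-range=$LAN_DHCP
dhcp-range=$IOT_DHCP
log-dhcp
log-queries
EOF
}
# rsyslog: accept syslog from the switch/AP/router on UDP and TCP 514 and
# write one file per sending host and program. This box's own nftables log
# lines reach rsyslog through journald (imjournal) as on any Fedora system.
remote_syslog_conf() {
cat <<'EOF'
module(load="imudp")
module(load="imtcp")
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")
template(name="PerHost" type="string"
         string="/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")
ruleset(name="remote") {
    action(type="omfile" dynaFile="PerHost")
}
EOF
}
install_configs() {
    [ "$(id -u)" -eq 0 ] || { echo "install must run as root" >&2; return 1; }
    quarantine_ruleset   > /etc/nftables/quarantine.nft
    quarantine_dhcp_conf > /etc/dnsmasq.d/vlans.conf
    remote_syslog_conf   > /etc/rsyslog.d/remote.conf
    sysctl -w net.ipv4.ip_forward=1
    nft -f /etc/nftables/quarantine.nft
    systemctl restart dnsmasq rsyslog
}
case "${1:-show}" in
    install) install_configs ;;
    *)       quarantine_ruleset ;;   # "show" (default): print the ruleset
esac
```

Run it without arguments to review the generated ruleset, or as root with "install" to write and load everything. Two caveats a practitioner will hit: only plain HTTP (port 80) can be pushed through an intercepting squid, so TLS traffic from the quarantine VLAN is not proxied but logged and dropped by the forward chain with the "iot-blocked " prefix (grep the journal or /var/log/messages for that prefix to see what each device tries to phone home to), and dnsmasq still forwards the quarantine VLAN's DNS queries upstream, so log-queries is what keeps that channel visible. Anything from iot0 aimed at the gateway itself other than DHCP, DNS or the proxy shows up under "iot-to-gw ".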

