Home networks are becoming increasingly complex, and security threats as well. Once they were used mostly for personal communications, and entertainment. Now work at home, home automation, and more and more complex tasks performed online at different security levels make simple flat networks inadequate, especially form a security perspective. Does it really make sense that your work at home laptop, or surveillance cameras, are easily accessible from you children gaming PC?
Most consumer router/AP AiO (All-in-One) today offer a WiFi guest network, and a few an Ethernet one as well. Usually, this is implemented as a separate WiFi SSID, and with some internal firewall rules. Still these guest networks work only if the AiO is the only network device used – plug it into another network device and that separation upstream is lost, and also they are very limited – only one guest SSID, usually only one guest port.
Business networks has been using a VLANs (Virtual LANs) to segregate different traffic for a long time. VLANs modify the Ethernet frame adding additional fields (specified by the 802.1Q standard) to tag traffic with a 12 bit value (thus 4096 tags available) telling VLAN aware devices to which VLAN that traffic belongs to. Standard frames and 802.1Q ones can coexist, since devices are able to recognize them.
Thus these devices are able to keep different VLAN traffic separated without the need to install additional cables, and plug devices into different ones as needed. Just tag a device traffic with the proper tag, and it will be able to communicate with devices in the same VLAN only.
This way, “virtual” networks are created on the same cables, and despite bits travel along the same very cable, VLAN aware devices will keep the traffic separated. Your children gaming PC won’t be able to see your work-at-home laptop, or the NAS where all those important files are stored.
The modified Ethernet frame has also a field that allows for setting the frame priority to manage Quality of Service (QoS) at the Ethernet level, prioritizing frames delivery as needed, but this is a topic for another article.
To implement VLANs, you’ll need VLAN aware networking devices – routers, switches, and APs. While many network interfaces cards are able to manage VLANs, they are of little use if the upstream devices can’t do it.
Unluckily, few consumer routers, switches and APs are VLAN aware. They are designed for flat networks where everything is in the same network, but the guest one. It’s a far simpler setup, although a less secure one, good for the early home LANs, but is becoming inadequate.
Many prosumer devices instead have some VLAN support at least. For a a home network, you won’t need many VLANs and advanced features, just the basic one. You’ll stil need to spend a little more, but not a lot.
If you can’t replace the ISP router because your country rules don’t allow it, you can still deploy VLANs behind it, and just use the ISP router for internet access.
To deploy VLANs,, you’ll need at least:
- A VLAN aware switch, to create the virtual networks.
- A VLAN aware WiFi access point, to map SSID to VLANs.
- A VLAN aware router/firewall to control which traffic can move among VLANs and how.
For very simple networks the switch and router/firewall could be inside the same physical device.
VLAN and switches
Switches are the devices that allows to connect more than one end device to a network – they work, in very simple terms, as “port multiplies”. Your AiO “router” four/five Ethernet ports are simply a small switch embedded in your “router”. To be able to use VLANs, the switch needs to support them.
Usually VLAN are assigned to devices at the switch port level. While VLANs can be assigned also on network interfaces cards, that is not available on every device, and requires their configuration to be changed to change the VLAN. Thereby, usually is simpler to tag the traffic entering a specific switch port (and remove the tag when it exits it, so the device behind it doesn’t even know it’s in a VLAN).
Switches that are VLAN aware are called managed switches, because they can be configured as needed. Unmanaged switches cannot be configured and just switch packets based on their destination MAC address (some may also honor QoS priorities). A subclass of managed switches is the smart managed ones. Managed switches usually offer a full set of configuration options, and a command line interface to manage them, and usually a web based one also. Smart managed ones offer a somewhat smaller subset of options, a web based interface to manage them (sometimes, but not always, a CLI too), and are a little cheaper.
VLAN management is a basic options and is included in both. Smart managed switches may have some limitations, i.e. the number of VLAN supported, but for a home network (and most SMB ones), they are enough.
There is also another division, and that’s layer 2 (L2) switches, and layer 3 (L3) ones. The former have features acting only on Ethernet frames (which are at the layer 2 of the OSI networking model), while the latter can also act on data at the TCP/IP level (which is the layer 3 of the OSI model). To create and manage VLANs, L2 switches are enough. L3 ones allows for inter-VLAN routing on the switch itself, more about that later.
CreatiNG VLANS
Once you’ve got your (smart) managed switch, out of the box it will simply work as an unmanaged one. All traffic will be in the same network. You need to access its management interface, create VLANs, and assign ports to them. How to do that actually depend on the switch your using, although the basic settings are the same.
Start by defining the VLANs. You’ll need to assign a number – the VLAN tag – to each VLAN. Avoid using number 1, that is usually reserved for the default VLAN which is used by some network management protocols like STP (Spanning Tree Protocol) and others. Avoid using number 4096 for the same reason. To route traffic among VLANs usually an IP subnet is associated to the VLAN (more about this later), so it may be useful to use numbers that easily map the VLAN to its subnet.
Once VLANs are created, switch ports can be assigned to VLANs. There are two basic types of assignment (some network devices support more):
- Access port; the port belongs to a single VLAN. Ethernet frames are tagged with the assigned VLAN ID when they enter the port, and untagged when they exit the port (as seen from the switch), so devices that cannot handle tagged frames still work. Internally, only frames matching the VLAN assigned to the port are accepted.
- Trunk port: the port belongs to one or more VLANs. The Ethernet frames need to be already tagged when they enter the port. The port accepts only frames matching the VLANs assigned to the port.
As you can see, access ports are mostly useful for end devices, while trunk port for network device to network device connectivity (hence their name trunk). They are also used when the connected device already tags traffic (i.e. a virtual switch inside a virtual machines hypervisor).
Once ports are correctly assigned to the correct VLAN(s), device will be able to see only other devices on the same VLAN, this segregation is enforced by the network devices.
If you plug an unmanged switch to an access port, all devices plugged to this switch will be in the same VLAN. If you plug it into a trunk port, it will work if the port accepts untagged traffic too, otherwise it won’t.
Now we have a full segregation, that may not be always what we want. Only devices on the same VLAN where Internet access is located will be able to access the Internet, and if you wish to be able to configure your home automation from your tablet you can’t. So we need to allow some controlled access to a VLAN from another one.
VLANs, subnets and routing
Ethernet has no concept of routing packets among networks. You can bridge Ethernet networks, but that means all traffic will travel among them, with little control – using filters based on MAC addresses is not very friendly. It is much easier and more powerful to do that at the TCP/IP level.
For that reason is quite common to assign different IP subnets to each VLAN. For example, VLAN 10 may correspond to subnet 192.168.10.0/24, VLAN 20 to subnet 192.168.20.0/24 and so on. It doesn’t matter which subnet is assigned to which VLAN – it’s just important they are different.
Once each VLAN traffic is in a different subnet, a router with one or more ports assigned to each VLAN can route traffic among them as needed. If this router is also a firewall, it can control also which traffic is actually allowed. Thereby you may have rules that allow all subnets to access the Internet (but maybe home automation or surveillance cameras). a rule that allow your management devices to access the home automation settings and surveillance cameras – but not the children gaming PC, or the satellite/internet TV top box – and so on.
Your wok-from-home laptop(s) can be wholly segregated from your home network, and if needed allowed to connect only to the company VPN.
The guest network may access the Internet only, and if you wish, being able to use only a subset of services (i.e. HTTP(S) is OK, but RDP or SSH is not).
A compromised device will have an harder time to move laterally on other systems, compared to a flat network. You’ll need a router/firewall that can manage VLANs, and configure routing tables and firewall rules as needed. If you need to use the router provided by the ISP, this router can be installed behind it, and then only send the Internet traffic through the ISP router. It’s less complicated than it looks, and greatly enhances security.
Layer 3 switches allow routing to be performed directly on the switch, but without a stateful firewall writing rules to control which traffic is allowed to pass, and which not, using switch rules is usually much harder, since traffic in both direction needs to be taken into account. In small deployments is far easier to let a router/firewall handle both tasks.
VLANs and WiFi
As more and more home networks rely mostly on WiFi connections, if you wish to use VLANs you’ll need a way to map VLANs to WiFi connections as well. Thisi done mapping a VLAN to its own WiFi SSID. Think the SSID as the switch port – every devices connecting to the the same SSID will be assigned to the same VLAN. You will assign to SSIDs the same VLAN you would assign for the same device connected to an Ethernet port.
Of course the WiFi access point (AP) needs to allow for more than one SSID, and assign VLAN tags to them. The AP Ethernet port will become a trunk port, and needs to be connected to a trunk port on the switch (or router) connecting it to the rest of the network. Enabling SSID isolation will ensure all traffic needs to pass through the router/firewall to reach a different VLAN.
Again, most consumer APs don’t allow more than one SSID, plus maybe the “guest” one, and don’t allow for VLANs, so you have to move to prosumer models at least.
VLAN/subnets and firewall rules
Since VLANs are usually associated to subnets, becomes easier to write firewall rules to control which traffic can enter or exit a given subnet.
In the example above, line colors shows allowed network paths. A combination of VLAN, routing and firewall rules controls who can access what. Restrict access to only the specific protocols a subnet needs, and if possibile, only to the specific source/destination IPs. For example, the TV needs to access the NAS only through the protocols used to share files, it does not need to access the management interface. Additional controls should be deployed at the device level. In the example above, the TV should be able to access the NAS in read-only mode only, using a specific user and permission on the NAS itself.
Some router/firewall may have additional web filtering features, that can be activated on a per-subnet basis to increase network security, or can be even activated by a scheduler to restrict access to specific time slots.
Additional security consideration
If your users are smart enough, they could try to bypass VLAN restrictions plugging their devices into another Ethernet port. If WiFi passwords are strong enough, and not shared easily, accessing a different SSID is more difficult. Besides proper rules and education, there are also technical solutions like 802.1X authentication for devices, and WPA 2/3 Enterprise authentication for WiFi users, which allows to use per-user passwords instead of shared ones. It gets more complicated, though.
Or course mobile connections will be able to bypass your network rules. Tethered devices could be a higher risk since they can bring malware inside the network, but again it will have an harder time to move around, and could be spotted before making bigger damages.
Conclusion
Today the average network speed has get well beyond most people needs. Still advertising lean on it to sell newer devices, because most people still think only in terms of “speed”.
But in my humble opinion the time has come to start to think more about security than raw speed. We are using our home networks more and more for important, and sometimes critical, tasks. The network may be used for work, and access sensitive data. We use it to access our financial and health information. Home automation handles our home heating, cooling, and alarm/surveillance systems. Meanwhile, we also use it to play, stream data from third party source which are usually very interested in our data, while many IoT devices shown an abysmal security, and not a few also use it to access contents that may lead to dangerous situations. Raw speed may deliver your torrent faster, but a more secure network may protect you better when you, or someone in your household, download the wrong file.