Looking for IoT Firewall

Continuing the discussion from 21 Oct 2016 - Cannot access node-red or github websites:

Paul brought up a good point concerning locking down an IoT device. I’d like to make my emonPi and RasPi accessible from the internet. So I am looking for a firewall that allows me to place IoT devices in a separate network zone from my home network. So a red zone for Internet traffic, a green zone for my home network and an orange zone for IoT type devices.

I’ve used IPCop in the past but they haven’t done updates for a long time and they no longer support a forum in English. The German forum is difficult to understand via Google Translate.

I am guessing other OEM users have connected a home emoncms server or an emonPi to the Internet. So I am curious what other users have setup for their IoT devices exposed to the Internet.

(Not sure if this is the right category for this question…)


Hi Jon,

If you happen to have an extra router, here is an article about cascading two routers that does just what you’re looking for.

Edit - As Brian mentioned in the post below this one, the relevant info is about half-way down the page.

Ah the guys at GRC - excellent stuff on that site.

For someone new to this, the link Bill posted talks about routers in general - the dual router setup is the bit starting “What can be done to improve LAN security with multiple machines?”

I already run 2 routers (improves coverage) and I have a third kicking around (TP-Link, less than £20). The bit I have struggled with in the past has been DHCP assignment of IP addresses. I’ll have a good read of this. Perhaps it is time to rebuild my network from scratch 🙂


Bill - thanks for the GRC info. I read through the article - very interesting use of routers. I use the GRC site for “Shields Up” and have the SpinRite app.

I’m not a big fan of “double NAT”. I had double NAT problems years ago and I was warned away from double NAT by our company network gurus. But that was 8+ years ago and technology has changed.

I am looking for a true blue firewall to protect my home network and to help protect the IoT devices. A Linux distro is fine.

Jon, I use IPFire, which is the open-source variant of IPCop. They are updating their distro almost daily and do also have an English forum. I use IPFire almost everywhere and I’m confident it could solve your use case.

I only use double NAT if I really need more security so that even once the hackers are in, they have to do it again on a next router. I did this for the water treatment system of our town. I wanted the extra security for the most sensitive parts like PLC etc.

I can understand why your network gurus did not want to have that in the past. It was the same here. Most of them are just really lazy guys and of course a double NAT setup requires serious thinking and a lot of extra rules and setup 🙂 But today with the many possible VPN solutions it’s easy to bypass the routers and get in straight. You just need to be sure that you don’t introduce any additional holes. VPN may be a secure solution but only if set up right.

If you want a nice open-source routing firewall software, I always use pfSense; you can install Snort for intrusion detection and filtering. I have been operating a small ISP with 200 customers for close to ten years now, and the switch to pfSense routing and firewall must be close to 7 years ago now. Never had any problem and it works well, as I have multiple segments in the network, as either a secondary NIC or VLANs depending on the type of network loading required.

@Andreas_Messerli - I started looking into IPFire a few weeks ago. It did look just like IPCop. The thing I quickly noticed was the version numbers were very similar if not the same. At that time I assumed (bad to do!) that IPFire was not being updated. I am glad to hear there are almost daily updates. Time to look again.

@stephen - I just started looking at pfSense last Wednesday. I downloaded lots of pages of their wiki to read. In the past I thought pfSense was open source and free, but when I looked last week it seems they charge. Did you buy hardware or software or support for your setup?

Thank you!

No, I just had some simple small form-factor computers, Intel and AMD, with multiple NICs. Installed pfSense and away I went.
https://www.pfsense.org/download/

Still seems to be open source and free. I know they charged for help, but they always did.

Did you setup a DMZ (orange zone) as part of the pfSense install?

My ISP speed is up to 150 Mbps down and 25 Mbps up and I do see that speed without the firewall. But with the firewall, and with 100 Mbps or 1 Gbps network cards, I only see 50 Mbps download and 20-25 Mbps upload. Do you see network slowdowns with pfSense?

No, I have 100 Mbps (sync, 100 Mbps up and down), no issue. Though you do realize that you might only see the 50 Mbps simply due to backbone limitation. Connect to multiple points at the same time and see if you have the same issue. Also a lot of ISPs that have high connection speeds are only to internal networks (users within the same provider), or that is the burst rate (20 seconds or less depending). You can configure pfSense however you want, if you have multiple public IPs (NAT passthrough) or DMZ, what have you… Here is a YouTube video to help you along.

Oh, I see, I misread your comment somewhat. If your firewall sets up the DMZ on a VLAN as opposed to a real NIC, it splits the connection speed in half or more depending how it is configured. It also depends what your firewall is doing; if it is inspecting every packet then there is slowdown too… So if you build one, make sure it has lots of memory and a reasonable CPU if you are doing filtering and intrusion detection and all the doodads.

This is just a general reply here, not aimed specifically at anyone;

I’m a fan of pfSense, although at home I tended to use hardware solutions with a Cisco badge on them until recently; now I am using a pfSense box and am very happy with it. What you do with it is very much up to you; the simple fact is that firewalling IS a complex subject, there is more to a good firewall than just being able to route traffic and open ports.

I fully recommend you look at the Snort plugin for pfSense; this adds some automated intelligence to your firewall. It’s not foolproof, but it’s an extra layer that can really help.

For all things security - take a layered approach, don’t rely on one line of defence for anything.
Take SSH as the first simple example;

  1. Make sure you use a non-standard username where possible, so not “root”, not “pi” and not “admin”
  2. Use a complex password
  3. Require SSH keys in addition to your complex password

In addition to all of the above, limit access to known IP addresses on the internet.
Now at this point you have turned your SSH security up to 11, but all of that means nothing if you have another vulnerable service open… so…

If you are providing web services on the same box - front end them with Cloudflare where possible: https://www.cloudflare.com - it’s FREE and adds a good layer of security, including adding HTTPS to your website if that’s what you want (yes, you want that if you use ANY kind of login for your page).

And on your web server - ONLY accept requests from Cloudflare - they provide their IP lists for this purpose.

One final trick, you may be the kind of person that locks down internet access already, or you may be the kind of person who leaves all the outbound traffic open - the latter isn’t a good thing. If you don’t want the hassle of locking down all of your outbound internet access, at least do the following;

Lock down outbound telnet, lock down outbound DNS over TCP (it’s used for zone transfers - I’m quite sure you won’t ever be doing that) and lock down DNS over UDP to the servers you actually use (your ISP or OpenDNS maybe). Lock down SMTP (port 25) to your ISP’s mail servers (or turn OFF SMTP totally if you use Gmail, for example). Similarly, if you are not using SSH, turn it off.
Why do this? Because at least this stops you taking part in most of the botnets that are out there; it will stop your machines being unwilling zombies without you even knowing.

Finally, securing ANY device is never quite as straightforward as you might think. Take the layered approach, don’t assume it won’t happen to you - there is an army (literally) of machines out there that are working around the clock to compromise every system they can; they will find yours and they will use any weakness to get in.


@Jon I use Sophos as my firewall; it’s installed on an HP MicroServer and it’s fantastic.
I also have a managed switch and use VLANs to create separate networks that would suit your needs.
pfSense is a project derived from m0n0wall, which was a fantastic firewall but only did basic things, which IMHO it did perfectly and reliably, but it was forked off so people could develop more features into it. I used it a few years ago and it wasn’t that fantastic, but it’s an active project and they have probably ironed out most of the problems.
Sophos is built for commercial environments so it’s reliable and it works well; for me it includes things like antivirus scanning while downloading and content filtering to protect the kids. They offer a free license for home users and I believe the only thing they lock out is the customization of portals etc.

Regards
Dave

@Dave - The M0n0wall was the base for IPCop also. I’ll have to look into Sophos! Thank you!

@Andy_Taylor - I did see the snort plugin for pfSense. Does snort with pfSense do “detection” and report the issue or does it do “prevention” and block the issue? I ask because on IPCop it was only set-up to do detection and apparently didn’t work too well (It may have been how it was integrated, supported or updated on IPCop). For the current version of IPCop I believe snort is a separate install.

I’ll look into Cloudflare also (I did read through Paul’s implementation efforts).

In the IPCop firewall log I can see output that is blocked. I’ll have to look for what I did lockdown for output. (Sad to say I cannot remember since I setup IPCop many years ago).

@stephen - I removed the extra zone (DMZ) and the download is still slow, even with the network removed and the computer connected directly to the firewall. Once I turn off services within the firewall, the download speed is faster. Since I plan to replace the IPCop firewall, I’ll make sure I check the replacement for the same issue.

Lots of homework! Thank you to all for the comments!
Jon

@Jon the pfSense snort plugin does detection and prevention - it’s well worth a look.

Don’t know what exactly you want to achieve, but I closed my entire network for inbound access and only allow connection through a VPN. This gives me the possibility to connect to my NAS and Raspberry Pi whenever needed while giving me the security I need without having to rely on OOB security on either the NAS or the Raspberry.

Dave wrote: “I use Sophos as my firewall; it’s installed on an HP MicroServer and it’s fantastic.”

Which version do you use? XG or UTM?

Andy_Taylor wrote: “lock down DNS over UDP to the servers you actually use (your ISP or OpenDNS maybe)”

@Andy_Taylor - I am testing the pfsense firewall and I am struggling getting a few items set-up. I need a push in the correct direction for DNS lockdown. Is there “term” I should be searching on the pfsense forum or pfsense wiki to setup a DNS lockdown. I hate it when I am an “un-willing zombie!”

What I mean here is;

Decide on how you want to use DNS, are you using the onboard DNS forwarder on PFSense (I would encourage this since its flexible and simple). Once you decide how you want to use DNS, force this choice with a mixture of DHCP settings to your clients and firewall rules to remove the possibility of using anything else.

  1. Under the menu “System > General”, set your chosen DNS servers (OpenDNS FamilyShield in my case, 208.67.220.123 and 208.67.222.123).

  2. On the same page, un-tick DNS Server Override (so that you don’t use your ISP DNS Servers instead).

  3. Confirm that “Disable DNS Forwarder” is also unticked.

  4. Under the menu “Services > DNS Forwarder” make sure that the service is enabled, and that DHCP registration is on, along with static DHCP registration (these make for a nicely working system auto adding DNS records for DHCP clients).
    I also set “Do not forward private reverse lookups” - since I do not want lookups for internal addresses to be forwarded to OpenDNS.
    Set the interface you want DNS Forwarder to be listening on (LAN) and save the changes.

NOTE: At this point DNS Forwarder should be working correctly; it should be answering queries and forwarding them to your chosen external DNS provider (OpenDNS in my case).

  5. Assuming that you use the DHCP server on pfSense, check the setup on the “Services > DHCP Server” page and confirm that there are NO DNS servers configured here. If that is the case, the DHCP server will hand out your DNS Forwarder server IP as the DNS server for the clients to use.

NOTE: DNS is now set up and should be working correctly. Make sure all the clients get these settings BEFORE modifying the firewall - or some of your clients may find their DNS settings get broken by the next steps. The standard lease time on pfSense is 2 hours, so all the clients will have got the new settings after 1 hour.

  6. Next we add some firewall rules.
    Add some allow rules at the top of the LAN ruleset, allow UDP from LAN Net (your whole LAN) to LAN Address (the LAN IP address of the firewall) on port 53 (DNS) - this will allow the expected DNS lookups to the correct place.

  7. Add the deny rule after the above allow rule.
    deny TCP+UDP from LAN Net to ANY port 53 (DNS) - this will deny any other DNS traffic.

This same idea of deny first then allow works for other services you might KNOW you don’t want allowed to talk to the internet. For example, I block Telnet and SMTP outbound from the LAN and also SSH out from the DMZ (among a few other things).
On your DMZ (IoT devices zone), try to only allow the access those devices need, rather than having a rule that says “allow any to any on any service”.

Andy

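The rules Andy describes in the steps above, together with his earlier advice on outbound lockdown, Cloudflare-only web access and SSH from known addresses, written as the pf.conf rules that pfSense builds from its GUI. This is an added example, not from the thread or the pfSense project: interface names, networks, addresses and the table file are assumed placeholders, and only the rules discussed are shown, meant to sit above the usual LAN pass rules.

```pf
# Added example (not from the thread or the pfSense project): Andy's rules as
# hand-written pf.conf. pfSense generates equivalent rules from its GUI and
# uses "quick" so the first matching rule wins, top to bottom. Interface
# names, networks, addresses and the table file are assumed placeholders.
wan_if   = "em0"
lan_if   = "em1"
dmz_if   = "em2"
lan_net  = "192.168.1.0/24"   # "LAN Net" in the GUI (green zone)
lan_addr = "192.168.1.1"      # "LAN Address": where DNS Forwarder listens
dmz_net  = "192.168.2.0/24"   # orange zone (IoT devices)
dmz_addr = "192.168.2.1"      # firewall's DMZ-side address
web_srv  = "192.168.2.10"     # web server fronted by Cloudflare
pi_ssh   = "192.168.2.20"     # emonPi / RasPi reached over SSH
isp_smtp = "198.51.100.25"    # ISP mail relay (placeholder, TEST-NET-2)

# Cloudflare's published ranges, kept in a file you refresh yourself
table <cloudflare> persist file "/etc/pf.cloudflare.txt"
# Known source addresses allowed to reach SSH from the internet
table <admin_ips> persist { 203.0.113.5 }   # placeholder, TEST-NET-3

# LAN: DNS lockdown. Allow lookups to the forwarder, then deny all other DNS.
pass  in quick on $lan_if proto udp from $lan_net to $lan_addr port 53
block in quick on $lan_if proto { tcp udp } from $lan_net to any port 53

# LAN: outbound services you know you do not want
block in quick on $lan_if proto tcp from $lan_net to any port 23         # telnet
pass  in quick on $lan_if proto tcp from $lan_net to $isp_smtp port 25   # SMTP only to the ISP relay
block in quick on $lan_if proto tcp from $lan_net to any port 25

# DMZ: only what the IoT devices need, never "any to any"
pass  in quick on $dmz_if proto udp from $dmz_net to $dmz_addr port 53
block in quick on $dmz_if proto tcp from $dmz_net to any port 22         # no SSH out of the DMZ
block in quick on $dmz_if from $dmz_net to $lan_net                      # keep IoT away from the green zone
pass  in quick on $dmz_if proto tcp from $dmz_net to any port { 80 443 } # e.g. package/firmware updates
block in quick on $dmz_if from $dmz_net to any

# WAN: web only from Cloudflare (filter sees the forwarded address), SSH only from known IPs
pass  in quick on $wan_if proto tcp from <cloudflare> to $web_srv port { 80 443 }
pass  in quick on $wan_if proto tcp from <admin_ips> to $pi_ssh port 22
block in quick on $wan_if from any to any
```

Because every rule is `quick`, swapping the LAN DNS allow and deny lines would silently break lookups to the forwarder, which is why the allow has to come first as in Andy's steps.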