Help improving network security (restricting LAN guests)

Started by Davdas17, August 30, 2020, 06:06:24 AM


Davdas17

I have VM Super hub 3, and want to isolate LAN connected guests so they cannot sniff around my network and see personal devices in any way

Can I restrict via Mac addresses at all?

I have a spare Super hub 2 which I have tried to do this but no luck - I've got a connection through it but no idea how to restrict LAN connected devices to treat them as Guests

I do have a guest WIFI set up, but this is no good for LAN guests

Any help and advice is very much appreciated as trying to secure my home network.  C:-)

deanwebb

It looks like guest functionality is only on the wireless side: https://www.virginmedia.com/help/virgin-media-set-up-a-guest-network-on-your-hub

So, the question comes down to this... which is more important, that the guests be on the LAN or that the guests not be able to browse your devices?

I'll say that even for most businesses, we have this issue and it's typically resolved with the guest traffic going to the wireless network. In this case, I don't think that the VM Super Hub is going to give you that layer of security.

The "LAN connected guests" part looks to me to be a potential sore spot in the future, if you're not able to guarantee that everyone connecting to your LAN is going to both promise to behave properly AND have PCs with proper endpoint security AND not have any zero-days that can slam into other boxes on the LAN. So if you could describe the requirements around the LAN guests, that could help drive at the right security solution.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Davdas17

For example:
My nosey friend has remote access to our shared windows machine, which is LAN connected to my main internet router, and this computer is running 24/7.
When they visit they also use a LAN port to get connected to their laptop

With remote access and full admin control of the shared computer, I'm not sure what the exact risks out there are to sniffing my personal data from my other LAN & WIFI connected devices etc, but I think it's essential I work on getting the shared device and guest LAN connections isolated from the rest of the network.

If there's no free solution (or anything I can do to make use of the spare Super hub 2), I can buy a recommended switch or hardware that can help me achieve this.

Thanks in advance for any help and advice

deanwebb

If he has full admin and remote access, but you do not trust him, then the first order of business would be to remove his full access. All he needs is a packet sniffer on the LAN interface and he will be able to read all traffic coming and going to that PC. This will include any passwords sent in plaintext as well as hashed passwords. Hashed passwords can be used on Windows to defeat security measures, and if he has full admin access, he has the means to utilize such measures.

And then say "no" to the LAN access from a machine you have zero control over. If you would not trust him with your credit cards and cash, you do not want to permit them to have access to your network on that level.

Obviously, this being a personal relationship, I'm sure that there are other complicating factors, but I would also say that I do not allow anyone on my LAN unless I trust them. Since I work for a security vendor, I can install an agent on the PCs to check for antivirus and other protective measures, and build trust from there. For everyone else, I have a guest wireless that does not permit access to the LAN servers I run.

Otanx

I don't know much about the super-hub, but if it is just a nosy friend then you probably don't need to do anything. Almost all your traffic is going to be encrypted. So they are not going to get much even if they can sniff your LAN traffic, which isn't a guarantee anyway. If the super-hub is actually a switch (I would guess it is unless it is over 20 years old) then they aren't going to see your LAN traffic without actively attacking your network. If your friends are attacking your network you need better friends. That just leaves your friends putting malware-riddled gear on your network. That may be a concern, but most of that would be resolved by keeping your gear patched, and changing default passwords.

There are "free" solutions. PFSense is a common firewall. Need a PC with a couple or three network interfaces, and setup a trust and untrust side. Once you have something in the middle you can start playing with other tools like Snort. However, that is just another device on your network that needs patching, and upkeep.

While I was writing this Dean posted, and made a good point. I missed the part in your post that your friend has remote access and full admin. If you don't trust your friend then nothing you put on the network is going to be secure. Especially on that shared system. Physical access to a network is king, remote admin is a pretty close second. Why does he have remote access and full admin to that box? Your free solution there is to get rid of the remote access, and/or remove his admin rights.

-Otanx

Davdas17

Thank you for the detailed responses. For peace of mind, do you know what checks I can do on the PC (Windows 10) to see if there are any hidden traps he could be using to sniff out the network, or anything suspicious? Also, can he sniff out passwords and websites another PC is using on the network if the PC he remotely accesses is rigged with something? (Without me even knowing, even though I'm using the PC and he has remotely connected on - telnet or CMD style access)

Other than that, would you recommend any cheapish switch I can plug the LAN into, then create a filtered Guest VLAN of some sort, which can also be a WIFI extender for a Guest wifi too? That way my Main Router is used by my trusted devices, and 1 LAN connection out of that router then goes into a 'potential' switch or router which is set up to be a Guest LAN and WIFI? I really think this sounds like the best plan, as the Super Hub does not seem to have many security features unless I've overlooked it.

I appreciate further help and advice  :twitch:

deanwebb

All he needs is wireshark and a network interface in promiscuous mode. Very easy to do. Anything in plain text - HTTP (not HTTPS), FTP, SMTP - will have usernames/passwords also in plain text.

Cracking HTTPS would be a bit trickier to do, so it's easier to check for usernames/passwords at compromise dumps from where webpage databases were hacked and work with those.

But you mention telnet - that's a tool of the Devil himself. It is plain text. Do NOT use telnet on any network device that you don't want used to host or redirect traffic to the kinds of pornography sites that will get you placed in jail.

I'm starting to wonder if this guy really is your friend or if that's just what you call someone who steals your network access and engages in cyberattacks on your devices... :)

No security measure is good if you give an attacker permissions or a path around it. If you do not trust this person, change your passwords and remove all admin accounts that are not yours personally. After that, look for a WiFi mesh system. I use Google WiFi. It has both a family network and a guest network and will not allow traffic from one to spill over to the other.

Davdas17

There's a chance he isn't attacking my devices, but going forward I think it's best to keep a Guest LAN configured, as well as a Guest WIFI.

So I already have a guest wifi through the super hub.

Like you've mentioned the Google mesh wifi, is there a similar one which allows me to have Ethernet guest ports? A switch that allows Ethernet and WIFI Guest, isolated from the rest of the network, sounds great, though my main concern at the minute is Ethernet. Or a cheap managed switch that can be configured to separate itself from the rest of the network via VLAN or some clever options?

Update: my super hub 3 has IP filtering rules, so I can potentially set the 'unsecure' device's IP and block it from communicating with the 'secure' devices' IP addresses. So this can potentially block the device talking to it, but will that stop sniffing for that secure device? Or does it only stop it from pinging etc.? If so, I can manually add our main computers' IPs?

deanwebb

No Ethernet guest. Basically, unless you're ready to sink time or money into a network access control solution, once you let someone plug in to your Ethernet, you are trusting them with everything.

That being said, you can go for a switch that is capable of layer 3 routing functions and plug that into your SuperHub as an intermediate, allowing you to define certain ports as yours and other ports as guest network ports, but the cheaper solution is to point to the wifi and say that that's for the guests.
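The exchange above turns on two layer-2 facts: a switch (unlike an old hub) only floods broadcast and unknown-destination frames, so a guest port never sees the unicast traffic between two trusted devices, and port-based VLANs on a managed switch stop even the broadcasts from crossing over, which is what makes an "Ethernet guest port" possible. The model below is an added example and not code from anyone in this thread or from any switch vendor; the port numbers (1 laptop, 2 NAS, 3 guest), MAC addresses and frame contents are constructed for the demonstration. It also generalises Otanx's hub-versus-switch remark by running the same exchange through all three forwarding behaviours.

```python
"""Toy model of hub, unmanaged switch and VLAN-aware switch forwarding.

Three devices are attached: a trusted laptop (port 1), a trusted NAS
(port 2) and a guest machine (port 3). We replay the same short exchange
between laptop and NAS and record which frames reach the guest port.
All addresses and payloads are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed locally administered MAC addresses (02:... prefix).
LAPTOP = "02:00:00:00:00:01"
NAS = "02:00:00:00:00:02"
GUEST = "02:00:00:00:00:03"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    payload: str


@dataclass
class Switch:
    """Port-based VLAN switch; with every port in one VLAN it is an
    ordinary unmanaged switch, and with is_hub=True it floods everything."""
    port_vlan: Dict[int, int]
    is_hub: bool = False
    # (vlan, source MAC) -> port, learned from frames as they arrive
    mac_table: Dict[Tuple[int, str], int] = field(default_factory=dict)

    def forward(self, ingress: int, frame: Frame) -> Dict[int, Frame]:
        """Return {egress_port: frame} for every port that receives the frame."""
        others = [p for p in self.port_vlan if p != ingress]
        if self.is_hub:
            # A hub repeats every bit on every other port: no privacy at all.
            return {p: frame for p in others}

        vlan = self.port_vlan[ingress]
        self.mac_table[(vlan, frame.src)] = ingress
        same_vlan = [p for p in others if self.port_vlan[p] == vlan]

        # Broadcast or not-yet-learned destination: flood, but only inside
        # the ingress VLAN, so a guest VLAN never sees trusted ARP chatter.
        if frame.dst == BROADCAST or (vlan, frame.dst) not in self.mac_table:
            return {p: frame for p in same_vlan}

        # Known unicast destination: deliver to exactly one port.
        egress = self.mac_table[(vlan, frame.dst)]
        return {egress: frame} if egress != ingress else {}


# A trusted laptop discovers and talks to a trusted NAS (constructed traffic).
EXCHANGE = [
    (1, Frame(LAPTOP, BROADCAST, "ARP who-has nas")),
    (2, Frame(NAS, LAPTOP, "ARP reply")),
    (1, Frame(LAPTOP, NAS, "SMB session setup")),
    (2, Frame(NAS, LAPTOP, "SMB response")),
]
GUEST_PORT = 3


def frames_seen_by_guest(switch: Switch) -> List[str]:
    """Replay EXCHANGE through the switch and list payloads reaching port 3."""
    seen = []
    for port, frame in EXCHANGE:
        if GUEST_PORT in switch.forward(port, frame):
            seen.append(frame.payload)
    return seen


def hub() -> Switch:
    return Switch(port_vlan={1: 1, 2: 1, 3: 1}, is_hub=True)


def unmanaged_switch() -> Switch:
    # Every port in the same VLAN: this is what a plain switch or the
    # LAN side of a consumer router behaves like.
    return Switch(port_vlan={1: 1, 2: 1, 3: 1})


def vlan_switch() -> Switch:
    # Trusted ports in VLAN 10, guest port in VLAN 20.
    return Switch(port_vlan={1: 10, 2: 10, 3: 20})


if __name__ == "__main__":
    for name, build in (("hub", hub), ("switch", unmanaged_switch), ("vlan switch", vlan_switch)):
        print(f"{name:12} guest port sees: {frames_seen_by_guest(build())}")
```

On the hub the guest sees all four frames; on the unmanaged switch it sees only the broadcast ARP request, enough to learn that a NAS exists but not what was said to it; with the guest port in its own VLAN it sees nothing. Note that the router's IP filtering rules from the thread act at layer 3 and would change none of these results, since they never influence which ports a switch copies a frame to.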