Even the firewalls are silently quitting
It’s not just white- and blue-collar workers quietly quitting these days – even my firewall/router decided to quietly quit on me the other week. What I initially thought was a performance issue with my Internet Service Provider (ISP) turned out to be a problem with my own networking equipment.
Let me back up for a moment – my home network consists of a fibre connection provided by Tuatahi First Fibre and my ISP. The Tuatahi fibre optical network terminal (a.k.a. ONT) connects to my Fortinet network appliance, which acts as a combination firewall, router, and switch. From there, a Fortinet wireless access point serves most of my home IoT devices.
The Fortinet hardware looked like this…
At some point earlier this month, something in my FortiGate appliance began to fail – but not in a catastrophic way. What my family and I experienced was a mixture of normal connectivity and periods of painful lag/buffering. Over the space of three weeks, these slow periods became more frequent, though performance never deteriorated to the point of being consistently poor. This was the worst kind of fault: an intermittent AND inconsistent one!
So, how did I diagnose the FortiGate appliance was to blame? Simple – when I plugged my laptop directly into the Tuatahi Fibre ONT (with the computer’s local firewall dialled up to max), I consistently got full line speeds. But when my laptop computer was connected via a wired link through the FortiGate appliance, the speeds became unreliable.
In fairness, they’ve had a good run – both the FortiGate appliance and the FortiAP are nine years old and had passed through multiple owners before landing in my hands. Still, I found it surprising that the failure wasn’t total. Instead, the appliance quietly degraded over time.
Side note: Cloudflare’s speed test website is an incredible tool for diagnosing bandwidth related issues.
So what’s my home network setup now?
I’ve been impressed with Fortinet’s equipment. Although they’ve had their share of vulnerabilities, the equipment is rock-solid when kept patched and properly segmented. I’ve since upgraded to the newer FortiGate-50G appliance and FortiAP-321K wireless access point.
Why go to the trouble of using business-grade gear at home? There are several reasons; chief among them is trust – or rather, how little of it I’m willing to place in the IoT equipment connected to my home network.
Every device on your network represents a potential entry point for (cyber) harm. You’re not just placing trust in the device itself; in the case of many modern IoT products, you’re also placing trust in the security of the manufacturer’s cloud infrastructure. That includes trusting it to be free from vulnerabilities – now and for the entire lifespan of the device connected to your network. That’s a significant leap of faith, especially in an age of increasingly sophisticated cyber threats (i.e. hackers).
Since I can never fully rely on that level of security, I choose to limit my risk. Using more robust, business-grade IT equipment at home gives me the ability to implement tighter controls and reduce my personal exposure to potential threats. I’ll expand on each of these in the following sections.
To segregate my IoT equipment
Some of the IoT devices connected to my home network are essential for the well-being of my family. For example, my solar system, battery energy storage system, and hot water management system are all connected devices. If any of these were to be compromised (i.e. hacked) for some reason, the impact on my family would be very real.
To reduce that risk, I’ve gone to great lengths to segregate my IT and IoT equipment, such that each class of device connects to its own network. Each network is designed with the principle of least privilege in mind – devices cannot communicate with each other unless there’s a legitimate reason to do so. For example, the IP cameras I purchased from AliExpress have no reason to ever communicate with my solar inverter, so they live on separate networks. On top of that, even devices within the same wireless network are isolated from each other using a feature that blocks intra-SSID traffic (read more here).
This might seem like overkill, but in a world that’s increasingly interconnected, I see this as a necessary precaution. Nearly all IoT devices are Internet-connected, and the persistent outbound connection a device keeps to its vendor’s cloud can be abused as a reverse tunnel into your home network. That means the manufacturer, or anyone who controls the manufacturer’s cloud, can use that same connection to reach back into the device and snoop around your network. While 99.9% of vendors would never engage in this kind of behaviour, their security standards aren’t always bulletproof, so hackers who break into a manufacturer’s cloud infrastructure could. Case in point: this well-known attack via a smart fish tank thermometer.
Thus, my home network is segmented into four Virtual LANs (VLANs), spanning both wired and wireless connections:
- Trusted IoT VLAN – For critical and trusted devices like my solar inverter, battery energy storage system, and hot water controller.
- Untrusted IoT VLAN – For off-the-shelf consumer devices such as IP cameras, smart TVs, robotic vacuum cleaners, fridges, washing machines, ovens, etc.
- Workstation VLAN – For daily-use devices like my family’s mobile phones and laptop computers.
- Management VLAN – For administering the Fortinet system and, when necessary, managing devices in other VLANs (e.g. from my trusted laptop computer).
To control when and how devices can access the Internet
Internet access in my network is tightly managed through strict firewall rules on the FortiGate firewall. Again, I follow a least-privilege approach – all connections to the Internet or to other devices in my network are blocked by default unless explicitly permitted. The FortiGate also provides granular control over which services and ports are allowed, and even when those connections can be made (by time of day or day of the week).
I find this granularity incredibly useful. For instance, I allow my inverter to connect outbound to one specific cloud monitoring service and nothing else. With application control, traffic inspection and bandwidth shaping enabled on that policy, I can tightly control what goes out; because the firewall is stateful and inbound is denied by default, the only traffic that comes back in is the reply to a session the inverter itself opened.
Similarly, as a parent, I use the same system to block access to certain websites for workstation devices (e.g. phones and laptops), either permanently (e.g. explicit content) or on a schedule (e.g. YouTube gets blocked at bedtime).
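As an added example (not configuration taken from the original post), the FortiOS CLI fragment below builds the structure described in the previous two sections: a VLAN interface for the trusted IoT network and another for workstations, an allow-list policy that lets only the inverter reach its monitoring service over HTTPS, and a scheduled deny that blocks YouTube from the workstation VLAN at bedtime. The physical interface names (internal, wan1), VLAN IDs, IP ranges, the hostname monitor.example.com and the bedtime window are all assumptions for illustration, not the author’s real settings.

```text
# Added example, not the author's configuration. Interface names, VLAN IDs,
# addresses, hostnames and times are assumptions.
config system interface
    edit "vlan-trusted-iot"
        set vdom "root"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping
        set role lan
        set interface "internal"
        set vlanid 10
    next
    edit "vlan-workstation"
        set vdom "root"
        set ip 192.168.30.1 255.255.255.0
        set allowaccess ping
        set role lan
        set interface "internal"
        set vlanid 30
    next
end

config firewall address
    edit "inverter"
        set subnet 192.168.10.20 255.255.255.255
    next
    edit "inverter-cloud"
        set type fqdn
        set fqdn "monitor.example.com"
    next
    edit "net-workstation"
        set subnet 192.168.30.0 255.255.255.0
    next
end

config firewall wildcard-fqdn custom
    edit "youtube-any"
        set wildcard-fqdn "*.youtube.com"
    next
end

config firewall schedule recurring
    edit "bedtime"
        set day sunday monday tuesday wednesday thursday friday saturday
        set start 20:30
        set end 06:30
    next
end

config firewall policy
    # Trusted IoT: only the inverter, only to its monitoring host, only HTTPS.
    # Anything else from this VLAN falls through to the implicit deny.
    edit 1
        set name "inverter-to-cloud"
        set srcintf "vlan-trusted-iot"
        set dstintf "wan1"
        set srcaddr "inverter"
        set dstaddr "inverter-cloud"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "default"
        set logtraffic all
        set nat enable
    next
    # Workstations: the scheduled deny must sit above the general allow,
    # because policies are matched top-down and the first match wins.
    edit 2
        set name "workstation-block-youtube-bedtime"
        set srcintf "vlan-workstation"
        set dstintf "wan1"
        set srcaddr "net-workstation"
        set dstaddr "youtube-any"
        set action deny
        set schedule "bedtime"
        set service "ALL"
        set logtraffic all
    next
    edit 3
        set name "workstation-to-internet"
        set srcintf "vlan-workstation"
        set dstintf "wan1"
        set srcaddr "net-workstation"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set logtraffic all
        set nat enable
    next
end
```

Two caveats worth knowing before copying this pattern. A recurring schedule whose end time is earlier than its start time wraps past midnight into the next day, which is what makes a 20:30 to 06:30 window work; confirm that behaviour on your firmware version. And FQDN-based address objects only match traffic whose DNS lookups the FortiGate can see, so a client using DNS-over-HTTPS or a third-party resolver on a port you haven’t blocked will sail past the wildcard deny; a web-filter category or application-control signature attached to the allow policy (the approach the post itself mentions) is the more robust way to enforce the bedtime block.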
To help with diagnostics when things go wrong
One of the most underrated features of the FortiGate appliance is the visibility it offers. It can log everything – DNS requests, traffic flows, and real-time bandwidth usage per device – provided logging is enabled on each policy (including the implicit deny) and the logs are kept somewhere with enough retention to be useful.
These insights have proven helpful when I’ve needed to troubleshoot in the past. I’ve used these logs to identify connectivity issues, keep a watchful eye on suspect IoT devices, and spot bandwidth hogs.
So is it worth the cost?
At this point, you might be wondering: Is it really worth investing in this kind of equipment? Why not just use the Wi-Fi router that my ISP provides?
Honestly, for the average Joe, I think the Wi-Fi router provided by your ISP will be perfectly fine for a little while longer. However, I do believe we are close to a point where folks must take more responsibility for the security of their home network, especially with the growing number of internet-connected devices finding their way into homes.
The risks associated with IoT are very real. Consumers are (figuratively) swimming in an ocean of IoT devices, many of which are built as cheaply as possible, often with minimal attention to security. While I’m not suggesting everyone rush out and buy a business-grade firewall appliance, I do recommend people learn about the security features already built into their home Wi-Fi router.
Many routers come with features like device isolation and basic firewalls – they just need to be enabled. Taking the time to configure them can significantly improve your home network’s security posture. The last thing you or I want is for the IoT refrigerator to become the reason our bank account gets drained, as supermarket prices are already doing that in the physical realm.