How to set up a Ghetto-VLAN at home to 'heavily' improve security.

Discussion in 'other firewalls' started by Mayahana, Jan 22, 2015.

  1. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    This is a technique I use (and developed) to heavily lock down a typical home router. Why this works is simple - most home routers have very limited SPI, and virtually no policy configuration. A lot of the good stuff is buried in inaccessible CLIs on the router. The most powerful, and root, policy on any quality security appliance is "DENY DENY ALL". A home router has this, but only on the GUEST NETWORK for INTRANET ACCESS. So using this method you create a nearly impenetrable "DENY DENY ALL" for all intranet (LAN) access through your wireless. It doesn't get much more secure than that (for a home router).

    Introducing the Ghetto-Vlan. (TM)

    Segregate radios with ghetto VLANs, and do space broadcasting limitations. We can get a bit advanced with consumer routers if necessary despite being limited with policies/routes.

    1) Hide the 5GHz SSID (WPS off), assign a ridiculous password to it, turn on MAC filtration with a 'single point' to a device. This is your personal WiFi within the intranet for just you.
    2) Dial the power down to 0 on the 5GHz, then 'tick' it up until you can just see it within the walls of your home at the location where you need it specifically.

    Alternatively, kill the 5GHz radio. Next:

    3) Completely lock down the 2.4GHz primary: MAC address filtration with an empty MAC list (filter ALL), hide SSID, broadcast limitation, WPS off, ridiculous password, radio broadcast "scheduling" with a 1 minute only window of broadcast.
    4) Assign a GUEST network to the 2.4GHz radio, disable intranet access. (Ghetto VLAN) This is where ALL wireless on your network will pass through (even the hackers, due to the Deny Deny ALL root policy).

    You've successfully 'magnificently' secured your home network. All of your wireless activity will be funneled through the ghetto VLAN, as your primary 2.4GHz is effectively locked up. You can't disable the 2.4GHz entirely without disabling the guest network capability, but you can disable it enough with ghetto-policies so it is unusable and locked down, then force everyone to work within the restrictions of the guest segregation. (DENY DENY ALL INTRANET/LAN)
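    A way to confirm that step 4's "disable intranet access" actually holds, added here as an example and not part of the original post: join a laptop to the guest SSID and run this from it. The LAN addresses and ports are constructed placeholders (router admin page, a NAS, a wireless printer); substitute your own. Anything listed as REACHABLE is a gap in the guest isolation, and it also shows what a guest client would lose, such as printing.

```python
"""Guest-network isolation check (added example, not from the thread).

Run from a client joined to the GUEST SSID. If the router's "disable
intranet access" (the thread's DENY DENY ALL) is working, no host on the
primary LAN should accept a TCP connection from here.
"""
import socket
from typing import Dict, List, Tuple

# Constructed sample targets; replace with the hosts on your own LAN.
SAMPLE_TARGETS: Dict[str, List[int]] = {
    "192.168.1.1": [80, 443],     # router LAN admin page
    "192.168.1.20": [445, 5000],  # NAS (SMB, web UI)
    "192.168.1.30": [9100, 631],  # wireless printer (raw JetDirect, IPP)
}

Result = Tuple[str, int, bool]


def probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port completes, else False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out: all mean "blocked"
        return False


def sweep(targets: Dict[str, List[int]], timeout: float = 1.0) -> List[Result]:
    """Probe every host/port pair and record whether it answered."""
    return [(h, p, probe(h, p, timeout)) for h, ports in targets.items() for p in ports]


def isolation_holds(results: List[Result]) -> bool:
    """Isolation holds only if nothing on the LAN accepted a connection."""
    return not any(ok for _, _, ok in results)


def leaks(results: List[Result]) -> List[str]:
    """'host:port' pairs that were reachable through the guest segment."""
    return [f"{h}:{p}" for h, p, ok in results if ok]


if __name__ == "__main__":
    res = sweep(SAMPLE_TARGETS)
    for h, p, ok in res:
        print(f"{h}:{p:<5} {'REACHABLE' if ok else 'blocked'}")
    print("guest isolation OK" if isolation_holds(res) else "LEAK: " + ", ".join(leaks(res)))
```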
     
  2. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    Those sound like very reasonable steps to secure your WiFi. However, I am not sure about the value of hiding the SSID. Any decent scanner can very easily locate a hidden SSID; it will actually attract curiosity (something to hide!) and will create potential connection problems if your client WiFi is in a densely populated WiFi area, as other normal users will not see that the channel is already used and... bingo... more WiFi on the same channels. Not good.
     
  3. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Leave out the HSSID step then, but with RRP it shouldn't be an issue - but it COULD be, depending on gear. It's optional, and as you said it only really sways local curiosity, but if you are using distance security it won't matter.
     
  4. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,124
    Location:
    USA
    What is the benefit of locking down the primary 2.4GHz and moving all traffic to the guest SSID/network? Is it for intranet isolation? If so, my Netgear router has the isolation option for both the primary and guest networks, so it's not necessary. Note also that isolating the WiFi from the intranet makes it impossible for PCs on the intranet to print to wireless printers.
     
  5. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    There is almost always a trade-off with security, but unless you have the capability to static a printer and policy-route the printer ahead of the deny/deny/all, then yes, you won't be printing to a wireless printer. Many routers don't have intranet blocking on the primary interface; it's often excluded, but available on the guest functionality. The reason most consumer routers don't have intranet blocking as an option is because then you lose access to the router itself unless you can console into it or open it to the WAN, and opening to the WAN is a potentially bigger security hole.

    A workaround may be to MAC label anything on the primary 2.4 that will need to print, then put everyone else on the guest network. Put all of your appliances/smart appliances/DVRs and other things on the guest network to prevent intranet access; those won't need to print. I had all of my 'smart' stuff in the home on a restricted guest network when I ran the ASUS 87 as primary, so even if those were hacked there would be no intranet access through them.
     
  6. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,124
    Location:
    USA
    Tradeoffs of course; it's just good to minimize unintended consequences. I mentioned the issue with wireless printers because I lost access to mine and had to troubleshoot a bit before I realized it was due to having enabled wireless isolation.
     