Divide and Contain
It's been almost two years since the first Covid-19 lockdown here in the UK and elsewhere in the world. It's clear that our working habits have changed. With many more people working from home, we are talking more about work/life balance. However, maybe it is now time to have a conversation about the work/life balance on our networks!
Many companies would not allow you to plug a personal device into their network, yet they ask you to plug their equipment into your home network without a second thought. So how do you protect your home from your employer's devices, and your employer from your home?
Let's consider two changes that have accelerated over the last two years:
1: Work devices have been connected to networks that the IT team has no control over.
As companies, we entrust the security of our devices, the information they contain and the systems they access to home networks.
These work devices probably have access to sensitive company or customer information, and we have no idea what else is connected to the network they sit on. The person who "manages" that network may (through no fault of their own) have little to no knowledge of network security.
2: Employees have opened their personal home networks to untrusted work devices.
As employees, we give these devices full access to our home network, even though we have little control over them and did not set them up ourselves.
Now, don't misunderstand me. When I say untrusted, I don't mean that we don't trust the companies we work for. I simply mean that they are devices we do not have 100% control over and that we didn't set up.
There are many things that can be done to help ease some of the issues that may arise from this situation (hello, VPNs). In this post we're going to take a simple look at Virtual Local Area Networks (VLANs).
What is a VLAN?
While setting up VLANs can be a little complicated and requires some networking knowhow, the principle of what they are is actually quite simple.
A normal home router setup has one network that every device connects to; its subnet will be something like 192.168.1.0/24. Every device can talk directly to every other device.
VLANs are additional, virtual networks that share the same physical switch and Wi-Fi but are kept apart: each frame is tagged with its VLAN's number (the 802.1Q tag), and the switch only delivers it to ports and devices in the same VLAN. Each VLAN then gets its own subnet, so you might create three more networks with the subnets 192.168.2.0/24, 192.168.3.0/24 and 192.168.4.0/24.
Each of these virtual networks, when correctly configured, is its own isolated network. The only thing that can carry traffic from one to another is the router, and its firewall rules decide whether it does; that is where "correctly configured" matters.
OK, I hear you: "If non-techie employees have no knowledge of network security how can you expect them to be able to set up VLANs in their homes?"
That's a very good point, so we will also look at a simpler, last-resort alternative that doesn't need any real networking knowledge.
Why bother with VLANs?
Aren't VLANs a little overkill and unnecessary for a home network?
For many, yes, perhaps. It depends on the individual situation and the individual themselves. For some it'll be overkill, for some it'll be necessary and for others it'll just be a fun thing they'll enjoy tinkering with.
I already use a VPN, do I still need VLANs?
A VPN can be a helpful tool for privacy and security. For example, when you are working from home, a company VPN creates an encrypted tunnel from your device to your employer's network. Anything intercepted in transit is unreadable to a third party, and your device can reach internal systems as if it were in the office.
What a VPN will not do is separate that device from your home network. The laptop still sits on your LAN: other devices on it can reach the laptop, and unless the VPN client blocks local traffic, the laptop can reach them. So, if device/network separation is what you are looking for, then a VLAN may be the answer.
What are we trying to achieve?
Think of a supermarket. They have a large area where they sell food, another area where they store food, and then there will be a relatively tiny area called the safe where they store the money.
In a way, we can think of these separate areas as VLANs.
We want the public we have invited in to be able to access the main area of the supermarket; think of this as a guest network for your friends or visitors. But we don't want the public to be able to access the warehouse, an area that is just for some staff members. This might be our Internet of Things (IoT) network.
Lastly, there are very few people we want to allow into the safe. We want to keep the public and most of the staff out of that area, we need to know who is in there and that they are authorised to be there, and we want to be as sure as we can be that they and their equipment are secure. This would be our main personal network. Any device we trust goes here. Other devices (IoT, guests, work) ideally go on separate networks.
No, it's not a perfect analogy, but hopefully you get the general idea.
Let's consider ransomware. Ransomware that arrives as an email attachment does not stop at the machine that opened it: many strains scan the local network for file shares and unpatched services and spread to whatever they can reach. Systematically separating devices into separate networks limits how far that spread can go.
Or if one of your insecure IoT devices is infected with cryptocurrency-mining malware or recruited into a DDoS botnet, it is far less able to reach your personal or work computers if it sits on its own IoT network.
The thing to remember with VLANs is that what affects one device on Network A is far less likely to affect a device on Network B.
There are other benefits to segmenting networks, such as smaller broadcast domains and better overall performance, but those won't be noticeable in a small home network.
OK, how do we do it?
If you're the sort of person who enjoys tinkering with computers and networks, then you may decide it would be fun and worthwhile to try setting up some VLANs. If you only have the router your ISP supplied, you'll probably need to replace it with one that supports VLANs, and if you have a separate switch or access points they need to support VLAN tagging too. Be sure to find a good VLAN setup tutorial for the make of router you buy. The method differs between brands, and a misconfigured router can leave you less secure than before because you believe devices are separated when they are not.
If networking is not part of your skill set and you don't want to try setting up VLANs, a last-resort option is to check the router your internet company supplied. It probably won't let you set up your own VLANs, but it may well let you enable a separate guest network. In some cases it's simply toggling a slider in an app and choosing a name and password for the guest network; other times you'll have to log in from a browser and go through some menus. Whichever it is, check that the guest network is actually walled off from your main network and not just stopping guest devices from seeing each other: from a device on the guest network, try to reach a printer, file share or the router's admin page on the main network. If that works, the guest network is not giving you the separation you want.
This solution is not ideal if you use it just for work (where will your guests go?), which is why it's a last-resort option, but it does at least let you separate your personal and work networks.
There are downsides, though. Setup can be complicated, particularly where firewall rules are involved, and manufacturers differ in how VLANs are created. Some isolate VLANs from each other by default: you'll have to add firewall rules to allow communication where it is needed. Others route between VLANs by default: you'll have to add firewall rules to block inter-VLAN routing and any other traffic you don't want. The first kind is the safer starting point, because a rule you forget leaves a gap closed rather than open.
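What "correctly configured" looks like in practice, as an added example that is not from the original post: a small Linux router (anything that runs nftables, such as a Debian box or an OpenWrt device) carrying three 802.1Q VLANs over one trunk port to a managed switch, with a firewall of the isolated-by-default kind. Trusted devices may open connections to the IoT network (to reach a camera's web page, say) but IoT devices can never open connections back, and the work VLAN gets the internet and nothing local at all. The interface names, VLAN numbers and subnets (eth0, eth1, VLANs 10/20/30, 192.168.10.0/24 to 192.168.30.0/24) are assumptions, as is the router running its own DHCP and DNS; NAT to the internet and IPv6 are left out to keep the policy readable.

```shell
#!/bin/sh
# Added example, not the original post's configuration. All names below are
# assumptions for illustration:
#   eth0    = WAN (internet)
#   eth1    = trunk to the managed switch, carrying tagged VLANs 10, 20 and 30
#   VLAN 10 = trusted personal devices, 192.168.10.0/24
#   VLAN 20 = IoT,                      192.168.20.0/24
#   VLAN 30 = work laptop,              192.168.30.0/24
# The router is assumed to run DHCP and DNS itself (e.g. dnsmasq). IPv4 only:
# an IPv6 router must also accept icmpv6 in the input chain or neighbour
# discovery breaks. NAT towards eth0 is left out.

WAN=eth0
TRUNK=eth1
VLANS="10:192.168.10.1 20:192.168.20.1 30:192.168.30.1"

# Print the ip(8) commands that create one tagged sub-interface per VLAN on the
# trunk and give the router its gateway address on each.
vlan_link_cmds() {
    for spec in $VLANS; do
        id=${spec%%:*}
        gw=${spec##*:}
        echo "ip link add link $TRUNK name $TRUNK.$id type vlan id $id"
        echo "ip addr add $gw/24 dev $TRUNK.$id"
        echo "ip link set $TRUNK.$id up"
    done
}

# Print the nftables ruleset. Both chains are closed by default (policy drop),
# so a VLAN only reaches what is explicitly listed; a forgotten rule blocks
# traffic rather than allowing it.
nft_ruleset() {
    cat <<EOF
flush ruleset
table inet vlanfw {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # every VLAN may open connections to the internet ...
        iifname "$TRUNK.10" oifname "$WAN" accept
        iifname "$TRUNK.20" oifname "$WAN" accept
        iifname "$TRUNK.30" oifname "$WAN" accept
        # ... and trusted devices may open connections to IoT (camera web UI,
        # printer). Replies come back through the established,related rule.
        iifname "$TRUNK.10" oifname "$TRUNK.20" accept
        # No rule for IoT -> trusted, work -> anything local, or anything ->
        # work: the drop policy handles all of those.
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # each VLAN may use the router for DHCP and DNS, nothing else
        iifname "$TRUNK.10" udp dport { 53, 67 } accept
        iifname "$TRUNK.10" tcp dport 53 accept
        iifname "$TRUNK.20" udp dport { 53, 67 } accept
        iifname "$TRUNK.20" tcp dport 53 accept
        iifname "$TRUNK.30" udp dport { 53, 67 } accept
        iifname "$TRUNK.30" tcp dport 53 accept
        # the router's own admin access (SSH) is reachable from trusted only;
        # nothing from the WAN side is accepted at all
        iifname "$TRUNK.10" tcp dport 22 accept
    }
}
EOF
}

# Syntax-check the generated ruleset without applying it (needs nft installed).
check_ruleset() {
    nft_ruleset | nft -c -f -
}

# Plain run prints the link commands and ruleset for review; "check" runs nft -c.
if [ "${1:-}" = "check" ]; then
    check_ruleset
else
    vlan_link_cmds
    nft_ruleset
fi
```

Run it once to read what it would do, `sh vlanfw.sh check` to have nft validate the ruleset without touching the live firewall, and on the router run the three groups of `ip` commands before loading the ruleset part with `nft -f`. The switch side still has to be configured so that the port to the router is a tagged trunk for VLANs 10, 20 and 30 and each device port or Wi-Fi SSID is untagged in exactly one of them; that part is brand-specific and is the bit the tutorials for your hardware will cover.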
The extra cost can be prohibitive. You probably already have a router from your ISP and it serves your purposes 99% of the time. Spending a couple of hundred pounds on a new router (and possibly a managed switch) just to set up some VLANs might be enough to put you off.
But, if your wallet can stand it and you're capable of doing it yourself (or of finding some good tutorials online), then have a go. Divide and contain!