Hacker News new | ask | show | jobs
by mindslight 2640 days ago
Upgrading to managed switches, I had thought about making a bunch of VLANs in a similar manner. But I ended up settling on something much simpler.

There are essentially just two segments / types of switch ports (I may have stuck with the many-vlans thing if switch ports had RGB LEDs showing what zone they were in...). First, the "trusted" network, which does switch management, servers, reasonably-behaved hosts, etc.

Then, a second "access" segment. Ports in this segment are setup to not be able to talk to one another through the switching fabric at all - the only thing they can talk to is the router. Ports on the same switch are prohibited from talking by the switch's config, and different switches are given different associated VLANs. This is good for visitors, Android, Internet of Trash, etc.

For routing, the horizon seen by each device is controlled directly by its own macaddr on the router itself. Two hosts on the same segment can see drastically different routing tables and Internet connections. This isn't perfect, as it can be easily spoofed unless I start pushing the switchport-mac mapping out to the switches. But it works for now.

But I believe "sandboxing" in the original comment was talking about the machine itself, not network access. So PC gaming means being disciplined about getting another machine, or at least a second GPU for PCIE passthrough in a VM. In general I think we're in a time of decommodification. The easiest way to sandbox between security boundaries is separate machines, of which there is an inexpensive surplus of. No need to have banking and games on the same tablet, when a second hand nexus7 (flo) is $40 on fleabay.
2 comments
shasheene 2640 days ago
Carefully constructing a household network topology and being disciplined with separate physical machines appears to be a strong mitigation.

But will your colleagues who play competitive online games be willing to buy a separate machine used only for remote employment, and be willing (and able) to construct such a network topology correctly?

Most household routers don't even support VLANs.

link
tya99 2640 days ago
> Then, a second "access" segment. Ports in this segment are setup to not be able to talk to one another through the switching fabric at all - the only thing they can talk to is the router. Ports on the same switch are prohibited from talking by the switch's config, and different switches are given different associated VLANs. This is good for visitors, Android, Internet of Trash, etc.

Yes essentially that's what VLAN 3 and 4 are (trusted). They are able to talk to each other but VLAN 2 (untrusted) cannot. VLAN 2 cannot access my server on the LAN or any other network resources, except in certain situations where I open a single HTTP port to a specific directory that is read/only. This is where guests would be. I use this to copy 'certain' files to my untrusted hosts. The exploitation surface area is extremely low. Switch configuration can only occur when on VLAN 1 (management). I also can control which VLAN people access via WiFi via my Unifi Controller. One SSID is a trusted network, the other is untrusted. I only use EAP so I can control exactly what users have access to what VLANs via FreeRadius. All of this is documented [0][1]

> For routing, the horizon seen by each device is controlled directly by its own macaddr on the router itself.

Remember MAC Addresses can be spoofed which means you can get things like VLAN hopping if you're not careful. My Windows machine where my gaming happens is "untrusted" and is in port 2 on the switch, my trusted machines are in port 3 and 4. My other family members also have certain devices they consider 'trusted' and those are in VLAN 3/4 while they have devices that are 'untrusted' in VLAN 2. It took some time to educate everyone, but I drew pictures, and explained it nicely. Unfortunately this is the world we currently live in.

I was concerned that a APT (advanced persistent threat) might have the time to monitor the system for idleness and then attempt such an activity. At least that is what I would do.

> But I believe "sandboxing" in the original comment was talking about the machine itself, not network access.

Well they are sort of the same thing in this situation because it's physical sandboxing.

> So PC gaming means being disciplined about getting another machine, or at least a second GPU for PCIE passthrough in a VM.

> In general I think we're in a time of decommodification. The easiest way to sandbox between security boundaries is separate machines, of which there is an inexpensive surplus of.

Exactly.

No need to have banking and games on the same tablet, when a second hand nexus7 (flo) is $40 on fleabay.

This is exactly my point. In regard to my mobile phone I use a Redmi Note 5, with LineageOS, without Google Apps. If I tablet gamed I would have a 7" tablet specifically for that. I would tether it to my phone via WiFi AP and the CPU/GPU would probably be more powerful than you'd get in a phone anyway.

I only install things through F-Droid. I have made a significant attempt to de-google my life and have been successful.

Right now all I have on there is

• andOTP org.shadowice.flocke.andotp

• AnySoftKeyboard com.menny.android.anysoftkeyboard

• Barcode Scanner com.google.zxing.client.android

• BusyBox ru.meefik.busybox

• Call Recorder com.github.axet.callrecorder

• DAVx⁵ at.bitfire.davdroid - Used for syncing with my private Radicale instance.

• Draw com.simplemobiletools.draw.pro

• F-Droid org.fdroid.fdroid

• Fennec F-Droid org.mozilla.fennec_fdroid

• Flym net.frju.flym - RSS yay.

• Ghost Commander com.ghostsq.commander

• K-9 Mail com.fsck.k9

• Maps com.github.axet.maps - Provides a native experience for OSM maps. If I need Google Maps I just use a web browser.

• Markor net.gsantner.markor - Awesome text editor/markdown editor

• MuPDF viewer com.artifex.mupdf.viewer.app

• oandbackup dk.jens.backup

• OpenKeychain org.sufficientlysecure.keychain - PGP mail yes.

• OpenTasks org.dmfs.tasks - Used for syncing tasks with my private Radicale instance

• OpenVPN for Android de.blinkt.openvpn

• primitive ftpd org.primftpd - I upload/download via sftp to my phone without plugging it in with ssh keys (ie /sdcard/.ssh/authorized/keys)

  sftp_phone() {lftp sftp://user:DUMMY@{{ IP_OF_PHONE }} -e 'set sftp:connect-program "ssh -a -x -o KexAlgorithms=diffie-hellman-group-exchange-sha256 -o MACs=hmac-sha2-512,hmac-sha2-256 -i ~/.ssh/id_rsa"'}
• RedReader org.quantumbadger.redreader

• Revolution IRC io.mrarm.irc - Yeah I still use IRC and not IRC bridges, yet with Riot because of https://github.com/vector-im/riot-web/issues/2320

• Riot.im im.vector.alpha

• Share to Clipboard com.tengu.sharetoclipboard

• Silence org.smssecure.smssecure

• VLC org.videolan.vlc

[0]: http://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a_...

[1]: https://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a...

link
mindslight 2639 days ago
To put it in term of your network, I didn't want to deal with having to differentiate between VLAN3/VLAN4 switch ports (and wanted to leave room to grow multiple outgoing VPNs).

Also I don't see the need for hosts on VLAN2 to be able to talk to one another. Which enables me to default to putting decently trustable things in my access zone as well (like say an RPi running Raspbian/Kodi).

> Remember MAC Addresses can be spoofed which means you can get things like VLAN hopping if you're not careful

Oh for sure, which is why I alluded to eventually pushing out per-port mac address config to the switches. But my primary concern is browser/pocketsurveillance traffic not going out my ISP's IP, and this suffices for now.

(Thanks for the dump of Free android apps you find useful. Not really on topic for the thread, but I personally appreciate it)

link