Working From Home, the final chapter?

Up until 5 months ago, I worked from home for 17 years. For a number of reasons, I took a job working in an office and tried to make the best of it. Going into an office everyday was quite tough for me; even though the commute was an easy 30 minute drive each way, that was still an hour out of my day. In order to avoid traffic, I had to wake up at 6 am and got to the office no later than 7:30. I hadn't used an alarm clock regularly in years, so waking up with an alarm was not pleasant. I've written about working from home and 8 years ago, I wrote that I couldn't work in an office full time!

Some may think that working from home is a luxury or that they couldn't do it because of all the distractions. For me, it isn't a luxury, but the only way I can work. I'm more focused at home and more relaxed. There is a sense of freedom for me not being confined to an office. I'm sure working from home causes me to work more, but I'll take that in exchange for flexibility.

Article after article I read, including this one talks about letting people work from wherever they work best. Unfortuantely not all companies are on board with this. I'm now back in a position that affords me this opportunity and with all the collaboration tools available today such as Slack and Google Hangouts, I can still feel like part of a team.

Blocking IP Cameras from Talking to the Internet

The recent distributed denial of service attack is said to have been caused by the Mirai botnet which basically turns IoT devices in attackers. One of the devices that is vulnerable is an IP camera that has a default username and password. While I don't have that brand of camera, my cameras have accounts that I can't remove and apparently one ONVIF account with a username/password that can't be changed. I'm pretty good at securing my network from people coming in, but what about things going out? A lot of these IoT devices talk to a server for firmware updates or whatever. Since my IP cameras only need to talk to my server that is recording video, there is absolutely no need for them to connect to the Internet. I decided to see what I could do to isolate the traffic; this is something I've wanted to do for 3.5 years ever since I got a Cisco router that did VLANs, but couldn't figure out a reason and didn't have the knowledge to do it. However, times have changed.

In my case, I now have managed switches UniFi Switch 8 and the 16 port version as well as an EdgeRouter Lite. Using this equipment, I was easily able to separate out the camera traffic on a VLAN that has no access to the Internet. Here's what I did:

1. On the EdgeRouter Lite, setup a new VLAN. From the Dashboard, click on Add Interface and then Add VLAN.
   
   
   
2. Setup the VLAN similar to the picture. The 1002 is the VLAN ID. Select the Interface for your LAN port. Enter the IP address for this subnet.
   
3. Click Save.
4. Switch to the Firewall/NAT tab. Select Firewall Policies.
   
   
5. Click Add Ruleset.
6. Set it up similar to this picture.
   . Repeat for CAMERAS_OUT and CAMERAS_LOCAL (in is for data coming from the camera subnet, out is for data going to the camera subnet, and local is data to and from the router.
7. After the rules are saved, select Actions to the right of the IN rule. Choose Interfaces.
   
8. Select the VLAN (ethernet port + VLAN ID) and the direction. Click on Save Ruleset. Then close the dialog.
   
   
9. Repeat the above steps for the OUT and LOCAL rulesets.
10. IN and OUT are now complete; basically we have just made all traffic from this new VLAN never goto the Internet or receive data from the Internet.
11. To the right of the LOCAL ruleset, click on Actions and select Edit Ruleset.
12. Click Add New Rule.
13. Enter NTP for the description and select Accept. Select UDP for the Protocol.
    
    
14. Click on Destination. Enter 123 for the port.
    
15. Click Save.
16. Create a new rule for DNS using UDP port 53.
17. Create a new rule for DHCP using UDP port 67.
18. Click Services at the top of the Edge Router interface.
19. Click Add DHCP Server.
    1.
20. Set it up like in this picture.
    
    
21. After setting up the DHCP server, you may want to Configure Static Map to assign specific IP addresses for each MAC address.
22. Before leaving this area, click on DNS and add the VLAN as a Listen Interface and click Save.
23. Now move over the UniFi Controller.
24. Goto Settings and choose Networks.
    
25. Click Create New Network. Set it up similar to this picture.
    
    
26. Click save.
27. Goto Devices and select the UniFi Switch. Click Ports and locate a port with a camera. Click the Pencil.
28. Change the VLAN to the Cameras VLAN. Click save.
    
29. Power cycle that port and the device will come up on the new VLAN.
30. On my Mac (the machine recording video), go into Network settings, click the gear and select Manage Virtual Interfaces.
    
31. Click the + button and select New VLAN.
    
32. Enter the VLAN ID for the Tag and give it a name.
    
33. Click Create and then click Done.
34. Select the new interface, select Configure IPv4 Manually. Alternatively you can use DHCP.
    
35. Re-configure your security software (in my case SecuritySpy) with the new IP addresses.
36. I also changed the NTP address in the cameras to be 10.0.2.1 as the router will now block all traffic trying to go outside. The EdgeRouter Lite happens to be running an NTP server which is quite convenient.

Yes, there are a lot of steps here, but this makes me feel a bit safer. Without a managed switch and a router that can handle VLANs, this would be difficult, if not impossible. Unfortunately most people won't be able to do this and their IoT devices will be targets. I have no idea how we're going to solve the problem of IoT devices getting hacked, used to launch hacks, or generally cause havoc on the Internet.

Please let me know if I missed anything or there are any mistakes.

Native vs Web App for IoT Devices

Recently I was chatting with a friend about a new WiFi router. I hadn't heard of it and he sent me a link to it. The first thing I noticed about it was that the configuration was done via an iOS or Android app. As an iOS developer, I know that a native app is going to generally provide a better user experience than a web app. However, as a consumer, I shy away from devices that only have a native app interface. If the app stops working, isn't updated quickly when an OS gets updated, or the company stops supporting the app, I'd be out of luck. In addition, I like being able to configure devices using my desktop machine and most devices don't have a Mac app for configuration.

The native apps are great, but they have to be secondary to a web interface for any IoT device. I mentioned this to my friend and he understood right away my point. I look at the serial to Ethernet gateway I have that I bought used 3.5 years ago and is likely not made any more and am glad that it has a web interface. Granted it is a very specialized device on my network, but the web interface is the only reason that I'm still able to use it. If it were a device that I wanted to look at more often, like a router that I needed to control various aspects of it, the lack of a web interface makes the device a no go in my opinion.

I wish that more companies would implement web interfaces first for their IoT devices and have native apps as secondary interfaces. I'm not saying that all apps should be web apps; in fact, I believe that native apps provide a better user experience. I am saying that web apps should always be a backup option in case the native app isn't available or doesn't work.

Keeping Network Devices Updated

Some time ago, IPv6 disappeared from my home network. After a bit of research, I found out that Time Warner Cable had a problem with my cable modem (Motorola SB 6183) and IPv6 so they pushed out a firmware that disabled IPv6. Recently I read in the Time Warner forums that a firmware update would be out soon that has this fixed.

This got me thinking about IPv6 on my home network. While I'm not sure exactly why I need it, I'm curious about it. Do all my devices support IPv6? Should I move everything to IPv6? Both of these questions are not my focus right now as my IPv4 network is fine, and I don't want to put my head around it. What this did bring up, however, is the availability of updates for devices on my network; not just IPv6 support, but security and stability fixes.

My network has a large number of devices from a number of manufacturers. I have 7 video cameras, 7 Squeezebox devices, 3 Macs, 3 iPhones, 5 iPads, a sprinkler controller, Apple TV, Fire TV, Amazon Echo, serial to Ethernet adapter, 3 WiFi access points, 2 managed switches, printer, a Vera, and a partridge in a pear tree. These devices range from being a few months old to some being many years old. How do they get updates? Are they still made? As a tech person, I try to keep on top of all the updates and keep my network secure.

One of the problems with keeping all these devices updated is that some of the manufacturers are no longer around or the devices are no longer supported. Does this pose a security risk? Devices that update their firmware automatically like the Amazon Echo make this whole upgrade issue moot (until the company goes out of business or moves on). What does the average person do with all these devices? The simplest solution for devices that don't update their own firmware, unfortunately, is to replace them every few years. This is a complete waste, but potentially the only solution. The problem is going to get worse as more and more devices are put on the network.

What do other people do to keep devices updated? Maybe I need a quarterly update day to check all my devices.