Features

My Insanely Complex Personal Firewall – And Why It Actually Makes Sense

Here’s a subject I’ve been berated into speaking about at a few conferences and that people keep asking me to put into writing: the personal firewall system I’ve created at home that is both ridiculously more complicated than normal and that also makes perfect sense, and something others should likely follow.

Let me explain. Most home networks, and even most corporate networks, still basically throw every system they manage onto a single network segment. That’s totally fine if you trust every single device you are linked to – or if you simply don’t care about security. But with the rise of the Internet of Things, and the “bring your own device” policies, we’re connecting ever more novel and demonstrably insecure devices to our networks and to let them all send data along the same, single network segment is, to my mind, insane.

It’s especially insane when you learn how most IoT devices operate. Like a lot of people today, I have a few off-the-shelf cameras placed around my house and the property it sits on. I just want to be able to see what’s going on if I hear a weird bump or whatever outside. When I installed the cameras, I specifically configured their settings to not talk to the internet. (By the way, some cameras require you to view them via a cloud provider and simply won’t function if they don’t have that connectivity, but the kind I have at least claim to be configurable and are reachable without the internet). And yet despite my changing their settings, all of my cameras, to this day, constantly try and connect with the internet. As an end user, I have no idea what they’re trying to talk to the internet about or who they’re hoping to send data to. I just know that they aren’t doing what I’ve explicitly told them to do.

This isn’t exactly a surprise. Even a cursory look at the recent research will tell you that “security” cameras are frighteningly insecure. With just a little knowledge, it’s easy to find websites sharing camera feeds that are supposedly not on the internet. You can see into random people’s houses, all kinds of businesses and offices, as well as city streets watched by security cameras that were never intended to be public. There’s even plenty of reports recently of cloud-based cameras getting hacked into, and the hackers even conversing with their victims.  It’s a madhouse.

It’s not just cameras, either. My new dishwasher wants to connect with the internet so it can tell me when it’s done or allow me to remotely start it, something I really, really do not care about by the way (seriously, why would I remote start it when I still have to load it up?). But I also don’t have confidence that, even if my dishwasher’s security settings are maximally secure right now, the manufacturer will continue supporting it and sending out the regular security updates it will need over the decade or so I planning on keeping it.

So, while these devices make my life easier and better, I also don’t trust them for a second and have therefore built a home network and personal firewall that I feel is required to keep my system secure.

In addition to messing around with my device settings (which is already going a lot further than most people are either willing or able to go), I’ve also put my cameras, as well as a number of other devices, into their own network segments.

You can see the basic setup in the diagram below. While the whole thing looks crazily complex, it’s actually based on a simple principle of separation. My cameras are on one network segment, my other IoT devices (like my dishwasher) are on another, and my media player, my computers, my guest network, and so on, are each on their own as well. Each segment has its own virtual LAN that exists in a completely different IP space. That way, the cameras don’t get to interact with the IoT devices or anything else across the segments.

personal firewall

Ok, it does get a little more complex. I have things configured so that certain portions of my network can look in and see what’s going on with the otherwise isolated devices. Unsurprisingly, all this adds a level of complexity that is way beyond the patience of anyone but a professional and obdurate technologist. And yet I can’t argue with the way it’s been done, despite the fact that it is completely not normal. It’s simply true that, as more people install internet-connected doorbells, locks, baby monitors, appliances, and so on, home networks will need to be ever-more protected from possible attacks.

The whole thing routes through a single firewall device, which happens to be managed by the off-the-shelf open source firewall manager called Shorewall, which is basically a higher level overview wrapper to Linux iptables.

Each of my network segments has its own firewall rules. Then each of the segments runs through a switch into my personal firewall itself, which sits between the home network and my internet provider’s cable and is monitoring and then blocking or allowing all of the network traffic.

This isn’t exactly straightforward to set up, either, because you effectively end up compiling your firewall rules. My full ruleset, in iptables rules, is thousands of lines long – there’s a reason I use Shorewall to help simplify some of that complexity.

But think of my segmented home network and personal firewall as an early version of the network security solution that sooner or later pretty much everyone is going to need. Like most prototypes, it’s only approachable by those who already have a good idea of what they are doing that will someday be refined and polished as the ideas are sussed out, but I’m guessing that the fundamental design is also one that a lot of people will end up using.

If you’d like to play with making your own version, I’ve posted a stripped down version of what I’m doing, noting that I haven’t even tried to run this I sanitized and ripped things out of my existing setup, so that you could use it as a starting point here. This is very much an example and not something I’m planning to update or maintain – so please don’t start sending me patches!

If you’d like to see me talk on my personal firewall, check out the recording of my presentation at last year’s Southern California Linux Expo (aka SCaLE). You’ll find my talk about 6:47:00 into the recording.

For more information, follow John on Twitter (@warty9). And stay tuned to the Open Source Blog and Twitter (@vmwopensource) for more deep dives into open source technology.