Isolation within the Personal Cloud

Tools for segmenting the network are approaching consumer-grade price points. Pictured: TP-Link TL-SG1024DE-V1-011 Gigabit Switch

Tools to segment the network are approaching home-user price points.
Pictured: TP-Link TL-SG1024DE-V1-011 Gigabit Switch

This is a bit preliminary because I haven’t had much time to work on my office network re-wire project and don’t have a lot of screen time with my brand new hardware.  However, I found a device that should help with those of you in the Personal Cloud community who are busy building prototypes, testing, and hacking.  I didn’t realize it but the price of a managed switch is down to the $150 range.  When I first started buying gigabit switches, the 5- or 8-port units were at least $100 and a managed switch was $400~$500.

I just picked up a 24-port Managed Gigabit switch.  It’s the “friendly” SMB version which I suppose means it is a bit light on features compared to a full L2 or L3 managed switch. However, it was only $150 and supports VLANs so you can segment off a bank of ports into a separate network – perfect for those Internet of Things devices you don’t trust, for guest wireless access, for isolating your beta testing network from your critical business workstation/laptop, etc.  And it is serious where it counts – 48GBps backplane allows full duplex Gigabit traffic on all 24 ports simultaneously, according to the spec sheet.  For my purposes, it has port mirroring so I can snoop on all those IoT devices and see if the next wave of LG TVs phone home like the current ones do, or any of the other devices outed at Def Con and other places don’t get fixed.

One of the things that we in the IoT and pClouds communities need to wrap our heads around is how an ordinary person could implement a VLAN and VPN in their home or office without requiring a nerd-for-hire (i.e. someone like one of us).  The idea that all of these devices need to be hardened to the point they are all considered equally trustworthy to share the network with the things that run our lives is crazy. Do you really want that LG TV on the same network as the machine where you do your banking? Or a $30 digital photo frame with software written by the lowest bidder and implemented by someone without the skill to review it?  At some point as we move forward with Personal Clouds and IoT, flat networks in the home become a liability.  They are currently one of the biggest security issues in the corporate world and once you have a large network, migrating to a segmented network is a big project.  If flat home networks remain the norm, even as we start adding dozens and then hundreds of devices of varying quality, we will have learned nothing from the lessons of the corporate world.

If we assume a segmented network in the home, one way to do that is to hang multiple routers off of the broadband modem.  One router for each segment doesn’t sound like much until you start wondering whether you want your car talking to the $30 digital picture frame.  And what about all that UP&P and DLNA stuff?  Want that munging up the settings on the same network as the car or business workstation?  And in the era of BYOD, will the office begin to impose isolation requirements on home networks in order to provision email to your workstation and phone? Just like 64k used to seem like a lot of memory, the one or two networks today’s routers give us will soon seem cramped. I can’t give you better examples because we haven’t invented the things to drive that need yet. But then Sir Tim Berners-Lee didn’t tell you all about Wikipedia, Netflix, blogs, Google and Amazon back when he was just Tim Berners-Lee and busy introducing HTTP.

I’m not comparing myself to him, I’m just saying we can’t see to the other side of this singularity from here just as we could not in 1982 look at the first HTTP daemon and extrapolate out to Web 2.0 from it.  What Tim did do though was design the system to scale into the World Wide Web back when Gopher and WAIS were the biggest collaborative, user-built network the world had ever seen. What I’m suggesting is that we should similarly design based on a home with hundreds of networked devices, requiring fine-grained isolation, and have the forethought and vision to do so at a time when a high-end router with a guest network is the biggest vendor-provided home network the world has ever seen.

It occurs to me that no matter what project it is we all are working on, and whether we are keeping it quiet or collaborating wildly, all our customers/users face this issue sooner or later. Perhaps one area even those of us working in secret can collaborate on is to move the discussion forward towards user-friendly, packaged solutions for segmented home networks. The particular switch I bought has a GUI but it also has a Command Line Interface. Call it a CLI, call it an API, what it means is that any dashboard software could remotely manage and configure the switch.There are many more devices in this class and price range. That seems to me to beg for either a standard switch management language (hell, there may be one today and I don’t yet know about it), or a Hardware Abstraction Layer that interfaces different network devices to the same API. In the meantime, high-end products like whole-home automation packages, might want to consider integrating and reselling pre-configured managed switches with friendly, branded GUIs to their customers.

I don’t know what the answer looks like as a hardware/software package, only that we don’t get there if we follow the model of the established players and try to erect walled gardens for our customers around our products, rather than let help our customers erect their own walled gardens that support all their products regardless of who manufactured them. The network is the pool we all swim in. Folks like Belkin, WeMo, Insteon, Karotz, Linksys, Sonos, Lixil and others like them are busy pissing in it. If our customer can’t secure their network properly, we all lose. Ten years from now if we are not routinely talking about the “private network,” “guest network,” and “machine network” in the home, and if we do not have a significant number of “advanced” users with function-specific, class-of-service VLANs for various types of devices, then we’ve done something wrong.

Feel like addressing this issue? I hang out at the Personal Clouds mailing list with a whole crowd of people working to make last years science fiction next year’s reality. I also sometimes have these discussions in a consulting capacity under a Non-Disclosure Agreement. Either way, let’s build something together.

Disclosure: I have not been paid or otherwise compensated to feature the TP-Link product pictured in this post and I’m not endorsing it. In fact, once I’ve had a chance to work with it a bit, I may come back and post a negative review. Don’t know yet. It just happens to be the one I now own and have some hands-on experience with in the home office.

Comments

  1. Agree! With the exception that I’d guess that most of those devices do/will connect via WiFi rather than Ethernet. I’m thinking it might be we’ll end up with multiple, non-routable vlans (perhaps virtual ones running off the same WiFi antenna but with different subnets). Management should be the same however regardless of how they are (un)wired.

    • Yeah, I haven’t figured that part out yet. My new Wi-Fi router has a number of “security” features like UPnP and remote management. Not sure they understand the word “security” which may mean packaging Off The Shelf hardware with Tomato firmware that is either customized or the needed features integrated to the open-source codebase. Once the features are implemented *somewhere* the commercial vendors will eventually follow.

Leave a Reply