Three Dumb Routers concept inroduced by Steve Gibson (2016)

[iFrogMac]

Hey guys,
I was poking around and came across an old Security Now episode about the Three Dumb Routers concept. It seems as growing security threats increase, this would be a good configuration to consider. (especially with more smart devices onboard.)

In my case, I have three routers I could use for this:
The RT-AX86U as the main router
Airport Extreme (6th Gen)
TP-Link Archer AX4400

The concept is to separate the different devices physically vs virtually, so the Asus would be the main router with wireless disabled.
The TP-Link would be the trusted router with 5Ghz enabled.
The Airport would be untrusted with 2.4Ghz enabled for the iOT devices to connect to.

While I haven't personally run into any problems with running all my devices on one current router, was curious if this would still be a good setup to consider today.
There is always the guest network option, but the more I've looked into it, the physical separation looks to be the better solution all around since guest networks aren't as secure as people have always thought they were.

I was curious what the thoughts were on this concept today, as it was introduced a while back, and I haven't seen much regular talk on it in current circles of communication.

 

[Tech Junky]

KISS is the best method to use.

If all of your IOT is WIFI then just use an AP that has the option of different SSID's and segregate based on the SSID, put them in their own subnet, and be done with it.

Any decent AP should have support for multiple SSID's. Mne has 8/band for a total of 16. Everyone seems to make this more complicated than it needs to be using all of these different network devices to isolate things. This whole idea of using routers as dumb AP's doesn't make sense either unless you have them sitting around in a box unused.

 

[L&LD]

With the RT-AX86U as the main router, the others are superfluous. And will more than likely cause issues, eventually.

 

[iFrogMac]

KISS is the best method to use.

If all of your IOT is WIFI then just use an AP that has the option of different SSID's and segregate based on the SSID, put them in their own subnet, and be done with it.

Any decent AP should have support for multiple SSID's. Mne has 8/band for a total of 16. Everyone seems to make this more complicated than it needs to be using all of these different network devices to isolate things. This whole idea of using routers as dumb AP's doesn't make sense either unless you have them sitting around in a box unused.

That's why I was asking, I have 4 routers, which 3 of are just sitting around not being used. So, with the Asus, in use, I would only need 2 of the unused ones. As far as the SSIDs the Asus has one for each band, and the guest feature, but if I'm going to separate the iOT devices from the rest of the network, I'd much rather use a second device so I don't have to give the SSID a new name and have to reconfigure all the devices. I'd much rather keep it simple, do the configuration, bring up the AP with a different subnet, and have everything just reconnect automatically. So, it sounds like a double, or triple NAT would be the easiest solution for physical devices.

 

[Christos]

I agree with Tech Junky. Just create a guest SSID and use it for iOT and anything not trusted.

 

[iFrogMac]

With the RT-AX86U as the main router, the others are superfluous. And will more than likely cause issues, eventually.

Well, that's why I was curious because this concept was given in a different time of the net. I wasn't sure if it would still work today, or if it was needed. I've used my smart devices on one network for years without problems, or concerns. In fact the new bulbs I changed over to say in their specs and support docs they won't even connect to a network that's not WPA-2 encrypted end to end.

 

[iFrogMac]

I agree with Tech Junky. Just create a guest SSID and use it for iOT and anything not trusted.

When I was looking into guest networks, I came across articles that suggest it's not anymore secure than just using the devices all on one network, and can in fact introduce extra security risks because of how the feature works. Those particular sources I'm not familiar with as far as having a history of do they publish reliable stuff. However, a friend of mine, that I've known for years before I even knew this forum existed, also backed up the guest networking clams. He actually told me to plug a switch into the modem and run two routers side by side so I have two complete networks without doing a double-NAT.

However, he also mentioned that for light bulbs it's not worth going through all the trouble. If someone was able to manipulate the lights they were most likely in the network by another means.

Anyway, you pretty much answered what I was looking to find out. That it's not really worth it today to go through all that.

 

[iFrogMac]

Here is a reference to the devices I mentioned above: https://faq.wizconnected.com/hc/en/3-wiz/faq/146-what-type-of-networks-does-wiz-support/

 

[bbunge]

Old concept is right. Something cobbled together from old equipment six plus years ago sure is not in tune with today's security practices!

 

[iFrogMac]

Old concept is right. Something cobbled together from old equipment six plus years ago sure is not in tune with today's security practices!

Well, it's always worth asking about because somethings you assume might be no longer used, may still be, and then there are things that were good at one time, and then things matured, and the concepts are no longer needed. That was my main reason for asking because I trust Steve, and the info he provides on security now, I was going to set it up if people thought it was still a good idea.

Seems like the way I have things set up right now though, is fine for the use case. I have.

 

[Tech Junky]

If you don't trust a device then don't add it to your network.

Put everything on its own network and don't connect it to anything else. Air gapping the setup prevents crosstalk or call home capability. You can deny service by using something like pinhole and slim the DNS queries and block attempts to those names.

For instance my sound bar tries to hit 3-4 domains and I block them even though its just a connectivity check to see if it's online. I also block stats from nest going back to Google. Plex tries to gather stats as well and gets blocked. Even my phone I block a ton of weird calls out to the internet. Grant only the least amount of access to still allow things to work.

 

[iFrogMac]

If you don't trust a device then don't add it to your network.

Put everything on its own network and don't connect it to anything else. Air gapping the setup prevents crosstalk or call home capability. You can deny service by using something like pinhole and slim the DNS queries and block attempts to those names.

For instance my sound bar tries to hit 3-4 domains and I block them even though its just a connectivity check to see if it's online. I also block stats from nest going back to Google. Plex tries to gather stats as well and gets blocked. Even my phone I block a ton of weird calls out to the internet. Grant only the least amount of access to still allow things to work.

Well, by nature, I'm not a paranoid person, so connection check, statistics, things like that really don't bother me. I was more concerned about the cheaper more basic devices being hacked. However, after reading the documentation Wiz provides about requirements to connect to a network, I feel better just leaving everything on one router now, and just keeping separate SSIDs for each band, like I've been doing for the decade of having high speed internet.

Thanks for the feedback.

 

[eibgrad]

Let me play devil's advocate.

The problem here is that NOT all guest network implementations are created equal. We have those like ASUS that have the private and guest networks sharing the same ethernet/IP network, and relying on a layer 2 firewall (typically ebtables) for separation between them. This is the reason there is no possibility of supporting wired devices for the guest networks! Something that might be useful when these additional networks are used for other purposes, such as IoT. It also typically means that guests can still manage to "see" network devices on the private networks due to network discovery, if NOT necessarily access them.

The alternative is to place guests on their own ethernet/IP network, and provide separation at the IP level. Now you have complete isolation, w/o network discovery revealing network devices. And you can support wired devices. And you can disambiguate that network from the private network based on IP, which is useful for things like the VPN Director's routing policy. That's why YazFi exists! It attempts to mitigate these shortcomings, but only partially. It doesn't support VLANs, so no wired devices.

The three (3) dumb routers solution solves all these problems. But it's a bit clumsy to implement, and obviously has a significant footprint. It would be far easier to just use a router w/ firmware that natively supported user-defined VLANs, VAPs, bridges, etc., such as FT (FreshTomato). Something like FT makes all this trivial to implement. I'd much rather grab an inexpensive T-Mobile TM-AC1900 off eBay ($35-40 USD shipped), install FT, and use it to solve the problem. But years ago, such hardware was more expensive and so users were looking for ways to leverage what they already had.

The better *hybrid* solution would be to continue using the Merlin router for your primary, and a secondary router (daisy-chained behind it) supporting FT for everything else, even actual guests! That was something Steve suggested only this past week as being more practical these days. But what he left out was the need (or at least preference) to have a highly configurable secondary router so you didn't need to make it the primary. IOW, something NOT so dumb that it limits your configuration options.

 

[iFrogMac]

Let me play devil's advocate.

The problem here is that NOT all guest network implementations are created equal. We have those like ASUS that have the private and guest networks sharing the same ethernet/IP network, and relying on a layer 2 firewall (typically ebtables) for separation between them. This is the reason there is no possibility of supporting wired devices for the guest networks! Something that might be useful when these additional networks are used for other purposes, such as IoT. It also typically means that guests can still manage to "see" network devices on the private networks due to network discovery, if NOT necessarily access them.

The alternative is to place guests on their own ethernet/IP network, and provide separation at the IP level. Now you have complete isolation, w/o network discovery revealing network devices. And you can support wired devices. And you can disambiguate that network from the private network based on IP, which is useful for things like the VPN Director's routing policy. That's why YazFi exists! It attempts to mitigate these shortcomings, but only partially. It doesn't support VLANs, so no wired devices.

The three (3) dumb routers solution solves all these problems. But it's a bit clumsy to implement, and obviously has a significant footprint. It would be far easier to just use a router w/ firmware that natively supported user-defined VLANs, VAPs, bridges, etc., such as FT (FreshTomato). Something like FT makes all this trivial to implement. I'd much rather grab an inexpensive T-Mobile TM-AC1900 off eBay ($35-40 USD shipped), install FT, and use it to solve the problem. But years ago, such hardware was more expensive and so users were looking for ways to leverage what they already had.

The better *hybrid* solution would be to continue using the Merlin router for your primary, and a secondary router (daisy-chained behind it) supporting FT for everything else, even actual guests! That was something Steve suggested only this past week as being more practical these days. But what he left out was the need (or at least preference) to have a highly configurable secondary router so you didn't need to make it the primary. IOW, something NOT so dumb as to limit your configurations options.

I had also asked my friend who I've known several years about this, he's got a lot of high end experience in software development, security, and other related fields. He told me that this wouldn't be a bad solution for a business who had top secret data to protect, or someone who needs tighter security, but for a single home user with only a few devices, that it was pretty much overkill.

The other thing I was thinking is, the devices I use, granted not all the time, need to be able to communicate with the app on the local network. Not always, but for control and configuration. Steve also uses an Asus router, in a recent episode, stated that he uses an RT-AC68U which is an older router, but seems to be a popular model, even today because of it's stability. How reliable is the information on Android Central? I read an article there on a similar topic back a few weeks, and while they did give a guest network as an option, they said for most users just separating the devices per band was good enough, which I've already been doing. Separate bands with 2 SSIDs.

 

[L&LD]

Separate bands/radios don't mean separate networks/subnets!

 

[iFrogMac]

Separate bands/radios don't mean separate networks/subnets!

I know, that's what I was saying, after reading. the article I had decided to just go with the built in band separation of the router. I only brought up this topic, as mentioned because I came across it yesterday, and since I hadn't seen any real talk of it in years asked if it was still relevant. Out of all the replies here,@eibgrad gave the best in context answer to the original question.