An Updated Guide to Do-It-Yourself Network Segmentation

For a “Star Wars”-themed take on network segmentation, check out “I Find Your Lack of Segmentation Disturbing.”

Network segmentation is not only for large corporations – you can segment your home network or small business network securely, and for a reasonable price, too. If you want to ensure the security of your network, network segmentation is a necessity (especially in this era of rampant Internet of Things (IoT) devices co-mingling with more traditional workstations). This way should a security incident occur, you don’t risk entire network compromise – rather, it will only affect an isolated portion of your network.

This is our (updated) guide to “do-it-yourself network segmentation” where we’ll walk through how network segmentation can be accomplished practically with inexpensive equipment.

The Hardware and Firmware We’ll Be Using

For our example, we’ll be using an ASUS RT-AC3200 as our hardware platform as it gives us relatively modern hardware (Wireless AC and Gigabit Ethernet) for a low price. The default ASUS firmware is pretty capable itself, but we’ll use the DD-WRT firmware since the router supports it, and it will give us an extremely powerful and flexible working environment. Not sure if your router supports DD-WRT? You can find out here.

We won’t cover how to flash the router with DD-WRT, but follow flashing instructions carefully or you may end up with a bricked router. And while we will use DD-WRT in this example, the ideas and concepts presented here are applicable to other platforms. (Some recommended alternatives to DD-WRT you might consider are OpenWrt or Gargoyle Firmware.)

PART 1: PLANNING

To start, you’ll need to design your new network layout. Identify each device and map out what access each device needs. For example, your PC will need to communicate with your smart printer, but you probably want your IoT devices on a separate network altogether. And should you have a temporary visitor, you may want them to access a separate network away from your trusted devices.

NOTE: This is the most important part of the process! Make sure you’ve enumerated all of these requirements before you even begin.

Figure 1 – A layout visualizing how our three networks will interact with our router and connect to the Internet.

Based on our requirements in the example above, let’s create three wireless networks. We’ll name these according to their intended use: Fox - General, Fox - Guest, and Fox - Work. The General network will host any personal devices (e.g., Wi-Fi cameras and smart TVs), the Guest network will host visitors’ devices; finally, the Work network will be a dedicated network for work-specific devices (e.g., work-sanctioned laptops).

Each of these networks will have a different IP subnet for organizational purposes. We’ll keep the wired network on the default subnet 192.168.1.0/24 and use 192.168.2.0/24, and 192.168.3.0/24 for our wireless networks.

PART 2: IMPLEMENTATION

Now it’s time to actually segment our network. Closely follow the steps below to ensure your efforts are successful, and your home or small business network will become that much more secure.

Wireless Networks. In this example, we will be building a network where Fox – General has both 2.4 and 5GHz capabilities; however, the Fox – Guest and Fox – Work networks will be 5GHz specific. If you need both 2.4GHz and 5GHz wireless bands, you’ll need to bridge the wireless networks together or use separate SSIDs for 2.4/5GHz. You might need the 2.4/5GHz capabilities if some of your IoT devices still require 2.4GHz. However, many devices are making the switch to 5GHz.

To kick things off, go to Wireless → Basic Settings in DD-WRT to change the name of the router.

After changing the name of the router, go to Wireless → Basic Settings in DD-WRT to set up your wireless networks. We want Fox – General to have both 2.4GHz and 5GHz capabilities. As shown in the GIF below, we are changing all of the SSIDs to Fox – General. Once this is successfully set up, save your settings and apply changes. The below image displays these steps (highlighted).

Our next step is to set up the virtual networks for Fox – Guest and Fox – Work. Under Virtual Interfaces, click Add Virtual AP to create two other wireless networks (Guest and Work) and configure them in a similar fashion.

Now, we need to configure the wireless networks using more or less the same method:

Figure 2 – This is how your screen will look while you configure your networks. Pay attention to the different options.

Be sure to take a moment to save and apply your changes.

Now that our networks are properly set up, let’s get our security settings in place. Go to Wireless → Wireless Security. Use WPA2-PSK and CCMP-128 (AES).

Select a unique, strong WPA Shared Key for both the Fox – General and Fox – Work networks. This password should be randomly generated and not ever guessable. For advice on security best practices regarding passwords, check out this blog post. The Fox – Guest network password should be short, simple, and easy to remember. After all, this is the network password you will be giving out to guests. Note: Fox – General is a bridged network and will show up as two networks. Make sure both of these networks have the same strong password.

DHCP – If we want our devices to be automatically assigned an IP address by the router (a requirement for many IoT devices), we’ll need to ensure we have DHCP set up. To implement DHCP, go to Setup → Networking and look at the DHCPD section. Add a DHCP server for the interfaces of each wireless network we have configured so far (w|0.1, and w|0.2). Again, you’ll want to save changes at this point.

The final step in this tutorial is to reboot the modem and router. If you followed this guide closely, you should find that upon rebooting, your network has been segmented into three wireless networks!

CONCLUSION

This guide is only intended to give you an idea of what’s possible in terms of network segmentation; there are many configurations you could explore such as using VLANs to allow multiple isolated networks to traverse one physical switch. You could also implement strict firewall wall rules using iptables. Or, you could set up logging and monitoring to identify anomalous network activity. These open source firmware images provide some flexibility to set up your network, so get creative and play around with it.

ADDITIONAL RESOURCES

Network Segmentation for Beginners

• What is Network Segmentation? – This introductory article from Illumio explains the principles behind network segmentation.
• Implementing Network Segmentation and Segregation - A guide from the Australian Cyber Security Centre that defines segmentation and segregation, and reviews best practices for both.
• IoT Devices Need Their Own Wi-Fi Network – This podcast delves into the security risks introduced by having IoT devices on the main network.
• Why Network Segmentation Matters – An argument for the importance of network segmentation for organizations.

Equipment We Used for This Tutorial

• DD-WRT
• ASUS RT-AC3200

Segmenting Enterprise Networks

• A Framework to Protect Data Through Segmentation – This guide by Cisco provides an in-depth and comprehensive overview of how to manage the segmentation of an enterprise network. It’s a longer read, but extremely thorough.
• Making the Case for Network Segmentation in AWS – In this Security Intelligence article, Brett Valentine discusses how you can achieve network segmentation in specialized Amazon Web Services (AWS) environments.
• Network Segmentation and Basic Traffic Management Concepts – A deep dive into more of the specifics behind how to theoretically segment an enterprise network.