An Updated Guide to Do-It-Yourself Network Segmentation


For a “Star Wars”-themed take on network segmentation, check out “I Find Your Lack of Segmentation Disturbing.”

Network segmentation is not only for large corporations – you can segment your home network or small business network securely, and for a reasonable price, too. If you want to ensure the security of your network, network segmentation is a necessity (especially in this era of rampant Internet of Things (IoT) devices commingling with more traditional workstations). This way, should a security incident occur, you don’t risk compromise of the entire network – rather, it will only affect an isolated portion of your network.

This is our (updated) guide to “do-it-yourself network segmentation” where we’ll walk through how network segmentation can be accomplished practically with inexpensive equipment.

The Hardware and Firmware We’ll Be Using

For our example, we’ll be using an ASUS RT-AC3200 as our hardware platform as it gives us relatively modern hardware (Wireless AC and Gigabit Ethernet) for a low price. The default ASUS firmware is pretty capable itself, but we’ll use the DD-WRT firmware since the router supports it, and it will give us an extremely powerful and flexible working environment. Not sure if your router supports DD-WRT? You can find out here.

We won’t cover how to flash the router with DD-WRT, but follow flashing instructions carefully or you may end up with a bricked router. And while we will use DD-WRT in this example, the ideas and concepts presented here are applicable to other platforms. (Some recommended alternatives to DD-WRT you might consider are OpenWrt or Gargoyle Firmware.)

PART 1: PLANNING

To start, you’ll need to design your new network layout. Identify each device and map out what access each device needs. For example, your PC will need to communicate with your smart printer, but you probably want your IoT devices on a separate network altogether. And should you have a temporary visitor, you may want them to access a separate network away from your trusted devices.

NOTE: This is the most important part of the process! Make sure you’ve enumerated all of these requirements before you even begin.

Figure 1 – A layout visualizing how our three networks will interact with our router and connect to the Internet.

Based on our requirements in the example above, let’s create three wireless networks. We’ll name these according to their intended use: Fox - General, Fox - Guest, and Fox - Work. The General network will host any personal devices (e.g., Wi-Fi cameras and smart TVs), the Guest network will host visitors’ devices; finally, the Work network will be a dedicated network for work-specific devices (e.g., work-sanctioned laptops).

Each of these networks will have a different IP subnet for organizational purposes. We’ll keep the wired network on the default subnet 192.168.1.0/24 and use 192.168.2.0/24 and 192.168.3.0/24 for our wireless networks.

PART 2: IMPLEMENTATION

Now it’s time to actually segment our network. Closely follow the steps below to ensure your efforts are successful, and your home or small business network will become that much more secure.

Wireless Networks. In this example, we will be building a network where Fox – General has both 2.4 and 5GHz capabilities; however, the Fox – Guest and Fox – Work networks will be 5GHz specific. If you need both 2.4GHz and 5GHz wireless bands, you’ll need to bridge the wireless networks together or use separate SSIDs for 2.4/5GHz. You might need the 2.4/5GHz capabilities if some of your IoT devices still require 2.4GHz. However, many devices are making the switch to 5GHz.

To kick things off, go to Wireless → Basic Settings in DD-WRT to change the name of the router.

Changing Name and Timezone



After changing the name of the router, go to Wireless → Basic Settings in DD-WRT to set up your wireless networks. We want Fox – General to have both 2.4GHz and 5GHz capabilities. As shown in the GIF below, we are changing all of the SSIDs to Fox – General. Once this is successfully set up, save your settings and apply changes. The below image displays these steps (highlighted).

Creating Fox General



Our next step is to set up the virtual networks for Fox – Guest and Fox – Work. Under Virtual Interfaces, click Add Virtual AP to create two other wireless networks (Guest and Work) and configure them in a similar fashion.

Creating Virtual Interfaces

Now, we need to configure the wireless networks using more or less the same method:

Figure 2 – This is how your screen will look while you configure your networks. Pay attention to the different options.

Be sure to take a moment to save and apply your changes.

Now that our networks are properly set up, let’s get our security settings in place. Go to Wireless → Wireless Security. Use WPA2-PSK and CCMP-128 (AES).

Setting Up Security



Select a unique, strong WPA Shared Key for both the Fox – General and Fox – Work networks. This password should be randomly generated and not guessable. For advice on security best practices regarding passwords, check out this blog post. The Fox – Guest network password should be short, simple, and easy to remember. After all, this is the network password you will be giving out to guests. Note: Fox – General is a bridged network and will show up as two networks. Make sure both of these networks have the same strong password.

After Setup Security


DHCP. If we want our devices to be automatically assigned an IP address by the router (a requirement for many IoT devices), we’ll need to ensure we have DHCP set up. To implement DHCP, go to Setup → Networking and look at the DHCPD section. Add a DHCP server for the interfaces of each wireless network we have configured so far (wl0.1 and wl0.2). Again, you’ll want to save changes at this point.

DHCPD



The final step in this tutorial is to reboot the modem and router. If you followed this guide closely, you should find that upon rebooting, your network has been segmented into three wireless networks!

CONCLUSION

This guide is only intended to give you an idea of what’s possible in terms of network segmentation; there are many configurations you could explore, such as using VLANs to allow multiple isolated networks to traverse one physical switch. You could also implement strict firewall rules using iptables. Or, you could set up logging and monitoring to identify anomalous network activity. These open source firmware images provide some flexibility to set up your network, so get creative and play around with it.
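The iptables rules mentioned above, as an added example that is not part of the original guide: a DD-WRT firewall script (Administration → Commands → Save Firewall) that keeps the three subnets from reaching each other while every network still gets to the Internet. It assumes the wired LAN and Fox – General share 192.168.1.0/24, Fox – Guest is 192.168.2.0/24, Fox – Work is 192.168.3.0/24, and a hypothetical printer at 192.168.1.50.

```shell
#!/bin/sh
# Added example (not from the guide): DD-WRT firewall script enforcing the
# separation the guide plans. Assumed addressing: wired LAN + Fox-General =
# 192.168.1.0/24, Fox-Guest = 192.168.2.0/24, Fox-Work = 192.168.3.0/24.
LAN_NET="192.168.1.0/24"
GUEST_NET="192.168.2.0/24"
WORK_NET="192.168.3.0/24"
PRINTER="192.168.1.50"   # hypothetical smart printer on the general LAN

# Run iptables, or only print the rule when DRY_RUN=1 (review before applying).
ipt() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# Drop NEW connections from subnet $1 to subnet $2 (replies still flow back).
block_between() {
  ipt -I FORWARD -s "$1" -d "$2" -m state --state NEW -j DROP
}

# Note: -I prepends, so rules written LATER in this function are evaluated FIRST.
apply_segmentation() {
  # Guest reaches only the Internet: no wired/General hosts, no Work hosts.
  block_between "$GUEST_NET" "$LAN_NET"
  block_between "$GUEST_NET" "$WORK_NET"
  # Work is isolated from Guest and from the general LAN ...
  block_between "$WORK_NET" "$GUEST_NET"
  block_between "$WORK_NET" "$LAN_NET"
  # ... except raw-port printing to the printer (checked before the drop above).
  ipt -I FORWARD -s "$WORK_NET" -d "$PRINTER" -p tcp --dport 9100 -j ACCEPT
  # Existing conversations keep flowing; inserted last so it lands at the top.
  ipt -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Guest clients get DHCP and DNS from the router and nothing else (no admin UI).
  ipt -I INPUT -s "$GUEST_NET" -j DROP
  ipt -I INPUT -s "$GUEST_NET" -p udp -m multiport --dports 53,67 -j ACCEPT
  ipt -I INPUT -s "$GUEST_NET" -p tcp --dport 53 -j ACCEPT
}

# Stand-alone use: "sh segment.sh show" prints the rules, "sh segment.sh apply"
# installs them (as root on the router). In DD-WRT's Save Firewall box, end the
# script with a bare "apply_segmentation" line instead of this case block.
case "${1:-}" in
  apply) apply_segmentation ;;
  show)  DRY_RUN=1; apply_segmentation ;;
esac
```

Run it with `show` first and confirm each printed rule matches your own subnet plan before installing; a mistaken subnet here locks out the wrong network rather than the guest one.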

ADDITIONAL RESOURCES

Network Segmentation for Beginners

Equipment We Used for This Tutorial

Segmenting Enterprise Networks


About the author, Matt Keeley

Security Researcher

Matt Keeley is a former Senior Security Consultant at Bishop Fox specializing in application penetration testing, product security reviews, and source code analysis. He holds a Bachelor of Science in Computer Science (Cybersecurity) from Arizona State University and a Master of Science in Computer Science from the Georgia Institute of Technology. During his sophomore year at ASU, Matt co-founded the DevilSec cybersecurity club, where he presents weekly red/blue team topics to students and arranges for top speakers, CEOs, and guests of honor to present on industry-related subjects. Matt is an avid security researcher and is considered an internal subject matter expert for product security reviews. He was also recently quoted in IT Business Edge and interviewed on the InfoSec Prep podcast. Matt currently holds his OSCP, OSWE, OSCE, OSWP and CRTO certifications.
