To prevent hackers from infiltrating your installation, it is recommended to segment your network into several pieces, isolated from each other. A good way to do this is to use the Raspberry Pi miniature computer.
In most connected households, the topology of the home network is always the same: all the equipment is connected directly to the operator’s Internet box and shares the same local network. The problem is that, as home devices proliferate, very different kinds of equipment end up lumped together. The same network hosts the desktop computer used for online purchases, the NAS drive that stores all the family photos, the children’s laptops that are starting to hang out on peer-to-peer networks, poor-quality and thoroughly vulnerable connected objects, and so on.
Segment to better secure
Mixing everything together in this way is not advisable. A hacker who manages to infect one of the connected objects or one of the laptops can quite easily gain access to other equipment. This is why security experts recommend segmenting a network as much as possible. In one part, we could, for example, put the important equipment that absolutely must be protected (parents’ computers, NAS), and in another we could house high-risk terminals such as children’s laptops or connected objects.
A first, simple method to achieve this is to connect two Wi-Fi routers to the Ethernet sockets of the Internet box. Their respective networks will naturally be isolated from each other. On the other hand, you must no longer use the Wi-Fi network of the Internet box, because it is not isolated from the other two. The problem with this solution is that we give up the Internet box’s network and have to buy two new routers. It’s a bit of a mess.

The solution that we advocate – and that we call “HomeFW” – is to take a Raspberry Pi 3, transform it into a Wi-Fi access point with a built-in firewall and connect it to the Internet box. This method is a little more complex to implement, but it is less expensive and it offers more possibilities. It was shown to us by David Jacoby, security researcher at Kaspersky Labs, during a press conference in 2017. The expert was particularly concerned with connected objects, which are often riddled with flaws. “Manufacturers are not prepared to invest in security because it would cost them too much. We must therefore manage differently to limit the risk”, he explains, to justify his demonstration.

In such a configuration, users connected to HomeFW can reach the Internet, but the firewall prevents them from reaching the network of the Internet box. Conversely, the equipment connected to the Internet box will not be able to access the HomeFW network. The segmentation is perfect.
Installation steps
Creating such a device is not very complicated, but you should not be afraid of the command line. You also need some equipment: a screen with an HDMI socket, a USB keyboard and mouse, and an Ethernet cable to connect the Raspberry Pi 3 to the Internet box.
1 – Flash the system
Download the latest version of Raspbian, an operating system based on Debian Linux and built specifically for Raspberry Pi computers. You must then “flash” – that is to say install – this system on a microSD card (min 16 GB). The easiest way is to use the Etcher software. The procedure is strictly the same as for creating a bootable USB stick.
2 – Initialize the system
At the first start, the system will ask you to choose the language and to change the password. Choose one that is strong.
You do not need to connect to the Wi-Fi network. On the one hand, the Raspberry Pi is already connected to the Internet through the Ethernet cable. On the other hand, the Wi-Fi module will be used to create the access point. So click Skip at this step.

The system will then offer to check for updates, which you should accept by clicking Next. This may take a little while. Time to make some coffee?

3 – Download the code
Open a terminal window by clicking the fourth icon from the left at the top of the screen. The icon shows a window with a greater-than sign and an underscore. Type the command below, then press Enter.
> git clone https://github.com/gkallenborn/HomeFW HomeFW
The computer will then download the script for the firewall (firewall.sh), the configuration file (configurations.txt) and information files in a new folder called HomeFW.

4 – Install the software
The next step is to download and install the software used to create our secure access point: hostapd (Wi-Fi access point software), isc-dhcp-server (software that assigns IP addresses to connected terminals), dnsmasq (DNS service software) and iptables (firewall software). To do this, run the following command and confirm each time the installer asks. apt-get install installs the packages listed after it, and sudo runs the entire command with administrator privileges.
> sudo apt-get install hostapd isc-dhcp-server dnsmasq iptables

5 – Configure the access point
For the access point to function correctly, a number of configuration files must be modified. This is the most important part. Concentrate, because there is no room for error. The best approach is to open two terminal windows side by side. In the first, display the contents of the configurations.txt file with the following command:
> more ./HomeFW/configurations.txt
In the second window, you will use the “nano” text editor to modify the files, by copying and pasting the lines from one window to the other. Be careful to follow the instructions in the configurations.txt file. Here are the commands that must be executed successively:
> sudo nano /etc/hostapd/hostapd.conf
> sudo nano /etc/dhcp/dhcpd.conf
> sudo nano /etc/sysctl.conf
> sudo nano /etc/default/isc-dhcp-server
> sudo nano /etc/default/dnsmasq
> sudo nano /etc/network/interfaces

Then restart your Raspberry Pi 3, by running the following command:
> reboot
6 – Activate the firewall
At this point, you should see an access point named “IOT” when you scan for nearby Wi-Fi networks. But this new network does not yet provide Internet access, and it is not necessarily isolated from the network of your box. To fix both, you have to run the firewall.sh script with the following commands:
> cd HomeFW
> chmod +x firewall.sh
> sudo ./firewall.sh
The first command changes to the HomeFW directory, the second makes the script executable and the third executes it. And that’s it. You now have a Wi-Fi network called “IOT” totally isolated from the rest of your network. Well done.
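
The isolation described above (IOT clients reach the Internet, while neither side can reach the other's network) comes down to a handful of iptables rules whose order matters. The following is an added example, not the firewall.sh shipped in the HomeFW repository; the interface names and both subnets are assumptions to adapt to your own setup.

```shell
#!/bin/sh
# Added example: NOT the firewall.sh shipped in the HomeFW repository.
# Assumed values (not from the article): interface names and both subnets.
AP_IF="${AP_IF:-wlan0}"               # Wi-Fi access point side (the "IOT" network)
WAN_IF="${WAN_IF:-eth0}"              # Ethernet link to the Internet box
BOX_NET="${BOX_NET:-192.168.1.0/24}"  # assumed LAN of the Internet box
IOT_NET="${IOT_NET:-10.10.0.0/24}"    # assumed subnet handed out on the access point

# Print the rule set instead of applying it, so it can be reviewed first.
homefw_rules() {
    cat <<EOF
# Start clean and refuse everything that is not explicitly allowed.
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
# The Pi itself: loopback, replies to its own traffic, DHCP and DNS for Wi-Fi clients.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $AP_IF -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $AP_IF -s $IOT_NET -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $AP_IF -s $IOT_NET -p tcp --dport 53 -j ACCEPT
# Segmentation: nothing from the IOT side may reach the box LAN.
iptables -A FORWARD -i $AP_IF -d $BOX_NET -j DROP
# Everything else from the IOT side goes out to the Internet, replies come back.
iptables -A FORWARD -i $AP_IF -o $WAN_IF -s $IOT_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $AP_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $IOT_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Sanity check: the DROP towards the box LAN must come before the Internet ACCEPT,
# otherwise the ACCEPT would also let IOT clients into the box LAN.
drop_precedes_accept() {
    rules=$(homefw_rules)
    drop=$(printf '%s\n' "$rules" | grep -nF -- "-d $BOX_NET -j DROP" | cut -d: -f1)
    accept=$(printf '%s\n' "$rules" | grep -nF -- "-o $WAN_IF -s $IOT_NET -j ACCEPT" | cut -d: -f1)
    [ -n "$drop" ] && [ -n "$accept" ] && [ "$drop" -lt "$accept" ]
}

# Dry run by default; "apply" (run as root) loads the reviewed rules.
if [ "${1:-}" = "apply" ]; then
    drop_precedes_accept && homefw_rules | sh -e
else
    homefw_rules
fi
```

Forwarding between the two interfaces also requires net.ipv4.ip_forward=1 in the kernel, and rules loaded with iptables are lost at reboot unless they are saved and restored at boot.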