Simple Home DMZ

IoT is a term that bugs me, the Internet of Things. It implies sloppiness and that is generally what you get: cheaply built devices with little consideration for security. Worse, many of these devices encourage exposing them to the Internet so you can access them remotely via apps. They put your network and all devices on it at risk.

In corporate IT, Internet-exposed devices are placed in a de-militarized zone (DMZ): a separate network isolated from the core corporate network, its servers and its workstations. It is surprisingly simple to emulate this on a home network with one more router and little more configuration than the existing router needed.

For around £30, a DMZ can be set up for any untrusted/IoT devices, helping to keep your personal devices safe from careless manufacturers and from devices you have no control over.

The Theory

First some diagrams to show what I'm talking about.

Your Current Network

Most home networks look something like:

Your router, probably supplied by your Internet provider, sits between your PCs and the Internet. It creates a private local network over which your PCs, phones and tablets can talk to each other, and because it does NAT with a stateful firewall, connections must start from the inside: devices on the Internet cannot reach your personal devices directly unless you deliberately forward a port to them. A firewall.

The Risk

The diagram below shows how exposing IoT devices to the Internet becomes a security risk.

Because the IoT device accepts inbound connections from the Internet (through a port forward or a UPnP mapping on the router), an attacker who compromises it is already inside your router's firewall and can reach every other device on the network.

The De-Militarized Zone

By treating your current router's network as the "DMZ" and attaching a second "secure" cable/DSL router to it, you effectively create two protected networks. The secure network, where your personal devices connect, can reach the DMZ network of your original router where your IoT devices live, because the secure router's NAT lets the replies to connections opened from the secure side back in. It is one way: an IoT device cannot open a connection to your personal devices, since the secure router drops anything arriving on its Internet side that does not answer an existing connection. Two things can undo that: a port forward, "DMZ host" entry or UPnP mapping on the secure router, and the fact that the original (DMZ) router's admin interface is still reachable from the IoT devices, so its admin password matters more than it did before.
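To make the "one way" claim concrete, here is a toy model of the secure router's behaviour. It is an added example, not code from the original article: it models only the property that makes the design one-way (a NAT passes a packet from its Internet side to its LAN only when it answers a flow a LAN host opened, or when an explicit port forward / "DMZ host" entry exists). The addresses, ports and the camera/PC names are illustrative assumptions, and the source-port rewriting a real NAT does is left out.

```python
"""Toy model of the two-router home DMZ: why DMZ -> secure traffic is blocked.

Added example, not code from the original article. Addresses, ports and host
names are assumptions. Simplification: the NAT keeps the source port unchanged.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IP = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class NatRouter:
    name: str
    lan: Net            # subnet behind this router
    wan_ip: IP          # this router's address on its upstream network
    port_forwards: dict = field(default_factory=dict)  # wan_port -> (lan_ip, lan_port)
    flows: dict = field(default_factory=dict)          # (remote_ip, remote_port, wan_port) -> (lan_ip, lan_port)

    def outbound(self, src: IP, sport: int, dst: IP, dport: int) -> str:
        """LAN -> WAN. Records the flow so that the reply can come back in."""
        if src not in self.lan:
            return "drop: source is not on this router's LAN"
        self.flows[(dst, dport, sport)] = (src, sport)
        return f"allow: sent as {self.wan_ip}:{sport} -> {dst}:{dport}"

    def inbound(self, src: IP, sport: int, dport: int) -> str:
        """WAN -> LAN packet addressed to wan_ip:dport."""
        key = (src, sport, dport)
        if key in self.flows:
            lan_ip, lan_port = self.flows[key]
            return f"allow: reply delivered to {lan_ip}:{lan_port}"
        if dport in self.port_forwards:
            lan_ip, lan_port = self.port_forwards[dport]
            return f"allow: port forward to {lan_ip}:{lan_port}"
        return "drop: no flow opened from the LAN and no port forward"


DMZ_LAN = Net("192.168.1.0/24")      # the original router's network, now the DMZ
SECURE_LAN = Net("192.168.2.0/24")   # the new router's network
SECURE_WAN = IP("192.168.1.20")      # address the DMZ router leased to the secure router
PC = IP("192.168.2.10")              # a personal device on the secure network
CAMERA = IP("192.168.1.50")          # an IoT device in the DMZ


def dmz_router_forwards(dst: IP) -> str:
    """The DMZ router knows only its own LAN and a default route to the ISP,
    so a packet a compromised camera aims straight at 192.168.2.10 never
    reaches the secure LAN."""
    if dst in DMZ_LAN:
        return "deliver on DMZ LAN"
    return "send up the default route to the ISP (private address, goes nowhere)"


def scenario(secure_port_forwards: Optional[dict] = None) -> dict:
    """Run the four interesting packets and return what happened to each."""
    secure = NatRouter("secure", SECURE_LAN, SECURE_WAN,
                       port_forwards=dict(secure_port_forwards or {}))
    return {
        # 1. The PC browses the camera: opens a flow, allowed.
        "pc_to_camera": secure.outbound(PC, 40000, CAMERA, 80),
        # 2. The camera answers that flow: matched, delivered to the PC.
        "camera_reply": secure.inbound(CAMERA, 80, 40000),
        # 3. A compromised camera probes the secure router's WAN address.
        "camera_to_secure_wan": secure.inbound(CAMERA, 5555, 22),
        # 4. A compromised camera addresses the PC directly.
        "camera_to_pc_direct": dmz_router_forwards(PC),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:22s} {result}")
    print("--- same probe with a port forward / DMZ host on the secure router ---")
    print(scenario({22: (PC, 22)})["camera_to_secure_wan"])
```

Run it as-is and packets 3 and 4 are dropped; pass a port forward (as the last line does) and packet 3 goes straight to the PC, which is exactly why the secure router must never have one.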

How to Setup a DMZ

First, you need another router.

Finding a Router

Many routers, particularly the ADSL or VDSL ones supplied by ISPs, have the wrong kind of Internet port: an RJ-11 phone socket. You need a router whose Internet (WAN) port is an RJ-45 network socket, the kind commonly supplied by "cable" providers such as Virgin Media. You can identify one because the Internet port is a standard ethernet port, the same as the LAN ports:

This allows you to chain together the routers. Make sure the router you buy is like the above Netgear WRN2000.

Connecting Up

Once you've got the router, it will hopefully be a case of connecting everything up. For the most part, the instructions below will work:

  • Plug the new (secure) router's Internet/WAN port into a free LAN port on the existing (DMZ) router
  • Access the secure router's admin interface
    • Change the admin password from the default
    • Make sure it has picked up an "Internet" address/IP (it should be one on the DMZ router's network, e.g. 192.168.1.x)
    • Check that UPnP, remote management and any "DMZ host" option are switched off; each of these would let a device in the DMZ reach inside
    • Set up WiFi on the secure router if needed
      • Set a new SSID (name, e.g. mynet-secure)
      • Use a different channel to the DMZ router
      • Use a different password to the DMZ router
  • Connect your personal devices to the secure router; leave the IoT devices on the DMZ router

At this point it will either "just work" or not, depending on how the two routers are configured. If it works, congratulations, enjoy your more secure network.

For everyone else, the fix is simple. Both routers come with the same default network (192.168.1.x, say), so the secure router's Internet side and its own LAN side are on the same network and it cannot route between them. We'll fix that now.

Router Configuration

Since this is for home users, I'm going to skip the detailed networking and only give information you need, this may not be technically accurate (there is far more to it), but it will enable you to get the job done quickly.

We've brushed on IP addresses and network ranges; so far you've seen 192.168.1.1 as a router address. With the subnet mask home routers normally use (255.255.255.0), the first three parts of that (192.168.1) identify the network and the final part (.1) identifies the device on that network.

For the secure router to pass data between its own network and the DMZ network, the two network parts must be different; if both are 192.168.1, the secure router has no way of knowing which side a 192.168.1.x address is on.

Change Router Network

You'll need to access the secure router's administration interface; how to do this will be explained in the manual or on the sticker on the unit itself.

From there, locate the "LAN Settings". Here you'll find the IP address the router is using and the DHCP range. The DHCP range is the set of addresses the router will hand out to devices (your PC etc.).

Change the router's LAN IP to one on a different network that we know to be free, e.g. 192.168.2.1, check that the DHCP range changes automatically to match (192.168.2.x) and apply the settings.

At this point your PC and the new router are on different networks, so you need to force your PC to get a new address. The easiest way (for me to explain, at least) is to toggle WiFi, reboot, or pull the network cable and plug it back in.

Once you've got a new address (a 192.168.2.x one), you should have full access to the DMZ and the Internet, while the IoT devices in the DMZ still have no way in to your personal devices.
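The subnet arithmetic behind the "network part must be different" rule, as an added example that is not part of the original article: given the DMZ router's address it works out the network part (assuming the usual /24 mask, 255.255.255.0), checks whether a proposed secure-router address would land on the same network, picks a free 192.168.x.0/24 if so, and derives the router address and DHCP range to type into the LAN settings page. The .1 router address and the .100 to .199 DHCP pool are assumptions; copy whatever your own router's LAN page actually uses.

```python
"""Subnet planning for the secure router.

Added example, not code from the original article. Assumes the usual /24
home subnet mask; the .1 router address and .100-.199 DHCP pool are
assumptions too.
"""
import ipaddress
from typing import Iterable

Net = ipaddress.IPv4Network


def network_part(address: str, prefix: int = 24) -> Net:
    """'192.168.1.1' -> 192.168.1.0/24: the first three parts are the network."""
    return ipaddress.ip_interface(f"{address}/{prefix}").network


def pick_free_lan(taken: Iterable[Net]) -> Net:
    """First /24 inside 192.168.0.0/16 that overlaps none of the given networks."""
    taken = list(taken)
    for candidate in Net("192.168.0.0/16").subnets(new_prefix=24):
        if not any(candidate.overlaps(t) for t in taken):
            return candidate
    raise ValueError("no free /24 in 192.168.0.0/16")


def lan_settings(lan: Net) -> dict:
    """Router address and DHCP pool to enter on the secure router's LAN page."""
    hosts = list(lan.hosts())             # .1 .. .254 for a /24
    return {
        "router_ip": str(hosts[0]),       # .1
        "subnet_mask": str(lan.netmask),  # 255.255.255.0
        "dhcp_start": str(hosts[99]),     # .100
        "dhcp_end": str(hosts[198]),      # .199
    }


def plan(dmz_router_ip: str, proposed_secure_ip: str) -> dict:
    """Decide what the secure router's LAN should be, given the DMZ router's address."""
    dmz = network_part(dmz_router_ip)
    proposed = network_part(proposed_secure_ip)
    if dmz.overlaps(proposed):
        chosen = pick_free_lan([dmz])
        reason = f"{proposed} is the same network as the DMZ ({dmz}); moved to {chosen}"
    else:
        chosen = proposed
        reason = f"{proposed} does not overlap the DMZ ({dmz}); keep it"
    return {"dmz_lan": str(dmz), "secure_lan": str(chosen), "reason": reason,
            **lan_settings(chosen)}


def wan_lease_ok(secure_wan_ip: str, dmz_router_ip: str) -> bool:
    """The 'Internet' address the secure router shows must be on the DMZ network."""
    return ipaddress.ip_address(secure_wan_ip) in network_part(dmz_router_ip)


if __name__ == "__main__":
    # Factory default on both routers: same network, so it must move.
    for key, value in plan("192.168.1.1", "192.168.1.1").items():
        print(f"{key:12s} {value}")
    print()
    # The article's choice: 192.168.2.1 is already on a different network.
    for key, value in plan("192.168.1.1", "192.168.2.1").items():
        print(f"{key:12s} {value}")
    print("WAN lease on DMZ network:", wan_lease_ok("192.168.1.20", "192.168.1.1"))
```

`wan_lease_ok` is the check behind the "make sure it has an Internet address" step: if the address the secure router shows on its Internet side is not on the DMZ router's network, the cable is in the wrong port or the DMZ router is not handing out leases.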