
Work From Home and basic Zero Trust Networking

· 5 min read

As many of us now work remotely and have devices of varying trustworthiness in our homes, there is a good case for keeping them separate. It turns out this can be quite easy to accomplish on inexpensive network equipment.

Network Overview

Work From Home has become a reality for many people, especially in the last few years. However, the trust and security implications need some consideration.

Here are some typical home network connected devices:

  • Smart TV(s)
  • Personal device(s)
  • Printers/MFCs, Media Centres, NAS devices, and other network appliances
  • Work Devices (assuming a separate work device)

Do we trust all of these devices equally? Do they specifically need to connect to each other?

Companies have been compromised through personal websites that individuals hosted on their home networks, and other undesirable outcomes are easy to imagine. Points to consider:

  • A Smart TV has no need to see other devices; chances are these are exploitable appliances that are not frequently (or easily) updated or protected.
  • Personal devices likely need to talk to each other and to the network appliances.
  • Work devices usually have no need to use home network appliances. Also, should a work device be compromised in a company-wide breach, we definitely do not want our personal devices compromised along with it.

Considering the above, one possible topology is three segments, with no cross-segment communication permitted. That is:

  • Vendor segment (for untrusted appliances - Smart TVs, etc)
  • Work Segment (for work devices only)
  • Personal segment (for trusted personal devices)

If desired, we can also add a 4th segment for Guest access (or, use Vendor segment for these users for simplicity or other reasons).

The specific implementation will use Guest Wi-Fi networks, since we can generally assume that all of this equipment connects over Wi-Fi. One caveat: a guest network on consumer gear normally blocks guests from reaching the main LAN, but whether guest clients are also isolated from each other (usually called AP or client isolation) and from the router's own management interface varies by vendor and model, so it should be checked rather than assumed.

With the rationale outlined, let's consider what we can use to accomplish some simple network segmentation in a WFH setting so that different categories of devices are protected from each other.
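Whatever hardware ends up enforcing the three segments, the policy is worth checking against the actual configuration rather than the vendor's description of it. The following is an added example, not code from the original post: it audits an OpenWrt /etc/config/firewall in which each segment is a firewall zone beside the wan zone, and reports any path that violates "segments forward only to wan, and only the trusted segment may reach the router". The zone names personal, work and vendor, the policy rules, and the sample config (which is constructed for this example and contains three deliberate mistakes) are all assumptions made here.

```python
"""Audit an OpenWrt /etc/config/firewall for the three-segment WFH policy.

Added example, not code from the original post. Assumptions: the vendor,
work and personal segments are OpenWrt firewall zones next to a 'wan'
zone, the file uses standard UCI syntax, and the policy is that a segment
may only forward to wan. SAMPLE_FIREWALL is constructed and deliberately
contains three mistakes.
"""
import shlex
import sys

SAMPLE_FIREWALL = """
config defaults
	option forward 'REJECT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'

config zone
	option name 'personal'
	list network 'personal'
	option input 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'work'
	list network 'work'
	# mistake: work devices can reach the router admin services
	option input 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'vendor'
	list network 'vendor'
	option input 'REJECT'
	# mistake: interfaces added to this zone get forwarded to each other
	option forward 'ACCEPT'

config forwarding
	option src 'personal'
	option dest 'wan'
config forwarding
	option src 'work'
	option dest 'wan'
config forwarding
	option src 'vendor'
	option dest 'wan'
# mistake: a cross-segment path from the trusted segment into the appliances
config forwarding
	option src 'personal'
	option dest 'vendor'
"""


def parse_uci(text):
    """Parse UCI text into sections {"type", "name", "opts"}; 'option' values
    are strings, 'list' values are lists of strings. '#' comments are dropped."""
    sections, current = [], None
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if not words:
            continue
        if words[0] == "config" and len(words) >= 2:
            current = {"type": words[1], "name": words[2] if len(words) > 2 else None, "opts": {}}
            sections.append(current)
        elif words[0] in ("option", "list") and current is not None and len(words) >= 2:
            value = words[2] if len(words) > 2 else ""
            if words[0] == "option":
                current["opts"][words[1]] = value
            else:
                current["opts"].setdefault(words[1], []).append(value)
    return sections


def audit_segmentation(text, trusted_zone="personal", upstream_zone="wan"):
    """Return findings that break 'segments talk only to wan, and only the
    trusted segment talks to the router'. The policy is this example's, not OpenWrt's."""
    findings = []
    for s in parse_uci(text):
        o, kind = s["opts"], s["type"]
        if kind == "defaults" and o.get("forward", "REJECT").upper() == "ACCEPT":
            findings.append("defaults: global forward policy is ACCEPT")
        elif kind == "forwarding" and o.get("dest") != upstream_zone:
            findings.append(f"forwarding {o.get('src')} -> {o.get('dest')}: "
                            f"only {upstream_zone} may be a forwarding destination")
        elif kind == "zone" and o.get("name") != upstream_zone:
            name = o.get("name")
            if o.get("forward", "REJECT").upper() == "ACCEPT":
                findings.append(f"zone {name}: forward policy ACCEPT (interfaces inside the zone can reach each other)")
            if name != trusted_zone and o.get("input", "REJECT").upper() == "ACCEPT":
                findings.append(f"zone {name}: input ACCEPT (router services reachable from an untrusted segment)")
    return findings


if __name__ == "__main__":
    config = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FIREWALL
    for finding in audit_segmentation(config) or ["no cross-segment paths found"]:
        print(finding)
```

Run it against a copy of /etc/config/firewall pulled from the router; an empty result means the only forwardings go to wan and only the trusted zone can reach router services. With input set to REJECT on the work and vendor zones, those zones still need rule sections permitting UDP 67-68 and 53 so DHCP and DNS keep working. Isolation between stations on the same SSID is a wireless setting (option isolate '1' on the wifi-iface in /etc/config/wireless), not a firewall one, so it has to be checked separately.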

Equipment considerations

The choice of hardware can be narrowed down to three types:

  • Enterprise networking gear (Cisco, Fortinet, etc)
  • Specialty equipment / custom software (Mikrotik, pfSense, openWRT, etc)
  • Consumer hardware (Asus, Netgear, etc)

The above topology is certainly feasible with any of the options provided.

The main criteria for choosing between them are ease of setup, price, availability, and capability.

These are summed up in the table below:

Tier        Pros                                                           Cons
Enterprise  Most capable, documented                                       Very expensive; all-in-one Wi-Fi is rare; can require ongoing license fees; can have a steep learning curve
Specialty   Cheap and capable                                              Availability; steep learning curve
Consumer    Moderately priced, just enough features, may already have one  Features can be limited

A notable downside of high-end enterprise hardware is that vendors typically do not offer Wi-Fi in an all-in-one unit, but instead sell "dumb" Wi-Fi access points that form part of a larger collection of devices. While perfectly sensible for a large office, this is usually excessive for a WFH setup and adds both cost and complexity.

A device like the Mikrotik hAP ax2 or ax3 is, in theory, an excellent fit. There is clearly a steep learning curve and, unlike Cisco/Fortinet gear, no work experience to lean on for it. However, the device's capability is excellent and the price puts even consumer hardware to shame - that is, if you can actually buy one.

Custom firmware like OpenWrt is similar, except that the hardware tradeoff is now finding a suitable, supported hardware base to flash, rather than buying a ready-made device.

Consumer hardware has the appeal that it is far cheaper than enterprise kit and readily available. However, its features may be limited, and the documentation often fails to state what those limits are (or that a limit does not exist).

As an example, both Netgear and Asus refer to Guest Wi-Fi in their docs without stating how many Guest networks can be set up, so the rational assumption is that their devices support only one. This is not always the case: the AX5400 ASUS routers can run 3 guest networks per Wi-Fi band, but the docs do not mention that at all.

Final thoughts

Any network separation is better than none.

A good starting option is to see if your existing router can provide Guest Wi-Fi and use that feature.

If you have access to affordable enterprise hardware that suits your needs and fits with your work experience, that may be a suitable solution. Note that an all-in-one Wi-Fi router is rarely offered by enterprise vendors.

Otherwise, a device like the above Mikrotik may be a good fit; however, availability may be an issue. I planned to use one myself; however, buying one in Australia has proven to be far more challenging than getting either of the above alternatives.

If none of the above suits, then searching for a suitable base device and running custom firmware may be the way to go.