Network security (Yamaha receiver)

[AllenB]

Best practice is to secure all IoT devices, so if someone does get into the network these devices cannot become an attack surface to compromise the others.
Does anyone know if there’s a way to secure a Yamaha A6A with a username and password? If I want to use the MusicCast app, it’s constantly vulnerable (since Network Standby must be on).
TIA.

 

[jinjuku]

Sorry that you never got any traction with this. Yes there is a way. If you have a firewall capable of VLANS and hosting an IP address (called SVI) then you can make an deny ACL that would block traffic from the VLAN that those IOT devices ride on.

So you could setup subnets as follows:

Computers: 192.168.0.0 255.255.255.0 with a gateway of 192.168.0.1
IoT: 192.168.1.0 255.255.255.0 with a gateway of 192.168.1.1
Guest Traffic (wireless and wired): 192.168.2.0 255.255.255.255.0 with a gateway of 192.168.2.1
HVAC_HomeControls: 192.168.3.1 255.255.255.0 with a gateway of 192.168.3.1

A typical CLI (typed out) ACL could look like this and it's applied to the inbound on the other VLANS:

ip access-list standard "Deny IoT Traffic"
10 deny 192.168.1.0 0.0.0.255 log
20 permit 0.0.0.0 0.0.0.0

Rules are evaluated in order. If we see 192.168.1.0 inbound on any of the other vlans we drop that traffic. If the traffic isn't 192.168.1.0 we permit.

Some firewall will do this with a Graphical User Interface.

 

[highfigh]

Best practice is to secure all IoT devices, so if someone does get into the network these devices cannot become an attack surface to compromise the others.
Does anyone know if there’s a way to secure a Yamaha A6A with a username and password? If I want to use the MusicCast app, it’s constantly vulnerable (since Network Standby must be on).
TIA.

If you disable WiFi on the AVR, nobody is going to use it as a way to hack your network and I NEVER recommend using WiFi when something has an ethernet port. I'm a Yamaha/Denon/etc dealer and have never heard of anyone using a Yamaha or other piece of AV equipment to hack into a network.

Even if WiFi has been enabled, they can't control the Yamaha or hack anything unless they know the encryption key for your network- the app won't find the Yamaha. Also, with the AVR connected to the network, there's no reason to enable Bluetooth, either.

 

[jinjuku]

If you disable WiFi on the AVR, nobody is going to use it as a way to hack your network and I NEVER recommend using WiFi when something has an ethernet port

The assumption that you can get Ethernet where ever you place equipment.

 

[highfigh]

The assumption that you can get Ethernet where ever you place equipment.

True, but if someone wants the best performance, that's not just a weak option. It's always possible, but many won't pay the cost, so they find a cheap way that they hope will work. Like a set of four repeaters that cost $50. Then, they get the neighbor kid or nephew "who's good at this stuff" to configure it.

Still, if someone uses a mesh network with good security (rather than a birth date, dog's name, address, etc as their 'secure password'), it should be easy enough to prevent unwanted access.

It's also easy enough to hide the SSID after setting up the network, so outsiders can't even see it, or to use a specific SSID for the wireless that's not the same as the wired network.

I found a site years ago that showed how long it would take for someone to find the password (understanding that it might be total BS) and by choosing the keys in a visual way, it showed that the 12 character code I used would take 10,000 weeks. Obviously, it would take less time with a randomizer, but is the OP seeing people parked outside of his house for days or does he have hackers as neighbors?

 

[jinjuku]

True, but if someone wants the best performance, that's not just a weak option. It's always possible, but many won't pay the cost, so they find a cheap way that they hope will work. Like a set of four repeaters that cost $50. Then, they get the neighbor kid or nephew "who's good at this stuff" to configure it.

Agreed it's layer 8 that is the weakness when it comes to wifi. Home users aren't getting into FreeRadius and 802.1x infrastructure. Just run WPA3 personal with a strong password.

Disabling the SSID beaconing doesn't provide any security enhancements. That's all easily discovered.

I'm currently framing in my basement and running both CAT6 and Single Mode Fiber. I'll still have Wifi though. Dropping in 2.5G PoE+ switching with SFP+.

 

[highfigh]

Agreed it's layer 8 that is the weakness when it comes to wifi. Home users aren't getting into FreeRadius and 802.1x infrastructure. Just run WPA3 personal with a strong password.

Disabling the SSID beaconing doesn't provide any security enhancements. That's all easily discovered.

I'm currently framing in my basement and running both CAT6 and Single Mode Fiber. I'll still have Wifi though. Dropping in 2.5G PoE+ switching with SFP+.

Install everything in conduit- you'll need it if you live long enough and stay in that house for a long time.

What speed do you really need? I ran Cat5e when I did some work on my place in 2001 and it still performs fine for the speed that's available to be from Spectrum but I refuse to deal with ATT anymore. They make life a soul-sucking hell.

How would someone run WPA3 when that's not one of the options, without buying enterprise grade equipment? Look at the most popular consumer grade network gear- it's cheap and pretty crappy. People don't perceive the need for better equipment until it's too late.

 

[jinjuku]

I didn't run smurf tube. CAT6 is made for 10GBe and if I ever need something beyond that the SM OS1 is good for 400GBe.

WPA3 Personal is available on most consumer oriented WAPs

 

[AllenB]

Sorry that you never got any traction with this. Yes there is a way. If you have a firewall capable of VLANS ...

Wow. Thank you for the replies. I'll need to look into VLANs. Not sure if my router does this, but the approach makes sense. Thanks.

 

[AllenB]

If you disable WiFi on the AVR, nobody is going to use it as a way to hack your network and I NEVER recommend using WiFi when something has an ethernet port. I'm a Yamaha/Denon/etc dealer and have never heard of anyone using a Yamaha or other piece of AV equipment to hack into a network.

Even if WiFi has been enabled, they can't control the Yamaha or hack anything unless they know the encryption key for your network- the app won't find the Yamaha. Also, with the AVR connected to the network, there's no reason to enable Bluetooth, either.

Thank you for the reply. The A6A is connrected via Ethernet. It's a bit of a Catch 22: if someone can get into the network through whatever means, the lack of any security on the receiver means it is exposed. I don't know how likely that could be to compromise other devices.

 

[AllenB]

Install everything in conduit- you'll need it if you live long enough and stay in that house for a long time.
How would someone run WPA3 when that's not one of the options ...

Thanks for your comments. The A6A is hard-wired to the router via a Cat6 cable, but it turns out that both it and the LG TV only support 100Mbit Ethernet. Haven't had a problem with the the A6A, but the 100Mbit turns out to be inadequate for some YouTubes at 4K 60 frames with 5.1 sound, so I've had to unplug the cable from the TV and use WiFi.
I do have WPA3 Personal as an option.

 

[jinjuku]

Wow. Thank you for the replies. I'll need to look into VLANs. Not sure if my router does this, but the approach makes sense. Thanks.

What Firewall do you have?

 

[highfigh]

I didn't run smurf tube. CAT6 is made for 10GBe and if I ever need something beyond that the SM OS1 is good for 400GBe.

WPA3 Personal is available on most consumer oriented WAPs

I Have to say that I'm pretty surprised/disappointed that not a single manufacturer has mentioned WPA3 in a training webinar I have been involved with and their websites show that their products can use it.

 

[highfigh]

Thanks for your comments. The A6A is hard-wired to the router via a Cat6 cable, but it turns out that both it and the LG TV only support 100Mbit Ethernet. Haven't had a problem with the the A6A, but the 100Mbit turns out to be inadequate for some YouTubes at 4K 60 frames with 5.1 sound, so I've had to unplug the cable from the TV and use WiFi.
I do have WPA3 Personal as an option.

100Mbps shouldn't be inadequate and WiFi is almost never faster than hard wired- the protocols prevent it, but in most cases, it's not noticeable. I would test the cable and if it was pinched/bent sharply/pulled hard during installation, that probably causes the problems.

The recommended minimum bend radius for communications cabling is four times its diameter, so 8mm cable shouldn't be bent over an edge with less than 32mm radius and that means dropping it over framing lumber is a bad thing. Dropping it over HVAC ducts is even worse. Stapling network cables is another way to compromise its performance- it's one of the reasons we, in the AV/Network business use conduit. I have also seen communications/network cabling that was installed by electricians with Romex staples and they hammered them far too hard. They don't generally deal with networks and they don't know that pinching is incredibly bad, as is pulling too hard although the spline and thicker wire in Cat6 allows a bit more tension to be used but that's not saying it SHOULD be pulled harder.

If possible, use a laptop to do a speed test with it wired to the Cat6 at the TV end- I'm betting that it won't be as fast as it is at the router or switch (if you installed one for the AV system. Then, test the WiFi speed as a comparison.

If you're using a repeater for the TV, get rid of it- they typically cut the speed roughly in half. A mesh network is different and the speed will be excellent if it has been placed correctly.

 

[AllenB]

What Firewall do you have?

The firewall is what Asus provides in its WiFi 6 routers. Reasonably secure. If I was using WiFi I could put the receiver on a dedicated guest network, but using ethernet I'm investigating VLANs.

 

[AllenB]

100Mbps shouldn't be inadequate and WiFi is almost never faster than hard wired- the protocols prevent it, but in most cases, it's not noticeable. I would test the cable and if it was pinched/bent sharply/pulled hard during installation, that probably causes the problems. ...

It's a brand new CAT6 cable. Could swap it with another to see if it's faulty.
WiFi is definitely faster: the NetFlix app on the LG TV reports a connetion speed of 209 Mbps (using 5 GHz WiFi to a 250 Mbps fibre internet connection).

 

[highfigh]

It's a brand new CAT6 cable. Could swap it with another to see if it's faulty.
WiFi is definitely faster: the NetFlix app on the LG TV reports a connetion speed of 209 Mbps (using 5 GHz WiFi to a 250 Mbps fibre internet connection).

If WiFi is faster, the cable has a problem- who terminated the ends?

Do you have a laptop computer with an ethernet port? If so, connect it with the ethernet, move your mouse's cursor to the network icon at the lower right corner, right click and select 'Open Network and Sharing Center. Look for 'Change Adapter Settings and you'll see Local Area Connections- disable the wireless network connection and enable the wired, then right click on the wired connection that's active (it will; show the name of the network and the network card info)- you should see Disable at the top with Status below that. Click on Status and a new box will open. It will show two lines for connectivity (IPv4 and IPv6), Media State, Duration (how long the computer has been connected) and Speed. Speed should be 1.0 Gbps with most routers. I have seen that with every computer I checked when it was wired, whether desktop or laptop. This can be checked for WiFi by disabling the wired connection and enabling the WiFi- the speed for WiFi will depend on the wireless card- an older computer might show 72Mbps or 150Mbps and newer ones will be in the 30Mbps-1.0 Gbps.

If you want to chase the rabbit down the hole to check the wire assignments at the ends, you can buy a cable tester, but you'll probably only use it once.

WiFi can be nearly as fast as wired, but it should never be faster.

For $27, you can buy a 100' Cat6 ethernet cable from Monoprice- it would help this time and anytime in the future. A 15' cable is $15.

 

[Trebdp83]

It's a brand new CAT6 cable. Could swap it with another to see if it's faulty.
WiFi is definitely faster: the NetFlix app on the LG TV reports a connetion speed of 209 Mbps (using 5 GHz WiFi to a 250 Mbps fibre internet connection).

The TV’s Netflix app will report the download speed of your network rather than the actual throughput of the TV to the router. You can check the Tx Rate on your Asus router. Look for Clients on the Home page and click on Show List. The LG TV, if wifi 5(ac) should show something like 700-800Mbps. If it is a newer wifi 6(ax) model, it may show 1000-1200Mbps. If it does half of that in actuality, it’s still faster than the 100Mbps ethernet port. You can connect a usb to ethernet adapter to the TV’s usb 2.0 port to get faster speeds from a wired connection if moving big files around from a media server.

 

[jinjuku]

The firewall is what Asus provides in its WiFi 6 routers. Reasonably secure. If I was using WiFi I could put the receiver on a dedicated guest network, but using ethernet I'm investigating VLANs.

Without knowing the exact model #, as ASUS makes many of what you describe, here is a page on VLAN with port isolation setup:

[Wireless Router] What is VLAN and how to setup in ASUS Wireless Router? | Official Support | ASUS Global

 

[ban25]

Many TVs, particularly from Sony and LG, have slow 100 Mbps Fast Ethernet NICs. In those cases, WiFi will perform better, or one can add a Gigabit USB NIC: