From a7f680b44eae24c414efecc112a865510ffca5ef Mon Sep 17 00:00:00 2001 From: Safa Orhan Date: Tue, 16 Dec 2025 19:01:33 +0300 Subject: [PATCH 1/3] Create hep-0002.md --- hep-0002.md | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 hep-0002.md diff --git a/hep-0002.md b/hep-0002.md new file mode 100644 index 0000000..37d192d --- /dev/null +++ b/hep-0002.md 
@@ -0,0 +1,48 @@ +👉 | HEP 2: Network Security Structure +--- | --- +Authors | [@safaorhan](https://github.com/safaorhan) +Status | Active +Related PRs | [#4](https://github.com/konyahackerspace/heps/pull/4) +Related HEPs | - + + +## Summary +This HEP describes how we can manage the internal network on a fundamental level +to prevent unauthorized access to our network and internet connected devices in +the space. + +## Rationale +Hackers of all kinds of backgrounds would be common guests of our space. The idea +of "hacking a hackerspace" might sound exciting for some of them. Also, motivated +with curiosity some of our members might try to tinker, configure and eventually +break things on our network, rendering other hackers frustrated. These precautions +would help us contain possible attempts of dangerous curiosity. + +## Securing Physical Access to the Router +One of the easiest and most frustrating attack vector is to gain physical access +to the router, follow factory reset sequence on the hardware and hence disconnect +all connected devices from the network. This would let the attacker to reconfigure +the network as he'd like and create many further attack vectors. + +We must keep the router in a difficult to reach place, possibly locked in a hard +plastic enclosure to discourage tampering. + +Another layer to prevent and remedy physical access would be to issue surveilliance +to close proximity of the router, so if anybody attempts to tinker, the community admins +would get notified of the attempt, possibly with picture evidence. + +## Storing Router Admin Credentials Securely +We should ensure the credentials to admin dashboard of the router to be stored securely. +The less people to know it the better. We shall use the password manager of hackerspace's +Google account aside with other critical passwords. 
+ +## Creating Multiple Wireless Networks +We shall create different wireless networks serving different purposes: + +\# | Type | Hidden | Criticality | Purpose +--- | --- | --- | --- | --- +1 | Infrastructure | Hidden | Most Critical | Security systems, smart sensors, automation devices lives in this network. +2 | Member Network | Visible | Critical | Computers and smartphones of the members, printers, 3D printers, shared or interactive electronics live here. +3 | Guest Network | Visible | Less critical | Only guests are connected, no smart devices should connect here. + +We shall not provide LAN access to the router since it's not easy to control who is connected to what and nowadays wireless is fast enough. From 4669100a01c626ffd3e5c01298097c69a48677bf Mon Sep 17 00:00:00 2001 From: Safa Orhan Date: Tue, 16 Dec 2025 21:15:46 +0300 Subject: [PATCH 2/3] Update hep-0002.md --- hep-0002.md | 47 +++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 45 insertions(+), 2 deletions(-) diff --git a/hep-0002.md b/hep-0002.md index 37d192d..56e9471 100644 --- a/hep-0002.md +++ b/hep-0002.md 
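Review bot: in the wireless-networks table, the "Hidden" column for the infrastructure network should not be counted as a security control; a client configured for a hidden SSID probes for it by name, so the SSID still leaks, and the real protection for the cameras, RFID door reader and sensors is the pre-shared key plus enforced separation from the member and guest networks. The hunk never states that the three networks are isolated from each other (no routing or layer-2 reachability between them), which is the property "to prevent unauthorized access to ... internet connected devices" depends on; suggest adding a sentence such as "The three networks shall be isolated from each other; a device on the Guest or Member network must not be able to reach the Infrastructure network." On the credentials section, "We shall use the password manager of hackerspace's Google account" makes the shared Google account the single point of compromise for the router admin login; suggest stating who holds access to that account and that it is protected with a second factor.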
@@ -43,6 +43,49 @@ We shall create different wireless networks serving different purposes: --- | --- | --- | --- | --- 1 | Infrastructure | Hidden | Most Critical | Security systems, smart sensors, automation devices lives in this network. 2 | Member Network | Visible | Critical | Computers and smartphones of the members, printers, 3D printers, shared or interactive electronics live here. -3 | Guest Network | Visible | Less critical | Only guests are connected, no smart devices should connect here. +3 | Guest Network | Visible | Less critical | Guests are allowed, temporary projects and experiments are welcome. + +We shall not provide LAN access to the router since it's not easy to +control who is connected to what and nowadays wireless is fast enough. +If the router supports it, we can isolate wired network from the wireless one, too. + +### 1. Infrastructure Network +If a device is meant to help operate the space and doesn't need others +to interact with it over the network, it shall live within the infra network. + +Good examples of these devices are: +- A Raspberry Pi with HaOS installed +- A connected LED-light controlled by a PIR sensor +- A security camera +- An RFID reader that opens the door +- A smart switch that publishes to SpaceAPI + +Changing the password of this network would be the most troublesome. But for +security purposes we can schedule yearly maintenance time to update infra password. + +### 2. Member Network +The usual network a member would connect his laptop or smartphone. Shared +electronics that members would access should be placed in this network. + +Some examples would be: +- 3D printers, so that members can send jobs over the network +- Regular printers and scanners +- Other tools and devices controllable via members over the network + +We can change the password for this network a couple of times in a year +as a security measure. And only let current members know the new password. + +### 3. 
Guest Network +When guests arrive to the space for events and one-off visits, they can connect to +this network. So that they won't have access to the internet connected tools. Also +when someone wants to experiment with something, share password to attendees on a +workshop, create a new IoT device or similar, they can use this network. + +The ssid and password of the guest network can be placed on NFC tags and placed +on the walls. A QR can be okay but less safe, since we have a wall of glass on the +roadside. + +Lastly, we can change the password of this network frequently to deal with free +loaders and since it would be really effortless to do it. + -We shall not provide LAN access to the router since it's not easy to control who is connected to what and nowadays wireless is fast enough. From ec956e2bc4ffda419dd054cbab2cbc9856e6f64a Mon Sep 17 00:00:00 2001 From: Safa Orhan Date: Tue, 16 Dec 2025 21:55:53 +0300 Subject: [PATCH 3/3] Fix spelling and grammar. --- hep-0002.md | 59 ++++++++++++++++++++++++++--------------------------- 1 file changed, 29 insertions(+), 30 deletions(-) diff --git a/hep-0002.md b/hep-0002.md index 56e9471..627e672 100644 --- a/hep-0002.md +++ b/hep-0002.md 
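Review bot: the guest-network paragraph says guests "won't have access to the internet connected tools", but nothing in the hunk requires that the guest SSID be separated from the member and infrastructure SSIDs; on many routers several SSIDs share one LAN unless guest isolation or per-SSID VLANs are switched on, so the claim only holds if the document makes that a requirement. Suggest adding, after "If the router supports it, we can isolate wired network from the wireless one, too.", an explicit rule that the guest network must have client isolation enabled and no route to the other two networks, and that the member network must not reach the infrastructure network. Related point on rotation: "schedule yearly maintenance time to update infra password" and "a couple of times in a year" for the member network mean a departed member or a leaked NFC tag keeps working until the next scheduled change; suggest adding "and whenever a member leaves or a password is suspected to have leaked" to both rotation sentences. Minor: the hunk deletes the old "We shall not provide LAN access" paragraph at the end after re-adding it higher up, which is fine, but the trailing blank line left before the deletion should also go.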
@@ -8,32 +8,32 @@ Related HEPs | - ## Summary This HEP describes how we can manage the internal network on a fundamental level -to prevent unauthorized access to our network and internet connected devices in +to prevent unauthorized access to our network and internet-connected devices in the space. ## Rationale Hackers of all kinds of backgrounds would be common guests of our space. The idea of "hacking a hackerspace" might sound exciting for some of them. Also, motivated -with curiosity some of our members might try to tinker, configure and eventually +by curiosity, some of our members might try to tinker, configure, and eventually break things on our network, rendering other hackers frustrated. These precautions -would help us contain possible attempts of dangerous curiosity. +would help us contain possible hostile attempts. ## Securing Physical Access to the Router -One of the easiest and most frustrating attack vector is to gain physical access -to the router, follow factory reset sequence on the hardware and hence disconnect -all connected devices from the network. This would let the attacker to reconfigure +One of the easiest and most frustrating attack vectors is to gain physical access +to the router, follow the factory reset sequence on the hardware, and hence disconnect +all connected devices from the network. This would let the attacker reconfigure the network as he'd like and create many further attack vectors. -We must keep the router in a difficult to reach place, possibly locked in a hard +We must keep the router in a difficult-to-reach place, possibly locked in a hard plastic enclosure to discourage tampering. 
-Another layer to prevent and remedy physical access would be to issue surveilliance -to close proximity of the router, so if anybody attempts to tinker, the community admins +Another layer to prevent and remedy physical access would be to issue surveillance +to the proximity of the router, so if anybody attempts to tinker, the community admins would get notified of the attempt, possibly with picture evidence. ## Storing Router Admin Credentials Securely -We should ensure the credentials to admin dashboard of the router to be stored securely. -The less people to know it the better. We shall use the password manager of hackerspace's +We should ensure that the credentials for the router's admin dashboard are stored securely. +The fewer people who know it, the better. We shall use the password manager of hackerspace's Google account aside with other critical passwords. ## Creating Multiple Wireless Networks 
@@ -41,17 +41,17 @@ We shall create different wireless networks serving different purposes: \# | Type | Hidden | Criticality | Purpose --- | --- | --- | --- | --- -1 | Infrastructure | Hidden | Most Critical | Security systems, smart sensors, automation devices lives in this network. +1 | Infrastructure | Hidden | Most Critical | Security systems, smart sensors, automation devices live in this network. 2 | Member Network | Visible | Critical | Computers and smartphones of the members, printers, 3D printers, shared or interactive electronics live here. 3 | Guest Network | Visible | Less critical | Guests are allowed, temporary projects and experiments are welcome. We shall not provide LAN access to the router since it's not easy to -control who is connected to what and nowadays wireless is fast enough. -If the router supports it, we can isolate wired network from the wireless one, too. +control who is connected to what, and nowadays, wireless is fast enough. +If the router supports it, we can also isolate the wired network from the wireless one. ### 1. Infrastructure Network -If a device is meant to help operate the space and doesn't need others -to interact with it over the network, it shall live within the infra network. +If a device is meant to help operate the space and doesn't need others to interact with it over +the network, it shall live within the infra network. Good examples of these devices are: - A Raspberry Pi with HaOS installed 
@@ -60,32 +60,31 @@ Good examples of these devices are: - An RFID reader that opens the door - A smart switch that publishes to SpaceAPI -Changing the password of this network would be the most troublesome. But for -security purposes we can schedule yearly maintenance time to update infra password. +Changing the password of this network would be the most troublesome. But for security purposes, +we can schedule yearly maintenance time to update the infrastructure password. ### 2. Member Network -The usual network a member would connect his laptop or smartphone. Shared -electronics that members would access should be placed in this network. +The usual network a member would connect their laptop or smartphone to. Shared electronics +that members would access should be placed in this network. Some examples would be: - 3D printers, so that members can send jobs over the network - Regular printers and scanners -- Other tools and devices controllable via members over the network +- Other tools and devices controllable by members over the network -We can change the password for this network a couple of times in a year +We can change the password for this network a couple of times a year as a security measure. And only let current members know the new password. ### 3. Guest Network -When guests arrive to the space for events and one-off visits, they can connect to -this network. So that they won't have access to the internet connected tools. Also -when someone wants to experiment with something, share password to attendees on a -workshop, create a new IoT device or similar, they can use this network. +When guests arrive at the space for events and one-off visits, they can connect to +this network. So that they won't have access to the internet-connected tools. Also, +when someone wants to experiment with something, share the password with the attendees in +a workshop, create a new IoT device, or similar, they can use this network. 
-The ssid and password of the guest network can be placed on NFC tags and placed -on the walls. A QR can be okay but less safe, since we have a wall of glass on the +The SSID and password of the guest network can be placed in NFC tags and placed +on the walls. A QR can be okay, but less safe, since we have a wall of glass on the roadside. Lastly, we can change the password of this network frequently to deal with free -loaders and since it would be really effortless to do it. - +loaders, and since it would be really effortless to do it.
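Review bot: for the hunk at @@ -8,32, the commit is titled "Fix spelling and grammar." but the Rationale line changes from "contain possible attempts of dangerous curiosity" to "contain possible hostile attempts", which alters the meaning (curious members versus hostile actors); either keep the original wording in this commit or mention the rewording in the commit message. In the same hunk, "the password manager of hackerspace's Google account aside with other critical passwords" still reads awkwardly after the edit; suggest "the password manager of the hackerspace's Google account, alongside the other critical passwords".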
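Review bot: for the hunk at @@ -60,32, "The SSID and password of the guest network can be placed in NFC tags and placed on the walls" keeps the doubled "placed" from the previous version; suggest "can be stored on NFC tags mounted on the walls". Two lines below, "free loaders" should be the single word "freeloaders", and "since it would be really effortless to do it" would read better as "since doing so is effortless". Same hunk, Guest Network paragraph: "this network. So that they won't have access" is a sentence fragment; joining it as "this network, so that they won't have access to the internet-connected tools" keeps the meaning and fixes the grammar this commit sets out to fix.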