Skip to content

HEP 2: Network Security Structure #4

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
safaorhan wants to merge 3 commits into
base: main
Choose a base branch
from
Open

HEP 2: Network Security Structure #4

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
a7f680b
Create hep-0002.md
safaorhan Dec 16, 2025
4669100
Update hep-0002.md
safaorhan Dec 16, 2025
ec956e2
Fix spelling and grammar.
safaorhan Dec 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
90 changes: 90 additions & 0 deletions hep-0002.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,90 @@
👉 | HEP 2: Network Security Structure
--- | ---
Authors | [@safaorhan](https://github.com/safaorhan)
Status | Active
Related PRs | [#4](https://github.com/konyahackerspace/heps/pull/4)
Related HEPs | -


## Summary
This HEP describes how we can manage the internal network on a fundamental level
to prevent unauthorized access to our network and internet-connected devices in
the space.

## Rationale
Hackers of all kinds of backgrounds would be common guests of our space. The idea
of "hacking a hackerspace" might sound exciting for some of them. Also, motivated
by curiosity, some of our members might try to tinker, configure, and eventually
break things on our network, rendering other hackers frustrated. These precautions
would help us contain possible hostile attempts.

## Securing Physical Access to the Router
One of the easiest and most frustrating attack vectors is to gain physical access
to the router, follow the factory reset sequence on the hardware, and hence disconnect
all connected devices from the network. This would let the attacker reconfigure
the network as he'd like and create many further attack vectors.

We must keep the router in a difficult-to-reach place, possibly locked in a hard
plastic enclosure to discourage tampering.

Another layer to prevent and remedy physical access would be to issue surveillance
to the proximity of the router, so if anybody attempts to tinker, the community admins
would get notified of the attempt, possibly with picture evidence.

## Storing Router Admin Credentials Securely
We should ensure that the credentials for the router's admin dashboard are stored securely.
The fewer people who know it, the better. We shall use the password manager of hackerspace's
Google account aside with other critical passwords.

## Creating Multiple Wireless Networks
We shall create different wireless networks serving different purposes:

\# | Type | Hidden | Criticality | Purpose
--- | --- | --- | --- | ---
1 | Infrastructure | Hidden | Most Critical | Security systems, smart sensors, automation devices live in this network.
2 | Member Network | Visible | Critical | Computers and smartphones of the members, printers, 3D printers, shared or interactive electronics live here.
3 | Guest Network | Visible | Less critical | Guests are allowed, temporary projects and experiments are welcome.

We shall not provide LAN access to the router since it's not easy to
control who is connected to what, and nowadays, wireless is fast enough.
If the router supports it, we can also isolate the wired network from the wireless one.

### 1. Infrastructure Network
If a device is meant to help operate the space and doesn't need others to interact with it over
the network, it shall live within the infra network.

Good examples of these devices are:
- A Raspberry Pi with HaOS installed
- A connected LED-light controlled by a PIR sensor
- A security camera
- An RFID reader that opens the door
- A smart switch that publishes to SpaceAPI

Changing the password of this network would be the most troublesome. But for security purposes,
we can schedule yearly maintenance time to update the infrastructure password.

### 2. Member Network
The usual network a member would connect their laptop or smartphone to. Shared electronics
that members would access should be placed in this network.

Some examples would be:
- 3D printers, so that members can send jobs over the network
- Regular printers and scanners
- Other tools and devices controllable by members over the network

We can change the password for this network a couple of times a year
as a security measure. And only let current members know the new password.

### 3. Guest Network
When guests arrive at the space for events and one-off visits, they can connect to
this network. So that they won't have access to the internet-connected tools. Also,
when someone wants to experiment with something, share the password with the attendees in
a workshop, create a new IoT device, or similar, they can use this network.

The SSID and password of the guest network can be placed in NFC tags and placed
on the walls. A QR can be okay, but less safe, since we have a wall of glass on the
roadside.

Lastly, we can change the password of this network frequently to deal with free
loaders, and since it would be really effortless to do it.