Firewalla: New Device Quarantine

New Device Quarantine allows you to automatically monitor and control unknown, potentially dangerous devices on your network.

1. What is New Device Quarantine?
2. How do I enable New Device Quarantine?
3. What can I do with New Device Quarantine?
4. How do I identify unknown devices?
5. How do I know if I can trust a device?
6. How do I release devices from the Quarantine Group?
7. How do I use New Device Quarantine with the Firewalla AP7?
8. Examples

What is New Device Quarantine?

With New Device Quarantine turned on, every new device that joins your network will be automatically placed into a Quarantine Group, and if New Device Alarm is enabled, an alarm will be generated.

• Set custom rules and policies for the Quarantine Group
• Have full visibility over quarantined devices
• Freely remove devices from the Quarantine Group

Some use cases for New Device Quarantine:

• Lock down devices that randomize MAC addresses (e.g. clever kids trying to get around your rules and policies)
• Monitor all unknown devices for unusual or suspicious behavior

Firewalla will recognize devices with MAC randomization (e.g., iOS 14+) as new devices every time the MAC address is changed. This makes New Device Quarantine a good way to prevent devices from getting around your rules and policies.

• If you don't want your device to be quarantined every once in a while, you'll have to disable the random MAC feature on your device.

With the Firewalla AP7, you can set SSIDs and SSID + personal keys to automatically map devices to a group, user, or network. When devices connect to Wi-Fi using the SSID or SSID + personal key, they will be automatically assigned and follow the group, user, or network-specific rules, even if MAC randomization is on. Learn more about Firewalla microsegmentation with AP7 here.

Disclaimer: Firewalla is a router and firewall. It cannot control LAN traffic of devices on the same network. This means that Firewalla will not be able to restrict traffic generated by quarantined devices to other devices on the same LAN. If you do want to restrict LAN traffic, Firewalla supports network segmentation.

• With the Firewalla AP7, you can enable VqLAN and Device Isolation on your New Device Quarantine group to restrict all LAN traffic completely. Learn more about Firewalla's VqLAN here.

How do I enable New Device Quarantine?

• Go to your box's main page.
• Scroll down and tap on the "+ " more button.
• Tap on New Device Quarantine and turn it on.
• Go back to the main screen and tap on Devices. You'll see a new Quarantine Group.
• You can apply New Device Quarantine to specific networks on Firewalla Gold and Purple.

What can I do with New Device Quarantine?

New Device Quarantine creates a Quarantine Group with two pre-defined rules to block new devices from accessing the internet and other segments of your network.

• Block Traffic from & to Internet
• Block Traffic from & to All Local Networks (Gold/Purple Only)

You can treat the Quarantine Group like any other device group. This means you can:

• Add or modify the default rules
• Add or remove members from the group
• Set Routes for traffic from the group
• Send the group's traffic over a VPN using the VPN Client

Once one or more devices are quarantined, a banner will appear at the top of the main screen. Tap View Quarantined Devices to see all devices in the quarantined group.

How do I identify unknown devices?

Sometimes a new device appears on your network and it isn't obvious what it is. This is especially true when a device uses a private or random MAC address – we recommend disabling private MAC on your devices as a best practice. Here are some general tips to identify devices: 

1. If the device isn't quarantined, try putting it into the Quarantine Group to limit its ability to connect. This may help you quickly identify the device. 
2. Look at its network flows. The device's traffic may give you hints about what it could be.
3. Check the MAC address. If the MAC is not random, or you aren't sure, look it up using MAC vendor lookup and see if the manufacturer is a clue as to the device's identity. Note that in a random MAC address, the second digit will always be a 2, 6, A, or E and the rest of the address will be entirely random. For example:

   x2:xx:xx:xx:xx:xx
   x6:xx:xx:xx:xx:xx
   xA-xx-xx-xx-xx-xx
   xE:xx:xx:xx:xx:xx

4. Don't overlook IoT devices like switches and appliances or wearables like watches. Sometimes they join a network by "invitation" from another device, such as a paired phone.
5. Check the for patterns in the time the device joins or leaves the network. It may match when someone is home or not, which can be a clue.

How do I know if I can trust a device?

New Device Quarantine allows you to keep tabs on new devices and limit their access so their risk profile is small, giving you the time and confidence to decide if they're trustworthy. Let unknown devices run for a while and use Firewalla to observe what their normal behaviors are.

"Nice" devices

Devices are more likely to be trustworthy if they send data to secure servers like Amazon's AWS because this often means they have strong data security features.

IoT devices typically require very little internet access – they may only talk to just one or two domains when operating as designed. After observing what servers your IoT devices need access to, you can set rules to only allow access to those servers so that if they are ever compromised by malware or ransomware, they can't send data anywhere else. 

"Naughty" devices

Many devices lack the architecture and quality control to ensure secure data handling. These unintentional flaws leave devices open to being compromised. In other cases, devices may be harvesting your data without asking you for permission. If you're concerned that some of your devices are untrustworthy, separating these devices from the rest of your network mitigates your risk. Learn more about Building Network Segments.

How do I release devices from the Quarantine Group?

To release a device from quarantine, simply navigate to the Quarantine Group, swipe left on the device, and tap "Leave Group". 

This feature only takes effect on newly joined devices. Once a device has been discovered by Firewalla and you've released it from the Quarantine Group, it won't get quarantined again.

How do I use New Device Quarantine with the Firewalla AP7?

The Firewalla AP7 can automatically assign devices to groups, users, and networks based on the SSID or personal key they use. This includes new devices joining your network.

An SSID or personal key assigned to a group/user will take precedence over New Device Quarantine. 

New Device Quarantine will still apply to:

• New wireless devices connecting to another SSID (or using a different personal key) that has no group/user assigned
• New wired devices joining the network

To use New Device Quarantine with the Firewalla AP7, you have a few options. You can:

• Create an SSID with no group or user assigned to it.
  New devices connecting to the SSID will go into Quarantine.
• Assign the Quarantine Group to an SSID.
  All devices connecting to the SSID will go into Quarantine.
• Create a new Group, assign rules to it, and assign it to an SSID.
  All wireless devices connecting to the SSID will go to the group and have custom rules applied; all other new, wired devices will go to Quarantine. (For a quick example, see the tutorial here.)

Learn more about Firewalla AP7 microsegmentation here.

Examples

• You can create a Guest network with rules to prevent any access to local networks. To avoid having to approve access for every devices that joins the guest network, set a default Group for the guest SSID and no quarantine will happen for these devices even when New Device Quarantine is active on the network the SSID is assigned to. Devices will automatically follow all Rules you have set for the Group.
• For an IoT network, you may want to be more careful what devices are allowed. For this SSID, make sure Quarantine is active and do not set a default User/group and Quarntine will work as normal. You will have to approve new devices as they are added to the network in this scenario.