newbie questions about home network security

vjeko (Member, joined 2013-09-18):

I have the following network use scenario at home:
(1) guests - Wifi access to internet
(2) my software development/learning PCs (need internet access)
(3) server synching/backup & NAS 2nd backup (write access only by me)
(4) kids' PCs (mix of fixed and Wifi)
(5) home automation

At the moment I have just one network with one AP and DHCP from the router
only for Wifi. I'd like to improve the security and would appreciate some pointers
and answers to the following:

(a) Is moving guests, home automation, my PCs and the kids' PCs to separate VLANs
the only improvement in security that can be made?

(b) How do you best secure the server & NAS when devices which need to access them need a connection to the internet? Do you keep devices with internet access on a separate VLAN and have other means of transferring data to them?
HELLFIRE (MVM, joined 2009-11-25):

said by vjeko:

(a) Is moving guests, home automation, my PCs and the kids' PCs to separate VLANs the only improvement in security that can be made?

No. Look at securing the end hosts themselves -- ie. anti-x, separate admin and user accounts, strong passwords, change passwords regularly, updates / patches, etc.
Also look at securing all layers of the OSI stack -- ie. Application,Presentation,Session,Transport,Network,Datalink and Physical. VLANs are only a small part
of it, but the usual one for segregating traffic.

Offhand, PVLANs, or a full up zoned firewall separating your GUEST subnet from your and your kids PCs' subnet would be the near ultimate solution... with the
attendant cost, time and learning to get and configure.
said by vjeko:

(b) How do you best secure the server & NAS when devices which need to access them need a connection to the internet? Do you keep devices with internet access on a separate VLAN and have other means of transferring data to them?

Use the "permit what you need, deny and log the rest" and "least-privilege" concepts of security as a starting point -- ie. what needs access to what?

You may also want to look into what a DMZ is, or a 3-leg firewall.

Last comment... before you go asking what gear can do this, first answer the following:

- how fast is your internet connection currently?

- what is your budget?

- what is your technical skill level?

- any other requirements for this piece of equipment -- eg. GigE vs FastE ports, POE, additional functionality like VPN, IDS/IPS, size, power draw, etc.

My 00000010bits

Regards
vjeko (Member):

Your information is much appreciated! I've implemented some of the
basics regarding accounts, anti-x etc. but it looks like I have a lot to learn and do.
Will create the VLANs and will then look into the DMZ. I don't
intend to spend a lot of money on all this but would like to bring
the security up to a reasonable standard (and learn something in parallel).

At the moment I have an old Asus RT-N16 router (will create VLANs)
and a lot of old PC hardware but am looking at purchasing some low
power server hardware with virtualization capability - hopefully I can run the
DMZ on that (lot of digging to be done).
HELLFIRE (MVM) to vjeko:

I should warn VLANs only separate traffic, NOT segregate host(s) -- ie. if you have your (secure) PC in VLAN1, and a kids' PC in VLAN2,
your kids' PC can still talk to your PC in VLAN1. Not sure if that makes sense, but I'm just going off my sense of what you're after,
which is to isolate or secure some hosts / parts of your network into a TRUSTED zone.

Here's another possible way to do this just for your reference.

My 00000010bits

Regards
85160670 (banned) (Member, joined 2013-09-17, Edmonton, AB) to vjeko:

This is my simple home networking diagram; besides the extra software layer I use on some machines, "many ways lead to Rome" {{{ SMILE }}} keep it simple ...
vjeko (Member):

Hellfire, correct me if I'm wrong (still haven't had time to read up on things):
VLANs can talk to each other, but a router with firewall rules can be used to
stop this or not (I know roughly how to set up a firewall on a PC but have absolutely no experience with routing/iptables etc. - so I could be talking rubbish)?

If the above is true, wouldn't one router have the same effect as what is described in the article you linked to? Also, I'm now not clear on what the advantage of using VLANs is
(unless they were tagged, i.e. I had the right hardware - router/switch/AP which could recognise the tags and segregate the VLANs - I presume this is the main purpose of the tags)?

Paradox787 - what do you use for the firewall? One reason I'd really like further segregation is that
I have a few apartments and guests on Wifi, so I'd like to completely separate them from
my part of the network. I would also like to:
- separate the kids from my network (it just makes things a bit more secure)
- have at least one PC connected to the internet
- one web server for learning
- ensure the backup server and backup NAS are secure and at the same time
give the kids access to things they need to store
At the moment I'm unclear on how to do all this, nor what would be the
smartest thing to do as the first step.
85160670 (banned) (Member):

vjeko ...... mine is simple and straightforward: I got a modem/router from my service provider & I just bridge the modem because I use my own better router with SPI + NAT + anti-DoS to make my own network as secure as possible, besides layered defences on every computer @ my home {{{ SMILE }}} Here are some images for your eyes only ..... BTW, I do NOT set up a guest network & for your children I think you could use Parental Control inside your own good router?
HELLFIRE (MVM) to vjeko:

said by vjeko:

VLANs can talk to each other, but a router with firewall rules can be used to stop this or not

Which do you want, the LOOOONG answer, or the short 'n sweet answer? The LOOOONG answer is "if you have two VLANs on
a layer 2 device but no layer 3 device, the two VLANs can't talk to one another." Put in a Layer 3 device -- and as
you said, if you don't put any sort of rules in place -- and the two VLANs can talk to one another.

It all goes back to what you want to do in the end.

My 00000010bits

Regards
vjeko (Member):

Parad0X787 - not absolutely clear - is the firewall the one built into the ISP's router/modem which you have in bridge mode?

Guys, you've got me - without further reading I'm lost, i.e. it's not at all
clear to me how I would formulate a solution to all my requirements.
I'm not even sure what the difference is between the two-wifi-router solution
(link Hellfire gave) and my ideas with VLANs and router rules etc.
Having said that, would you point me in the direction of how you would
fulfill my requirements? Maybe I can at least improve the security
a little.

The setup I have at the moment is as follows:
ISP's TP-Link modem in bridge mode -> ASUS RT-N16 router running
Shibby Tomato -> ordinary switch connected to PCs, Buffalo AP, server and NAS backup.
I have one extra wireless router/modem and one wireless router/AP on hand if that helps.
HELLFIRE (MVM) to vjeko:

Actually you've only posed two questions rather than "given your requirements."
Put another way, "more secure" is not a product you buy but a process.
said by vjeko:

I'm not even sure what the difference is between the two-wifi-router solution (link Hellfire gave) and my ideas with VLANs and router rules etc.

Did you read the article I supplied? The WHOLE article? Specifically the following
comment
quote:
I recently helped a community center with its network setup. They needed to provide Internet connection to tenants who were renting space, in addition to their own shared Internet. They also shared a number of folders on the network, but weren't too careful about password protecting the shares.

Rather than trying to (unsuccessfully) enforce good file-sharing practices among users who didn't really have the inclination to learn them, I took a more pragmatic approach and separated the tenant and community center computers into their own private LANs.
Replace "community center" with any mix of your PCs now and "other tenants" with guest
access. Make sense?

The point is that design isolates your guests from your network a lot more thoroughly
than if you were to just use plain VLANs... due to the way VLANs work, based on
the LOOOONG answer I gave you above.

Did you also look into DMZ and 3-legged firewalls as well? Does that make sense to you,
and is it something you're looking to implement?

Regards
HELLFIRE (MVM):

said by HELLFIRE:

Actually you've only posed two questions rather than "given your requirements."

...okay, I take that back, I missed this... never ask me to do deep thinking on Friday evening while sleep-deprived and/or drunk.
said by vjeko:

I would also like to:
- separate the kids from my network (it just makes things a bit more secure)
- have at least one PC connected to the internet
- one web server for learning
- ensure the backup server and backup NAS are secure and at the same time
give the kids access to things they need to store

...what I said in my last post still holds though. You COULD go with the setup in the smallnetbuilder article,
just add more routers behind the first router as needed if you TOTALLY want to isolate things from one another
on the cheap and simple.

If you just want a single device, I'd look into something that can do security zones / multi-leg firewall -- you
did get a chance to read up on that, yes? With it, you split the network into 5 zones:

                KIDS    YOU     WEB SERVER      BACKUP  INTERNET
KIDS            X       X       X               V       V
YOU             X       X       V               V       V
WEB SERVER      X       V       X               ?       ?
BACKUP          V       V       ?               X       ?
INTERNET        X       X       X               X       X


You could get more granular and specify the port(s) and dates/times the rules are active even...

Regards
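As an added example (not code from the thread or from any of its posters), here is how a zone matrix like the one above can be turned into iptables FORWARD rules following the "permit what you need, deny and log the rest" approach HELLFIRE describes. It assumes the table row is the zone that initiates a connection and the column is the destination, treats every "?" cell as deny until a decision is made, and uses made-up interface names and subnets for a Linux router (such as a Tomato box) with one interface per zone.

```python
"""Zone-policy matrix -> iptables FORWARD rules.

Added example, not from the thread. The interface names and subnets in
ZONE_NET are constructed placeholders, not a real configuration.
"""

# Row = zone that initiates the connection, column = destination zone
# (assumed reading of the table). 'V' permit, 'X' deny, '?' undecided.
ZONES = ["KIDS", "YOU", "WEB SERVER", "BACKUP", "INTERNET"]
MATRIX = {
    "KIDS":       "XXXVV",
    "YOU":        "XXVVV",
    "WEB SERVER": "XVX??",
    "BACKUP":     "VV?X?",
    "INTERNET":   "XXXXX",
}

# Constructed (hypothetical) interface and subnet per zone; one VLAN
# sub-interface or bridge per zone on a single Linux router.
ZONE_NET = {
    "KIDS":       ("br1",   "192.168.10.0/24"),
    "YOU":        ("br2",   "192.168.20.0/24"),
    "WEB SERVER": ("br3",   "192.168.30.0/24"),
    "BACKUP":     ("br4",   "192.168.40.0/24"),
    "INTERNET":   ("vlan2", "0.0.0.0/0"),
}


def policy(src: str, dst: str) -> str:
    """Cell of the matrix for traffic initiated by src toward dst."""
    return MATRIX[src][ZONES.index(dst)]


def is_allowed(src: str, dst: str) -> bool:
    """Only an explicit 'V' permits; 'X' and '?' both deny (fail closed)."""
    return policy(src, dst) == "V"


def undecided_pairs() -> list:
    """Zone pairs still marked '?' so they can be reviewed, not forgotten."""
    return [(s, d) for s in ZONES for d in ZONES if policy(s, d) == "?"]


def generate_rules() -> list:
    """Emit iptables commands (as text) for the FORWARD chain.

    Default policy is DROP; reply packets of permitted connections are
    accepted by conntrack state, so each 'V' cell needs only one rule for
    NEW connections in the initiating direction. Everything else is logged
    with a recognisable prefix and then dropped.
    """
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -F FORWARD",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src in ZONES:
        for dst in ZONES:
            if src == dst or not is_allowed(src, dst):
                continue
            s_if, s_net = ZONE_NET[src]
            d_if, d_net = ZONE_NET[dst]
            rules.append(
                f"iptables -A FORWARD -i {s_if} -o {d_if} -s {s_net} -d {d_net} "
                f"-m conntrack --ctstate NEW -j ACCEPT  # {src} -> {dst}"
            )
    # "deny and log the rest": log first, then drop.
    rules.append('iptables -A FORWARD -j LOG --log-prefix "ZONE-DENY: "')
    rules.append("iptables -A FORWARD -j DROP")
    return rules


if __name__ == "__main__":
    for pair in undecided_pairs():
        print(f"# TODO decide policy for {pair[0]} -> {pair[1]} (currently denied)")
    print("\n".join(generate_rules()))
```

The script only prints the commands so they can be reviewed before being applied; source NAT on the WAN interface (needed for the INTERNET column to actually work) is separate and not shown, and the "?" pairs are printed as TODO lines so the gaps in the matrix stay visible while they remain denied.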
vjeko (Member):

Hellfire, yes I did read it but I don't get the difference between that solution and
using my Tomato router with firewall rules etc. (in case I can get away
with one device). I think it's best for me to stop here and get to reading/digging and trying out things and come back when I know/understand something properly. You've pointed out what I need to learn - that is the
most important thing.

Before doing that, I just wanted to hear from Paradox0X787 regarding my question about his firewall (whether it is on the bridged modem),
as I am not doing anything on my bridged modem (I had no clue you could do anything there, thought bridged meant just passing the modem signal through).
HELLFIRE (MVM) to vjeko:

said by vjeko:

but I don't get the difference between that solution and using my Tomato router with firewall rules etc.

I'd say there's no difference in the final destination; the difference is in how one gets there.

As for whether Tomato can do this and how, that's outside the scope of this thread, and it's best
to take a look at the user guides and/or forums for Tomato on how to do such a thing, and whether
it's within your skillset.

EDIT: found this; MAY be a "quick" guide for Tomato (Shibby) for setting up a multi-leg firewall... feel free to give it a browse.

My 00000010bits

Regards