vjeko (Member, joined 2013-09-18)
2014-Dec-16 9:11 am
newbie questions about home network security

I have the following network use scenario at home:
(1) guests - Wi-Fi access to the internet
(2) my software development/learning PCs (need internet access)
(3) server syncing/backup & NAS 2nd backup (write access only by me)
(4) kids' PCs (mix of fixed and Wi-Fi)
(5) home automation
At the moment I have just one network with one AP, and DHCP from the router only for Wi-Fi. I'd like to improve the security and would appreciate some pointers and answers to the following:
(a) Is moving guests, home automation, my PCs and the kids' PCs to separate VLANs the only improvement in security that can be made?
(b) How do you best secure the server & NAS when devices which need to access them need a connection to the internet? Do you keep devices with internet access on a separate VLAN and have other means of transferring data to them?
said by vjeko: (a) Is moving guests, home automation, my PCs and kids' PCs to separate VLANs the only improvement in security that can be made?

No. Look at securing the end hosts themselves -- i.e. anti-x, separate admin and user accounts, strong passwords, change passwords regularly, updates / patches, etc. Also look at securing all layers of the OSI stack -- i.e. Application, Presentation, Session, Transport, Network, Data Link and Physical. VLANs are only a small part of it, but the usual one for segregating traffic. Offhand, PVLANs, or a full-up zoned firewall separating your GUEST subnet from your and your kids' PCs' subnet, would be the near-ultimate solution... with the attendant cost, time and learning to get and configure it.

said by vjeko: (b) How do you best secure the server & NAS when devices which need to access them need a connection to the internet? Do you keep devices with internet access on a separate VLAN and have other means of transferring data to them?

Use the "permit what you need, deny and log the rest" and "least-privilege" concepts of security as a starting point -- i.e. what needs access to what? You may also want to look into what a DMZ is, or a 3-leg firewall.

Last comment... before you go asking what gear can do this, first answer the following:
- how fast is your internet connection currently?
- what is your budget?
- what is your technical skill level?
- any other requirements for this piece of equipment -- e.g. GigE vs FastE ports, PoE, additional functionality like VPN, IDS/IPS, size, power draw, etc.

My 00000010bits
Regards
vjeko
Member
2014-Dec-17 8:49 am
Your information is much appreciated! I've implemented some of the basics regarding accounts, anti-x etc., but it looks like I have a lot to learn and do. Will create the VLANs and will then look into the DMZ. I don't intend to spend a lot of money on all this but would like to bring the security up to a reasonable standard (and learn something in parallel). At the moment I have an old Asus RT-N16 router (will create VLANs) and a lot of old PC hardware, but am looking at purchasing some low-power server hardware with virtualization capability - hopefully I can run the DMZ on that (lots of digging to be done).
to vjeko
I should warn you that VLANs only separate traffic, NOT segregate host(s) -- i.e. if you have your (secure) PC in VLAN1, and a kids' PC in VLAN2, your kids' PC can still talk to your PC in VLAN1. Not sure if that makes sense, but I'm just going off my sense of what you're after, which is to isolate or secure some hosts / parts of your network into a TRUSTED zone. Here's another possible way to do this, just for your reference.

My 00000010bits
Regards
85160670 (banned) "If U know neither the enemy nor yoursel" (joined 2013-09-17, Edmonton, AB)
to vjeko
This is my simple home networking diagram, besides the extra software layer I use on some machines. "Many ways go to Rome" {{{ SMILE }}} keep it simple ...
vjeko
Member
2014-Dec-18 7:35 am
Hellfire, correct me if I'm wrong (still haven't had time to read up on things): VLANs can talk to each other, but a router with firewall rules can be used to stop this, or not (I know roughly how to set up a firewall on a PC but have absolutely no experience with routing/iptables etc. - so I could be talking rubbish)? If the above is true, wouldn't one router have the same effect as what is described in the article you linked to? Also, I'm now not clear on what the advantage of using VLANs is (unless they were tagged, i.e. I had the right hardware - router/switch/AP which could recognise the tags and segregate the VLANs - I presume this is the main purpose of the tags)?

Paradox787 - what do you use for the firewall?

One reason I'd really like further segregation is that I have a few apartments and guests on Wi-Fi, so I'd like to completely separate them from my part of the network. I would also like to:
- separate the kids from my network (it just makes things a bit more secure)
- have at least one PC connected to the internet
- one web server for learning
- ensure the backup server and backup NAS are secure and at the same time give the kids access to things they need to store

At the moment I'm unclear on how to do all this, nor what would be the smartest thing to do as the first step.
85160670 (banned)
Member
2014-Dec-18 10:56 am
vjeko ...... mine is simple and straightforward: I got a modem/router from my service provider & I just bridge the modem because I use my own better router with SPI + NAT + anti-DoS to make my own network as secure as possible, besides layered defences on every computer @ my home {{{ SMILE }}} Here are some images for your eyes only ..... BTW, I do NOT set up a guest network, & for your children I think you could use the Parental control inside your own good router?
to vjeko
said by vjeko: VLANs can talk to each other, but a router with firewall rules can be used to stop this or not

Which do you want, the LOOOONG answer, or the short 'n sweet answer? The LOOOONG answer is "if you have two VLANs on a layer 2 device but no layer 3 device, the two VLANs can't talk to one another." Put in a layer 3 device -- and, as you said, if you don't put any sort of rules in place -- and the two VLANs can talk to one another. It all goes back to what you want to do in the end.

My 00000010bits
Regards
vjeko
Member
2014-Dec-19 7:01 am
Parad0X787 - not absolutely clear - is the firewall the one built into the ISP's router/modem which you have in bridge mode?

Guys, you've got me - without further reading I'm lost, i.e. it's not at all clear to me how I would formulate a solution to all my requirements. I'm not even sure what the difference is between the two-wifi-router solution (link Hellfire gave) and my ideas with VLANs and router rules etc. Having said that, would you point me in the direction of how you would fulfil my requirements? Maybe I can at least improve the security a little.

The setup I have at the moment is as follows:
- ISP's TP-Link modem in bridge mode
- ASUS RT-N16 router running Shibby Tomato
- ordinary switch connected to PCs, Buffalo AP, server and NAS backup
I have one extra wireless router/modem and one wireless router/AP on hand if that helps.
to vjeko
Actually you've only posed two questions rather than "given your requirements." Put another way, "more secure" is not a product you buy but a process.

said by vjeko: I'm not even sure what the difference is between the two wifi router solution (link Hellfire gave) and my ideas with VLANs and router rules etc.

Did you read the article I supplied? The WHOLE article? Specifically the following comment quote:

"I recently helped a community center with its network setup. They needed to provide Internet connection to tenants who were renting space, in addition to their own shared Internet. They also shared a number of folders on the network, but weren't too careful about password protecting the shares.
Rather than trying to (unsuccessfully) enforce good file-sharing practices among users who didn't really have the inclination to learn them, I took a more pragmatic approach and separated the tenant and community center computers into their own private LANs."

Replace "community center" with any mix of your PCs now and "other tenants" with guest access. Make sense? The point is that design isolates your guests from your network a lot more thoroughly than if you were to use just plain VLANs... due to the way VLANs work, based on the LOOOONG answer I gave you above. Did you also look into DMZs and 3-legged firewalls as well? Does that make sense to you, and is it something you're looking to implement?

Regards
HELLFIRE
said by HELLFIRE: Actually you've only posed two questions rather than "given your requirements."

...okay, I take that back, I missed this... never ask me to do deep thinking on Friday evening while sleep-deprived and/or drunk.

said by vjeko: I would also like to: - separate the kids from my network (it just makes things a bit more secure) - have at least one PC connected to the internet - one web server for learning - ensure the backup server and backup NAS are secure and at the same time give the kids access to things they need to store

...what I said in my last post still holds though. You COULD go with the setup in the smallnetbuilder article, just add more routers behind the first router as needed if you TOTALLY want to isolate things from one another on the cheap and simple. If you just want a single device, I'd look into something that can do security zones / multi-leg firewall -- you did get a chance to read up on that, yes? With it, you split the network into 5 zones: KIDS, YOU, WEB SERVER, BACKUP, INTERNET.

            KIDS  YOU  WEB SERVER  BACKUP  INTERNET
KIDS        X     X    X           V       V
YOU         X     X    V           V       V
WEB SERVER  X     V    X           ?       ?
BACKUP      V     V    ?           X       ?
INTERNET    X     X    X           X       X

You could get more granular and specify the port(s) and dates/times the rules are active even...

Regards
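To show how the zone matrix above and the earlier "permit what you need, deny and log the rest" advice turn into actual rules, here is an added example (mine, not from anyone in this thread) that builds an iptables FORWARD policy for a Linux/Tomato router where each zone is its own VLAN interface. It assumes rows are the source zone and columns the destination, that V means allow, X means deny and ? means not decided yet (so it stays denied), and the interface names are placeholders.

```python
# Added example, not from the thread: turn the 5-zone matrix posted above into a
# "permit what you need, deny and log the rest" iptables FORWARD policy for a
# Linux/Tomato router where every zone is its own VLAN interface.
# Assumptions (mine, not the poster's): row = source zone, column = destination,
# V = allow, X = deny, ? = not decided yet (so denied until you decide).
ZONES = ["KIDS", "YOU", "WEB SERVER", "BACKUP", "INTERNET"]

# The matrix exactly as posted
MATRIX = {
    "KIDS":       ["X", "X", "X", "V", "V"],
    "YOU":        ["X", "X", "V", "V", "V"],
    "WEB SERVER": ["X", "V", "X", "?", "?"],
    "BACKUP":     ["V", "V", "?", "X", "?"],
    "INTERNET":   ["X", "X", "X", "X", "X"],
}

# Placeholder interface per zone; assumed names, adjust to your router
IFACE = {"KIDS": "br1", "YOU": "br2", "WEB SERVER": "br3",
         "BACKUP": "br4", "INTERNET": "vlan2"}

def allowed(src, dst):
    """True only for an explicit V; X and ? both fall into the default deny."""
    return MATRIX[src][ZONES.index(dst)] == "V"

def undecided():
    """Zone pairs still marked ?: decide these before the rules go live."""
    return [(s, d) for s in ZONES for d in ZONES
            if MATRIX[s][ZONES.index(d)] == "?"]

def forward_rules():
    """FORWARD chain: allow stateful return traffic, then the explicit permits
    for new connections, then log (rate-limited) and drop everything else."""
    rules = ["iptables -P FORWARD DROP",
             "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for src in ZONES:
        for dst in ZONES:
            # traffic inside one VLAN never crosses the router, so skip src == dst
            if src != dst and allowed(src, dst):
                rules.append(f"iptables -A FORWARD -i {IFACE[src]} -o {IFACE[dst]}"
                             f" -m state --state NEW -j ACCEPT")
    rules.append('iptables -A FORWARD -m limit --limit 5/min -j LOG '
                 '--log-prefix "FWD-DENY: "')
    rules.append("iptables -A FORWARD -j DROP")
    return rules

if __name__ == "__main__":
    print("\n".join(forward_rules()))
    print("# still undecided:", undecided())
```

The ESTABLISHED,RELATED rule is what lets replies flow back to a zone (e.g. INTERNET to KIDS) even though the matrix denies new connections in that direction; the denied traffic lands in the log so you can see what you forgot to permit.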
vjeko
Member
2014-Dec-20 2:32 pm
Hellfire, yes I did read it, but I don't get the difference between that solution and using my Tomato router with firewall rules etc. (in case I can get away with one device). I think it's best for me to stop here and get to reading/digging and trying out things, and come back when I know/understand something properly. You've pointed out what I need to learn - that is the most important thing. Before doing that, I just wanted to hear from Paradox0X787 regarding my question about his firewall (whether it is on the bridged modem), as I am not doing anything on my bridged modem (I had no clue you could do anything there, I thought bridged meant just passing the modem signal through).
to vjeko
said by vjeko: but I don't get the difference between that solution and using my Tomato router with firewall rules etc.

I'd say there's no difference in the final destination; the difference is in how one gets there. As for whether it can, and how to use Tomato to do this, that is outside the scope of this thread, and it's best to take a look at the user guides and/or forums for Tomato on how to do such a thing, and whether it's within your skillset.

EDIT: found this; MAY be a "quick" guide for Tomato (Shibby) for setting up a multi-leg firewall.. feel free to give it a browse.

My 00000010bits
Regards