** WIP ** How to over-engineer your home network to perfection

Note: this article is applicable to home and small business network architecture

-- words in progress --

Introduction

I cleverly preempted your first question ("why the heck are you making it so complicated, no-one is trying to compromise my network anyway") by including "over-engineered" in the title... :)

However, I would argue that there is no harm in making your home network properly secured and safe.  It is useful to learn 'the right way to do it' even if it may be slightly overkill.   And you never know, you may become famous, or your home-based startup may suddenly take off, and you'll be glad you've set things up to scale.  

Oh - and by the way, your home network IS under constant attack even if you don't notice it. A typical home network deals with tens of thousands of attempts to get past your perimeter every day. 

An enterprise grade home network setup

If you are more adventurous and dedicated to setting up a great home network, here's how you could do that.

You will need one device (workstation, laptop) to do the setup.  A laptop is handy since you need to connect your setup device with an ethernet cable to the things you're setting up, and something that you can move about helps :) 

Physical network - the things that cost money (<$1,500 total)

You will of course still need the ISP's magic box.  Assuming you have that, invest in the following equipment:

  • Gateway device & firewall appliance (same box), ~$300
  • Multi-port managed switch ~$100
  • One or more WAPs ~$200 each
  • Ethernet patch cable (CAT-6) ~$50-$100 depending on the number you need and the length
  • UPS - ~$300 (optional)

We used the following (and all of these are higher grade and more expensive than listed above as we like to over-engineer :) )

  • Gateway device: we chose the pfSense Netgate 2100
  • Managed switch: we chose a 48-port PoE (power over ethernet) Cisco managed switch (bought used from eBay)
  • WAP: we chose the UniFi Cloud Key and nano WAPs
  • UPS: we chose the CyberPower CP1500PFCLCD 

Logical network - the things that cost time 

Sadly, there seems to be no 'intermediate' solution that you can buy and that just works - I think there should be, but there isn't.  So assuming you've bought the above equipment, you will need to set it up and configure it, and you will need a certain level of knowledge or curiosity to be able to do that.  Or phone a friend: an offer of free and copious amounts of craft beer may get you the help you need :) 

Design your network segmentation.  We suggest the following segments:

  1. INTERNAL - everything that is trusted
  2. DMZ - everything that needs to be exposed to the internet
  3. WIFI - the wireless world of things you trust
  4. GUEST WIFI - the wireless world of things you are not sure of
  5. IOT - the world of things you should definitely not trust.  

In sequence, you will do the following (see the following chapters for details):

  • Have your ISP configure their magic box to 'modem only' (bridge mode, pass-through mode, or whatever it is called).
  • If you invested in the optional UPS, connect the power of all devices to the UPS.  This will prevent your network from going down during a short power failure, and protects your devices. 
  • Connect your switch to the cabling in your house.
  • Set up your gateway: define the VLANs, DHCP and the firewall rules.
  • Set up your managed switch.
  • pfSense is the software we use to provide the firewall heavy lifting. It comes with great documentation on how to configure it.  

Gateway/firewall appliance

  • First, we'll do a standalone setup - your gateway is not yet connected to anything.
  • Connect your setup device with an ethernet cable to any port other than the WAN port (read the install instructions), and open a browser to access the configuration screens per the instructions.
  • Set up the VLANs - one for each of the network segments you need (see above).  For example:
(screenshot: VLAN configuration example)
  • You can call them anything.  In this example:
    • the Management network is INTERNAL - everything that is trusted
    • the Server network is the DMZ - everything that needs to be exposed to the internet
    • the WiFi subnet is the WIFI - the wireless world of things you trust
    • the Guest network is the GUEST WIFI - the wireless world of things you are not sure of
    • the IOT subnet is the IOT - the world of things you should definitely not trust.  
  • Assign the VLANs to the appropriate physical ports (a single port can often carry multiple VLANs) - how you do this depends on your device.   The more ports you have, the more bandwidth you can provide in parallel, as the traffic is split across them.   So if you have 5 VLANs and 4 ports, choose which two VLANs you want to combine on one port. 
  • Set up your gateway to be a DHCP server for all interfaces except the WAN.  
    We recommend assigning a fixed IP address to the MAC address of every device on every segment.  Limit the number of addresses that are assigned at random to a maximum of 2.  On a segment that is more important to you (e.g. the management network), do not allow ANY randomly assigned IP addresses.   So really, you should allow extra IP addresses only on the segments where you expect devices to come and go, i.e. your guest network.  For testing and for adding new devices, it may be handy to allow one randomly assigned IP on your INTERNAL segment to help you capture the MAC address of new endpoints. 
  • You'll want a DNS entry for every device (on every segment) you plan to connect to internally.   Most gateway appliances will create DNS entries automatically from the DHCP mappings you've just created.   If yours doesn't, create them manually for the devices that need one - you can always add more later.   Remember that even without a DNS entry you can always use the IP address to connect to a device; a DNS entry just makes it easier.  Also remember that a DNS entry on your gateway does not make a device accessible from the outside - it only assigns a name to an IP address for readability. 
  • On your gateway, now create the firewall rules.  For each segment, create rules that dictate what is allowed in terms of connection.  Also create rules for connections between segments and from segment to the internet.  Allow the absolute minimum required. 
    • As in: configure the firewall settings in the gateway with implicit deny for everything - only allow the things you want. How to do this is very specific to the device - check the instructions.  Do not allow any segment to connect to anything else - including the internet.   A good gateway device will have this as the default. 
    • The example below shows a rule that allows traffic from the local VLANs (USR MGT, WIFI, etc.) to outbound ports 443 and 80.  Our device allows you to create a rule that applies to multiple VLANs; if yours does not, you may have to create multiple rules.  Also note that these are TCP ports and not the physical ethernet ports we've talked about so far.  This goes beyond what we're trying to explain: read more in XXX.  You may also need to create rules for UDP ports.   Use good comments and descriptions where your device allows it!
  • Create any additional firewall rules that are VLAN specific to allow the minimum amount of connectivity you need.  This could be traffic from a VLAN to another VLAN, or from the VLAN outbound to the internet. 
  • Example below - the first rule says to allow any packet from any source IP and any source port (information which is included in the packet) whose destination is any address on the IOT VLAN on port 53.  This allows DNS queries only to the designated DNS server for this subnet.  The second rule is disabled.  The third rule blocks everything else.  BUT remember that in the example above we also allowed any outbound traffic from the IOT VLAN to destination ports 443 and 80.  If my thermostat tries to connect to its OWN DNS server somewhere out on the internet, the rule below will not allow it, since it only allows DNS requests to the address range of the IOT VLAN.  Note that this does not prevent DNS over HTTPS, because we have allowed port 443 via the first rule above.  (We do have a block list for all known DNS over HTTPS servers to catch most, but not all, of this.)
(screenshot: IOT VLAN firewall rules)
  • Note that on a stateful firewall appliance like the one we used, you probably don't need to do anything to support connections established from inside your network.  So when your laptop connects on port 443 to a website, the response traffic back to your laptop will be allowed, because your laptop initiated the connection and a stateful firewall allows this by default.
  • Out of scope for now: supporting internet-facing services such as your own hosted servers, which need to accept connections that were not initiated from inside your network.
  • There are additional intrusion detection system (IDS) and intrusion prevention system (IPS) features available on most gateway devices.  These tools do things like dynamically provide lists of suspect IP addresses and suspect traffic patterns, based on known patterns, that you can block.   
    For instance, we use a combination of Snort and pfBlocker, and you can see below how much traffic is being blocked by pfBlocker alone.  This does not only add security, it also reduces unnecessary traffic on your network. 
(screenshot: pfBlocker blocked-traffic statistics)
  • We also have defined rules that do not allow traffic to or from certain geographical regions.  Or inbound on certain ports. And our settings will also block your IP for an extended period if you've tried to come in on a port we're not allowing (like Telnet) because there should be NO reason for any IP to try to connect to that port.  It is a good way to detect and block the automated scanners on the internet - and there are a lot.
(screenshot: geographic and port block rules)
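To make the first-match behaviour of the IOT rules above concrete, here is an added example (not the article's configuration and not a pfSense feature) that models them in Python: the 80/443 outbound rule, the DNS-to-local-resolver rule, the disabled rule, and the block-everything-else rule.  The IOT subnet 192.168.50.0/24 and the other addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed subnet for the IOT VLAN (an assumption, not the article's addressing).
IOT_NET = ipaddress.ip_network("192.168.50.0/24")
ANY = None  # 'any' address, protocol or port in a rule


@dataclass
class Rule:
    action: str                          # "pass" or "block"
    proto: Optional[str] = ANY           # "tcp", "udp" or any
    src: Optional[ipaddress.IPv4Network] = ANY
    dst: Optional[ipaddress.IPv4Network] = ANY
    dports: frozenset = frozenset()      # empty set means any destination port
    enabled: bool = True
    note: str = ""

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (self.enabled
                and (self.proto is ANY or self.proto == proto)
                and (self.src is ANY or ipaddress.ip_address(src) in self.src)
                and (self.dst is ANY or ipaddress.ip_address(dst) in self.dst)
                and (not self.dports or dport in self.dports))


# Rules on the IOT interface, in the order the article describes them.
# Note: a destination of 'any' also matches the other local VLANs, not only the internet.
IOT_RULES = [
    Rule("pass", "tcp", IOT_NET, ANY, frozenset({80, 443}), note="web out on 80/443"),
    Rule("pass", "udp", ANY, IOT_NET, frozenset({53}), note="DNS only to the IOT resolver"),
    Rule("pass", "tcp", ANY, ANY, enabled=False, note="disabled rule, skipped"),
    Rule("block", note="block everything else"),
]


def evaluate(rules, src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """Walk the interface rules top to bottom; the first enabled match decides
    (pfSense interface rules are first-match); otherwise the implicit default deny applies."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action, rule.note
    return "block", "implicit default deny"


if __name__ == "__main__":
    thermostat = "192.168.50.20"                                 # constructed IoT device
    for dst, proto, port in [("192.168.50.1", "udp", 53),        # local resolver: pass
                             ("8.8.8.8", "udp", 53),             # its own DNS server: block
                             ("1.1.1.1", "tcp", 443),            # DNS over HTTPS: still passes
                             ("192.168.10.5", "tcp", 22)]:       # constructed INTERNAL host: block
        print(dst, proto, port, evaluate(IOT_RULES, thermostat, dst, proto, port))
```

The third case is the DNS-over-HTTPS gap the text describes: the DNS rule never sees it, because the 443 rule matched first.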

 

Managed switch

  • Your switch will have a factory default IP or will get one from your DHCP server.  
    • Connect to your switch and configure the tagged and untagged ports.
  • Everything in your house, every endpoint, will connect to a port in your switch.  Your switch needs to be big enough - have enough ports - for all of them. 
  • Every port in your switch can be set up as untagged (the port belongs to a single VLAN) or tagged (frames on the port carry a VLAN tag, so one port can carry several VLANs).
    • VLAN tag: a number between 0 and 4,095 (the maximum set by the VLAN standard, which uses a 12-bit binary number) 
    • however, no-one uses 0
    • and 1 is the default for the admin VLAN
    • VLANs operate at the MAC level, layer 2 of the OSI model
  • Connect the gateway to the managed switch
    • for each port in the switch, define which VLAN(s) it is on
    • endpoints connect to a port in the switch
    • one port connects to pfSense
    • wifi has multiple networks - the WAP ports pass multiple VLANs on the switch
    • Patch cables and managed switch
  • NOTE: you can do the wrong thing with your switch ports and lock yourself out of your switch admin. 
  • Configure VLANs -- add more detail here
  • Set up your WAPs to provide a mesh wifi -- add more detail here
  • Connect your gateway appliance to one of the modem's ports, and connect your gateway appliance to one of the managed switch ports
    configuration and firewall rules -- add more detail here
  • SNORT -- add more detail here
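As an added illustration of tagged versus untagged ports (not the article's switch configuration; the VLAN numbers and port names are constructed), this Python model shows how a frame enters and leaves switch ports, and includes the check you'd want to run before saving a port change so you don't lock yourself out of the switch admin as the note above warns.

```python
from dataclasses import dataclass
from typing import Optional

MAX_VLAN_ID = 4095  # 12-bit VLAN ID field in the 802.1Q tag


def valid_vlan(vid: int) -> bool:
    """Usable VLAN IDs are 1..4094; 0 and 4095 are reserved by 802.1Q."""
    return 1 <= vid <= MAX_VLAN_ID - 1


@dataclass(frozen=True)
class Port:
    name: str
    untagged: int                      # VLAN that untagged frames join (access/native VLAN)
    tagged: frozenset = frozenset()    # VLANs carried with an 802.1Q tag (trunk)


def ingress_vlan(port: Port, tag: Optional[int]) -> Optional[int]:
    """VLAN a frame joins when it enters `port`; None means the switch drops it."""
    if tag is None:
        return port.untagged
    return tag if tag in port.tagged else None


def egress(port: Port, vlan: int) -> Optional[str]:
    """How `port` forwards a frame of `vlan`: 'untagged', 'tagged', or None if not a member."""
    if vlan == port.untagged:
        return "untagged"
    return "tagged" if vlan in port.tagged else None


def can_reach(src: Port, tag: Optional[int], dst: Port) -> bool:
    vlan = ingress_vlan(src, tag)
    return vlan is not None and egress(dst, vlan) is not None


# Constructed VLAN numbers and port layout (assumptions, not the article's).
MGMT, DMZ, WIFI, GUEST, IOT = 10, 20, 30, 40, 50
SWITCH = {
    "uplink": Port("uplink", MGMT, frozenset({DMZ, WIFI, GUEST, IOT})),  # trunk to pfSense
    "admin": Port("admin", MGMT),                                         # your setup laptop
    "thermo": Port("thermo", IOT),                                        # an IoT device
    "wap": Port("wap", MGMT, frozenset({WIFI, GUEST, IOT})),              # trunk to a WAP
}


def admin_still_reachable(switch: dict, admin_port: str, uplink_port: str) -> bool:
    """Before saving a port change: can untagged frames from the admin port still reach the
    gateway uplink on the management VLAN?  If not, you are about to lock yourself out."""
    admin, uplink = switch[admin_port], switch[uplink_port]
    return admin.untagged == MGMT and can_reach(admin, None, uplink)
```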

Wireless Access Points - WAPs

Operational procedures

  • Diagram your network.
  • Define a maintenance schedule.  Everything you have set up will need regular software updating.

When it stops working...  some common problems

  • (If you are hosting anything - you'll want static IPs and proper certificates for the devices, if you are providing access from the 'outside'.  Will keep this out of scope for now :) )

For further reading

  • The Art of Network Security Architecture, Benjamin Johnson, available as Kindle e-book

Network Design principles

  • your network should be segmented, keeping communication and access restricted to a specific 'traffic lane' within your network.  This ensures that users (and processes) have access only to devices in that segment, and cannot go exploring outside of their lane.
  • your network should be zero-trust
  • your network access should be deny by default
  • your network should be user-friendly.  You want to provide access for your visiting friends, so they can look up that definition and obliterate you in Scrabble.    You want your own devices to have uninterrupted access, regardless of where they are.   I wanted to be sure to have internet access in the yard as well, so range is important.  I want to be able to use my phone as a remote for the audio and video, which requires it to be on the same wifi. 
  • You'll want to design your network to meet your requirements.  Do you just want to provide access to the internet for anyone in your place?  Are you expecting to make content or services (think: website) available to the internet?  Do you have a printer that you want everyone to be able to use?  What is your home entertainment setup and needs (audio, video)?  Do you plan to have video cameras or home security?  Home automation?  Each of these define some of the capabilities you will need.
