Best Home Network Setups with Defense in Depth / Layered Security

j86schroeder Member Posts: 17 ■□□□□□□□□□
Can anyone give me some ideas on some setting up layered security at your house?

Cable Modem set in passthrough > IDS or IPS (Which brand? Hardware/Software) > Cisco/Juniper Firewall?

Thanks.

Comments

  • PC509 Member Posts: 804 ■■■■■■□□□□
    I use a pfSense setup with Snort. Simple, but it is a pretty powerful device. I just use an old PC (i5 series) for it, which handles my 25/2 connection just fine (DSL... sucks).

    I would love to go with a Cisco ASA, but just like the pfSense setup.
  • Cert Poor Member Posts: 240 ■■■□□□□□□□
    • armed guards 24/7
    • a moat with sharks with frickin lasers
    • catapults
    • mantraps
    • every door physically locked requiring multi-factor authentication. Even the bathroom. Forgot your PIN? Pee in a bucket.
    • get rid of all copper cabling and replace with fiber optic
    • line entire house with TEMPEST/EMI/RFI material to create Faraday cage
    • dogs
    • tigers
    • Home Alone-esque honeypots

    (OK, so the only thing above I seriously dream about doing is wiring my entire house with fiber instead of copper. After I get rich.)

    As a home user, can you really afford the enterprise stuff for personal use? I mean, buying a $50-100K Palo Alto firewall (or two) would break the bank. So would a fleet of Cisco or Juniper equipment. And UTM appliances.

    Even SMB equipment like Barracuda or Sonicwall can be pricey for home use.

    For home use, stick with Free and Open Source. For IDS/IPS, look into Snort and Suricata. For firewalls, look into things like pfSense or Untangle. Follow best practices on ruleset creation and default deny and whitelisting. Tuning IDS/IPS is tough (at least for me).

    I found out Splunk offers a free tier. That'd be cool in a nerdy overkill way to run at home to aggregate and analyze data.

    Practice good security through isolation. Create good VLANs to segment your network. Segment your WLAN traffic on its own VLAN. Segment Guest WLAN on its own VLAN that's even more locked down. Captive portals with time-based vouchers for guests. If you have IoT devices, put them on their own VLAN. Switch all WLAN from WPA2-PSK to WPA2-Enterprise. I use EAP-TLS at home and love it. Certificates out the wazoo. Mutual authentication.

    I think I need to change my pants.



    Edited to Add: Also remember that availability is a key part of your security posture. Next phases in your home projects can be to add redundancy. Instead of one WAN connection, buy two and set up active-active or active-passive. Instead of one edge router/firewall, use two. UPSs everywhere. A home generator. Good backup and DR practices with off-site backups.
    In progress: MTA: Database Fundamentals (98-364)
    Next up: CompTIA Cloud Essentials+ (CLO-002) or LPI Linux Essentials (010-160)
    Earned: CompTIA A+, Net+, Sec+, Server+, Proj+
    ITIL-F v3 2011 | ServiceNow CSA, CAD, CIS | CWNP CWTS
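    The post above recommends Snort or Suricata for home IDS/IPS and notes that tuning is the hard part. The script below is an added example, not code from the thread or from the Snort project: it parses Snort "fast" alert lines, counts alerts per signature and per source, and emits threshold.conf-style `event_filter` lines for the noisy signatures so they fire at most once per source per minute instead of flooding the console. The alert lines, the local-range signature IDs and the messages are constructed for the example; the `event_filter` syntax is Snort's own.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample of Snort "fast" alert lines (alert_fast output format).
# Signature IDs in the 1000000+ local range and the messages are made up for
# this example; the addresses are documentation ranges, not captured traffic.
SAMPLE_ALERTS = """\
03/01-10:15:02.113245  [**] [1:1000001:1] LOCAL WEB id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 192.168.10.20:51234
03/01-10:15:09.554120  [**] [1:1000002:2] LOCAL POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 192.168.10.20:44512 -> 203.0.113.9:443
03/01-10:15:11.001002  [**] [1:1000002:2] LOCAL POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 192.168.10.20:44513 -> 203.0.113.9:443
03/01-10:16:40.220000  [**] [1:1000002:2] LOCAL POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 192.168.10.21:50001 -> 203.0.113.9:443
this line is not an alert and must be skipped by the parser
03/01-10:17:03.900001  [**] [1:1000003:1] LOCAL SCAN SIP OPTIONS sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.51.100.77:5062 -> 192.168.10.1:5060
03/01-10:18:15.133700  [**] [1:1000002:2] LOCAL POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 192.168.10.20:44600 -> 203.0.113.9:443
"""

# One line of alert_fast output. Classification and Priority are optional
# because not every rule sets them.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<pri>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


@dataclass
class Alert:
    ts: str
    gid: int
    sid: int
    msg: str
    priority: int
    proto: str
    src_ip: str
    dst_ip: str


def _strip_port(endpoint: str) -> str:
    # "192.168.10.20:51234" -> "192.168.10.20"; ICMP endpoints carry no port.
    host, sep, _port = endpoint.rpartition(":")
    return host if sep else endpoint


def parse_alert(line: str):
    """Return an Alert for a well-formed fast-alert line, or None for anything else."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    return Alert(
        ts=m["ts"], gid=int(m["gid"]), sid=int(m["sid"]), msg=m["msg"],
        priority=int(m["pri"]) if m["pri"] else 3,   # Snort's default priority
        proto=m["proto"], src_ip=_strip_port(m["src"]), dst_ip=_strip_port(m["dst"]),
    )


def summarize(lines):
    """Group alerts by (gid, sid): how often each fired and from which sources."""
    counts, sources, msgs = Counter(), defaultdict(set), {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        key = (a.gid, a.sid)
        counts[key] += 1
        sources[key].add(a.src_ip)
        msgs[key] = a.msg
    return {k: {"count": counts[k], "sources": sorted(sources[k]), "msg": msgs[k]} for k in counts}


def suggest_tuning(summary, noisy_at: int = 3, window: int = 60):
    """Emit threshold.conf lines that rate-limit signatures firing noisy_at times or more.

    A 'limit' event_filter keeps the first alert per source in each window and
    drops the repeats, so the signature stays active but stops flooding."""
    out = []
    for (gid, sid), info in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        if info["count"] < noisy_at:
            continue
        out.append(f"# {info['msg']}: {info['count']} alerts from {len(info['sources'])} source(s)")
        out.append(f"event_filter gen_id {gid}, sig_id {sid}, type limit, track by_src, count 1, seconds {window}")
    return out


if __name__ == "__main__":
    print("\n".join(suggest_tuning(summarize(SAMPLE_ALERTS.splitlines()))))
```

    Run it against your own alert file by replacing `SAMPLE_ALERTS.splitlines()` with the file's lines. Review each suggested filter before pasting it into the configuration: a rule that fires often from one known host may deserve a `suppress` for that host, while a rule firing from many sources may be telling you something worth keeping.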
  • dhay13 Member Posts: 580 ■■■■□□□□□□
    I use pfsense with Snort

    Cable modem > pfsense firewall > (wireless) Router > switch >
  • markulous Member Posts: 2,394 ■■■■■■■■□□
    dhay13 wrote: »
    I use pfsense with Snort

    Cable modem > pfsense firewall > (wireless) Router > switch >

    I forgot that pfsense offers a snort add on to their product.

    What kind of hardware did you use?
  • j86schroeder Member Posts: 17 ■□□□□□□□□□
    Thanks for all of that information! Very helpful. Now of course I am poor, but I was researching as well to see if there was something in particular that I needed to buy. It sounds like, when dealing with home network security, you should stick with free and open source.

    Get a box and install pfsense firewall, which will be a firewall that is inline with the whole network.
    Modem set in pass through hitting pfsense firewall box, then going to a router.
    (Problem is my modem is actually an all-in-one router/wifi/modem.) What is the best home router if I just disable routing and wifi on my all-in-one modem?

    Modem / Pfsense firewall / Router / Switch / Wireless Router
    If I wanted to setup 802.1x on that network using EAP-TLS, do I actually need another box? I have never setup authentication before especially mutual authentication where both the client and the server doing the authentication. Which leads to my next question, where can I find information about setting up a honeynet/honeypot? I do not have much experience with virtualization other than downloading VirtualBox and getting an image of Win2012 and Win7 setting it up for PXE Boot to do deployment.

    If I am going to do 802.1x, I will need a good switch correct, that is what is going to enable me to do some network segmentations/VLANs

    After the switch add in the Wireless router.
  • dhay13 Member Posts: 580 ■■■■□□□□□□
    markulous wrote: »
    I forgot that pfsense offers a snort add on to their product.

    What kind of hardware did you use?

    I had an old Gateway FX6800 laying around that I installed it on. Way overkill for pfsense but it's what I had...lol. pfsense is very lightweight so not much needed. Just about any old PC would work
  • markulous Member Posts: 2,394 ■■■■■■■■□□
    dhay13 wrote: »
    I had an old Gateway FX6800 laying around that I installed it on. Way overkill for pfsense but it's what I had...lol. pfsense is very lightweight so not much needed. Just about any old PC would work

    Right, especially for a home network. I think I may go this route too instead of what I proposed in my other thread. Seems easier to setup pfsense and snort on one box right at my modem rather than another stateless firewall, a switch, and a span port to setup security onion.
  • TechGromit Member Posts: 2,156 ■■■■■■■■■□
    I keep my network air-gapped, best security defense layer you can get.
    Still searching for the corner in a round room.
  • thomas_ Member Posts: 1,012 ■■■■■■■■□□
    If you use a wireless keyboard and/or mouse make sure it's not a model vulnerable to mouse/keyboard jacking.
  • Cert Poor Member Posts: 240 ■■■□□□□□□□
    j86schroeder wrote: »
    Get a box and install pfsense firewall, which will be a firewall that is inline with the whole network.
    Modem set in pass through hitting pfsense firewall box, then going to a router.
    (Problem is my modem is actually an all-in-one router/wifi/modem.) What is the best home router if I just disable routing and wifi on my all-in-one modem?

    Just use pfSense as your edge router as well.

    j86schroeder wrote: »
    Modem / Pfsense firewall / Router / Switch / Wireless Router

    Use your current consumer wireless router as a wireless access point only. In other words, turn off all routing/NAT/DNS/DHCP functionality. Let pfSense handle all router functions, NAT, DNS, and DHCP.

    j86schroeder wrote: »
    If I wanted to setup 802.1x on that network using EAP-TLS, do I actually need another box? I have never setup authentication before especially mutual authentication where both the client and the server doing the authentication.

    There's a FreeRADIUS2 package for pfSense that will handle your 802.1x authentication for your WLAN. A FreeRADIUS3 package is in the works.

    j86schroeder wrote: »
    If I am going to do 802.1x, I will need a good switch correct, that is what is going to enable me to do some network segmentations/VLANs

    If you want physical port security with 802.1x, then yes, you'd probably need a managed switch. For WLAN 802.1x security, you wouldn't.

    j86schroeder wrote: »
    After the switch add in the Wireless router.

    Reminder to use it as a WAP only and not a router.
    In progress: MTA: Database Fundamentals (98-364)
    Next up: CompTIA Cloud Essentials+ (CLO-002) or LPI Linux Essentials (010-160)
    Earned: CompTIA A+, Net+, Sec+, Server+, Proj+
    ITIL-F v3 2011 | ServiceNow CSA, CAD, CIS | CWNP CWTS
  • jamesleecoleman Member Posts: 1,899 ■■■■■□□□□□
    I'm actually looking at buying an appliance through pfSense. Untangle is a little more expensive.
    Booya!!
    WIP : | CISSP [2018] | CISA [2018] | CAPM [2018] | eCPPT [2018] | CRISC [2019] | TORFL (TRKI) B1 | Learning: | Russian | Farsi |
    *****You can fail a test a bunch of times but what matters is that if you fail to give up or not*****
  • j86schroeder Member Posts: 17 ■□□□□□□□□□
    Since I am really strapped for money as I do not have a job right now, is it possible to just install some kind of virtual machine on my primary machine I am using right now? Using Virtual Box since it is free, and then load the pfSense firewall onto that virtual machine? That way at least I got some kind of firewall, although I would still be using my all in one wifi/router/cable modem.

    Cable Modem > Router/Wifi/All in One > Primary PC running a virtual machine VirtualBox with pfSense installed.
    I am already using at least a 20key special character along with WPA2-AES/CCMP

    I don't see VirtualBox....

    https://doc.pfsense.org/index.php/Installing_pfSense#Virtual_Machines
  • Danielh22185 Member Posts: 1,195 ■■■■□□□□□□
    Well now I found a use for my old PC my wife keeps nagging me to find a use for or get rid of :)


    Edit:

    Just found a Udemy course on this too:

    https://www.udemy.com/pfsense-turn-ordinary-pc-into-enterprise-firewall-for-free/
    Currently Studying: IE Stuff...kinda...for now...
    My ultimate career goal: To climb to the top of the computer network industry food chain.
    "Winning means you're willing to go longer, work harder, and give more than anyone else." - Vince Lombardi
  • markulous Member Posts: 2,394 ■■■■■■■■□□
    j86schroeder wrote: »
    Since I am really strapped for money as I do not have a job right now, is it possible to just install some kind of virtual machine on my primary machine I am using right now? Using Virtual Box since it is free, and then load the pfSense firewall onto that virtual machine? That way at least I got some kind of firewall, although I would still be using my all in one wifi/router/cable modem.

    Cable Modem > Router/Wifi/All in One > Primary PC running a virtual machine VirtualBox with pfSense installed.
    I am already using at least a 20key special character along with WPA2-AES/CCMP

    I don't see VirtualBox....

    https://doc.pfsense.org/index.php/Installing_pfSense#Virtual_Machines

    It may not be officially supported, but you can definitely try. Just need to give it its own IP on your network and have two NICs, and you'd want to put it before your router. Not sure how well it'd work for your main rig like that, connected directly to a WAN. That seems a bit problematic, but it doesn't hurt to try either.
  • jamesleecoleman Member Posts: 1,899 ■■■■■□□□□□
    Shoot, I've tried to use Untangle in a vm for a firewall/ids and it didn't go well lol. I did find a guide to do it but I do believe that people have gotten it to work. I kept losing the internet connection.
    Booya!!
    WIP : | CISSP [2018] | CISA [2018] | CAPM [2018] | eCPPT [2018] | CRISC [2019] | TORFL (TRKI) B1 | Learning: | Russian | Farsi |
    *****You can fail a test a bunch of times but what matters is that if you fail to give up or not*****
  • Ertaz Member Posts: 934 ■■■■■□□□□□
    I use the little Zotac box. Runs like a champ for 50/5. https://www.zotac.com/us/product/mini_pcs/zbox-ci325-nano
  • Cert Poor Member Posts: 240 ■■■□□□□□□□
    j86schroeder wrote: »
    Since I am really strapped for money as I do not have a job right now, is it possible to just install some kind of virtual machine on my primary machine I am using right now? Using Virtual Box since it is free, and then load the pfSense firewall onto that virtual machine? That way at least I got some kind of firewall, although I would still be using my all in one wifi/router/cable modem.

    Cable Modem > Router/Wifi/All in One > Primary PC running a virtual machine VirtualBox with pfSense installed.
    I am already using at least a 20key special character along with WPA2-AES/CCMP

    I don't see VirtualBox....

    https://doc.pfsense.org/index.php/Installing_pfSense#Virtual_Machines

    You really need a dedicated machine for best results. You can use a machine with only one NIC, but you'd then have to use a managed switch and set up VLANs so that individual ports on the managed switch become your WAN and LAN (bare minimum) and other interfaces.

    There's some dirt cheap options online by Chinese makers that are pfSense capable. You won't be able to do hardcore gigabit routing and packet filtering over OpenVPN (especially) and definitely can't do IDS/IPS using Snort/Suricata over most Atoms and Celerons, especially on a decent sized WAN. But those cheap units do well for basic firewalling and routing and are great for learning and tinkering.

    I think some of the cheaper ones are $100-200.

    Edited to add: Those come without RAM or mSATA storage, which would add to your cost.

    By all means, you can play around with the pfSense image in VirtualBox, but it may be difficult to bridge and force route all your traffic through the VM. But it may be possible.
    In progress: MTA: Database Fundamentals (98-364)
    Next up: CompTIA Cloud Essentials+ (CLO-002) or LPI Linux Essentials (010-160)
    Earned: CompTIA A+, Net+, Sec+, Server+, Proj+
    ITIL-F v3 2011 | ServiceNow CSA, CAD, CIS | CWNP CWTS
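    Two earlier points in this thread come together here: the advice to put WLAN, guest and IoT devices on their own VLANs, and the note above that a single-NIC pfSense box becomes a router for those VLANs via a managed switch. The script below is an added example, not code from the thread or from pfSense: it models pfSense's first-match, default-deny evaluation on each VLAN interface and audits a ruleset against the flows a home user actually cares about. The addressing, interface names and rule objects are constructed assumptions; the "This Firewall" destination is modelled as `"self"`. The point it demonstrates is the classic mistake where "pass IoT to any" also passes IoT to the LAN and to the firewall's admin GUI, and how rule order fixes it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed (constructed) addressing for the three VLAN interfaces on the firewall.
NETS = {
    "LAN":   ipaddress.ip_network("192.168.10.0/24"),
    "IOT":   ipaddress.ip_network("192.168.20.0/24"),
    "GUEST": ipaddress.ip_network("192.168.30.0/24"),
}
# The firewall's own address on each VLAN (what pfSense calls "This Firewall").
SELF = {"LAN": "192.168.10.1", "IOT": "192.168.20.1", "GUEST": "192.168.30.1"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    iface: str             # ingress VLAN interface the rule is attached to
    proto: str             # "any", "tcp" or "udp"
    dst: str               # "any", "rfc1918", "self", or a CIDR string
    dport: Optional[int]   # None means any destination port


def _dst_matches(rule: Rule, dst_ip: str, iface: str) -> bool:
    ip = ipaddress.ip_address(dst_ip)
    if rule.dst == "any":
        return True
    if rule.dst == "rfc1918":
        return any(ip in net for net in RFC1918)
    if rule.dst == "self":
        return dst_ip == SELF[iface]
    return ip in ipaddress.ip_network(rule.dst)


def evaluate(rules, iface: str, proto: str, dst_ip: str, dport: Optional[int] = None) -> str:
    """First-match evaluation on the ingress interface, as pfSense does it.
    Anything no rule matches falls through to the implicit default deny."""
    for r in rules:
        if r.iface != iface:
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if not _dst_matches(r, dst_ip, iface):
            continue
        return r.action
    return "block"


# The common mistake: "pass IoT to any" reads like "let IoT reach the internet",
# but "any" also includes every other internal VLAN and the firewall's admin GUI.
NAIVE = [
    Rule("pass", "IOT",   "any", "any", None),
    Rule("pass", "GUEST", "any", "any", None),
    Rule("pass", "LAN",   "any", "any", None),
]

# Corrected: on each isolated VLAN, allow DNS to the firewall itself, then block
# every private destination, and only then pass the remainder (the internet).
# Rule order is what makes this work; swapping the last two re-opens the hole.
HARDENED = [
    Rule("pass",  "IOT",   "udp", "self",    53),
    Rule("block", "IOT",   "any", "rfc1918", None),
    Rule("pass",  "IOT",   "any", "any",     None),
    Rule("pass",  "GUEST", "udp", "self",    53),
    Rule("block", "GUEST", "any", "rfc1918", None),
    Rule("pass",  "GUEST", "any", "any",     None),
    Rule("pass",  "LAN",   "any", "any",     None),
]

# Flows worth checking before committing a ruleset:
# (ingress VLAN, proto, destination, port, what the policy should say)
CHECKS = [
    ("IOT",   "tcp", "192.168.10.50", 445, "block"),  # IoT to a LAN file share
    ("IOT",   "tcp", "192.168.20.1",  443, "block"),  # IoT to the firewall web GUI
    ("IOT",   "udp", "192.168.20.1",  53,  "pass"),   # IoT DNS via the firewall
    ("IOT",   "tcp", "203.0.113.10",  443, "pass"),   # IoT to its cloud service
    ("GUEST", "tcp", "192.168.20.5",  80,  "block"),  # guest to an IoT device
    ("LAN",   "tcp", "192.168.20.5",  80,  "pass"),   # LAN manages IoT devices
]


def audit(rules):
    """Return the checks whose actual decision differs from the intended one."""
    failures = []
    for iface, proto, dst, port, expected in CHECKS:
        actual = evaluate(rules, iface, proto, dst, port)
        if actual != expected:
            failures.append((iface, proto, dst, port, expected, actual))
    return failures


if __name__ == "__main__":
    for name, rules in (("naive", NAIVE), ("hardened", HARDENED)):
        problems = audit(rules)
        print(f"{name}: {len(problems)} policy violation(s)")
        for p in problems:
            print("  ", p)
```

    The model deliberately ignores stateful return traffic and NAT, which pfSense handles for you; what it captures is the ordering logic on the ingress interface, which is where most home segmentation mistakes live. When you translate the hardened set into the pfSense GUI, keep the same order on each VLAN tab: the "This Firewall" DNS pass, then the block to private networks, then the pass to any.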
  • kurosaki00 Member Posts: 973
    German shepherd and a .45?
    meh
  • geo8 Member Posts: 5 ■□□□□□□□□□
    There is lot of very interesting information in this thread. Indeed there is nothing like having one's own little sandbox.
    But my question is -- how do you guys generate enough events and traffic to simulate a bit of an enterprise-type scenario?
  • stryder144 Member Posts: 1,684 ■■■■■■■■□□
    I have a cable modem > Ubiquiti UniFi Security Gateway > Ubiquiti UniFi Switch 8 PoE 60W > Ubiquiti UniFi Cloud Key > Unifi AP AC Pro. I plan to add a Sophos UTM between the cable modem and the gateway. I have an old Dell desktop that I am going to use for that purpose.

    I went to a Cloud Security Alliance Meet Up where they gave a presentation for Elastic Stack. Thinking about trying to integrate that into the mix. I want to use it to help analyze the traffic and figure out what might be good vs bad traffic. The only issue I have is that I have limited hardware resources to accomplish all of this. With the volume of attacks in the wild and the different type of traffic present on my home network (SOHO-sized), I think I could generate enough data to analyze.
    The easiest thing to be in the world is you. The most difficult thing to be is what other people want you to be. Don't let them put you in that position. ~ Leo Buscaglia

    Connect With Me || My Blog Site || Follow Me
  • NavyMooseCCNA Member Posts: 544 ■■■■□□□□□□
    kurosaki00 wrote: »
    German shepherd and a .45?
    Two attack cats and an AR-15.

    'My dear you are ugly, but tomorrow I shall be sober and you will still be ugly' Winston Churchill

  • yoba222 Member Posts: 1,237 ■■■■■■■■□□
    Good timing to bump this. I'm thinking about weaning myself off DropBox. My home router seems to have a lot of features, like can use as a SFTP server and/or a web server, but I don't know if I trust it and it doesn't seem to offer brute force IP address dropping. Was thinking some kind of pFsense box and then a Raspberry Pi in a DMZ.
    A+, Network+, CCNA, LFCS,
    Security+, eJPT, CySA+, PenTest+,
    Cisco CyberOps, GCIH, VHL,
    In progress: OSCP
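    The post above wants "brute force IP address dropping" in front of a self-hosted SFTP box in a DMZ. The script below is an added example, not code from the thread or from any project: it reads sshd authentication log lines, keeps a sliding window of failed logins per source address, bans an address once it crosses a threshold inside the window, and never bans a trusted LAN range so you cannot lock yourself out. The log lines are constructed; the pf table name `bruteforce` in the generated `pfctl` commands is an assumption, and the table would have to exist in your pf configuration for those commands to mean anything.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd auth-log lines (syslog format) for a host named "pi".
# Addresses are documentation ranges; nothing here is captured traffic.
SAMPLE_LOG = """\
Mar  1 09:40:00 pi sshd[1100]: Failed password for root from 203.0.113.7 port 39001 ssh2
Mar  1 09:55:00 pi sshd[1102]: Failed password for root from 203.0.113.7 port 39002 ssh2
Mar  1 10:10:00 pi sshd[1104]: Failed password for root from 203.0.113.7 port 39003 ssh2
Mar  1 10:15:02 pi sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 40112 ssh2
Mar  1 10:15:20 pi sshd[1203]: Failed password for root from 198.51.100.23 port 40120 ssh2
Mar  1 10:15:41 pi sshd[1205]: Failed password for invalid user pi from 198.51.100.23 port 40131 ssh2
Mar  1 10:16:02 pi sshd[1207]: Accepted publickey for backup from 192.168.10.50 port 52211 ssh2
Mar  1 10:16:15 pi sshd[1209]: Failed password for invalid user test from 198.51.100.23 port 40140 ssh2
Mar  1 10:16:40 pi sshd[1211]: Failed password for root from 198.51.100.23 port 40152 ssh2
Mar  1 10:20:01 pi sshd[1301]: Failed password for backup from 192.168.10.50 port 52300 ssh2
Mar  1 10:20:05 pi sshd[1303]: Failed password for backup from 192.168.10.50 port 52301 ssh2
Mar  1 10:20:09 pi sshd[1305]: Failed password for backup from 192.168.10.50 port 52302 ssh2
Mar  1 10:20:13 pi sshd[1307]: Failed password for backup from 192.168.10.50 port 52303 ssh2
Mar  1 10:20:17 pi sshd[1309]: Failed password for backup from 192.168.10.50 port 52304 ssh2
Mar  1 10:25:00 pi sshd[1106]: Failed password for root from 203.0.113.7 port 39004 ssh2
Mar  1 10:40:00 pi sshd[1108]: Failed password for root from 203.0.113.7 port 39005 ssh2
"""

# Matches sshd's "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def find_bans(lines, max_failures=5, window_seconds=600, trusted=("192.168.0.0/16",), year=2024):
    """Return {ip: datetime_of_ban} for sources that reach max_failures within the window.

    Syslog timestamps carry no year, so one is supplied; lines are assumed to be
    in chronological order, as they are in a log file."""
    trusted_nets = [ipaddress.ip_network(n) for n in trusted]
    recent = defaultdict(deque)   # per-IP timestamps of failures still inside the window
    banned = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip = m["ip"]
        if ip in banned:
            continue
        if any(ipaddress.ip_address(ip) in net for net in trusted_nets):
            continue   # never lock out the LAN, whatever it does
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {year}", "%b %d %H:%M:%S %Y")
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()   # drop failures that have aged out of the window
        if len(q) >= max_failures:
            banned[ip] = ts
    return banned


def to_pfctl(banned, table="bruteforce"):
    """Render the ban list as pfctl table additions (table name is an assumption)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in banned]


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
    print("\n".join(to_pfctl(find_bans(SAMPLE_LOG.splitlines()))))
```

    With the defaults, the fast attacker in the sample is banned on its fifth failure while the slow one, spaced fifteen minutes apart, never accumulates five failures inside a ten-minute window; widening the window to an hour catches it too. That trade-off between window length and false positives is the whole tuning problem for this kind of tool, which is why the trusted-range exemption matters before you point it at a live box.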