
Excessive Security / Zero Trust at Home


XGS_Is_On:
Hello Folks,

For reasons I can't really go into for right now I'm having to harden the home network a ton against intrusion after having it relatively chill for a while.

Is this something that you folks would be interested in my going into detail on as I progress? Obviously crazy fast broadband and all that is one thing; this'll involve micro-segmentation, intrusion detection and prevention and some other stuff that's not available to most home users, so it might be interesting.

roseway:
I'm sure that several members will be interested in the subject, even though your setup is way beyond anything that most of us would need. :)

XGS_Is_On:
Well, step 1 I need a meatier server to run VMs on. It needs enough juice to be able to do full Deep Packet Inspection on 20 Gbps of throughput - a 2 x SFP28 port NIC worth.

Can get a refurbished server with 2 x Xeon Gold 6154 CPUs, more than enough RAM and fast enough storage.

I'd quite like to implement an HTTPS proxy separately from the VM handling the DPI, which will mean getting a certificate all devices will accept; the ones that won't will go into an untrusted VLAN with the other Internet of Stuff devices.

Proxy ARP on the switches in the home to force everything internal through inspection as well and make forwarding decisions: bump in the wire goodness.

XGS_Is_On:
Materials acquired so far, or used from stock, for this network refresh of the 2020 kit, replacement of a failed server and extension of the wired network to another couple of rooms:

2 x 20m, 1 x 40m run of Invisilight SMF for extra resilience and capacity
1 x 2 x SFP+, 2 x 2.5 GbE switch
Dual-18C/36T CPU, 256 GB RAM workstation
2 x 2 TB M.2 SSD drives
2 x SFP28 DACs
AMD Pensando DSP DSC-25 card
2 x Mikrotik RB5009 routers
Mikrotik hAP AX2 Access Point
Mikrotik hAP AC2 Lite TC Access Point
QNAP TS-453 Pro NAS, 4 x 8 TB Seagate Green HDD (Spinning rust!) in RAID 10

Software:

VMware ESXi 8u2
Mikrotik Cloud Hosted Router
Edgeconnect Enterprise EC-V SD-WAN virtual appliance
Syslog server on NAS, drinking in the logs
SIEM Platform: TBC

Looks like it'll be a two-layer approach with the CHR terminating the main 8G and one of the RB5009s terminating the backup link. DMZ behind them alongside cross connects between the EC-V and another RB5009 and the two routers terminating circuits. The only NAT happens at the CHR and the RB5009 that the Internet connections plug into - everything else is routed, with routes exchanged using a dynamic routing protocol, not static routes.

EC-V has the best security functionality by a mile so will be relied on heavily. Having routers outside it means compromising those routers gives you nothing. Compromising the DMZ gives you nothing. A few VLANs will be segmenting different things with WiFi APs and cabled ports guiding devices into the right VLAN.

VRRP between EC-V and the LAN-side RB5009 helps protect against failure. Every VLAN on the LAN-side of the EC-V, 5 of them, will have VRRP protecting it.
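
As an added example (not from the thread, and not XGS_Is_On's actual config), here is what the LAN-side RB5009's share of that design could look like in RouterOS 7 syntax: a per-VLAN VRRP backup behind the EC-V, the inter-VLAN drop rules a micro-segmented LAN needs even on the standby path, and the LAN VLANs advertised into OSPF rather than as static routes. Everything concrete in it is an assumption: VLAN IDs and names, the 10.0.x.0/24 subnets, VRIDs, the EC-V's VRRP priority of 200, the router ID and the OSPF area. Only two of the five VLANs are shown; the other three follow the same pattern.

```routeros
# Added example, not the thread author's configuration. RouterOS 7 syntax.
# All names, VLAN IDs, addresses, VRIDs and priorities below are assumptions.

# 1. VLAN interfaces on the bridge (bridge port pvid/tagging assumed already done).
/interface vlan
add name=vlan10-trusted interface=bridge vlan-id=10
add name=vlan40-iot     interface=bridge vlan-id=40

# 2. Real per-router addresses. VRRP needs a unique address per VLAN on each
#    router; the shared gateway address is added to the VRRP interface later.
/ip address
add address=10.0.10.3/24 interface=vlan10-trusted
add address=10.0.40.3/24 interface=vlan40-iot

# 3. One VRRP instance per VLAN. Priority 100 is below the EC-V's assumed 200,
#    so the EC-V stays master while healthy and this box only takes over on
#    failure (preemption is on by default, so the EC-V reclaims the VIP when back).
/interface vrrp
add name=vrrp10 interface=vlan10-trusted vrid=10 priority=100 version=3
add name=vrrp40 interface=vlan40-iot     vrid=40 priority=100 version=3

# 4. The virtual gateway address lives on the VRRP interface, as a /32.
/ip address
add address=10.0.10.1/32 interface=vrrp10
add address=10.0.40.1/32 interface=vrrp40

# 5. Interface lists keep the firewall readable as VLANs are added.
/interface list
add name=LAN
add name=IOT
/interface list member
add interface=vlan10-trusted list=LAN
add interface=vlan40-iot     list=LAN
add interface=vlan40-iot     list=IOT

# 6. Segmentation that holds even when this router is the active gateway.
#    Allow return traffic, drop invalid, let VRRP adverts reach the router,
#    and stop the untrusted VLAN from ever initiating toward the trusted one.
/ip firewall filter
add chain=input   protocol=vrrp in-interface-list=LAN action=accept \
    comment="VRRP advertisements from the EC-V"
add chain=forward connection-state=established,related action=accept \
    comment="return traffic"
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface-list=IOT out-interface=vlan10-trusted action=drop \
    comment="IoT never initiates to trusted"
add chain=forward in-interface-list=IOT action=accept \
    comment="IoT may still reach the Internet via the EC-V/SSE path"

# 7. LAN VLANs go into OSPF as passive interfaces: the routers outside learn
#    the subnets, but no OSPF hellos are spoken onto client VLANs.
/routing ospf instance
add name=home version=2 router-id=10.0.255.2
/routing ospf area
add name=backbone instance=home area-id=0.0.0.0
/routing ospf interface-template
add area=backbone interfaces=vlan10-trusted networks=10.0.10.0/24 passive
add area=backbone interfaces=vlan40-iot     networks=10.0.40.0/24 passive
```

The check worth running once both boxes are up is `/interface vrrp print` on each: exactly one side should show `master` per VRID, and pulling the EC-V's VLAN uplink should flip the RB5009 to master within the advertisement interval. A `/ping 10.0.10.1` from a trusted client during that flip shows whether the failover is actually transparent. Note that the EC-V's own VRRP priority and the one here must differ, and that if any VLAN is left without a drop rule on this router the segmentation silently lapses the moment the EC-V fails over.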

XGS_Is_On:
Aside from all that stuff, various connections that aren't to known-good sites on the Internets will be going via Axis SSE.

Just for starters. Tons more to do, design and then build.
