Kitz ADSL Broadband Information forum
Author Topic: Excessive Security / Zero Trust at Home  (Read 2483 times)

XGS_Is_On

  • Reg Member
  • ***
  • Posts: 479
Excessive Security / Zero Trust at Home
« on: October 23, 2023, 06:05:37 PM »

Hello Folks,

For reasons I can't really go into right now, I'm having to harden the home network a ton against intrusion after having it relatively chill for a while.

Is this something that you folks would be interested in my going into detail on as I progress? Obviously crazy fast broadband and all that is one thing; this'll involve micro-segmentation, intrusion detection and prevention and some other stuff that's not available to most home users, so it might be interesting.
YouFibre You8000 customer: symmetrical 8 Gbps.

Yes, more money than sense. Story of my life.

roseway

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 43619
  • Penguins CAN fly
    • DSLstats
Re: Excessive Security / Zero Trust at Home
« Reply #1 on: October 23, 2023, 06:22:13 PM »

I'm sure that several members will be interested in the subject, even though your setup is way beyond anything that most of us would need. :)
  Eric

XGS_Is_On

  • Reg Member
  • ***
  • Posts: 479
Re: Excessive Security / Zero Trust at Home
« Reply #2 on: October 24, 2023, 12:05:55 PM »

Well, step 1 I need a meatier server to run VMs on. It needs enough juice to be able to do full Deep Packet Inspection on 20 Gbps of throughput - a 2 x SFP28 port NIC worth.

Can get a refurbished server with 2 x Xeon Gold 6154 CPUs, more than enough RAM and fast enough storage.

I'd quite like to implement an HTTPS proxy separately from the VM handling the DPI, which will mean getting a certificate all devices will accept; the ones that won't go into an untrusted VLAN with the other Internet of Stuff devices.

Proxy ARP on the switches in the home to force everything internal through inspection as well and make forwarding decisions: bump in the wire goodness.

XGS_Is_On

  • Reg Member
  • ***
  • Posts: 479
Re: Excessive Security / Zero Trust at Home
« Reply #3 on: October 30, 2023, 07:07:15 PM »

Materials so far acquired or used from stock for this network refresh from 2020 kit, replacement of a failed server and extension of wired network to another couple of rooms:

2 x 20m, 1 x 40m run of Invisilight SMF for extra resilience and capacity
1 x 2 x SFP+, 2 x 2.5 GbE switch
Dual-18C/36T CPU, 256 GB RAM workstation
2 x 2 TB M.2 SSD drives
2 x SFP28 DACs
AMD Pensando DSP DSC-25 card
2 x Mikrotik RB5009 routers
Mikrotik hAP AX2 Access Point
Mikrotik hAP AC2 Lite TC Access Point
QNAP TS-453 Pro NAS, 4 x 8 TB Seagate Green HDD (Spinning rust!) in RAID 10

Software:

VMWare ESXi 8u2
Mikrotik Cloud Hosted Router
Edgeconnect Enterprise EC-V SD-WAN virtual appliance
Syslog server on NAS, drinking in the logs
SIEM Platform: TBC

Looks like it'll be a two layer approach with the CHR terminating the main 8G and one of the RB5009s terminating the backup link. DMZ behind them alongside cross connects between EC-V and another RB5009 and the two routers terminating circuits. The only NAT happens at the CHR and RB5009 the Internet connections are plugging into - everything else is routed, with routes exchanged using a dynamic routing protocol, not static routes.

EC-V has the best security functionality by a mile so will be relied on heavily. Having routers outside it means compromising those routers gives you nothing. Compromising the DMZ gives you nothing. A few VLANs will be segmenting different things with WiFi APs and cabled ports guiding devices into the right VLAN.

VRRP between EC-V and the LAN-side RB5009 helps protect against failure. Every VLAN on the LAN-side of the EC-V, 5 of them, will have VRRP protecting it.
« Last Edit: October 30, 2023, 07:10:06 PM by XGS_Is_On »

XGS_Is_On

  • Reg Member
  • ***
  • Posts: 479
Re: Excessive Security / Zero Trust at Home
« Reply #4 on: October 30, 2023, 07:16:05 PM »

Aside from all that stuff various connections that aren't to known-good sites on the Internets will be going via Axis SSE.

Just for starters. Tons more to do, design and then build.

XGS_Is_On

  • Reg Member
  • ***
  • Posts: 479
Re: Excessive Security / Zero Trust at Home
« Reply #5 on: November 10, 2023, 03:59:02 PM »

Resiliency in place and complete. Zero single point of failure on the network apart from the switch and cable going to the device.

Storage upgraded to TrueNAS, encrypted ZFS file system, loads of solid state caching, logging read ahead and write behind alongside handling dedupe for spinning rust.

Mail server currently running on QNAP NAS moving into new VLAN. Sensitive data to be removed from QNAP NAS: living only in TrueNAS and encrypted cloud backup. Copies of data as encrypted archives only left on the QNAP for DR, removal of 50% of disks from it. Boring, non-sensitive stuff only to remain on it. Mail service will be moved from it in time.

Native VLAN is where the internal traffic from us lives. It is in the SOHO security zone and is protected from the other zones inbound. It can talk to them, they may not to it.

102, the IoT network, goes out to the Internet via an intrusion detection and prevention system. It's in a different VRF from everything else, so from its point of view the rest of the LAN doesn't exist.

105, Guest, also has its own VRF. The traffic goes via both local intrusion detection and then a cloud-based Secure Web Gateway. DNS is snooped to assist with identification.

106 will be a management network. Security policy to be confirmed.

107 is a lab network. Only thing on it right now is a router that sits in between the interface and a 'dirty' network sinkholed. I don't want the stuff behind that router trying to chat to devices in the 107 network so they can't. :)
« Last Edit: November 10, 2023, 04:15:33 PM by XGS_Is_On »
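An added example, not code from the thread: a small Python model of the VLAN and zone policy described in Reply #5 (the native SOHO zone may initiate sessions to the other zones but they may not initiate back; 102 and 105 sit in their own VRFs and can only see the Internet), so the stated invariants can be checked against constructed flows. The zone names, the "internet" pseudo-zone, and the assumption that 106 and 107 reach only the Internet are mine, since the thread leaves their policy unconfirmed.

```python
# Added example: a model of the zone policy from the thread, not a device config.
# Zone names, the "internet" pseudo-zone and the 106/107 policy are assumptions.

# Each VLAN maps to a security zone and a VRF. 102 and 105 live in their own
# VRFs, so from their side the rest of the LAN has no route at all.
ZONES = {
    "native": {"zone": "soho", "vrf": "main"},
    "102": {"zone": "iot", "vrf": "iot"},
    "105": {"zone": "guest", "vrf": "guest"},
    "106": {"zone": "mgmt", "vrf": "main"},  # policy TBC on the page: assumed Internet-only
    "107": {"zone": "lab", "vrf": "main"},   # assumed Internet-only as well
    "internet": {"zone": "internet", "vrf": None},
}

# Which zone may *initiate* a session towards which. SOHO may talk to
# everything; nothing else may initiate towards SOHO.
INITIATE = {
    "soho": {"iot", "guest", "mgmt", "lab", "internet"},
    "iot": {"internet"},
    "guest": {"internet"},
    "mgmt": {"internet"},
    "lab": {"internet"},
}


def decide(src, dst, established=False):
    """Return (verdict, reason) for a packet from VLAN src to VLAN dst.

    Replies to an already established session are accepted first, which is
    what makes the policy one-way: SOHO opens the session, the answer flows
    back, but the other zone can never open one of its own.
    """
    s, d = ZONES[src], ZONES[dst]
    if established:
        return ("accept", "reply within an established session")
    # Isolated VRFs only carry a default route: anything but Internet is unreachable.
    if s["vrf"] != "main" and d["zone"] != "internet":
        return ("drop", f"{s['zone']} VRF has no route to {d['zone']}")
    if d["zone"] in INITIATE.get(s["zone"], set()):
        return ("accept", f"{s['zone']} may initiate to {d['zone']}")
    return ("drop", f"{s['zone']} may not initiate to {d['zone']}")


def audit(flows):
    """Evaluate constructed (src, dst, established) flows; return the verdicts."""
    return [decide(*flow)[0] for flow in flows]
```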