  1. Junior Member
    Join Date
    Mar 2015
    Posts
    17
    #1

    Default Best Home Network Setups with Defense in Depth / Layered Security

    Can anyone give me some ideas on setting up layered security at your house?

    Cable Modem set in passthrough > IDS or IPS (Which brand? Hardware/Software) > Cisco/Juniper Firewall?

    Thanks.

  3. Passion For IT
    Join Date
    Mar 2008
    Posts
    595

    Certifications
    MCTS, MCITP, MCP, A+, Server+, Security+, Project+, CCENT, CCNA-Sec, CEH, CHFI
    #2
    I use a pfSense setup with Snort. Simple, but it is a pretty powerful device. I just use an old PC (i5 series) for it, which handles my 25/2 connection just fine (DSL... sucks).

    I would love to go with a Cisco ASA, but I just like the pfSense setup.
    A few certs here and there and everywhere...
    AAS: Computer Security
    BS: Information Technology - Security (WGU)
    MS: Information Security & Assurance (WGU)
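A pfSense-plus-Snort box is only as useful as the tuning you do after installing it, and that tuning comes down to two knobs: a per-rule event threshold so a burst of the same thing raises one alert instead of hundreds, and a suppression for a host you already know is noisy. The following is an added example, not code from the original post and not part of Snort itself: a toy matcher for a small subset of Snort rule syntax that implements exactly those two knobs. The HOME_NET value, both rules, the suppression entry and the sample traffic are constructed for illustration.

```python
"""
Added example, not from the thread or from Snort: a toy matcher for a small
subset of Snort rule syntax showing a per-rule event threshold and a
threshold.conf-style suppression. HOME_NET, the rules and the sample traffic
are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

VARS = {
    "$HOME_NET": [ipaddress.ip_network("192.168.10.0/24")],
    "$EXTERNAL_NET": None,   # None means "not $HOME_NET", Snort's usual definition
}

RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force"; '
    'threshold:type threshold, track by_src, count 5, seconds 60; sid:1000001; rev:1;)',
    'alert udp any any -> $HOME_NET 53 (msg:"DNS to LAN host"; sid:1000002; rev:1;)',
]

# Equivalent of: suppress gen_id 1, sig_id 1000002, track by_src, ip 192.168.10.1
SUPPRESS = [{"sid": 1000002, "track": "by_src", "ip": ipaddress.ip_address("192.168.10.1")}]

HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$")


def parse_rule(text):
    """Parse 'action proto src sport -> dst dport (options)' for the options used here."""
    action, proto, src, sport, dst, dport, opts = HEADER.match(text.strip()).groups()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        rule[key.strip()] = val.strip().strip('"')
    rule["sid"] = int(rule["sid"])
    if "threshold" in rule:   # "type threshold, track by_src, count 5, seconds 60"
        fields = dict(kv.strip().split(" ") for kv in rule["threshold"].split(","))
        rule["threshold"] = {"track": fields["track"], "count": int(fields["count"]),
                             "seconds": int(fields["seconds"])}
    return rule


def ip_in(addr, spec):
    if spec == "any":
        return True
    nets = VARS[spec]
    if nets is None:
        return not ip_in(addr, "$HOME_NET")
    return any(addr in net for net in nets)


def port_in(port, spec):
    return spec == "any" or int(spec) == port


def header_matches(rule, pkt):
    return (rule["proto"] == pkt["proto"]
            and ip_in(pkt["src"], rule["src"]) and port_in(pkt["sport"], rule["sport"])
            and ip_in(pkt["dst"], rule["dst"]) and port_in(pkt["dport"], rule["dport"]))


class Engine:
    def __init__(self, rules, suppress):
        self.rules = [parse_rule(r) for r in rules]
        self.suppress = suppress
        self.seen = defaultdict(list)   # (sid, tracked address) -> event timestamps

    def suppressed(self, rule, pkt):
        for s in self.suppress:
            tracked = pkt["src"] if s["track"] == "by_src" else pkt["dst"]
            if s["sid"] == rule["sid"] and tracked == s["ip"]:
                return True
        return False

    def process(self, pkt):
        """Return the alerts (sid, msg, source) this packet raises after tuning."""
        alerts = []
        for rule in self.rules:
            if not header_matches(rule, pkt) or self.suppressed(rule, pkt):
                continue
            th = rule.get("threshold")
            if th:
                tracked = pkt["src"] if th["track"] == "by_src" else pkt["dst"]
                hist = self.seen[(rule["sid"], tracked)]
                hist.append(pkt["ts"])
                hist[:] = [t for t in hist if pkt["ts"] - t < th["seconds"]]
                if len(hist) < th["count"]:
                    continue
                hist.clear()   # type threshold: one alert per `count` events in the window
            alerts.append((rule["sid"], rule["msg"], str(pkt["src"])))
        return alerts


def pkt(ts, proto, src, sport, dst, dport):
    return {"ts": ts, "proto": proto, "src": ipaddress.ip_address(src), "sport": sport,
            "dst": ipaddress.ip_address(dst), "dport": dport}


# Constructed sample traffic, not a capture
SAMPLE = (
    [pkt(i, "tcp", "203.0.113.9", 40000 + i, "192.168.10.20", 22) for i in range(6)]  # 6 SSH attempts in 6 s
    + [pkt(10, "udp", "192.168.10.1", 5353, "192.168.10.20", 53),    # the router itself, suppressed
       pkt(11, "udp", "192.168.10.77", 50000, "192.168.10.20", 53),  # another LAN host, alerts
       pkt(12, "tcp", "192.168.10.5", 50001, "192.168.10.20", 22)]   # internal SSH, not $EXTERNAL_NET
)


def run(packets):
    engine = Engine(RULES, SUPPRESS)
    return [alert for p in packets for alert in engine.process(p)]


if __name__ == "__main__":
    for alert in run(SAMPLE):
        print(alert)
```

Six SSH attempts from the same outside address produce one alert rather than six, the router's own DNS traffic produces none because of the suppression, and the internal SSH session never matches because $EXTERNAL_NET excludes $HOME_NET. Real Snort evaluates far more (content matching, flow state, preprocessors); the point is that threshold and suppress entries are where most of the "too many alerts" problem gets solved.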

  4. Senior Member Cert Poor's Avatar
    Join Date
    Jul 2010
    Posts
    224

    Certifications
    ITIL, CWTS, A/N/S/Serv+, ServiceNow x3
    #3
    • armed guards 24/7
    • a moat with sharks with frickin lasers
    • catapults
    • mantraps
    • every door physically locked requiring multi-factor authentication. Even the bathroom. Forgot your PIN? Pee in a bucket.
    • get rid of all copper cabling and replace with fiber optic
    • line entire house with TEMPEST/EMI/RFI material to create Faraday cage
    • dogs
    • tigers
    • Home Alone-esque honeypots

    (OK, so the only thing above I seriously dream about doing is wiring my entire house with fiber instead of copper. After I get rich.)

    As a home user, can you really afford the enterprise stuff for personal use? I mean, buying a $50-100K Palo Alto firewall (or two) would break the bank. So would a fleet of Cisco or Juniper equipment. And UTM appliances.

    Even SMB equipment like Barracuda or Sonicwall can be pricey for home use.

    For home use, stick with Free and Open Source. For IDS/IPS, look into Snort and Suricata. For firewalls, look into things like pfSense or Untangle. Follow best practices on ruleset creation and default deny and whitelisting. Tuning IDS/IPS is tough (at least for me).

    I found out Splunk offers a free tier. That'd be cool in a nerdy overkill way to run at home to aggregate and analyze data.

    Practice good security through isolation. Create good VLANs to segment your network. Segment your WLAN traffic on its own VLAN. Segment Guest WLAN on its own VLAN that's even more locked down. Captive portals with time-based vouchers for guests. If you have IoT devices, put them on their own VLAN. Switch all WLAN from WPA2-PSK to WPA2-Enterprise. I use EAP-TLS at home and love it. Certificates out the wazoo. Mutual authentication.

    I think I need to change my pants.



    Edited to Add: Also remember that availability is a key part of your security posture. Next phases in your home projects can be to add redundancy. Instead of one WAN connection, buy two and set up active-active or active-passive. Instead of one edge router/firewall, use two. UPSs everywhere. A home generator. Good backup and DR practices with off-site backups.
    Last edited by Cert Poor; 07-04-2017 at 04:29 AM.
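The segmentation described in the post above (trusted LAN, EAP-TLS WLAN, locked-down guest WLAN, IoT on its own VLAN, default deny with whitelisting) is easy to state and easy to get subtly wrong in rule order. The following is an added example, not part of the original post and not a pfSense export: the same design written as a first-match policy with an implicit default deny, evaluated in code so you can check what each VLAN can actually reach before and after a rule change. Interface names, subnets and the specific rules are assumptions for illustration.

```python
"""
Added example, not part of the original post: the segmented home network
described above as a first-match firewall policy with an implicit default
deny. Interface names, subnets and rules are assumptions for illustration.
"""
import ipaddress

# One /24 per VLAN; the firewall holds the first host address on each (assumed)
VLANS = {
    "LAN":   ipaddress.ip_network("192.168.10.0/24"),   # trusted wired hosts
    "WLAN":  ipaddress.ip_network("192.168.20.0/24"),   # WPA2-Enterprise / EAP-TLS clients
    "GUEST": ipaddress.ip_network("192.168.30.0/24"),   # captive-portal guests
    "IOT":   ipaddress.ip_network("192.168.40.0/24"),   # cameras, TVs, plugs
}
FIREWALL_ADDRS = {net[1] for net in VLANS.values()}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def rule(action, iface, proto="any", dst="any", dport="any", note=""):
    return {"action": action, "iface": iface, "proto": proto, "dst": dst, "dport": dport, "note": note}


# Evaluated per ingress interface, first match wins. Anything that falls off
# the end is dropped, which is the default deny pfSense applies to every interface.
POLICY = [
    # every VLAN gets DNS and DHCP from the firewall itself, nothing else on it
    rule("pass", "*", "udp", dst="firewall", dport=53, note="DNS to firewall"),
    rule("pass", "*", "udp", dst="firewall", dport=67, note="DHCP to firewall"),
    # trusted LAN: unrestricted, including management of the IoT VLAN
    rule("pass", "LAN", note="LAN unrestricted"),
    # authenticated WLAN: like LAN, except no firewall web UI / SSH
    rule("block", "WLAN", dst="firewall", note="no firewall admin from WLAN"),
    rule("pass", "WLAN", note="WLAN to LAN and Internet"),
    # guests: Internet web only; the block on private ranges must come before the allows
    rule("block", "GUEST", dst="rfc1918", note="guest isolation"),
    rule("pass", "GUEST", "tcp", dport=80, note="guest HTTP"),
    rule("pass", "GUEST", "tcp", dport=443, note="guest HTTPS"),
    # IoT: any Internet traffic, never the other VLANs
    rule("block", "IOT", dst="rfc1918", note="IoT cannot reach other VLANs"),
    rule("pass", "IOT", note="IoT Internet access"),
]


def dst_matches(spec, dst):
    if spec == "any":
        return True
    if spec == "firewall":
        return dst in FIREWALL_ADDRS
    if spec == "rfc1918":
        return any(dst in net for net in RFC1918)
    return dst in ipaddress.ip_network(spec)


def ingress_iface(src):
    for name, net in VLANS.items():
        if src in net:
            return name
    raise ValueError(f"{src} is not on a known VLAN")


def evaluate(proto, src, dst, dport):
    """Return (action, note) for the first matching rule, or the default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    iface = ingress_iface(src)
    for r in POLICY:
        if r["iface"] not in ("*", iface) or r["proto"] not in ("any", proto):
            continue
        if r["dport"] not in ("any", dport) or not dst_matches(r["dst"], dst):
            continue
        return r["action"], r["note"]
    return "block", "default deny"


def audit():
    """A few flows worth re-checking after any rule change (constructed, not captured)."""
    flows = [
        ("tcp", "192.168.40.50", "192.168.10.20", 22),      # IoT camera -> LAN host
        ("tcp", "192.168.40.50", "93.184.216.34", 443),     # IoT -> vendor cloud
        ("udp", "192.168.30.10", "192.168.30.1", 53),       # guest -> firewall DNS
        ("tcp", "192.168.30.10", "192.168.30.1", 443),      # guest -> firewall web UI
        ("tcp", "192.168.30.10", "93.184.216.34", 25),      # guest -> outbound SMTP
        ("tcp", "192.168.20.15", "192.168.10.1", 443),      # WLAN -> firewall web UI
        ("tcp", "192.168.10.5", "192.168.40.50", 80),       # LAN -> IoT camera
    ]
    return {flow: evaluate(*flow) for flow in flows}


if __name__ == "__main__":
    for flow, verdict in audit().items():
        print(f"{flow[1]:>14} -> {flow[2]:<14} {flow[0]}/{flow[3]:<4} {verdict[0]:5} ({verdict[1]})")
```

Two things the audit makes visible that a rule list alone does not: the guest and IoT "block private ranges" rules have to sit above their allows or the allows win, and the "DNS to firewall" rule has to be scoped to UDP/53 or it quietly exposes the firewall's own web UI to the guest VLAN. Keeping a list of flows like `audit()` and re-running it after every change is the cheap version of a regression test for your segmentation.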

  5. Senior Member
    Join Date
    Dec 2015
    Location
    USA
    Posts
    543

    Certifications
    CISSP, B.S.-IT, A.A.S.-Computer Forensics & Security, CSA+, A+, Network+, Security+, Six-Sigma, Solarwinds SCP
    #4
    I use pfsense with Snort

    Cable modem > pfsense firewall > (wireless) Router > switch >

  6. Senior Member
    Join Date
    Oct 2013
    Location
    Denver, CO
    Posts
    2,327

    Certifications
    MS: Information Security, CISSP, GCIH, CEH, CHFI, CCNA: S, CCNA: R&S, VCP6-DTM, Linux+, Project+, VCA6-DCV
    #5
    Quote Originally Posted by dhay13:
    I use pfsense with Snort

    Cable modem > pfsense firewall > (wireless) Router > switch >
    I forgot that pfSense offers a Snort add-on to their product.

    What kind of hardware did you use?

  7. Junior Member
    Join Date
    Mar 2015
    Posts
    17
    #6
    Thanks for all of that information! Very helpful. Now of course I am poor, but I was researching as well to see if there was something in particular that I needed to buy. It sounds like, for home network security, I should stick with free and open source.

    Get a box and install a pfSense firewall, which will be a firewall that is inline with the whole network.
    Modem set in passthrough hitting the pfSense firewall box, then going to a router.
    (Problem is my modem is actually an all-in-one router/wifi/modem.) What is the best home router if I just disable routing and wifi on my all-in-one modem?

    Modem / pfSense firewall / Router / Switch / Wireless Router
    If I wanted to set up 802.1x on that network using EAP-TLS, do I actually need another box? I have never set up authentication before, especially mutual authentication where both the client and the server do the authentication. Which leads to my next question: where can I find information about setting up a honeynet/honeypot? I do not have much experience with virtualization other than downloading VirtualBox, getting an image of Win2012 and Win7, and setting it up for PXE boot to do deployment.

    If I am going to do 802.1x, I will need a good switch, correct? That is what is going to enable me to do some network segmentation/VLANs.

    After the switch, add in the wireless router.

  8. Senior Member
    Join Date
    Dec 2015
    Location
    USA
    Posts
    543

    Certifications
    CISSP, B.S.-IT, A.A.S.-Computer Forensics & Security, CSA+, A+, Network+, Security+, Six-Sigma, Solarwinds SCP
    #7
    Quote Originally Posted by markulous:
    I forgot that pfSense offers a Snort add-on to their product.

    What kind of hardware did you use?
    I had an old Gateway FX6800 lying around that I installed it on. Way overkill for pfSense, but it's what I had...lol. pfSense is very lightweight, so not much is needed. Just about any old PC would work.

  9. Senior Member
    Join Date
    Oct 2013
    Location
    Denver, CO
    Posts
    2,327

    Certifications
    MS: Information Security, CISSP, GCIH, CEH, CHFI, CCNA: S, CCNA: R&S, VCP6-DTM, Linux+, Project+, VCA6-DCV
    #8
    Quote Originally Posted by dhay13:
    I had an old Gateway FX6800 lying around that I installed it on. Way overkill for pfSense, but it's what I had...lol. pfSense is very lightweight, so not much is needed. Just about any old PC would work.
    Right, especially for a home network. I think I may go this route too instead of what I proposed in my other thread. It seems easier to set up pfSense and Snort on one box right at my modem rather than another stateless firewall, a switch, and a SPAN port to set up Security Onion.

  10. Completely Clueless TechGromit's Avatar
    Join Date
    Oct 2015
    Location
    Galloway, NJ
    Posts
    1,392

    Certifications
    A+, Network +, GSEC, GCIH, Lunatic+
    #9
    I keep my network air-gapped, best security defense layer you can get.
    Still searching for the corner in a round room.

  11. Senior Member
    Join Date
    Apr 2015
    Posts
    717

    Certifications
    CCNA R&S, Security+, Network+, Linux Essentials
    #10
    If you use a wireless keyboard and/or mouse make sure it's not a model vulnerable to mouse/keyboard jacking.

  12. Senior Member Cert Poor's Avatar
    Join Date
    Jul 2010
    Posts
    224

    Certifications
    ITIL, CWTS, A/N/S/Serv+, ServiceNow x3
    #11
    Quote Originally Posted by j86schroeder:
    Get a box and install a pfSense firewall, which will be a firewall that is inline with the whole network.
    Modem set in passthrough hitting the pfSense firewall box, then going to a router.
    (Problem is my modem is actually an all-in-one router/wifi/modem.) What is the best home router if I just disable routing and wifi on my all-in-one modem?
    Just use pfSense as your edge router as well.

    Quote Originally Posted by j86schroeder:
    Modem / pfSense firewall / Router / Switch / Wireless Router
    Use your current consumer wireless router as a wireless access point only. In other words, turn off all routing/NAT/DNS/DHCP functionality. Let pfSense handle all router functions, NAT, DNS, and DHCP.

    Quote Originally Posted by j86schroeder:
    If I wanted to set up 802.1x on that network using EAP-TLS, do I actually need another box? I have never set up authentication before, especially mutual authentication where both the client and the server do the authentication.
    There's a FreeRADIUS2 package for pfSense that will handle your 802.1x authentication for your WLAN. A FreeRADIUS3 package is in the works.

    Quote Originally Posted by j86schroeder:
    If I am going to do 802.1x, I will need a good switch, correct? That is what is going to enable me to do some network segmentation/VLANs.
    If you want physical port security with 802.1x, then yes, you'd probably need a managed switch. For WLAN 802.1x security, you wouldn't.

    Quote Originally Posted by j86schroeder:
    After the switch, add in the wireless router.
    Reminder to use it as a WAP only and not a router.

  13. Senior Member
    Join Date
    Dec 2007
    Location
    Grand Rapids, Michigan
    Posts
    1,872

    Certifications
    Network+ : A+ : Security+ : eJPT : Life+
    #12
    I'm actually looking at buying an appliance through pfSense. Untangle is a little more expensive.
    Booya!!
    ------------------------------------------------------------------------------------------
    WIP : | CISSP [2018] | CISA [2018] | CAPM [2018] | eCPPT [2018] | CRISC [2019] | TORFL (TRKI) B1 | Learning: | Russian | Farsi |
    *****You can fail a test a bunch of times but what matters is that if you fail to give up or not*****

  14. Junior Member
    Join Date
    Mar 2015
    Posts
    17
    #13
    Since I am really strapped for money, as I do not have a job right now, is it possible to just install some kind of virtual machine on the primary machine I am using right now? Using VirtualBox since it is free, and then load the pfSense firewall onto that virtual machine? That way at least I'd have some kind of firewall, although I would still be using my all-in-one wifi/router/cable modem.

    Cable Modem > Router/Wifi/All in One > Primary PC running a virtual machine (VirtualBox) with pfSense installed.
    I am already using at least a 20-character key with special characters, along with WPA2-AES/CCMP.

    I don't see VirtualBox....

    https://doc.pfsense.org/index.php/In...rtual_Machines

  15. Senior Member Danielh22185's Avatar
    Join Date
    Apr 2012
    Location
    DFW Area
    Posts
    1,172

    Certifications
    CCNP R&S, CCNA, CCENT
    #14
    Well, now I found a use for my old PC that my wife keeps nagging me to find a use for or get rid of.


    Edit:

    Just found a Udemy course on this too:

    https://www.udemy.com/pfsense-turn-o...wall-for-free/
    Last edited by Danielh22185; 07-10-2017 at 03:57 PM.
    Currently Studying: IE Stuff...kinda...for now...
    My ultimate career goal: To climb to the top of the computer network industry food chain.
    "Winning means you're willing to go longer, work harder, and give more than anyone else." - Vince Lombardi

  16. Senior Member
    Join Date
    Oct 2013
    Location
    Denver, CO
    Posts
    2,327

    Certifications
    MS: Information Security, CISSP, GCIH, CEH, CHFI, CCNA: S, CCNA: R&S, VCP6-DTM, Linux+, Project+, VCA6-DCV
    #15
    Quote Originally Posted by j86schroeder:
    Since I am really strapped for money, as I do not have a job right now, is it possible to just install some kind of virtual machine on the primary machine I am using right now? Using VirtualBox since it is free, and then load the pfSense firewall onto that virtual machine? That way at least I'd have some kind of firewall, although I would still be using my all-in-one wifi/router/cable modem.

    Cable Modem > Router/Wifi/All in One > Primary PC running a virtual machine (VirtualBox) with pfSense installed.
    I am already using at least a 20-character key with special characters, along with WPA2-AES/CCMP.

    I don't see VirtualBox....

    https://doc.pfsense.org/index.php/In...rtual_Machines
    It may not be officially supported, but you can definitely try. You'd just need to give it its own IP on your network and have two NICs, and you'd want to put it before your router. Not sure how well it'd work with your main rig connected directly to a WAN like that. That seems a bit problematic, but it doesn't hurt to try either.

  17. Senior Member
    Join Date
    Dec 2007
    Location
    Grand Rapids, Michigan
    Posts
    1,872

    Certifications
    Network+ : A+ : Security+ : eJPT : Life+
    #16
    Shoot, I've tried to use Untangle in a VM for a firewall/IDS and it didn't go well, lol. I did find a guide to do it, but I do believe that people have gotten it to work. I kept losing the internet connection.

  18. I drink and I know things Ertaz's Avatar
    Join Date
    Jan 2006
    Posts
    673

    Certifications
    CISSP, CASP, CSA+, GPEN, CCNA Cyber Ops, Security+, MCP
    #17
    I use the little Zotac box. Runs like a champ for 50/5. https://www.zotac.com/us/product/min...box-ci325-nano

  19. Senior Member Cert Poor's Avatar
    Join Date
    Jul 2010
    Posts
    224

    Certifications
    ITIL, CWTS, A/N/S/Serv+, ServiceNow x3
    #18
    Quote Originally Posted by j86schroeder:
    Since I am really strapped for money, as I do not have a job right now, is it possible to just install some kind of virtual machine on the primary machine I am using right now? Using VirtualBox since it is free, and then load the pfSense firewall onto that virtual machine? That way at least I'd have some kind of firewall, although I would still be using my all-in-one wifi/router/cable modem.

    Cable Modem > Router/Wifi/All in One > Primary PC running a virtual machine (VirtualBox) with pfSense installed.
    I am already using at least a 20-character key with special characters, along with WPA2-AES/CCMP.

    I don't see VirtualBox....

    https://doc.pfsense.org/index.php/In...rtual_Machines
    You really need a dedicated machine for best results. You can use a machine with only one NIC, but you'd then have to use a managed switch and set up VLANs so that individual ports on the managed switch become your WAN and LAN (bare minimum) and other interfaces.

    There are some dirt-cheap options online by Chinese makers that are pfSense capable. You won't be able to do hardcore gigabit routing and packet filtering over OpenVPN (especially), and you definitely can't do IDS/IPS using Snort/Suricata on most Atoms and Celerons, especially on a decent-sized WAN. But those cheap units do well for basic firewalling and routing and are great for learning and tinkering.

    I think some of the cheaper ones are $100-200.

    Edited to add: Those come without RAM or mSATA storage, which would add to your cost.

    By all means, you can play around with the pfSense image in VirtualBox, but it may be difficult to bridge and force-route all your traffic through the VM. But it may be possible.
    Last edited by Cert Poor; 07-15-2017 at 02:16 PM.

  20. Pancakes and Lasagna kurosaki00's Avatar
    Join Date
    Nov 2008
    Location
    Indianapolis
    Posts
    943

    Certifications
    CCENT, A+, Network+
    #19
    German shepherd and a .45?
