How To Apply Security To An Entire Network?

I've been reading up for a while about security and potential threats recently, and I'm going to start taking extra precautions to ensure that my home network and all of the devices on it are safe and clean to use. Now, I have family members who aren't quite as literate when it comes to using technology; I mean, my father still needs my help when it comes to looking something up on eBay. I've come to the conclusion that my family just don't want to learn about technology, like, at all. It's easier just to have me do it, I guess, which is kinda fair enough, but also annoying for me.

I'm pretty good when it comes to security. I mean, I'm not a security expert, but I use common sense, download from reliable/trusted sources, install updates ASAP, do frequent scans and such. But my family don't even know how to run security scans or run updates, and their lack of knowledge and understanding when it comes to utilising technology has cost me the life of one of my previous laptops.

So I'll cut to the chase. Do any of you know of anything I can do to ensure that all of the devices on the network are safe to use and safe to interact with other devices? I mean, I'm looking for a nice solution that means I don't have to go and ensure that all devices are up to date, that all the devices are frequently being scanned, and so on and so forth.

Would you guys recommend a physical firewall? Or is that overkill for a household network? I'll soon be installing something like Wireshark, as I don't know of any other networking utilities. I'm no networking pro either; I'd consider myself a complete and utter beginner when it comes to networking and security. I know some basic concepts about networking, like the different topologies and some fundamental networking principles and such, but I have zero knowledge of the more advanced stuff in terms of networking.

Then in terms of security, all I know is that it's good to shut ports when you don't need them open, and again, simple things like that. This is why I'm asking you guys for advice on how I can ensure that every device on my LAN is safe/clean without me having to monitor everything on each individual device.

I'm still just a CS student, so yeah, I'm not an expert at anything to do with technology realistically speaking.

A pfSense router with an integrated firewall should be good enough. Not quite as good as having a physical firewall, but it should be OK for your use case and relatively cheap. It'll probably take you a few hours of watching guides, but it should stop most threats.

Just close all ports above 1000 and have a whitelist + firewall. Takes 10 seconds.

If you need to do anything fancy you will need to have vlans.

Yeah, of course I don't need some top-grade firewall from Cisco or anything; I mean, I would've thought that a small/cheap-as-hell firewall would be 100% fine! I know that half of this issue comes from me being a paranoid nut job. I mean, I doubt anything terrible would happen, but who knows? When I built my first computer I stuck 11 case fans in because I was so worried about temps, I'm just that paranoid.... XD .... Not to mention that I had a Gentle Typhoon that would spin at 5,400 RPM, but I had to take that out; it was basically as loud as a hoover, I s**t you not.

Sounds simple and effective tbf.

I can't imagine I'd need anything too fancy, as long as my solution(s) helps protect all devices on the network, it should be fine.

1 Like

At my work, the machines on the floor are allowed intranet access only with a very few outside sites -- on the whitelist specific to their vlan.

1 Like

For a company, I can totally see why that's necessary! :)

The only issue I have with applying that to my home network is that I can see my family freaking out and getting pretty pi**ed with me if I block their access to certain pages, regardless of how harmful they are. I mean, all jokes aside, I live with people who have to ask me to install an HDMI cable just to link a DVD player to a TV. It's kinda funny, but it's not at the same time.

I dread to think how they'll cope when I move out! :/ ... If I moved far away, I'd expect a lot of phone calls....

VLANs ;)

Put them on a less restrictive VLAN.

1 Like

Just VLAN alone sounds sexual.... Should I be aroused or not? .... Either way, I think it's a good thing to look into, never thought of it before, but I can imagine roughly how it works... To the YouTube tutorials it is!

For instance, you could have 4 VLANs.

One for servers
One for you
One for family
One for guests

Server
whitelist certain sites; where they pull updates from, etc. All only specific outside connections.

You
whatever you want

Family
less restrictive, but behind a good firewall. Intranet-only access to the server VLAN.

Guest
no whitelist. Behind a firewall. Block intranet access to other nodes and the server VLAN.

1 Like

I have a separate VLAN for all of my family's devices that pretty much has no restrictions on it other than not being able to access my machines or the router/modem web pages. Works pretty well. They can't access/break my stuff because the firewall + VLANs prevent them from doing anything.

That's a pretty important feature to include:

1 Like

I inherently distrust any device that I don't have complete control over, and I don't want some rogue computer on the network attacking my servers or main machine. This approach works pretty well because, as far as anyone else on the network is concerned, everything works as usual, i.e. the internet works, so they don't care.

1 Like

Yep, that sounds perfect; that sounds like what I want to try and implement on my home network. I mean, on my desk alone I have a little switch because of a NAS device I have, in addition to my PC and laptop; it's just some small and cheap 5-port switch. Not to mention that one of the ports is taken up by one of those power-line access points, because I can't run a cable all the way through the house. I mean, I could, I just don't have permission. In addition to a few other things. But because my download speeds are crappy anyway, the power-line connection is just as good as having a direct connection from my PC straight to the router.

This is currently how the network isolation is set up. They have web access to my server/SSH for GitLab, and I block all access to every other interface on the router.

I also have floating rules to restrict access to router management/modem pages.

All this is done with a cheap 8-port Netgear managed switch and pfSense.

2 Likes
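The four-VLAN split described above (server / you / family / guest) and the posts about keeping the family VLAN off the router and modem web pages can be written down as an ordered, first-match rule list and checked before anything is typed into pfSense. The Python below is an added example, not code from the thread or from pfSense; the /24 per VLAN, the firewall address 10.0.10.1 and the update-mirror addresses are assumptions made for the example.

```python
"""Model of the four-VLAN policy from the thread: first-match rules, default deny.

Addressing, the firewall's address and the update-mirror whitelist are assumed
for this example; they are not from the original posts.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Assumed addressing: one /24 per VLAN.
ZONES = {
    "server": ipaddress.ip_network("10.0.10.0/24"),
    "you":    ipaddress.ip_network("10.0.20.0/24"),
    "family": ipaddress.ip_network("10.0.30.0/24"),
    "guest":  ipaddress.ip_network("10.0.40.0/24"),
}
# Hypothetical address of the firewall itself (web UI, DNS resolver).
FIREWALL = ipaddress.ip_address("10.0.10.1")
# Hypothetical update mirrors the server VLAN may reach; nothing else outbound.
UPDATE_MIRRORS = frozenset(map(ipaddress.ip_address, ["203.0.113.10", "203.0.113.11"]))


@dataclass(frozen=True)
class Rule:
    action: str                            # "allow" or "deny"
    src: str                               # zone name or "any"
    dst: str                               # zone, "firewall", "internet" or "any"
    dport: Optional[int] = None            # None matches any destination port
    dst_hosts: Optional[FrozenSet] = None  # extra host whitelist on top of dst
    note: str = ""


# Evaluated top to bottom; the first matching rule wins, like pfSense.
RULES = [
    # Management plane first, as floating rules would be: every VLAN may use
    # the firewall for DNS, only "you" may reach its web UI or anything else.
    Rule("allow", "any", "firewall", dport=53, note="DNS for every VLAN"),
    Rule("allow", "you", "firewall", note="admin VLAN manages the firewall"),
    Rule("deny",  "any", "firewall", note="no router/modem pages for others"),
    # Server VLAN: outbound only to whitelisted update mirrors.
    Rule("allow", "server", "internet", dst_hosts=UPDATE_MIRRORS, note="update mirrors"),
    Rule("deny",  "server", "any", note="servers initiate nothing else"),
    # Your VLAN: whatever you want.
    Rule("allow", "you", "any"),
    # Family VLAN: internet plus intranet access to the server VLAN only.
    Rule("allow", "family", "server", note="family may use the servers"),
    Rule("allow", "family", "internet"),
    Rule("deny",  "family", "any", note="family cannot touch your machines"),
    # Guest VLAN: internet only, no intranet at all.
    Rule("allow", "guest", "internet"),
    Rule("deny",  "guest", "any", note="guests see nothing internal"),
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the local VLANs is 'internet'."""
    addr = ipaddress.ip_address(ip)
    if addr == FIREWALL:
        return "firewall"
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def evaluate(src_ip: str, dst_ip: str, dport: int) -> Tuple[str, str]:
    """Decide whether a NEW connection src_ip -> dst_ip:dport is allowed."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    dst_addr = ipaddress.ip_address(dst_ip)
    for rule in RULES:
        if rule.src not in (src, "any"):
            continue
        if rule.dst not in (dst, "any"):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        if rule.dst_hosts is not None and dst_addr not in rule.dst_hosts:
            continue
        return rule.action, rule.note
    return "deny", "implicit default deny"   # no rule matched


# One representative host per zone (constructed), used for the overview table.
SAMPLE_HOSTS = {
    "server": "10.0.10.20", "you": "10.0.20.7", "family": "10.0.30.5",
    "guest": "10.0.40.9", "firewall": str(FIREWALL), "internet": "198.51.100.9",
}


def policy_matrix(dport: int = 443) -> dict:
    """Verdict for every (source zone, destination zone) pair on one port."""
    return {(s, d): evaluate(SAMPLE_HOSTS[s], SAMPLE_HOSTS[d], dport)[0]
            for s in ZONES for d in SAMPLE_HOSTS if s != d}


if __name__ == "__main__":
    for (s, d), verdict in sorted(policy_matrix().items()):
        print(f"{s:>7} -> {d:<9} {verdict}")
```

The model only covers who may open a connection; a stateful firewall lets the replies back through, which is why the server VLAN can answer the family VLAN without an explicit rule. `zone_of` treats any address outside the listed /24s as "internet", so an extra local range (the modem's own subnet, for instance) needs its own zone before you rely on the table.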

Getting a firewall should be priority 1.
Other than that, basically just limit the usage for the non-admin users to a point where you don't constrict them, but you don't let stupid run rampantly loose on your network.
This could be, e.g., your network hard drive: instead of sharing the complete drive, just make a folder per user which they, and you, can access.
Other than some simple things, there's not really a whole lot you can do to protect your network, except maybe make sure they have antivirus installed and so on, because stupid is and stupid does, and not even the world's best sysadmin can hinder your sister or father from clicking that email from a random guy he knows asking him to click this Russian link to see cute kitties.

I love the way you worded this statement, but nevertheless, it's so true.

If you want a "one solution fits all" system, have a look at Sophos UTM Home Edition; it's free for home use. It includes a firewall, antivirus for clients incl. management, proxy/web filtering and more. Another good, but not as integrated, solution is pfSense.

Install OpenWrt or DD-WRT on your router and set up Privoxy to create a blacklist for nasty sites and ads, then set up your VPN on it.
You can set firewall rules on the router for a network firewall, or you can do it locally per client for a client firewall. Additionally, it's smart to use sandboxing applications / VMs when browsing websites that are suspicious. A great program is 'PortableApps', which allows you to create a persistent sandbox environment for all your programs on a flash drive.

Typically you want to deny all outbound unless explicitly enabled and required. NAT should handle inbound traffic.
Premium firewall software that you pay for actually comes with this, to dynamically create rules based on your usage patterns. A worthy investment if you don't want to do it manually or be encumbered by learning firewall rules and ports.

Most malware / viruses are downloaded through outbound connections, not inbound. You accidentally download something that creates an attack vector to set up reverse shells, etc. Also make your SSID long, since the encryption algorithm is generated by it. Disable WPS on your router as well, because Reaver can crack that in 4-10 hours. If you have a common SSID name like netgear, linksys, home, etc., a hacker could use rainbow tables to decrypt your hash and get your password.

Setting up a VPN on your home router is probably one of your best protection mechanisms because of the tunneling protocol.

Additionally, you can set up canary tokens all throughout your system that trigger an alert if the file gets modified or read in any way. It's the poor man's version of a honeypot.

Keeping your system up to date is the most important thing. A lot of software has vulnerabilities and exploits, which also creates more attack vectors. Also drivers: IObit has a wonderful driver-updating program. Also there's a program out there that auto-updates your applications (can't remember) but it's super handy. I will have to find my notes and I will edit this later.

Local security is arguably more important than network security. You don't know who is going to be in your house, at what time in the future, and whether you're going to be there. It's very easy to break into a system that doesn't have an encrypted drive, especially on Windows. You can literally buy a $20 USB key to strip and clone admin rights, as well as get access to the registry and shell prompts. Setting up a system / BIOS password and drive encryption with Secure Boot is a must.

3 Likes
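One way to build the file-based "poor man's honeypot" the post above describes on a single host, as an added example that is not code from the thread or from any canary-token service: plant a decoy file, record a baseline, and on each later check report whether it was modified, replaced, touched, read or removed. The bait content and the file name are constructed for the example.

```python
"""Local canary file: baseline a decoy, then report any later tampering.

Added example. The bait text and the path used in demo() are constructed;
nothing here comes from the thread.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List


def _sha256(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def fingerprint(path: str) -> Dict[str, object]:
    """Stat first, then hash, then put atime back so our own read is not a hit."""
    st = os.stat(path)
    digest = _sha256(path)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))
    return {"sha256": digest, "size": st.st_size, "inode": st.st_ino,
            "mtime_ns": st.st_mtime_ns, "atime_ns": st.st_atime_ns}


def plant(path: str, bait: bytes) -> Dict[str, object]:
    """Write the decoy and return its baseline; store the baseline off-box."""
    with open(path, "wb") as f:
        f.write(bait)
    return fingerprint(path)


def check(path: str, baseline: Dict[str, object]) -> List[str]:
    """Return a list of alerts describing how the canary differs from baseline."""
    if not os.path.exists(path):
        return ["missing"]
    now = fingerprint(path)
    alerts: List[str] = []
    if now["sha256"] != baseline["sha256"] or now["size"] != baseline["size"]:
        alerts.append("modified")
    elif now["mtime_ns"] != baseline["mtime_ns"]:
        alerts.append("touched (mtime changed, content identical)")
    if now["inode"] != baseline["inode"]:
        alerts.append("replaced (inode changed)")
    if now["atime_ns"] > baseline["atime_ns"]:
        # Only visible on mounts that update atime (strictatime/relatime).
        alerts.append("read (atime advanced)")
    return alerts


def demo() -> Dict[str, List[str]]:
    """Plant a decoy in a temp dir and record what each tampering step reports."""
    workdir = tempfile.mkdtemp(prefix="canary-")
    path = os.path.join(workdir, "passwords.txt")            # constructed bait name
    baseline = plant(path, b"nas_admin: hypothetical-bait-password\n")
    results = {"clean": check(path, baseline)}               # expect []
    with open(path, "rb") as f:                              # someone reads the bait
        f.read()
    results["after_read"] = check(path, baseline)            # [] on noatime mounts
    with open(path, "ab") as f:                              # someone edits it
        f.write(b"extra line\n")
    results["after_modify"] = check(path, baseline)          # contains "modified"
    os.remove(path)
    results["after_delete"] = check(path, baseline)          # ["missing"]
    shutil.rmtree(workdir, ignore_errors=True)
    return results


if __name__ == "__main__":
    for step, alerts in demo().items():
        print(f"{step:<13} {alerts}")
```

Read detection depends on the mount's atime policy (a `noatime` mount never reports it; `relatime` usually does for a file that has not been read since it was written). Run `check` from cron or a timer and write the result somewhere the monitored host cannot reach, since anyone with write access to the box can also rewrite the baseline. Hosted canary tokens work differently: the decoy embeds a URL that phones home when opened, so they fire even when the file has been copied elsewhere.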

+1. A prime principle of network security is isolation and compartmentalization. Using different subnets on your network is an easy solution. Just gotta keep communicating smart devices in the same subnet.

1 Like

Isolation is a very good practice to have if you are managing a network and have devices that need to be secure. I guess the point where this sort of fails is when a device on a subnet is compromised; it could also affect other devices on the same subnet, but at least the damage is limited. Actually, according to the DHCP leases, my isolated network has 14 devices connected to it, which is the most on the network (the biggest pool of devices to compromise), but the important thing to remember about this setup is that none of the devices on this subnet are mine. The subnet is firewalled from all of my devices, so in a sense this network is the wild west for my family's devices. I do have pfBlockerNG running on the interface, which should stop some of the malicious stuff, but you can't protect stupid if a family member decides to download some questionable stuff. At least I am somewhat safe from it.