Netgate Discussion Forum
Admin LAN Best Practices

General pfSense Questions
pinballwiz

Hello,

I have segmented my network so that the admin interfaces of all my network equipment are on one LAN / pfSense port (i.e. pfSense admin GUI, managed switch interfaces, Unifi Controller and Admin Laptop). The other LAN & VLAN subnets do not have access. No problems with the setup, all works well. I manage the network locally from a dedicated Laptop. However, I find that I need WAN access on the admin network for firmware updates, Admin Laptop OS updates, time servers etc. It would seem that limiting or inhibiting WAN communications would be best for sensitive admin interfaces, but it doesn't seem feasible. I could limit what the network talks to via allowed aliases; however, with changing destination servers or time servers behind proxies I could spend a lot of time administering my admin LAN. Is it wise to allow this admin LAN to talk to the WAN? What are best practices?

Just to clarify, I am not talking about remote admin management, only local.
stephenw10 (Netgate Administrator)

As you say, you probably need some access for firmware updates, but you can still restrict what can reach out and on what ports. Allow only what you need. As you also said, though, it's likely unrealistic to set a limited destination IP for firmware updates; they are probably hosted in a CDN with dynamic IPs.

Steve
johnpoz (LAYER 8 Global Moderator) @pinballwiz

@pinballwiz you could always just enable internet when you're going to do a firmware upgrade, and then just disable it again when you're done with your updates.

It would be a pita to figure out and configure all the places you might download firmware from for multiple devices, etc.

Time services shouldn't be an issue, just pull time from pfSense. pfSense can talk to as few or as many NTP servers as you want, etc.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11
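The "allow only what you need" approach from Steve's reply, combined with johnpoz's points about pulling time from pfSense and only opening internet access for update windows, written out as a pf ruleset fragment for the admin interface. This is an added example, not configuration from the thread or from Netgate: the interface name igb2, the subnet 10.10.0.0/24 and the firewall address 10.10.0.1 are made-up placeholders, and the helper names are this example's own. On pfSense the equivalent rules are entered under Firewall > Rules on the admin interface; the text form simply makes the allow list explicit and reviewable.

```shell
#!/bin/sh
# Added example (not from the thread): a pf ruleset fragment for an admin LAN
# that allows only what the admin hosts actually need.
# Assumed, constructed values (override via the environment):
#   ADMIN_IF  - pf interface name of the admin LAN
#   ADMIN_NET - the admin subnet
#   FW_ADDR   - pfSense's own address on that subnet (it serves DNS and NTP)
ADMIN_IF="${ADMIN_IF:-igb2}"
ADMIN_NET="${ADMIN_NET:-10.10.0.0/24}"
FW_ADDR="${FW_ADDR:-10.10.0.1}"

# Emit the ruleset text. Every rule uses "quick", so the first match wins,
# top to bottom, and the final block rule catches everything not listed.
admin_lan_rules() {
    cat <<EOF
# --- admin LAN ($ADMIN_IF, $ADMIN_NET) ---
# Time and name resolution come from pfSense itself, not from the internet.
pass in quick on $ADMIN_IF proto udp from $ADMIN_NET to $FW_ADDR port 123 keep state
pass in quick on $ADMIN_IF proto { tcp, udp } from $ADMIN_NET to $FW_ADDR port 53 keep state
# The firewall's own GUI and SSH are reachable from the admin net only.
pass in quick on $ADMIN_IF proto tcp from $ADMIN_NET to $FW_ADDR port { 22, 443 } keep state
# Firmware and OS updates usually come from CDNs with changing addresses, so the
# destination stays open but the protocol set is limited to HTTP/HTTPS and logged.
# Disable this one rule outside update windows to get the "enable, update, disable" flow.
pass in log quick on $ADMIN_IF proto tcp from $ADMIN_NET to any port { 80, 443 } keep state
# Everything else leaving the admin net is dropped and logged.
block in log quick on $ADMIN_IF from $ADMIN_NET to any
EOF
}

# How many pass rules let traffic leave the box to an unrestricted destination.
# A reviewer wants this number small; here it is exactly one (the update rule).
count_any_dest() {
    admin_lan_rules | grep -c '^pass .* to any '
}

# Syntax-check the ruleset with pf itself when pfctl exists (FreeBSD/pfSense);
# on other systems just print the text for review.
main() {
    if command -v pfctl >/dev/null 2>&1; then
        admin_lan_rules | pfctl -nf -
    else
        admin_lan_rules
    fi
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with `sh admin_lan_rules.sh --run` to print (or, on pfSense/FreeBSD, syntax-check) the fragment. Do not paste it into pfSense's generated rules file, which the GUI rewrites; recreate the five rules in the GUI and compare the result against this list. The logged block rule is what tells you which device quietly wants a port you did not expect, which is the information needed to keep the allow list short without guessing.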
bPsdTZpW

I approach this issue by allowing outbound-only WAN access from the admin net, but using different limited accounts on the admin computer for network admin vs. for general browsing. This approach makes it unlikely that anything will penetrate the admin browser (running under limited account a and used only to administer network devices) and also that anything that penetrates the general browsing browser (running under limited account b) will find it difficult to jump to the admin network.

I also firewall the admin browser account on the admin computer so that it doesn't have access to anything but the network devices' IPs. That prevents accidentally doing general browsing on the admin browser.

Finally, I never run browsers, email clients, or any other network-using software under administrator (root) accounts.

This is looser than it could be, but also more convenient.
Gertjan @bPsdTZpW

@bpsdtzpw

Why so restrictive on browsers, devices, etc.?
If you want to remove 95 % of all possible issues, start by removing yourself from the equation.
That is, you still have to admin devices, so do what works best: learn to recognize the risks. All this "Internet" related stuff is very recent, and ... guess what: the Internet was invented to document itself, and is easy to access.

About the dangers of devices, devices etc.: use a laptop without a (hard) disk. Make your own "USB with open source OS + browser + SSH client etc." Boot from it, and do your work. Nothing will be kept on the device, as it is a read-only stored OS.

Btw: I probably have boatloads of risky devices behind my pfSense, as I'm using a captive portal for our clients. They can use our router (pfSense captive portal, which is by nature an untrusted 'LAN' network) but they can't access pfSense itself: traffic flows through it, without any effect on the router. This has worked fine for the last decade or so.

No "help me" PM's please. Use the forum, the community will thank you.
Edit: and where are the logs??
bPsdTZpW

I administer a home network, so my safety/security tradeoffs are a bit different than they would be were I administering an enterprise network. In particular, I want to be able to use one machine for both network administration and general use.

Therefore, to keep the network safe, I have to keep the admin computer extra safe. That means going the extra mile to avoid malware by, e.g., running browsers for different purposes in different limited accounts, using the admin computer's firewall to prevent general browsing in the network admin browser, etc.
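The per-account host firewall that bPsdTZpW describes in both posts above (a separate limited account for the admin browser, and the admin computer's own firewall restricting that account to the network devices' addresses), as an added example on a Linux admin laptop using nftables. This is not bPsdTZpW's own configuration: the account name netadmin, the device subnet 10.10.0.0/24 and the resolver 10.10.0.1 are assumed values, and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): an nftables ruleset that pins one local
# account on a Linux admin laptop to the network devices' addresses only.
# Assumed, constructed values (override via the environment):
#   ADMIN_USER - local account under which only the admin browser runs
#   DEVICE_NET - subnet holding pfSense, switches, controller, etc.
#   RESOLVER   - DNS server the laptop uses (pfSense on the admin net here)
ADMIN_USER="${ADMIN_USER:-netadmin}"
DEVICE_NET="${DEVICE_NET:-10.10.0.0/24}"
RESOLVER="${RESOLVER:-10.10.0.1}"

# nftables matches the sending process's uid with "meta skuid", so the rules
# apply to one account; the general-browsing account is not touched at all.
# The account must exist when the ruleset is loaded, because nft resolves the
# name to a uid at load time.
admin_account_rules() {
    cat <<EOF
table inet admin_egress {
    chain output {
        type filter hook output priority 0; policy accept;
        # loopback stays open for local daemons (e.g. a UniFi controller on this laptop)
        oif "lo" accept
        # the admin account may reach the devices and resolve names, nothing else
        meta skuid "$ADMIN_USER" ip daddr $DEVICE_NET accept
        meta skuid "$ADMIN_USER" ip daddr $RESOLVER udp dport 53 accept
        meta skuid "$ADMIN_USER" ip daddr $RESOLVER tcp dport 53 accept
        # anything else from that account is refused and logged, so an accidental
        # general-browsing attempt in the admin browser shows up in the kernel log
        meta skuid "$ADMIN_USER" log prefix "admin-egress-denied: " reject
    }
}
EOF
}

# Number of rules that let the admin account send anything at all; three here
# (device subnet plus DNS over UDP and TCP), which is the whole allow list.
count_admin_accepts() {
    admin_account_rules | grep -c "skuid \"$ADMIN_USER\".*accept"
}

# Load the table with nft when it is installed; otherwise print it for review.
main() {
    if command -v nft >/dev/null 2>&1; then
        admin_account_rules | nft -f -
    else
        admin_account_rules
    fi
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Load it as root with `sh admin_egress.sh --run`; afterwards `nft list table inet admin_egress` shows the live rules and `journalctl -k | grep admin-egress-denied` shows every connection the admin account tried to make outside the device subnet. Because the match is on uid, the general-browsing account's traffic is unaffected, which is the split between "account a" and "account b" described above; the reject rule rather than a silent drop means a misdirected browser fails immediately instead of hanging.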
NollipfSense

To me, the best LAN practice is all about the Firewall rules as well as using one browser specifically for admin work, in my case, Opera. I even use a Mikrotik LAN king (the new RB450x4) as guard and the only devices not allowed to go out are the indoor cameras, since we sometimes walk around in the house naked. pfSense is our main gatekeeper to the world.

pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.
pinballwiz @pinballwiz

@pinballwiz Appreciate the feedback. My takeaway from the post thus far seems to be the following: Allow the admin net outbound WAN access but use a dedicated OS/browser for admin work.

That was pretty much where I am, so it is good to get some validation:
In my current setup I'm allowing outbound WAN access to the admin LAN (during working hours) and using a Linux laptop dedicated only for admin work (non-root account of course). I keep it updated/patched and it also runs the Unifi controller software for management and firmware updates of Unifi equipment.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.