Critique my setup please
-
Hi all,
Just giving a brief run down on what I am running here at home - if you could please let me know if there are any other things that I should consider to make my home network more secure it would be appreciated.
So starting off with the Firewall rules:
WAN:
basic rules in place to block top spammers using pfBlocker. <-- I feel this works quite well as the logs show me it picks up quite a few hits!
Then various rules in place to allow traffic through to my exchange server, Teamspeak 3 server and ssh access to one of my centos devices.
Rule to allow Open VPN access through.
Rule to allow / respond to ICMP packets as I have a broadband monitor using: http://www.thinkbroadband.com/
LAN:
only 1 rule here which is to allow by default everything from the LAN to any destination.
I can't think of anything which I'd like to block from the LAN but if someone has an idea let me know!
OPT1:
just the open vpn interface which has a rule to allow all traffic to pass over it.
Packages:
I run Snort - I have disabled the "Alerts" for http_inspect as google and youtube were getting picked up by this all the time along with a billion other sites <-- fairly useless IMO.
but I run just about every other possible rule set under snort apart from the Emerging threats as these sometimes didn't play nice for some reason.
Snort is also running other pre-processors like port scan etc.
I WAS running HAVP antivirus but am I correct in saying that this hasn't been updated in years? Looking at the website it seems to be last updated in 2010?
Not sure what protection this could offer me...
OpenVPN:
Currently I have 2 CAs setup each with their own server Cert and Client Cert.
One CA is for my laptop to connect into my domain and the other is for my Nexus 4.
They both use 4096 bit CA keys, Server keys, and Client Keys along with DH 4096 bit also.
The only difference is that my laptop uses 256 bit AES-CBC whereas the phone uses 192 bit AES-CBC.
I feel this is secure and with my Firewall, laptop and phone all being on modern hardware I cannot see it being any slower than using lower encryption methods.
That's all my firewalling / remote access which is handled by my pfSense box. Thoughts on this?
-
no opinions on this?
-
OK - Sure.
"OPT1:
just the open vpn interface which has a rule to allow all traffic to pass over it."
Why do you need OPT1? Is there a separate hardware openvpn server plugged into it or a separate hardware openvpn client?
You don't need to dedicate a physical port to openvpn server if it's running inside pfSense. Just allocate it an unused private subnet /24 (or so).
4096 bit CAs and certs might take more machine time to crack, but the overhead it will generate on your CPU and bandwidth is not trivial.
Unless you have a specific reason to doubt 2048 bit CAs and Certs, I would use 2048 for the speed. Even if your server has the horsepower to chew up 4096 and you have bandwidth to spare, odds are your small devices you connect to it won't have either spare CPU or bandwidth.
(Some would even say go as low as 1024, but NIST doesn't like 1024 and I'm iffy about how secure it is.)
I would also go with blowfish over AES even if it's 128 bit in your set up. To my knowledge blowfish is unbroken and it's faster. (marginally)
Plus, when uncle sam puts a seal of approval on something (like AES), I immediately go looking for something else.
Eventually we will all need to move to elliptic curve cryptography to keep our heads above water if we expect to have secure tunnels without the tunnel being 90% overhead.
-
"OK - Sure.
OPT1:
just the open vpn interface which has a rule to allow all traffic to pass over it.
Why do you need OPT1? Is there a separate hardware openvpn server plugged into it or a separate hardware openvpn client?"
Not sure what you mean mate... following this guide to get it working:
http://hardforum.com/showthread.php?t=1663797
It said that you need the OPT1 interface for the openvpn server to "bind" to? This then bridges the LAN and the Open VPN server?
So once you are authenticated you can access the LAN as you were there. -
You can access the LAN as if you are there simply by assigning an unused private domain/ip block to your openvpn server in its settings. I assign a /24 just to keep it simple and neat. Then go to your firewall rules for interface "openvpn" and ensure that you add a rule to "pass" from source openvpn > any and be sure it's all protocol any. Then that domain will pass traffic back and forth between the LAN as OPT1 would.
Now, unless you have a WINS server and enable NetBIOS over TCP (I have an ubuntu machine here running as WINS server) the distant clients will not auto-discover things shared on your network, but they wouldn't if you bind to the OPT1 either since the static IP will be in a different domain than LAN.
Thing is, I don't even bother with that anymore.
I assign static IPs to all my machines running file or printer shares and those are easily found by just typing their IP.
Example:
If a distant client is using windows, instead of trying to access the file or printer shares using names like \\mybigserver
I just type \\10.39.85.7 (which is the IP on the LAN of \\mybigserver). (I'm fabricating these names and IPs. But you get the idea.)
Get into the habit of addressing printer shares the same way.
It actually makes everything more reliable to do it this way even within the LAN.
Then you won't need a WINS server and you won't need NetBIOS over TCP.
Since I don't use my WINS server for VPN really any more, you may ask yourself why I bother keeping it running?
I have noticed that in an environment of mixed linux distros running SAMBA and mixed versions of windows sharing it's good to have 1 box that says "I'm in charge - Do what I say" and that's what my WINS server does. Seems to make SAMBA and Windows networking more reliable and predictable.
So, you have no need to tie up an OPT1 interface with openvpn. You can reassign that IP to something like a fail-over WAN or, more likely useful to you, a visitor internet Wireless Access Point on OPT1 with firewall rules on OPT1 blocking access to the LAN subnet or pfSense web gui.
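The two configuration points discussed in this thread, giving the OpenVPN server its own tunnel subnet instead of binding it to OPT1, and the cipher / control-channel choices debated a few posts up, can be checked mechanically against a server config file. The script below is an added example written for this page; it is not code from the thread or from pfSense. It uses only the Python standard library, and every value in it (the `10.8.0.0/24` tunnel subnet, the `192.168.1.0/24` LAN, file paths, both config texts) is a constructed placeholder you would replace with your own.

```python
"""Lint an OpenVPN server config for the points raised in this thread:
a dedicated tunnel subnet, no overlap with the LAN, the LAN route pushed to
clients, a 128-bit-block cipher, and an authenticated control channel."""
import ipaddress
import re

# Constructed sample configs (not from the thread); all values are placeholders.
SAMPLE_CONFIG = """\
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh4096.pem
# 'server' hands each client an address from this tunnel subnet; no bridged OPT1 needed
server 10.8.0.0 255.255.255.0
# push the LAN route so clients reach it "as if they were there"
push "route 192.168.1.0 255.255.255.0"
cipher AES-256-CBC
auth SHA256
tls-auth /etc/openvpn/ta.key 0
keepalive 10 120
persist-key
persist-tun
"""

WEAK_CONFIG = """\
port 1194
proto udp
dev tun
server 192.168.1.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
cipher BF-CBC
"""

LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN; adjust to yours

# Block size in bits of common OpenVPN data-channel ciphers (from the ciphers' specs).
BLOCK_BITS = {"AES-128-CBC": 128, "AES-192-CBC": 128, "AES-256-CBC": 128,
              "AES-128-GCM": 128, "AES-256-GCM": 128,
              "BF-CBC": 64, "DES-EDE3-CBC": 64}


def parse_config(text):
    """Return [(directive, [args])]; full-line comments skipped, quoted args kept whole."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = [p.strip('"') for p in re.findall(r'"[^"]*"|\S+', line)]
        entries.append((parts[0], parts[1:]))
    return entries


def tunnel_subnet(entries):
    """Subnet from 'server <network> <netmask>', or None if the directive is absent."""
    for directive, args in entries:
        if directive == "server" and len(args) >= 2:
            return ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
    return None


def pushed_routes(entries):
    """Networks handed to clients via push "route <network> <netmask>"."""
    routes = []
    for directive, args in entries:
        if directive == "push" and args and args[0].startswith("route "):
            _, net, mask = args[0].split()[:3]
            routes.append(ipaddress.ip_network(f"{net}/{mask}", strict=False))
    return routes


def findings(text, lan=LAN_SUBNET):
    """List of human-readable problems; an empty list means the config passes."""
    entries = parse_config(text)
    out = []
    tun = tunnel_subnet(entries)
    if tun is None:
        out.append("no 'server' directive: clients get no dedicated tunnel subnet")
    elif tun.overlaps(lan):
        out.append(f"tunnel subnet {tun} overlaps LAN {lan}; routing between them will break")
    if not any(lan.subnet_of(r) for r in pushed_routes(entries)):
        out.append(f"LAN {lan} is not pushed to clients; add push \"route ...\"")
    directives = {d: a for d, a in entries}  # last occurrence wins, as in OpenVPN
    cipher = directives.get("cipher", ["BF-CBC"])[0]  # older OpenVPN defaulted to BF-CBC
    if BLOCK_BITS.get(cipher, 0) < 128:
        out.append(f"cipher {cipher} has a 64-bit block; prefer an AES cipher")
    if "tls-auth" not in directives and "tls-crypt" not in directives:
        out.append("no tls-auth/tls-crypt: control channel accepts unauthenticated packets")
    return out


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"{name}: tunnel={tunnel_subnet(parse_config(cfg))}")
        for f in findings(cfg) or ["ok"]:
            print("  -", f)
```

The `findings()` check mirrors the pfSense side of the advice above: once `server` assigns a tunnel subnet, the matching firewall rule is a pass rule on the "openvpn" interface from that subnet to any, and no OPT1 assignment is involved. The subnet-overlap test catches the common case where the tunnel range is chosen inside the LAN range, which silently breaks routing.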
-
Thanks for the reply :)
I am afraid I don't understand what you are saying about OPT1…
From a security POV is there any issue with the way I am doing it now?
To gain access to my LAN from the WAN/VPN you need to have the right cert in any case so is there a problem with the way I am doing things?
And with regards to the 4096 bit certs and AES - I have found that I can transfer files to and from my LAN on my laptop with no noticeable slow down or performance issues at the full speed my WAN is capable of. pfSense box is running on an ESXi host with 2 cores assigned to it. CPU usage goes up to about 10% @ 20mbps of data transfer.
And with the Nexus 4 I also get good performance.
So thanks for that but unless there is a security risk with my certs I'll keep it as it is.
-
Sounds good. I'd say it's perfect then if that's just the way you want it.
Bigger certs certainly should never make your VPN less secure unless it's a compromised algorithm..
-
"Sounds good. I'd say it's perfect then if that's just the way you want it.
Bigger certs certainly should never make your VPN less secure unless it's a compromised algorithm.."
meh makes me feel safer having bigger numbers... perhaps I'm compensating for something else! :)
Thanks for taking the time to reply.