Securing a Home Network with PFSense (using a SG-2220)
-
Computers:
2 x MacBooks (all macOS Sierra)
3 x Windows laptops (all on Windows 10 current)
2-3 Android Tablets
3 Android Phones
1 iPad (stuck at iOS 9)
1 iPod (stuck even further back)
2 Brother Printers
Synology DSM 415 - is primarily a file server and used for house backups
Roku
Sonos
Networking Hardware:
Modem -> SG-2220 -> 8 port Network Switch -> House Wifi
Most of the portable devices spend time out of the house. One of the MacBooks and one of the Windows machines spend a lot of their working life out of the house, often connected to public wifi networks. Yes, I VPN when using a public wifi. Others in my family, not as much.
I bought the PFSense after discussing with a friend what regular NAT style firewalls don't defend against. In addition, my friend, who has a lot of experience with network threats and defense against the dark arts, explained that even the most careful computer user can get infected when traveling. Along with all of the obvious things from a firewall, he suggested that a good firewall could be helpful to detect compromised machines (presumably through Snort).
How would I secure this network?
1. Reduce leaks from stuff inside our house (we don't have any IoT devices yet), so we don't participate in botnet attacks
2. Reduce risk of attacks like Wcrypt, i.e.: https://arstechnica.com/security/2017/05/an-nsa-derived-ransomware-worm-is-shutting-down-computers-worldwide/
3. So Netflix, the Sonos etc. still work
   1. Presumably, this is a game of knowing which ports need to remain open and which don't
   2. How can I even survey which ports are being used over a 2-3 week period?
4. So that I get warnings when computers do odd things
5. So that my family doesn't get annoyed because the entire internet goes away when I start testing, i.e. my first and only attempt to set up Snort
I read the PFSense documentation and it is technically very clear; it's just unclear what to enable/disable and what to leave in the default state.
Where do I start reading about securing a case like mine, which can't be all that abnormal?
-
Everything inbound from the internet is blocked by default, don't touch the WAN rules unless you need to NAT.
You can set Snort not to block; also run Snort on the LAN interface, not the WAN interface.
Set your firewall rules to log.
Regarding logging traffic, your best bet IMO would be to forward your log entries to syslog on the Synology NAS, then after a couple of weeks export the data via CSV to a spreadsheet.
I'd class the Roku as an IOT device, I classify my TV, PVR, Apple TVs and Nest smoke alarms as IOT type devices.
You could also set up a road warrior VPN connection.
IMO if you have a smart switch that's VLAN aware, set up your VLANs now.
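One way to do the port survey the original poster asked for (which ports the house actually uses over 2-3 weeks) from the firewall log entries this answer suggests forwarding to the NAS. This is an added example, not code from the thread or from pfSense; it assumes the pfSense 2.3+ filterlog CSV field order, a LAN NIC named igb1 (igb0 as WAN), and constructed sample log lines.

```python
import re
from collections import Counter

# syslog prefix that pfSense prepends to each filterlog record
SYSLOG_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ filterlog(?:\[\d+\])?: (?P<csv>.*)$")

def parse_filterlog(line):
    """Parse one pfSense filterlog syslog line into a dict (None if it is not one).
    Assumed field order: rule, subrule, anchor, tracker, iface, reason, action, dir, ipver, ..."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 9:
        return None
    rec = {"iface": f[4], "action": f[6], "dir": f[7], "ipver": f[8]}
    if rec["ipver"] == "4" and len(f) >= 20:
        # IPv4 header fields: tos, ecn, ttl, id, offset, flags, proto-id, proto, length, src, dst
        rec["proto"], rec["src"], rec["dst"], rest = f[16].lower(), f[18], f[19], f[20:]
    elif rec["ipver"] == "6" and len(f) >= 17:
        # IPv6 header fields: class, flow-label, hop-limit, proto, proto-id, length, src, dst
        rec["proto"], rec["src"], rec["dst"], rest = f[12].lower(), f[15], f[16], f[17:]
    else:
        return None
    if rec["proto"] in ("tcp", "udp") and len(rest) >= 2:
        # TCP/UDP records continue with source port, destination port, data length
        rec["sport"], rec["dport"] = int(rest[0]), int(rest[1])
    return rec

def port_survey(lines, lan_iface):
    """Count (proto, dport, action) for flows entering the LAN NIC, i.e. connections the
    house devices open; pfSense filters where traffic enters, so these log as direction 'in'."""
    counts = Counter()
    for line in lines:
        rec = parse_filterlog(line)
        if rec and rec["iface"] == lan_iface and rec["dir"] == "in" and "dport" in rec:
            counts[(rec["proto"], rec["dport"], rec["action"])] += 1
    return counts

# Constructed sample log (not real data): igb1 is assumed to be the LAN NIC, igb0 the WAN NIC.
SAMPLE = """\
May 17 10:15:03 pfSense filterlog: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,12345,0,DF,6,tcp,60,192.168.1.50,93.184.216.34,54321,443,0,S,1234567890,,65535,,mss;sackOK
May 17 10:15:04 pfSense filterlog: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,12346,0,DF,17,udp,73,192.168.1.51,192.168.1.1,50123,53,53
May 17 10:15:05 pfSense filterlog: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,12347,0,DF,6,tcp,60,192.168.1.50,93.184.216.34,54322,443,0,S,1234567891,,65535,,mss
May 17 10:15:06 pfSense filterlog: 9,,,1000000110,igb1,match,block,in,4,0x0,,128,12348,0,none,6,tcp,52,192.168.1.52,198.51.100.20,49000,445,0,S,1234567892,,8192,,mss
May 17 10:15:07 pfSense filterlog: 5,,,1000000103,igb1,match,pass,in,6,0x00,0x00000,64,tcp,6,40,2001:db8::50,2001:db8:1::1,40000,443,0,S,7,,1024,,mss
May 17 10:15:08 pfSense filterlog: 7,,,1000000105,igb0,match,block,in,4,0x0,,51,1,0,none,6,tcp,40,203.0.113.9,198.51.100.1,44444,22,0,S,1,,1024,,
May 17 10:15:09 pfSense dhcpd: DHCPACK on 192.168.1.52 to 00:11:22:33:44:55 via igb1
"""
```

Feed the exported syslog file to port_survey(open(path).read().splitlines(), "igb1") and the Counter gives you, per protocol and destination port, how often the LAN rules passed or blocked a flow, which is the list to base the tightened rules on.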
-
NogBadTheBad - you seem pretty good to me. I struggle with formatting here, so please forgive me if I misquote. You've given me several weeks of spare-time work - Danke.
Firewall Log - sending to Synology - thanks. In two weeks I will see how badly I screwed this up.
Roku - agreed it is an IOT.
Not sure what a Road Warrior VPN is? I.E. VPN home? Not convinced that my ISP needs to have more information about what I do on the Internet, don't mind the expense of an annual PIA VPN subscription.
VLAN - Smart Switch - I vaguely understand what that means, I doubt the switch is capable of that. I will need to look into that.
Snort, Snort, Snort my friend - I'm certain it will help in the long run; I need to figure out how to make it listen, not block, and run on the LAN. That's my task in the next week or so. Watch me come back here and to the Snort mailing list when I fail :-)
Cheers
Mark
-
Use the pfSense router as the VPN server when you're away from home.
https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2
-
I would think about installing some things to get a better or higher security level for the entire network, such as:
- OpenLDAP server for private wired (cabled) devices
- FreeRADIUS server with certificates and encryption for private wireless devices
- Captive portal with vouchers for WiFi guests
Each of them gets its own VLAN, and inside the guest WiFi VLANs I would enable "client isolation" too!
It might sound odd, but it provides more security than you might expect!
You need pfSense, a VLAN-capable switch and some WiFi APs!
"Modem -> SG-2220 -> 8 port Network Switch -> House Wifi"
Does that switch support VLANs?
Netgear GS105E ~$20
Netgear GS108E ~$40
"Most of the portable devices spend time out of the house. One of the MacBooks and one of the Windows machines spend a lot of their working life out of the house. Often connected to public wifi networks. Yes, I VPN when using a public wifi. Others in my family, not as much"
Let them connect directly to your home network over WLAN APs; if too high in price, you could set it up step by step over time. UBNT UniFi WiFi APs (Pro and Lite) might be the best bet at this time and also the best middle ground between price and quality, and the WiFi controller software is free of charge on top of that.
"I bought the PFSense after discussing with a friend what regular NAT style firewalls don't defend against. In addition, my friend who has a lot of experience with network threats and defense against the dark arts - explained that even the most careful computer user can get infected when traveling. Along with all of the obvious things from a firewall, he suggested that a good firewall could be helpful, to detect compromised machines (presumably through Snort)."
Not only when traveling, but also when often using public WiFi networks to connect to the home network unsecured.
"TV, PVR, Apple TVs and Nest smoke alarms as IOT type devices."
Put them inside their own VLAN, or place them inside the DMZ zone if they are snitching to their vendors.
Other points that could fit well too:
A proxy and logging:
To gain one more level of security, you could try installing Squid, SquidGuard and SARG, then create a profile for each user and device (MAC-IP bindings); each user must then use Squid for most or configured activities, together with user authentication. Not transparent, but effective, and via SARG you may be able to check the entire Squid logs afterwards when something has occurred or is not clear to you! But to be clear at this point, I don't know how much this would affect the entire throughput of the SG-2220, and whether it would not be wiser to insert a small mSATA or M.2 SSD, if it is capable of taking one.
IDS/IPS:
One step ahead, you could try installing Snort or Suricata too, but this would then perhaps slow down the entire throughput once more, as can normally be expected from each installed package in pfSense, so it might make more sense to know the Internet connection speed and the entire throughput after passing all installed and running services on the pfSense appliance.
Geo IP blocking:
pfBlockerNG & DNSBL together with OpenDNS would also be another point to protect your home network against intruders, attackers or simply the many different things that are unwanted to connect to your home network.
Social engineering:
Last but not least, you should spend time and talk to your entire family about why you are doing this and what you are afraid might occur. If anyone is able to touch the mobile devices of your family members, you mostly don't have to wait long to be able to recognize some unwanted activities in your network.
-
@NogBadTheBad - thanks for the VPN I will have to give it some background thought.
In the meantime a simpler question. What to log? Currently I've got the following enabled:
System Events
Firewall Events
DNS Events (Resolver/unbound, Forwarder/dnsmasq, filterdns)
DHCP Events (DHCP Daemon, DHCP Relay, DHCP Client)
PPP Events (PPPoE WAN Client, L2TP WAN Client, PPTP WAN Client)
Captive Portal Events
VPN Events (IPsec, OpenVPN, L2TP, PPPoE Server)
Gateway Monitor Events
Routing Daemon Events (RADVD, UPnP, RIP, OSPF, BGP)
I suspect that's overkill.
Also is there a good place to learn about what these logs tell me?
@BlueKobold - this all made rough sense. I'm spending a few minutes digging.
Questions: LDAP, RADIUS and captive portal - I mostly get all of this; however, isn't this overkill? Wouldn't just setting up a separate VLAN, accessible only via an access point, be more than good enough?
More questions later.
Back to running a small consulting company
Mark
-
pfSense is a great edge device and makes for a great piece of a layered network design:
OpenDNS secure internet gateway service, prosumer version (20.00 annually)
ISP modem
pfSense with Snort annual paid subscription (29.99), same definitions as Cisco Firepower
Modern Honey Network targets on an isolated VLAN << great for seeing who is probing your network
WiFi Pineapple to keep wardrivers at bay
Splunk log aggregator, free for up to 500M of logs daily
antivirus/antimalware
internal home network on Cisco layer 3 switches
For less than a nickel a day you have a pretty solid security system that can rival most corporate institutes or better them!