SOHO firewall and network protection strategy
-
Good afternoon,
My question will appear to be pretty basic but I have not found a clear answer on the web. Recently my PC has been infected by a Trojan whereas I had not used it for any other activity than playing legit games and playing with lightroom. No dodgy browsing etc… It dawned on me that I had to start enforcing stricter rules at home. If this is the wrong part of the forum please tell me and I will move it where it should be.
My ISP is virgin fibre broadband and I do not want to use their router anymore. I understand I can have this work as a modem only and turn off the wifi and routing capabilities.
I am not looking for hardcore technical solutions and do not need remote access etc. All I would like to do is to add a firewall right after the virgin modem (wifi and routing off) and then create a number of independent networks at home. I have up to to IOT music streaming devices, a PC which will now be used for gaming and photo only but will not be connected to internet most of the time (except for ad hoc udpates), my wife's PC, our phones (which are used to control some IOT but maybe we should buy a tablet and use it as a remote at home to avoid connecting our phones to the network directly...?) and sometimes guests.
What would be the smartest way to go about protecting and segregating the networks so that if a device gets infected the rest of the network remains relatively protected?
At the moment it is clear that a pfsense type box from netgear would be great but I think I need advice as to the architecture of the whole thing. FYI I like geeking a bit but I don't have the time to play with DIY solutions and I want a "plug it and forget" type of solution (of course I will update it etc but I don't want another PC tower at home).
I thank you in advance for your help!
Cheers
Geoffroy
-
A general way to segregate is to setup separate (V)LAN's for LAN, Guest, Internet of Things, a dMZ if you need it.
Put most of your stuff on the LAN, put all things related to Internet of Things and any device with known security issues on the Iot net, only allow guests to your home on the Guest network.
Firewall rules can be as permissive or restrictive as you write them, that's up to you.
ClamAV can scan your entire network for viruses, but it's going to slow things down and can be a pain to implement.
Without a bunch of ass pain your best bet is pfBlockerNG. This won't stop viruses per say but can block access to known IP's that could contain or distribute viruses.
In general, pfSense won't prevent you from getting viruses. That being said it will absolutely help if implemented correctly. Best all around anti-virus is still going to be your decisions on the web and on your device.
-
Thank you very very much for this rather clear response!
Which device would allow me to setup this many networks? Also, how would it be possible to stream music from say a server to the streaming device which would be on the IOT network?
Regards
G
-
You'll need a pfSense router, a managed switch thats vlan aware and access-point that can have multiple SSIDs ( Ubiquity are flavour of the month here )
Work out what devices you want on what subnet, choose a vlan number and try to use that as your 3rd octet in the IPv4 & IPv6 subnet
I've set mine up like this :-
LAN 172.16.1.1 2a02:xxxx:yyyy:1::1 < VLAN 4093 untagged
USER 172.16.2.1 2a02:xxxx:yyyy:2::1 < VLAN 2 tagged
GUEST 172.16.3.1 2a02:xxxx:yyyy:3::1 < VLAN 3 tagged
IOT 172.16.4.1 2a02:xxxx:yyyy:4::1 < VLAN 4 tagged
DMZ 172.16.5.1 2a02:xxxx:yyyy:5::1 < VLAN 5 tagged
VOICE 172.16.6.1 2a02:xxxx:yyyy:6::1 < VLAN 6 taggedOne of the vlan's will more than likley need to be untagged, if your going to get a Ubiquity AP you'll need an untagged vlan for the AP & CloudKey.
I made the LAN interface my untagged network management subnet, switches & access-points sit here.
Creating vlans in pfSense is dead easy :-
-
Interfaces ->Interface Assignments
-
VLANS
-
+Add
-
Select the Parent Interface, add the vlan number & Description
-
Configure the IP info on the interface
I've also renamed my interfaces from OPTx to their function.
Remember you need to carry all the vlans required on the edge switch across the interlink
I couldn't get my music streamer to work correctly in the IOT VLAN so it sits in my USER vlan, but my Philips Hue & Nest smoke alarms work if I access them from my mobile devices in the USER vlan
-
-
Any device with even one NIC will work when used in conjunction with a switch supporting 802.11q VLANs will work, however two NICs are strongly suggested.
I would recommend getting something with 2-4 quality (intel) ports on your pfSense box + a decent smart switch that supports 802.11q VLANs with however many ports you will need for your network.
Transferring traffic between networks is as simple as writing firewall rules for it. You can make those rules as permissive or as restrictive as necessary.
So in your example you want to be able to access music on your LAN that is served from a device on IoT you would write a rule on LAN. An example of a fairly restrictive rule to do this would be
IPv4 / TCP / ALIAS_for_LAN_Music_Clients / * / 192.168.music.server / Port(s)_Server_Uses / *This allows your specified music clients on LAN to access your music server via IPv4 TCP on the port(s) it uses to serve music. The server is not allowed to initiate a connection outside of its LAN unless a rule on the IoT interface allows it. You can obviously make this rule much more permissive if you like.
-
Honestly - the whole approach to the problem is wrong IMHO.
First of all, if you are behind a router and don't have any routed ports, you PC in a DMZ or IPV6 without firewall, it's impossible that any kind of trojan or virus can infect your PC from alone.
Even IF your PC was connected to the internet directly, the Windows Firewall - EVEN IN DEFAULT MODE - has blocked everything important. And without any additional services on the PC like a webserver, there's also hardly any kind of intrusion way. Windows with a default install doesn't has any real attack points that can be exploited from the internet.So the first question is - HOW did the trojan infect the system? Virus scanner not up to date? Adobe Flash not updated (looking at a side is enough to get an virus over a security hole… flash is bad)? Opened a link / zip in a Mail like "invoice" with a .doc in it? Or any other kind of mail with a bad extension? Windows Update up to date?
pfSense can't protect you against that and even with squidguard and https check, most viruses and stuff might no be found.
Separate networks might help a bit, but in reality, it's way too much work and investment in a private home, if you are not an enthusiast. Those networks can get quite complicated and if you use some IoT decives, you will have some fun finding errors.
Secure you Windows, work with care, get a more expensive router - those usually have seperate guest networks etc. build in - and be done with it. Dunno if you can get it in the US, but the AVM Fritz Box is awesome for any home user. Easy to use, a fuckload on functions, years of updates and support etc. pp.
pfSense is awesome, but if you are not a enthuisiast user that has no problem spending hours to find problems and just want the network to function, do yourself a favor and go the easy way.
Just because you can do a shitload of stuff with pfsense, doesn't mean it's the right tool for you :) -
Honestly - the whole approach to the problem is wrong IMHO…
...Secure you Windows, work with care, get a more expensive router...
...if you are not a enthusiast user that has no problem spending hours to find problems and just want the network to function, do yourself a favor and go the easy way.
In general, pfSense won't prevent you from getting viruses. That being said it will absolutely help if implemented correctly. Best all around anti-virus is still going to be your decisions on the web and on your device.
Separate networks might help a bit, but in reality, it's way too much work and investment in a private home
Eh, seriously? Separate networks take a few minutes to setup and the cost of getting a web managed switch that supports 802.11q over a "dumb" switch is pretty negligible for a home use switch.
The firewall rules are not complex at all. Just write a rule on the interface you want access from to allow access to the network that contains the device you want to access…
Buy a more expensive router that has a Guest network? One of the big draws of pfSense is the ability to run it on the old computer you have sitting in the closet from 8 years ago, or a $50 eBay/craigslist special. Out of the box, pfSense works. Any complexity is user implemented.
The $50 T420 from 2011 I have sitting on my desk with a single NIC paired with a $30 switch will easily outclass a high end SOHO router...
