Network security in garage

xman111

One thing i was thinking about, how would i use deny unknown for my wifi segment where i would want that in the garage on that particular port but within my house, i want friends and family to be able to connect without being denied?

johnpoz

You can turn that on for specific vlans.. You wouldn't turn it on for guest networks..

Keep in mind again - none of this really needed since unless your would be hacker unplugs device knows what vlan tag to set.. How would they get anywhere? And then that gets them what on your iot network? Which per your firewalls can do what exactly?

I think your way over thinking this here ;)

Per basic security any of those ports on your switch that do not have devices connected to them should be OFF anyway ;)

Your camera's ports could have port security set on them so only the camera mac would work.. And or static arp on that vlan. And again what could they do even if they got on that network? Only one that might be of concern is if they knew or figured out the vlan ID for your "secure" wireless network and connected as that.. Which you could run static arp on as well.. But they would be on that L2 then.. What else is on that L2 that they could get to?

Since when is your garage a dod facility ;)

xman111

thanks again John, have too much time to think before the wife and kids get up and dictate my day :)

that makes sense. I just didn't want to have open doors to my network in the garage. I guess i would just trunk in the camera network and the main wifi network into a port in the garage switch, lock one port to the MAC of the UNIFI AP, and the other 2 ports to the specific camera MACs.

I saw the settings on my Cisco switch for port security, i will have a look to see if the Dlink or the Netgear have that, i didn't even know that existed :)

Haha, thanks, as always for your help! i think part of the problem is i know just enough about networking to make me dangerous and a security threat to myself :)

johnpoz

Port security is common in enterprise setups... Say a conference room or common area ports that say a printer connects to or something.

If you really want to get fancy start doing 802.1x where devices have to auth ;) You could do mac based vlans, lots of stuff you can do to keep unwanted devices off your network that have physical access to a port.

Take a look at packetfense for an opensource NAC you can run.. You can get it work with your sg300 I would think - but been a while since played with it.

All of said stuff is fun - but don't lock it down so hard you make it a pain the ass for you to connect new devices.. And these shitty iot devices sure and the hell do not support enterprise grade stuff.. It would be fantastic for starters if they would support wpa-enterprise for their wifi.. I would love to use eap-tls for their wifi network for example ;)

While you can do say static arp on pfsense.. That doesn't lock down that L2 they would be connecting too.. What you could do is private vlans if devices on that L2 do not need to talk to each other. Camera's for example should have no need to talk to each other - so even if they go on and connected to your network they wouldn't be able to see any other traffic on that vlan. And even if they used same mac they could only talk to pfsense and do whatever firewall rules for said camera allowed, etc.

xman111

ya i don't want to make it more complicated that it needs to be.

Since you are around, can i ask you a somewhat related question? do you have an opinion on running fibre? is it dangerous to run copper underground outside to the garage and is it worth the extra expense to run 1 fibre line? I can do 3 cat6's for about $75, while fibre, i need media converters, SFP's, and expensive cable, probably closer to $250.

Have been reading about lightning strikes and frying equipment. That being said, i live in Vancouver, and haven't seen lightning in years :)

stephenw10

Mmm, I think you have a higher class of burglar in Vancouver than we do in London if that's a real threat.

But a useful experiment in locking stuff down.

Steve

xman111

haha, i didn't know if it was a threat, we live in a pretty good neighborhood as well. Just didn't want to do anything stupid by leaving unsecured network ports out and about :)

tim.mcmanus

@xman111 said in Network security in garage:

ya i don't want to make it more complicated that it needs to be.

Since you are around, can i ask you a somewhat related question? do you have an opinion on running fibre? is it dangerous to run copper underground outside to the garage and is it worth the extra expense to run 1 fibre line? I can do 3 cat6's for about $75, while fibre, i need media converters, SFP's, and expensive cable, probably closer to $250.

Have been reading about lightning strikes and frying equipment. That being said, i live in Vancouver, and haven't seen lightning in years :)

Copper is always going to be cheaper and easier to work with. The only advantage glass has over copper is link length. You can go much further with fibre than copper.

If you are going to run fibre, do two runs. Use one for the connection and keep the other one dark in the (unlikely) event you need it. It's cheaper to do it at the same time than in the future. And in the event you have issues with the first fibre run, you can swap over to the second easily to verify/validate issues.

If it only costs you $250 to get the gear for an exterior fibre run, definitely do two. $250 is a steal, it usually starts at $1K for outdoor fibre.

xman111

what about risk of lightning strike? thanks for the reply Tim.

tim.mcmanus

@xman111 said in Network security in garage:

what about risk of lightning strike? thanks for the reply Tim.

IMHO the probability is low that you'll attract a strike.

Also, there are varying degrees to lightning strikes. If it's not a direct hit, somethings may survive. But if your telco gets hit by a direct lightning strike, that has a higher probability of frying everything. Not even your retail surge protectors can protect against a direct lightning strike.

The worst thing about a lightning strike is static electricity. It electrifies the air and everything around it to certain degrees. So you could theoretically have a tree outside your window get hit, and the static electricity can be strong enough to damage (not destroy) electronics.

So I rarely if ever take lightning into consideration when designing a home network. I have a client with a detached garage, similar probably to your situation. He's on top of a mountain in PA that is prone to lightning storms. Never had an issue, and we ran 250' of copper to his garage from the main house.

I don't worry about lightning.

JKnott

@xman111 said in Network security in garage:

Have been reading about lightning strikes and frying equipment. That being said, i live in Vancouver, and haven't seen lightning in years :)

Well, there has been a lot of installed copper for decades before fibre was available. If you're worried you can get surge arresters for Ethernet. How far is the run? Is the garage electrical system fed from the house? Also, there is no electrical connection between Ethernet cables and interfaces, PoE excepted. However, there is supposed to be isolation between the PoE part of the equipment and the rest. The signal passes through a transformer, which can withstand a significant voltage. The original 10baseT Ethernet (StarLAN) was designed to work over cables shared with telephones. An analog phone line can have typically 90V 20 Hz AC on it when ringing. The NICs were designed to tolerate being mis-connected to a phone line. So, what's the risk in an area where lightning is rare?

.

Mmm, I think you have a higher class of burglar in Vancouver than we do in London if that's a real threat.

Only high class burglars can afford to live in Vancouver.

xman111

thanks for the advice guys.. you know on the internet you read and think too much. Most stuff I read people are saying that you should never run copper between buildings. It is only about a 30 foot run, buried about 12 inches underground in pvc conduit. I am not too worried about it, just wanted to check with the pros :) The garage is powered by a run from the house and can't remember the last time we had lightning.

Vancouver is crazy, our brand new 1/2 duplex is worth over $1 mil. :)

JKnott

@xman111 said in Network security in garage:

The garage is powered by a run from the house

That means there will be a heavy ground wire between the house and garage, which will limit any voltage differential between them. As I mentioned, there's no electrical connection over Ethernet cables.

xman111

still deciding about POE, either run from the house or POE switch in the garage.. thanks for your help, appreciate it..

tim.mcmanus

@xman111 said in Network security in garage:

still deciding about POE, either run from the house or POE switch in the garage.. thanks for your help, appreciate it..

Get power as close to the device as possible. Run it from the garage. Get a POE injector if you don’t want to buy a POE switch.

Also, to those internet folks who tell you not to run copper between buildings, how do you get power? Copper is unavoidable

johnpoz

@xman111 said in Network security in garage:

Most stuff I read people are saying that you should never run copper between buildings.

This is old school info that won't die.. Do you have elect in the garage now? If so how do you think it got there - freaking copper ;)

stephenw10

@jknott said in Network security in garage:

Only high class burglars can afford to live in Vancouver.

Ha. It probably does mean you have a higher class of bored teenager which is a far more legitimate threat!

Steve