Improving security on a home network

[vnangia]

I was one of those flagged by Twitter in their latest breach, which has triggered another round of paranoia. I concede that this may not have been my fault, nor is there's no single magic bullet. However, I would like to really improve the security of my home network, especially since I'm starting to experiment with home automation. Our network has a mixture of Windows, Macs and Linux machines, iOS, Android and other mobile devices, and game consoles, as well as some "gadgets", like Twine, SmartThings and Nest. I'd like to retain the ability to remotely access the network securely from iOS and Android devices. Other than that, open to hearing what I should do/not do and what I should invest in.

I guess, the question is whether there is any way to get mega-corp-like security without spending mega-corp-like bucks?

 

[stevech]

so long as you have WiFi encryption on and use a unique SSID, that's OK. Next, physical access to your wired LAN cabling... let's assume that's a non-issue.

So that leaves to areas: (1) what ports you have open on your router and if they're are open ones, do you have a proper arrangement for the server on that port; (2) your habits on-line- which has nothing to do with your network, e.g., what gets downloaded and used by who, etc.

 

[vnangia]

I probably expressed myself badly. Wifi encryption is on with WPA2-PSK, using a long random key, and my assumption is if someone could break into the place to attach a network logger, they could probably take any hardware they wanted too.

I suppose the more relevant question is, does it make sense to invest in a SOHO/SMB-class UTM appliance to replace my consumer router - is that the right tool to prevent myself from accidental stupidity and a potential light attack from the kinds of people who hacked Honan last year? (By which I mean script kiddies with preassembled tools rather than a nation-state with an army, more than the precise nature of the attack.) I suppose I'm aiming more for deterrence rather than anything else.

 

[CaptainSTX]

Home Automation

If all really want or need administer from the WAN is your home automation systems I would consider putting these devices on a separate network that does not permit sharing resources with your other networked devices.

 

[vnangia]

If all really want or need administer from the WAN is your home automation systems I would consider putting these devices on a separate network that does not permit sharing resources with your other networked devices.

I was actually hoping to be able to remotely access files when I'm traveling and to use my local IP address when I'm overseas. But segregating the network isn't a bad idea in general.

 

[thiggins]

I second the suggestion for VLANs to partition your network.

For remote access, I suggest backing up all the files you'd want to access to something like the WD MyBook Live, Pogoplug or other storage device that is accessed via a secure relay-type web portal. Put this on its own VLAN or true DMZ (its own subnet). If it is hacked, then damage is confined to it, not your entire LAN.

 

[vnangia]

For remote access, I suggest backing up all the files you'd want to access to something like the WD MyBook Live, Pogoplug or other storage device that is accessed via a secure relay-type web portal. Put this on its own VLAN or true DMZ (its own subnet). If it is hacked, then damage is confined to it, not your entire LAN.

Got it. Since there's no VLAN support on the current router, any suggestions for a hardened device to replace the router?

 

[thiggins]

You don't need to throw out the router. Just get a smart/managed switch and move all your devices to it. The NETGEAR GS108T is one example. There are others.

 

[stevech]

IMO: If you're joe homeowner, not a large-ish SOHO, I wouldn't be so concerned.

More likely is theft of your computers/disks- so I'd start there and make sure your personal/financial data is encrypted 100% of the time. I use SafeHouse for that, with the file stored on the NAS and 3 backups.

 

[vnangia]

Tim - thanks, looking into that today.

Steve - physically, our place is pretty secure: you'd need to go through a couple of doors and through a building before you get to us. We are quite careful about locking up as we have two hyper intelligent cats who can - and have - opened locked doors before. Our sensitive data is on a TrueCrypt volume, a copy of which is on two computers at home, a flash stick at a relative's place and a Glacier instance. Yes, we are making backups of photos and such to three volumes (Time Machine, a server that syncs that Time Capsule's files, and to an S3 instance). That said, my point was that if one gets physical access to the place, all the network security in the world won't help. I was looking more for some way of deterring the casual point-and-click hacker and preventing accidental stupidity from wrecking havoc, while retaining some ability to logon remotely when I travel out of country.

 

[stevech]

Your sensitive data on TruCrypt volumes.. If you're like me, those volumes are not open/mounted except when I'm doing work with the files. So the thief gets nada.

 

[vnangia]

Your sensitive data on TruCrypt volumes.. If you're like me, those volumes are not open/mounted except when I'm doing work with the files. So the thief gets nada.

Fair point... but I think there's multiple categories of data - confidential, private, who-cares; I mean, even the family photos could go on to a TrueCrypt volume, but it would be at ridiculous computational cost. Seems to me that a better strategy would be to make it more difficult to break in, no?

And none of that still address my stupidity - for example, accidentally triggering the installation of the Flashback Trojan on my Mac, because I need to have Java installed for certain work applications.

To wit, I've already taken your excellent suggestion on rechecking the ports both inbound and out on the router and I'm putting together a network map to figure out how machines need to and do not need to talk to each other with the view of splitting up the network with VLANs, as recommended by STX and Tim in the discussion above. I'm still not sure whether that addresses my concerns about accidentally bringing a plague of locusts, but we are basically following all of the steps recommended by Krebs here, with the exception of NoScript which makes life nigh impossible on the modern web - try selecting the charts on SNB, for instance

 

[stevech]

Viruses, spyware, accidental deletion...
I store data on the NAS, not the PCs.
I image the PC disks every week or so, to the NAS.

The one time I got a bad virus/malware I couldn't eliminate, I just roll in the last image or partition backup. I now have these two backups automated on PCs, using Acronis (I've tried most all, and such as it is, Acronis is the best, IMO).

My main PC - has an SSD boot disk (120GB) and a 160GB mechanical disk. Again, I store no data on these, only the OS and programs.
I use Acronis to clone the 120GB to the 160GB quite often. I don't use the 160GB. Worst happens, I just clone the 160 back to the 120. This has saved my rear more than once. Cloning is better than partition imaging, by far, at the cost of a dedicated drive.

 

[rquared]

I suppose the more relevant question is, does it make sense to invest in a SOHO/SMB-class UTM appliance to replace my consumer router - is that the right tool to prevent myself from accidental stupidity and a potential light attack from the kinds of people who hacked Honan last year? (By which I mean script kiddies with preassembled tools rather than a nation-state with an army, more than the precise nature of the attack.) I suppose I'm aiming more for deterrence rather than anything else.

Sophos has a free UTM for home use that is awesome. Astaro UTM Home User version has everything (well almost that corp america has and is fairly straight forward. Untangle also has a product I've used for over a year, but just recently switched to Astaro due to the completeness of the offering. I can't recommend it enough for doing exactly what your talking about! You will need a system with two NICs, but they are cheap. Personally I use an Atom Supermicro server with ESXi installed and Astaro as a VM. Works flawlessly!

Wanna dig deeper and get real geeky, check out Security Onion.

Hope that helps.

 

[vnangia]

Forgive me for resurrecting an old thread, but I'd have to post what would be a pretty much identical thread name.

I'm in the market for a new (wired) router, as it turns out my existing E4200 is vulnerable to (and because of some unusual internet behaviour perhaps WAS breached by) the infamous Linksys TheMoon malware. As a stopgap, I'm moving to DD-WRT but I'd really appreciate any advice now on a replacement router / UTM device.

My requirements are relatively modest - we have about 45-50 networked devices, including full-fledged computers and servers, phones, tablets and networked gadgets (examples would be IP cameras, the Nest thermostat, Fitbit Aria). Our primary internet connection is through Verizon's 75/35 FiOS service but I'd also like to have a second WAN port, as we have a backup network connection for when the FiOS headend goes down as it is wont to in the summer. I'd also like to have the capability to segregate devices using VLANs and ideally retire the RasPi that's been acting as a VPN endpoint for when I'm on the road. I've been looking at the following devices, as a consequence, with some of my thoughts:

-Linksys RV042G (unsure about performance, brand name ownership worries)
-Mikrotik Routerboard RB2011UiAS-IN (unbelievable price/performance ratio, impossible to buy in the US)
-Ubiquiti EdgeRouter PoE (difficult to setup, hard to buy in the US)
-Zyxel Zywall USG20 (dislike paying for an ongoing subscription)

I'm leaning towards the Mikrotik if I can ever find it for sale, but I'd like to wrap up and buy something in the next couple of days. Any advice appreciated.