Home Network Security

NetworkHound

Occasional Visitor
I talk about network security a lot to friends, family, and pretty much anyone who will listen. Yet I’m really bad about actually making my own network secure. So I decided to finally “practice what I preach” and get serious about my home network security.

I’m starting by segregating my network so my IoT devices, our computers/tablets/phones, and guests are on separate VLANs with firewall rules restricting internal and external traffic. I’ll likely be using Ubiquiti equipment for that; I haven’t gotten it yet.

My next question is: should I also be using some kind of Intrusion Detection/Prevention system? I know companies have started doing this at the consumer level (CUJO, Dojo, RATtrap), and you can also build your own using pfSense or Security Onion. Is that overkill for a home network, or should I be looking into it? Is it more important than basic network segregation, or should I go ahead with my VLAN plan first?
 
I would get the LAN set up first. Then consider if you have the time to invest in supporting an IDS or have the cash to subscribe to an appliance service. Unless you are running Internet-facing servers, you may not need it very much.
 
Question #1 - Are you going to take the time to look at the logs from the security systems on a daily basis?

The answer to that question will tell you if it is overkill or not. If you aren't going to take the time to review your logs on a daily basis, then there is no real point in yet another monitoring system at home. I enabled Snort on my pfSense box and have looked at the alerts once in the past year... I need to disable it since it provides zero value other than burning CPU cycles at this point. IDS is not a set-it-and-forget-it type of thing. It requires regular care and feeding, otherwise it just bitches at you constantly and you start to ignore it.

1.) Good firewall with restrictive egress rules
2.) Limit ingress rules to an isolated subnet (DMZ)
3.) Limit ingress/egress to/from the isolated subnet (DMZ)
4.) Consider a web proxy that provides logging and basic filtering
5.) Consider a centralized syslog server (or better yet, Splunk)
- Splunk allows for a quick way to see trends in logs without digging into details
- e.g., for some reason firewall logs grew by 40% daily 3 days ago... go dig into the log details to find out what changed
6.) Keep your systems patched/updated
7.) Follow good password processes
- don't use the same one across multiple systems
- change them from time to time
- store passwords in a proper secure location (like a password vault)

As for isolating the IoT devices... I haven't put a lot of thought or effort into that yet at home. Most of my IoT things are on my main network for a reason... I think... that is, if I am classifying IoT devices correctly. My webcams... local subnet, otherwise the management app doesn't work. My Sonos... local subnet, otherwise the app doesn't work. I don't actually know that I have anything else that is IoT-like. This is something I probably should put some thought into... but it requires more administrative overhead since it will pretty much require me to set up a RADIUS server and provision unique accounts per device... yeah, I am waaaaay too lazy to manage that.
 
Splunk's cool - but has a cost - one can set up an ELK stack on a Linux box (or VMware instance) and get the same effect on a small LAN - Splunk scales better, and of course, one does get a voice on the other end of a phone call to tech support.
 
Quite a few NAS like QNAP and Asustor also offer a syslog application.
 
Splunk has a free license as well. It limits you to a certain amount of logs ingested daily and disables some of the Enterprise features. I don't remember the limit, but I have yet to hit it.

ELK or Splunk... really doesn't matter. Find a parser that you like or know how to use and go from there. I happen to use Splunk at work, so I'm already familiar with it.
 
Yeah... it is very unlikely I'll be checking daily logs. So perhaps a true intrusion detection system is not what I want. Is there an in-between solution, something that will let me know if my IoT devices are suddenly contacting malicious servers or being used in a botnet? Maybe I should just try a basic solution like CUJO, RATtrap, or Dojo.

I'm definitely going with network isolation as a start. I have almost a dozen smart devices (light switches, thermostat, etc) controlling various things, so if they are ever compromised I don't want them on the main network. I can open up specific ports between VLANs if I need specific cross-VLAN communication, but at least I'll have control over it.
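Added example, not from any poster in this thread: a short Python script that does the two log-review tasks the thread keeps coming back to, without a full IDS. It implements the trend check from point 5 above (flag any day whose firewall log volume grew by 40% or more over the previous day) and a baseline check for the question just asked (passed connections from the IoT VLAN that either reach the main LAN, which a default-deny inter-VLAN policy should never allow, or go to a destination and port that is not on an expected-destinations list). Everything in it is an assumption made for the example: the log format is a simplified, constructed pfSense-filterlog-like shape, the VLAN ranges (192.168.20.0/24 for IoT, 192.168.10.0/24 for the main LAN), the allowlist and all sample lines are made up, and it uses a per-device baseline rather than a malicious-server feed, so it reports "unexpected", not "known bad".

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample syslog lines in a simplified pfSense-filterlog-like shape:
# "<timestamp> <host> filterlog: <action>,<iface>,<proto>,<src>,<dst>,<dport>".
# None of these are real captures; public addresses come from RFC 5737 test ranges.
SAMPLE_LOGS = """\
Mar  8 09:12:01 fw filterlog: pass,igb1.20,tcp,192.168.20.11,203.0.113.10,443
Mar  8 09:12:05 fw filterlog: pass,igb1.20,udp,192.168.20.11,192.168.20.1,53
Mar  8 21:02:44 fw filterlog: block,igb0,tcp,198.51.100.9,192.0.2.7,23
Mar  9 09:14:11 fw filterlog: pass,igb1.20,tcp,192.168.20.12,203.0.113.10,443
Mar  9 09:14:12 fw filterlog: pass,igb1.20,udp,192.168.20.12,192.168.20.1,123
Mar  9 22:41:09 fw filterlog: block,igb0,tcp,198.51.100.9,192.0.2.7,22
Mar 10 03:01:17 fw filterlog: pass,igb1.20,tcp,192.168.20.15,198.51.100.77,6667
Mar 10 03:01:18 fw filterlog: pass,igb1.20,tcp,192.168.20.15,198.51.100.77,6667
Mar 10 03:02:30 fw filterlog: pass,igb1.20,tcp,192.168.20.15,192.168.10.5,445
Mar 10 09:12:02 fw filterlog: pass,igb1.20,tcp,192.168.20.11,203.0.113.10,443
Mar 10 21:55:40 fw filterlog: block,igb0,tcp,198.51.100.9,192.0.2.7,23
"""

# Matches the constructed format above; adjust to the real field order when
# pointing this at an actual export.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ filterlog: "
    r"(?P<action>\w+),(?P<iface>[^,]+),(?P<proto>\w+),(?P<src>[^,]+),(?P<dst>[^,]+),(?P<dport>\d+)$"
)


def parse_lines(text):
    """Parse syslog text into dicts; skip lines that do not match (other daemons, truncation)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["day"] = f"{rec.pop('mon')} {rec.pop('day')}"
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def daily_counts(records):
    """Events per day, kept in arrival order (syslog timestamps carry no year)."""
    counts = {}
    for rec in records:
        counts[rec["day"]] = counts.get(rec["day"], 0) + 1
    return counts


def flag_volume_spikes(counts, threshold=0.40):
    """Return [(day, growth)] for days whose volume grew by >= threshold over the previous day."""
    flagged = []
    days = list(counts)
    for prev, cur in zip(days, days[1:]):
        growth = (counts[cur] - counts[prev]) / counts[prev]
        if growth >= threshold:
            flagged.append((cur, round(growth, 2)))
    return flagged


IOT_NET = ip_network("192.168.20.0/24")  # assumed IoT VLAN
LAN_NET = ip_network("192.168.10.0/24")  # assumed main LAN VLAN
# Assumed baseline of where IoT devices are expected to talk: local DNS/NTP on
# the IoT gateway, and the (made-up) vendor cloud range over TLS.
IOT_ALLOWED = [
    (ip_network("192.168.20.1/32"), {53, 123}),
    (ip_network("203.0.113.0/24"), {443}),
]


def unexpected_iot_egress(records, iot_net=IOT_NET, lan_net=LAN_NET, allowed=IOT_ALLOWED):
    """Passed connections from the IoT VLAN that fall outside the baseline.

    'lan' = IoT -> main LAN traffic the firewall let through (a policy gap under
    default-deny inter-VLAN rules); 'external' = destination/port not on the allowlist.
    Keyed by (src, dst, dport) with a hit count, so repeats collapse to one finding."""
    findings = {}
    for rec in records:
        if rec["action"] != "pass":
            continue
        src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
        if src not in iot_net:
            continue
        if dst in lan_net:
            category = "lan"
        elif any(dst in net and rec["dport"] in ports for net, ports in allowed):
            continue
        else:
            category = "external"
        key = (rec["src"], rec["dst"], rec["dport"])
        findings.setdefault(key, {"category": category, "hits": 0})["hits"] += 1
    return findings


if __name__ == "__main__":
    recs = parse_lines(SAMPLE_LOGS)
    print("events per day:", daily_counts(recs))
    print("volume spikes:", flag_volume_spikes(daily_counts(recs)))
    for (src, dst, port), info in unexpected_iot_egress(recs).items():
        print(f"{info['category']:8} {src} -> {dst}:{port} x{info['hits']}")
```

Run against a real export by replacing SAMPLE_LOGS with the file contents and matching LINE_RE to the actual field order. The allowlist is the part worth maintaining: once each device's normal destinations are recorded, anything new it does shows up as a single line to review weekly, which is a far lighter load than a daily IDS alert stream.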
 
If I didn't want to set up a full IDS solution, what kind of monitoring as a service is out there? I've seen CUJO, which seems okay but doesn't seem to play well with VLANs (it always gets stuck on VLAN 1). I can't find any reviews on Dojo or RATtrap. I was hoping to see some reviews on this site for those two after the extensive CUJO review.
 
Splunk is very cool - we used it at my previous job - once the time is taken to set up the indexes for dashboarding, it's pretty awesome.

Something else to consider - this is a customized ELK setup from SANS Institute that can be run in VMware...

https://github.com/philhagen/sof-elk

https://github.com/philhagen/sof-elk/blob/master/VM_README.md

Enjoy!
 