Multi-subject: Securing the whole setup


Gys Wuyts

New Around Here
Hello,
newbie to this forum, not so much to networking, on a practical level.
I'm asked to sort out some problems in a small local gym and improve some things:
- sorted out:
- looped network, daisy-chaining 4-8 port FE switches
- operator modem wifi underperforming/unavailable
- upgrade network throughput

- installed:
- new operator modem, upgraded DSL to 100mb
- 2 16 port switches netgear GS716T (1 per floor)
- 2 ASUS RT-AC5300 (1 per floor)
- new structured cabling CAT6E to wire the building

Because of a deadline I installed the cabling, switches and wifi-routers and connected it all up.

Layout:

operator modem hands out 192.168.0.x addresses (class C) on one of its 4 LAN ports, or on its own Wifi, which is limited for use by the staff

each switch is uplinked to the modem and itself has an IP address assigned for management

some gym equipment is connected to the switches, as is the WAN interface of the wifi-routers.
all is on fixed IP except the wifi clients (gym customers)

The Wifi routers issue different SSIDs and issue different IP addresses, 192.168.1.11-254/C and 192.168.10.11-254

All Wifi signals are locked with WPA2 Personal with AES (the best I can do I think without corp. solutions), guest networks are disabled.

Improvements TBD:
- secure remote access from outside to the local pc (windows 10), the wifi routers and the switches (web interface)
- basic monitoring - availability - performance - and alarming when something is wrong

My basic idea: set up a Raspberry Pi inside on a sort of DMZ to end a VPN on. Then onward to the different internal "clients".
That same Pi will run a Nagios server to keep an eye on things. And it will also serve as log server for the routers and switches, since there's quite some suspicious traffic.

My questions:
- the routers have an ssh-enable option, would that allow me to create an ssh vpn tunnel into the network instead of on the Pi?
- if not, suggestions on which software to use or avoid, caveats ?
- some of the gym software suppliers use Teamviewer, which I'm pretty sure will not be affected unless I would block 80/443 outgoing (which obviously I won't do)
- any other comments/hints are welcome of course!

Thanks

g
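The log-server and alarming part of the plan above, as an added example that is not code from the thread or from the poster: a small Python syslog parser for the RFC 3164-style lines the routers and switches would forward to the Pi, with one alerting rule (repeated failed logins to a device from the same source address inside a sliding window). The message wording matched by `FAILED_LOGIN_RE`, the host names and the sample log lines are constructed assumptions, not the real ASUS or Netgear formats.

```python
"""Syslog collector rule for the Pi log server described above: parse the
RFC 3164-style lines the routers and switches would forward, and alert when
one source address keeps failing to log in to a device.

Added example, not code from the thread. The log lines are constructed for
illustration and are not the real ASUS or Netgear message formats."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "<PRI>Mmm dd hh:mm:ss host tag: message" (RFC 3164 layout)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+):\s*(?P<msg>.*)$"
)
# Assumed wording of a login-failure message; adjust to the real device output.
FAILED_LOGIN_RE = re.compile(
    r"(?i)(login failed|bad password|invalid user|access denied).*?\bfrom\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_line(line, year=2024):
    """Split one syslog line into its fields; return None if it is not syslog."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    stamp = re.sub(r"\s+", " ", m.group("ts"))  # collapse the padded day field
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return {
        "facility": pri // 8, "severity": pri % 8, "ts": ts,
        "host": m.group("host"), "tag": m.group("tag"), "msg": m.group("msg"),
    }


class FailedLoginMonitor:
    """Count failed logins per (device, source IP) inside a sliding window."""

    def __init__(self, threshold=3, window=timedelta(minutes=5)):
        self.threshold = threshold
        self.window = window
        self.events = defaultdict(deque)  # (host, src) -> recent timestamps
        self.alerts = []

    def feed(self, rec):
        fm = FAILED_LOGIN_RE.search(rec["msg"])
        if not fm:
            return None
        key = (rec["host"], fm.group("src"))
        q = self.events[key]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > self.window:  # drop events outside the window
            q.popleft()
        if len(q) >= self.threshold:
            alert = (f"{rec['host']}: {len(q)} failed logins from {fm.group('src')} "
                     f"within {self.window}")
            self.alerts.append(alert)
            q.clear()  # one alert per burst, not one per extra failure
            return alert
        return None


def run(lines, threshold=3, window=timedelta(minutes=5)):
    """Feed lines through the monitor; return how many parsed and the alerts raised."""
    mon = FailedLoginMonitor(threshold, window)
    parsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parsed += 1
        mon.feed(rec)
    return {"parsed": parsed, "alerts": mon.alerts}


# Constructed sample input (not captured from real devices).
SAMPLE_LOGS = [
    "<38>Oct 12 09:01:02 gs716t-floor1 auth: Login failed for user admin from 192.168.0.77",
    "<38>Oct 12 09:01:40 gs716t-floor1 auth: Login failed for user admin from 192.168.0.77",
    "<38>Oct 12 09:02:15 gs716t-floor1 auth: Login failed for user root from 192.168.0.77",
    "<30>Oct 12 09:02:30 rt-ac5300-floor2 dnsmasq: DHCPACK(br0) 192.168.10.42",
    "<38>Oct 12 09:03:00 rt-ac5300-floor2 sshd: Bad password for admin from 192.168.1.23",
    "<38>Oct 12 09:20:00 rt-ac5300-floor2 sshd: Bad password for admin from 192.168.1.23",
    "this line is not syslog and is skipped",
]

if __name__ == "__main__":
    result = run(SAMPLE_LOGS)
    print(f"parsed {result['parsed']} lines")
    for a in result["alerts"]:
        print("ALERT:", a)
```

On the sample input the switch on floor 1 triggers one alert (three failures from 192.168.0.77 inside two minutes), while the two failures against the floor-2 router are 17 minutes apart and stay below the window. In practice a syslog daemon on the Pi (rsyslog, for instance) receives the devices' messages on UDP 514 and writes them to a file; this rule can then read that file, and the only part that must be adapted is the wording in `FAILED_LOGIN_RE`, which is an assumption here.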
 
My basic idea: set up a Raspberry Pi inside on a sort of DMZ to end a VPN on. Then onward to the different internal "clients".
That same Pi will run a Nagios server to keep an eye on things. And it will also serve as log server for the routers and switches, since there's quite some suspicious traffic.

Pi as a Jumpbox is handy - and keep it like this - ssh with certs, no password interactivity... As the jumpbox, don't run anything else on it - e.g. your Nagios comment above - buy another Pi perhaps...
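The jumpbox settings the reply recommends (key-based SSH only, no password interactivity), as an added example that is not part of the thread: a Python check of an OpenSSH `sshd_config` that reports any global directive still allowing password, keyboard-interactive or root logins. It encodes two OpenSSH parsing rules that are easy to get wrong by eye: the first occurrence of a keyword is the one that counts, and anything after a `Match` line is conditional rather than global. The defaults table reflects the OpenSSH 8.x/9.x server; the two configuration texts and the user name `gymadmin` are constructed.

```python
"""Check an OpenSSH sshd_config for the jumpbox settings the reply recommends:
public-key logins only, no password or keyboard-interactive prompts, no root
login. Added example, not from the thread; the config texts are constructed.

Two sshd_config rules the check respects: the first occurrence of a keyword
wins (a later duplicate does not override it), and directives after a Match
line apply only to matching connections, so they are not treated as global."""
import re

# Built-in server defaults for the keywords audited (OpenSSH 8.x/9.x).
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitemptypasswords": "no",
    "permitrootlogin": "prohibit-password",
}
# Values acceptable for a key-only jumpbox.
WANTED = {
    "pubkeyauthentication": {"yes"},
    "passwordauthentication": {"no"},
    "kbdinteractiveauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "permitrootlogin": {"no", "prohibit-password"},
}
# The older keyword is an alias of KbdInteractiveAuthentication.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return (effective global directives, first Match line or None).

    Keys and values are lower-cased; comments are stripped; 'Key value',
    'Key=value' and 'Key = value' are all accepted, as sshd does."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            return effective, line  # everything below is conditional
        effective.setdefault(key, value)  # first occurrence wins
    return effective, None


def audit(text):
    """Return findings as strings; an empty list means the global settings pass."""
    eff, match_line = parse_sshd_config(text)
    findings = []
    for key, ok in WANTED.items():
        explicit = key in eff
        got = eff.get(key, DEFAULTS[key])
        if got not in ok:
            origin = "set to" if explicit else "defaults to"
            findings.append(f"{key} {origin} '{got}', want one of {sorted(ok)}")
    if match_line is not None:
        findings.append(f"conditional block '{match_line}' present: its overrides are not audited here")
    return findings


# Constructed sample configs.
WEAK_CONFIG = """\
# Typical out-of-the-box file: keyboard-interactive is never mentioned, so the
# default (yes) applies; root login and password login are explicitly allowed.
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no   # ignored: the first occurrence above wins
Match Address 192.168.0.0/24
    PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
AllowUsers gymadmin
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or 'OK'}")
```

Run it against the file on the Pi (`audit(open("/etc/ssh/sshd_config").read())`) after editing and again after a reboot, since a package update can drop a file into `sshd_config.d/` that this check does not follow; `sshd -T` prints the daemon's own view of the effective settings and is the authoritative cross-check.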