VLAN config & firewall recommendation for home network

jtherkel
I would like to move more of our data off our laptops and onto a NAS. This data might include PDF copies of utility bills and other data I would like to keep private. Right now, we just have MP3s online, but I'm concerned about putting "important" data onto an always-on device.

This concern brought me to SNB, which has been a fantastic resource. My questions are:

1) What VLANs should I create to segment traffic appropriately? I created a diagram with three VLANs. (See attached.)

Network - General access for laptops and tablets.
Video - Just for Roku. Don't know if a separate VLAN is needed, but this might help performance?
Data - The NAS with more important data. I would restrict access to this VLAN to certain MAC addresses.

2) What are some example IP addresses I could use? I'm assuming 192.168.1.1 for the cable modem gateway, 192.168.2.1 for the firewall, etc. I'm sure I'm missing something here.

3) What SOHO firewall product would you recommend for this scenario? I like the free anomaly detection from the ZyXEL USG20, but I would never sign up for services with renewal fees of hundreds of dollars. Perhaps I could combine ZyXEL's USG20 and add OpenDNS Home VIP for web filtering ($20/year).

TIA,
John
 

Attachment: home_network.jpg

Well, if you're trying to keep the NAS out of reach of the internet, simply not giving it a default gateway would accomplish this. I don't see much reason for having to VLAN the network and do the MAC restrictions.

If a computer got compromised with a back door, the person could then access your NAS via that computer... however that's no different than if it had a VLAN with an access list only allowing access from certain MAC addresses.

I have a DNS-323 and used it for quite a while (it was great on deployments because it was pretty small and not too shabby performance-wise). You can get pretty granular with access (usernames and passwords) if you're extra paranoid about the device getting compromised. The trick with that then becomes not saving any passwords on the computers used to access them.

By far the best security tool I've ever seen is: http://tinyurl.com/a1qo

As far as IP addresses go, you can use anything in the 10.0.0.1-10.255.255.254 range, as well as the 172.16.0.1-172.31.255.254 and 192.168.0.1-192.168.255.254 ranges without external conflict. Best bet is to ask someone experienced with subnetting to confirm your settings will work.
 
Removing default gateway for security

Thank you for the thoughtful response. That's an interesting idea about removing the default gateway. A little searching brought me here.

http://www.azacamis.com/2008/11/modifying-default-gateway-as-added.html

Even if the operating system is fooled into thinking that a packet is coming from a trusted host when it is actually not, it will still try to communicate back with the trusted host and not the unauthorised host.

I would feel more comfortable with additional layers of defense, and I got interested in VLANs due to the advice on this website. :) Do you think adding something like a ZyXEL USG20 would increase security? Or am I just adding complexity?

Maybe a consumer grade router, plus the no-gateway trick would be enough. I'm looking for advice.
 
There's no such thing as 100% security. You're always going to have a weak link. If the data is sensitive enough to need so much security, it's probably better off on an external drive that gets locked in a safe after you're done using it.

Anything that is plugged into the internet is subject to attack. Removing the gateway will make it only really subject to attacks using a locally connected device. An old unpatched workstation without A/V protection would pose a significant risk, especially if it has access to the NAS.
 
I wouldn't go too wild with VLANs. Just one VLAN for internet access, another for local only.

You don't need to have separate subnets for each VLAN unless you want to. VLAN How To: Segmenting a small LAN walks you through some practical examples.

UTM appliances are focused on scanning traffic for malware and viruses. They can help by removing obvious exploits before they hit users' devices. But they aren't 100% effective.

Even a basic router will bounce unsolicited inbound traffic. You don't need a sophisticated firewall.

You should definitely keep sensitive files on a separate NAS that is on its own VLAN with no internet access. Media and other things you want to access remotely go on another NAS on its own VLAN with internet access.
 
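As an added example (not from any post in this thread), a small Python check of an addressing plan against the advice above: RFC 1918 ranges only, non-overlapping subnets, a usable gateway for VLANs that reach the internet, and no default gateway at all for the local-only Data VLAN. The VLAN names come from the first post; the subnets, gateways and "internet" flags are constructed assumptions.

```python
import ipaddress

# RFC 1918 ranges named in the thread: the only IPv4 space safe from external conflict.
RFC1918 = [ipaddress.ip_network(r) for r in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed plan for the three VLANs sketched in the first post. The VLAN names come
# from the post; the subnets, gateways and the "internet" flags are assumptions.
PLAN = {
    "Network": {"subnet": "192.168.10.0/24", "gateway": "192.168.10.1", "internet": True},
    "Video":   {"subnet": "192.168.20.0/24", "gateway": "192.168.20.1", "internet": True},
    # Local-only VLAN for the NAS: no default gateway, per the no-gateway advice above.
    "Data":    {"subnet": "192.168.30.0/24", "gateway": None, "internet": False},
}


def check_plan(plan):
    """Return a list of problems with a VLAN addressing plan (empty list = plan is OK)."""
    problems, nets = [], {}
    for name, v in plan.items():
        try:
            # strict=True rejects "192.168.1.5/24": host bits must be zero in a subnet.
            net = ipaddress.ip_network(v["subnet"], strict=True)
        except ValueError as err:
            problems.append(f"{name}: bad subnet {v['subnet']!r} ({err})")
            continue
        if net.version != 4 or not any(net.subnet_of(r) for r in RFC1918):
            problems.append(f"{name}: {net} is not inside an RFC 1918 private range")
        nets[name] = net
        gw = v.get("gateway")
        if gw is not None:
            gw_addr = ipaddress.ip_address(gw)
            # The gateway must be a usable host address inside its own subnet.
            if gw_addr not in net or gw_addr in (net.network_address, net.broadcast_address):
                problems.append(f"{name}: gateway {gw} is not a usable host in {net}")
        # Internet access needs a default gateway; a local-only VLAN must not hand one out.
        if v.get("internet") and gw is None:
            problems.append(f"{name}: internet access requires a default gateway")
        if not v.get("internet") and gw is not None:
            problems.append(f"{name}: local-only VLAN should not hand out a default gateway")
    # Subnets must not overlap, or routing between the VLANs becomes ambiguous.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap ({nets[a]} / {nets[b]})")
    return problems


if __name__ == "__main__":
    print(check_plan(PLAN) or "plan OK")
```
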
My Cradlepoint router has a black-list of IP address ranges. I've had to block most IP addresses coming from China. Too many PCs over there have viruses that are nuisances if not malicious.

My sensitive files are on my NAS, which is publicly accessible, with a password. But the sensitive data is in a virtual disk managed by SecureHouse software, which encrypts that virtual disk drive. For me, a much better UI than TrueCrypt. Just two mouse clicks and the PIN number.
 
Just brainstorming here, and I'm probably on the less educated side of the demographic but....

1. How much "outsmarting" of bad guys can be done by trying to obfuscate things with different subnet, gateway, and IP range settings? Even on my iPhone, once I'm on a network I can scan every IP & port on that network in minutes if not seconds (not scan and enter, but scan and check for life or not).

2. I've run a couple different DDNS solutions to get into my home NAS/network and noticed that when I was using a no-ip.org derived address I was getting *tons* of login attempts from Eastern Europe & Asia. Luckily the firewall on my NAS blocked them with every 2nd failed attempt.

2a. It would be nice if there was an easier way to blacklist domains and share that info with others (like a circle of trust type thing) that updated itself.

2b. It would be nice if there was a way to geographically blacklist IPs. That would be awesome.

2c. I'm curious as to how much networking equipment would let you permanently change the default login and disallow any attempts from guest, root and admin.

2d. I don't know if it is the popularity of no-ip.org or the simplicity of the domain name I chose (a 5 letter English language common brand name), but I've gotten almost no attempt to login to the NAS using other DDNS services.

3. (I plead total naïveté on this) Does running IPv6 make my network or devices more susceptible to attack, i.e. more identifiable and targetable? Even though I'm running a DHCP-assigned address from my ISP, will they ever need to change it?
 
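The lockout behaviour described in point 2 above (the NAS blocking a source after repeated failed logins), as an added example that is not part of any post in this thread: it replays constructed NAS log lines, blocks a source IP once it reaches a failure threshold, drops anything further from that source, and records which account name each blocked source last tried. The log format and all addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed NAS authentication log lines; the format is an assumption, not any vendor's real log.
SAMPLE_LOG = """\
2013-05-01T02:11:07 sshd: Failed password for root from 203.0.113.45
2013-05-01T02:11:09 sshd: Failed password for admin from 203.0.113.45
2013-05-01T02:11:12 sshd: Failed password for guest from 203.0.113.45
2013-05-01T02:13:40 sshd: Failed password for admin from 198.51.100.7
2013-05-01T02:20:00 sshd: Accepted password for john from 192.168.10.23
2013-05-01T02:25:31 sshd: Failed password for john from 192.168.10.23
2013-05-01T02:25:35 sshd: Accepted password for john from 192.168.10.23
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)


def lockout_report(log_text, threshold=2):
    """Replay log lines in order and apply a per-source lockout.

    Returns (blocked, dropped): blocked maps a source IP to the failure count and the
    last account name it tried; dropped counts lines from already-blocked sources.
    """
    failures = defaultdict(int)
    blocked, dropped = {}, 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not login results
        ip, user, result = m["ip"], m["user"], m["result"]
        if ip in blocked:
            dropped += 1  # the firewall would have dropped this packet
            continue
        if result == "Failed":
            failures[ip] += 1
            if failures[ip] >= threshold:
                blocked[ip] = {"attempts": failures[ip], "last_user": user}
        else:
            failures[ip] = 0  # a successful login resets that source's counter
    return blocked, dropped


if __name__ == "__main__":
    print(lockout_report(SAMPLE_LOG))
```
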
Creating separate networks causes issues where you need to run a WINS server or DNS server to work properly. When you have routed networks, machines do not see other machines or devices on other networks. This may or may not be a problem. If you have a home network and a guest network, it would not be a problem. If you have 2 home networks and want to share files, devices or shares, it is a problem across 2 routed networks. Using a routed network is doable; just be prepared to adapt to using 2 networks. It is done in the business world all the time.
 