
So I had an interview the other day and the server I built came up in conversation. Anyway so the guy asked what kind of security I had in place in order to protect it/my network. This got me thinking....what kind of security should I have in place? Is everything already secure enough as it is? 

 

My router (Asus RT-AC68u) has a built in firewall, which is enabled and I also have Trend Micro running on the router. I have VPN running on my router allowing me to remote into my network (and thus into my server), and I also have enabled Plex remote access on my server as well, so I can access my server just by logging into plex from anywhere in the world. 

PSU Tier List | CoC

Gaming Build | FreeNAS Server

Spoiler

i5-4690k || Seidon 240m || GTX780 ACX || MSI Z97s SLI Plus || 8GB 2400mhz || 250GB 840 Evo || 1TB WD Blue || H440 (Black/Blue) || Windows 10 Pro || Dell P2414H & BenQ XL2411Z || Ducky Shine Mini || Logitech G502 Proteus Core

Spoiler

FreeNAS 9.3 - Stable || Xeon E3 1230v2 || Supermicro X9SCM-F || 32GB Crucial ECC DDR3 || 3x4TB WD Red (JBOD) || SYBA SI-PEX40064 sata controller || Corsair CX500m || NZXT Source 210.

https://linustechtips.com/topic/544790-help-securing-my-network/

10 minutes ago, djdwosk97 said:

So I had an interview the other day and the server I built came up in conversation. Anyway so the guy asked what kind of security I had in place in order to protect it/my network. This got me thinking....what kind of security should I have in place? Is everything already secure enough as it is? 

 

My router (Asus RT-AC68u) has a built in firewall, which is enabled and I also have Trend Micro running on the router. I have VPN running on my router allowing me to remote into my network (and thus into my server), and I also have enabled Plex remote access on my server as well, so I can access my server just by logging into plex from anywhere in the world. 

I would say that is some pretty decent security for a smaller network. I mean you can always take it further and go with a standalone firewall and then have your router behind that but I think that's overkill unless you have a big company

https://linustechtips.com/topic/544790-help-securing-my-network/#findComment-7206088

There's no sense protecting something no one wants to do anything malicious to. That's plenty already.

If I use words like probably or most likely, it is because I dislike certainty. These words can probably be omitted and the sentence read as a certainty.

https://linustechtips.com/topic/544790-help-securing-my-network/#findComment-7206100

24 minutes ago, KraftDinner said:

I would say that is some pretty decent security for a smaller network. I mean you can always take it further and go with a standalone firewall and then have your router behind that but I think that's overkill unless you have a big company

Is there anything else worth considering other than a standalone firewall? 

22 minutes ago, powderbanks said:

IMO, the biggest failure of most home networks is a crappy wifi password and a crappy/default admin password for access to the router.

neither should be an issue -- although I have a guest network running on the router which I use for guests with a more simplistic password -- I don't know how separate the two networks actually are in terms of someone being on one and wanting to get into the other. 

22 minutes ago, NTF5252 said:

There's no sense protecting something no one wants to do anything malicious to. That's plenty already.

By that logic there shouldn't be any need for firewalls/anti viruses for the general population. -- the problem is there are and will always be people who will try to exploit any hole to gain access to any/all networks. Ransomware exists, non-technical people downloading things they shouldn't be and going on websites that they shouldn't be on are all problems that are definitely prevalent.

https://linustechtips.com/topic/544790-help-securing-my-network/#findComment-7206229

1 hour ago, djdwosk97 said:

Is there anything else worth considering other than a standalone firewall? 

 

neither should be an issue -- although I have a guest network running on the router which I use for guests with a more simplistic password -- I don't know how separate the two networks actually are in terms of someone being on one and wanting to get into the other. 

 

Only extra thing not mentioned but I'm sure you have setup already is local firewall on the server is enabled and only the ports actually required are open and no open access shares, all security/ACL protected.

https://linustechtips.com/topic/544790-help-securing-my-network/#findComment-7206879
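
An added example, not part of the thread or any poster's own code: one way to check the "only the ports actually required are open" point above on a FreeBSD-based box such as FreeNAS is to compare `sockstat -4 -l` output against an allowlist. The sample output, the allowlist and the function names are constructed for illustration.

```python
"""Compare listening sockets (FreeBSD `sockstat -4 -l`) with an allowlist."""

# Constructed sample output, not captured from a real host.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1021  4  tcp4   *:22                  *:*
root     nginx      1187  6  tcp4   *:80                  *:*
root     smbd       1302  30 tcp4   192.168.1.20:445      *:*
plex     Plex Media 1450  12 tcp4   *:32400               *:*
root     rpcbind    988   9  udp4   *:111                 *:*
root     python2.7  1203  5  tcp4   127.0.0.1:9042        *:*
"""

# Hypothetical allowlist: SSH, web GUI, SMB shares, Plex.
ALLOWED = {("tcp", 22), ("tcp", 80), ("tcp", 445), ("tcp", 32400)}


def parse_sockstat(text):
    """Return one dict per listening socket found in sockstat output."""
    listeners = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 7 or tokens[0] == "USER":
            continue  # header or malformed row
        # Parse from the right: command names may contain spaces.
        addr, _, port = tokens[-2].rpartition(":")
        if not port.isdigit():
            continue  # e.g. "*:*" on an unbound UDP socket
        listeners.append({
            "user": tokens[0],
            "command": " ".join(tokens[1:-5]),
            "pid": int(tokens[-5]),
            "proto": tokens[-3].rstrip("46"),  # tcp4/tcp6/tcp46 -> tcp
            "addr": addr,
            "port": int(port),
        })
    return listeners


def unexpected_listeners(listeners, allowed):
    """Listeners reachable from the network that are not on the allowlist."""
    return [
        (s["command"], s["proto"], s["addr"], s["port"])
        for s in listeners
        if not s["addr"].startswith("127.")  # loopback-only is not exposed
        and (s["proto"], s["port"]) not in allowed
    ]


if __name__ == "__main__":
    for finding in unexpected_listeners(parse_sockstat(SAMPLE_SOCKSTAT), ALLOWED):
        print("not on allowlist:", finding)
```

On a real host, feed the function the text of `sockstat -4 -l` instead of the sample and adjust the allowlist to the services that box is meant to offer.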

The firewall and NAT from the main router is fine, other than that, each system behind the router should have its own software based firewall (luckily windows comes with one). The reason for this is in case a device on your LAN gets compromised, you can ensure that your other devices will be secure.

 

For important data on your server and really any system, it is good to have a set of cold backups. I use an eSATA dock and just copy all of my important data to a bare drive (6 in a fire/water resistant safe), and pick the oldest one each month, and overwrite it with new backups, thus I keep about 6 months worth of versioned backups. Best of all, if my home NAS/server is ever killed or suffers massive data loss, I have cold backups that I can restore from. This is cheaper for me than paying for online cloud storage, as for less money, I can slowly expand my hard drive collection each year.

 

IoT devices, whenever I end up testing them, are kept on a guest network.

 

Devices such as security camera DVRs have all WAN access restricted, and all remote access to them is done over a VPN connection.

https://linustechtips.com/topic/544790-help-securing-my-network/#findComment-7206932

I would say turn off Remote Management and yes turn on Firewall and use VPN. You can also disable WPS, it's more convenient to leave it on but it can be brute forced pretty easily. Use WPA2 encryption, and use a complex password for the SSID and the router. Disabling UPnP really helps because some malware can utilize UPnP to bypass your router's firewall. MAC Filtering "can" help but a MAC Address can be spoofed anyway, meaning they can just bypass your MAC Filtering, but for others who don't know how to spoof their MAC Address at least they can't use your internet.

Where I hang out: The Garage - Car Enthusiast Club

My cars: 2006 Mazda RX-8 (MT) | 2014 Mazda 6 (AT) | 2009 Honda Jazz (AT)


PC Specs

Indonesia

CPU: i5-4690 | Motherboard: MSI B85-G43 | Memory: Corsair Vengeance 2x4GB | Power Supply: Corsair CX500 | Video Card: MSI GTX 970

Storage: Kingston V300 120GB & WD Blue 1TB | Network Card: ASUS PCE-AC56 | Peripherals: Microsoft Wired 600 & Logitech G29 + Shifter

 

Australia 

CPU: Ryzen 3 2200G | Motherboard: MSI - B450 Tomahawk | Memory: Mushkin - 8GB (1 x 8GB) | Storage: Mushkin 250GB & Western Digital - Caviar Blue 1TB
Video Card: GIGABYTE - RX 580 8GB | Case: Corsair - 100R ATX Mid Tower | Power Supply: Avolv 550W 80+ Gold

 

https://linustechtips.com/topic/544790-help-securing-my-network/#findComment-7208415

11 hours ago, NTF5252 said:

There's no sense protecting something no one wants to do anything malicious to. That's plenty already.

This is a very bad attitude... if you do online shopping or share a network with anybody that does, or fill out any forms online, you can lose data very easily. Just because there is nothing more than music and games on your HDD doesn't mean you don't have valuable data...

 

Be careful out there; the world is a scary place.

ESXi SysAdmin

I have more cores/threads than you...and I use them all

https://linustechtips.com/topic/544790-help-securing-my-network/#findComment-7209070

10 hours ago, leadeater said:

Only extra thing not mentioned but I'm sure you have setup already is local firewall on the server is enabled and only the ports actually required are open and no open access shares, all security/ACL protected.

My server is running FreeNAS, which isn't designed to be exposed to the internet anyway. So there is no native support for a Firewall, although I'm sure there is a 'hack' to get one working. 

9 hours ago, Razor512 said:

The firewall and NAT from the main router is fine, other than that, each system behind the router should have its own software based firewall (luckily windows comes with one). The reason for this is in case a device on your LAN gets compromised, you can ensure that your other devices will be secure.

 

For important data on your server and really any system, it is good to have a set of cold backups. I use an eSATA dock and just copy all of my important data to a bare drive (6 in a fire/water resistant safe), and pick the oldest one each month, and overwrite it with new backups, thus I keep about 6 months worth of versioned backups. Best of all, if my home NAS/server is ever killed or suffers massive data loss, I have cold backups that I can restore from. This is cheaper for me than paying for online cloud storage, as for less money, I can slowly expand my hard drive collection each year.

 

IoT devices, whenever I end up testing them, are kept on a guest network.

 

Devices such as security camera DVRs have all WAN access restricted, and all remote access to them is done over a VPN connection.

I have all the miscellaneous junk (smoke detectors, guests) on a guest network, which is only given WAN access and not LAN access. But I question how effective that really is -- i.e. if someone can get on the guest network then connecting to the main network probably isn't that hard? 

3 hours ago, DimasRMDO said:

I would say turn off Remote Management and yes turn on Firewall and use VPN. You can also disable WPS, it's more convenient to leave it on but it can be brute forced pretty easily. Use WPA2 encryption, and use a complex password for the SSID and the router. Disabling UPnP really helps because some malware can utilize UPnP to bypass your router's firewall. MAC Filtering "can" help but a MAC Address can be spoofed anyway, meaning they can just bypass your MAC Filtering, but for others who don't know how to spoof their MAC Address at least they can't use your internet.

I do have remote management for my router enabled and I likely won't disable that due to the fact that I often need to access the router's GUI when I'm away from home, and even more unfortunately, the only way I could get that working was to forward a port to the IP of the router -- which I'm really not happy about.

 

WPS is already disabled, but I think there was a reason why I had to enable UPnP for something (although I can't for the life of me remember why). Mac filtering doesn't really keep anyone out that I'd care about (i.e. anyone who gets stopped by Mac Filtering isn't much of a threat anyway) -- I did try it though in order to have better control over what's going on on the network in terms of traffic/making sure there weren't bullshit devices connected, but my router was being stupid and wouldn't let me disable MAC Filtering on the guest network even though there is an option for it. 

https://linustechtips.com/topic/544790-help-securing-my-network/#findComment-7209090

Ideally the safest setup will be the 3 router Y config that Steve Gibson recommends (though you are under a double NAT at that point).

 

 

 

But the main purpose for why I have been doing it for a long time is that I have some devices which serve a utilitarian purpose, thus I am not as inclined to replace them very often. The problem is that many companies stop releasing updates for their products fairly shortly after they are released.

 

While there is some risk of traffic making its way over from the guest network if there is any exploit available for it, it significantly increases the complexity of an attack, as they not only have to compromise the IoT device, but then have it do some VLAN hopping, and then find some way to monitor traffic on the other VLAN, or circumvent the security of other networked devices.

 

Other than that, if you are wondering about what if someone gets on the guest network, then all bets are off. Assuming you are using a strong password for both networks, if they have the ability to effectively break WPA 2 and AES, then your internal network is also easily compromised.

 

The main risk of IoT is what happens when a company no longer feels a need to issue security updates for your thermostat or smoke detector, or fridge (that needs an internet connection for some reason). These are utilitarian devices, and you will not be replacing them as often as you replace a smartphone. Thus when the company decides that after a year or 2, they don't need to update it anymore, and exploits are discovered, how do you safeguard your internal network? What if the drop in support and the exploit happens before you get the news?

 

With devices with such short support cycles becoming more common, it is best to take preemptive safeguards.

https://linustechtips.com/topic/544790-help-securing-my-network/#findComment-7210059

On 2/10/2016 at 9:06 AM, djdwosk97 said:

 

I have all the miscellaneous junk (smoke detectors, guests) on a guest network, which is only given WAN access and not LAN access.

Wait, wait, wait. You have your smoke detector on your network?

You know how it is, the cow goes "moo", the dog goes "woof" and the gamer goes "The PvP is unbalanced."

Spoiler

Personal Computer: CPU: i7-4790 Mobo: Asrock Z97 Extreme6 Graphics Card: MSI R9-380  Memory: 16GB (8GB x2) G. Skill Sniper Gaming Series PSU: Apevia Warlock 750W Case: NZXT Phantom 410 Series Storage: 240GB SSD (OS) 3TB HDD (data and such) 500 GB SSD (Movies and Large Data Transfers (I'm constantly moving this one around to other computers))

 

 

https://linustechtips.com/topic/544790-help-securing-my-network/#findComment-7223947