Reasonable Home Network Security Setup for 2018
With years of work in the field of security, a non-IT person would think I have seen it all. That's not the case; actually, quite the opposite. The number of threats and lucrative attack vectors has become so wide that I really struggle to stay in the boxing ring. I guess thanks go to the availability of information and the number of people engaging in hack-alike activities. Don't get me wrong:
A hammer can be a useful tool to fix a car, but it could also be used to break someone's head. The same applies to information availability.
In order to stay in the ring, in a corporate environment I use a totally different approach. No cloud. Period. You can open destination ports 80 and 443 (80 is considered for removal) and that's it. I even take care of BGP peering. WiFi? Nope. A good old cable. But that's a bit hardcore; this article is about what I use to secure my home network.
Kids want to play video games, the wife wants Netflix, right? You can't just drop everything as in the corporate environment described above.
Let me share what I am using.
(Disclaimer: there is no paid promotion for the products. These are my personal choices.)
First things first, here is my topology, simplified. Actually there are a lot more components due to the nature of my job, but this will give you an idea.
Most Important Security Components:
- UNTANGLE is the entry point, separating WAN and LAN. It performs HTTPS inspection, virus scanning, ad blocking, and many other tasks.
It looks like this:
And for the purpose of having a bit of fun, this is the page it throws in case you try to open a malware distribution point and get blocked :)
Price: About $50/yr for home use, way more expensive for business use, but the features are the same.
- Firewall and Router, CloudCore, 16GB RAM, comes next. It's a bit overkill, but it's the center of the network. It takes care of the devices on LAN and WiFi, as well as the fast storage server connected with LACP (802.3ad) so movies are served fast :). This is also the place where most things get dropped.
- STORAGE server is connected to the router directly, with a RAID setup and enough space for music, movies, backups etc.
- BIND9 DNS server behind the firewall, recursive from the local network only. If you are going to perform DNS queries, this is the server you are about to ask. Everything else gets dropped by the firewall, unless it's from the internal DNS to the corporate one.
- Two Apple Time Capsules take care of wireless connectivity in roaming mode so the signal is great, but they also make incremental backups of the Macs within the "Home Sweet Home" zone. If one fails, backups and connectivity are safe.
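The DNS rule above (LAN clients may only ask the internal BIND9 box, only that box may send DNS out, everything else on port 53 is dropped) as an added example that is not part of the original post: the policy expressed as a classifier, run over constructed netfilter LOG lines to list which LAN devices are trying to bypass the resolver. The addresses, the log prefix and the log lines are assumptions.

```python
"""Added example, not from the original post: the home DNS egress policy as
a classifier, plus a report over constructed firewall LOG lines showing which
devices try to bypass the internal resolver. All addresses are assumptions."""
import ipaddress
import re
from collections import Counter

LAN = ipaddress.ip_network("192.168.0.0/16")          # assumed home range
INTERNAL_DNS = ipaddress.ip_address("192.168.1.53")   # assumed BIND9 host


def dns_flow_allowed(src: str, dst: str) -> bool:
    """True if a port-53 flow src->dst is permitted by the policy above."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s == INTERNAL_DNS:
        return True      # resolver recursing out, incl. to the corporate DNS
    return s in LAN and d == INTERNAL_DNS   # ordinary client lookup


# Fields of a netfilter LOG line (e.g. from "-j LOG --log-prefix DNS-EGRESS").
_LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+).*?PROTO=(\S+).*?DPT=(\d+)")


def bypass_report(log_lines):
    """Map src_ip -> Counter of external resolvers it tried on port 53.
    A host listed here has a hard-coded resolver (or something worse) and
    needs fixing even though the firewall already dropped the packets."""
    report = {}
    for line in log_lines:
        m = _LOG_RE.search(line)
        if not m or m.group(4) != "53":
            continue                       # not a DNS flow
        src, dst = m.group(1), m.group(2)
        if not dns_flow_allowed(src, dst):
            report.setdefault(src, Counter())[dst] += 1
    return report


SAMPLE_LOG = [  # constructed lines in the kernel LOG target's format
    "DNS-EGRESS IN=br-lan OUT=eth0 SRC=192.168.1.53 DST=10.200.0.53 LEN=64 TTL=64 PROTO=UDP SPT=49213 DPT=53",
    "DNS-EGRESS IN=br-lan OUT=eth0 SRC=192.168.1.77 DST=8.8.8.8 LEN=58 TTL=64 PROTO=UDP SPT=51234 DPT=53",
    "DNS-EGRESS IN=br-lan OUT=eth0 SRC=192.168.1.77 DST=8.8.8.8 LEN=58 TTL=64 PROTO=UDP SPT=51235 DPT=53",
    "DNS-EGRESS IN=br-lan OUT=eth0 SRC=192.168.2.10 DST=1.1.1.1 LEN=60 TTL=64 PROTO=TCP SPT=40011 DPT=53",
    "DNS-EGRESS IN=br-lan OUT=eth0 SRC=192.168.2.10 DST=93.184.216.34 LEN=60 TTL=64 PROTO=TCP SPT=40012 DPT=443",
]

if __name__ == "__main__":
    for src, dsts in bypass_report(SAMPLE_LOG).items():
        print(f"{src} bypassed the internal resolver: {dict(dsts)}")
```

Run it against your router's real LOG output to find devices (IoT gear is a common offender) that ignore the DHCP-supplied resolver.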
Device Protection:
- Little Snitch, as a matter of caution, on each Mac.
You can also set a lot of different rules, but essentially, it blocks everything unless explicitly allowed. Once you block or allow, it remembers. Think of it like iptables on *nix, with a nice graphical interface. Imagine that iptables had a window that pops up and asks you: this PID wants to connect to this host; Allow, Temporarily Allow, or Deny for good.
Price: about $50
- For antivirus, I use BitDefender. Why? Because it's capable of detecting malware in Linux / OS X based binaries. So far, I have had very good results. It also protects Android devices.
Price: Around $100/yr for 5 devices.
- Micro Snitch, a small piece of software that saves you from putting tape over the camera :) If a video or audio device becomes active, it informs you.
Cost: Free with the Little Snitch bundle.
Total cost of software for protecting the home network: About $200/yr.
Extra hints:
- I still keep all my cryptocurrency keys on paper.
- I use an authenticator app and security keys for all cloud services.
This is how I am doing it. Do you have your own setup? Opinions? Good tools to share? Feel free to drop them in the comments. I am always looking to evaluate interesting setups and good utilities.
Interested in the field of security? Check out this post to get you started with what's happening on the crazy planet called Earth :) https://steemit.com/technology/@crt/this-is-how-you-are-getting-hacked-institutional
Want to vote in support for my Witness work?
You can do it with an unlocked cli_wallet by executing:
vote_for_witness "yourusername" "crt" true true
or by casting a vote by entering crt at the bottom of the page here https://steemit.com/~witnesses
Remember: "The safe computer is the one buried 20 meters underground, without network cables and power supplies. Although, I can't guarantee and be 100% sure." - Unknown Author.
Stay Safe,
S.
Thanks for the great read!
Although, for the gridcoin tag, maybe you could present a (in your opinion) safe solution for incoming Gridcoin Wallet connections.
Thanks for the idea @theissen! I'll try to make another one with possible threats of hosting a GRC node and how to mitigate them, with a few different approaches, and try to make some Layer 7 based rules for the GRC network. That would be a cool thing to have, as I did not find something similar in BTC derivatives around.
As for the tag itself, I put it as an experiment, thinking that if the post goes trending in any other category, it would be nice to have the GRC tag as well. Someone will click and discover, as most of my topics are GRC based. Anyhow, I'll try a slightly different approach, making a signature leading to some 'Get Started with GRC' links.