Without a NGFW..

Discussion in 'privacy technology' started by Mayahana, Mar 11, 2015.

  1. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    I logged in to Wilder's to start my own thread after reading this one for the past day or so. Fortunately, MisterB went down the pipe I was going to address and I would like to expand on his inquiries. Many of us might not have expensive appliance budgets. Enter a second or third router. I have a few spares lying around and I am seriously considering using this approach after considering this thread. It appears very easy to set up a LAN-to-WAN dual router setup. In my case I do NOT need wireless on what I'll call lan2. I don't need bridging. I will run Cat6 to a specific device and that will be used ALONE on lan2. The rest of the network will be on the normal lan1. Love the idea!

    In essence this would be a poor man's pfsense approach. LOL!

    MisterB or others, have you noticed any speed degradation using dual LANs/routers in wired-only configurations? Remember, no wireless on lan2 and the raw ISP line is 100+ meg. I would suspect the reliability would be awesome since it's all wired!

    Mayahana, I'll also look through ebay or similar for an old legacy enterprise device. I already have the second router sitting in the basement.
     
    Last edited: Mar 13, 2015
  2. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    The selling price on eBay for a WRT54GL router flashed with DD-WRT is around $25 so I suppose I could sell one and buy a higher end router but I'm not in a hurry. Sooner or later this area is going to get a fiber optic network--it was supposed to be operating this year but nothing has happened as of yet. When I get some more bandwidth at a price I can afford I might upgrade the infrastructure but until then, a couple of linux routers is fine.

    Most of the consumer routers I've dealt with are pretty lame. The only thing that makes these good is the alternative firmware and the reliability--I've been using the same one daily for quite a few years. My ISP is really fussy about routers. They provide the routers already set up and I'm one of their few customers allowed to use and administer their own router. I'm not sure how I pulled this one off. I have an acquaintance who makes a living as a coder; he complained to me about not being able to tweak his router.
     
  3. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    What's the situation with this regarding updates?
     
  4. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Remember, unless you are using a Layer 7 or Layer 8 appliance, then you still don't have much security. VLANs and segregation are only going to protect you from external threats to some extent. To gain protection from external blended threats, internal blended threats, and infected devices you must have Layer 7-8. What I was hit with in the opening post would not be stopped by your gear, and unless you lock down all outbound IPs to a specific IP table, it won't do much as you aren't dealing with L7+ appliances. You need ATP, DLP, IPS, Web, AV, WAF, and even application control and/or country filtration for true security.

    I am not so much worried about inbound as I am outbound. I want to control the data flowing OUT from my home as much as the data flowing in.
     
  5. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    I agree about the outbound. I've been reading the logs of my routers and I'm not finding anything to worry me. I suspect my ISP has a fairly good firewall on their system, and all of my Windows clients have hosts files to block malicious domains and a firewall that will inform me of any apps that are trying to make an outbound connection. I also rigorously vet my software, so I have a pretty small list of software that I use and find acceptable. I just rejected an app I could have found useful just because it had Facebook and Twitter buttons. I have a pretty subjective set of standards and one of them is absolutely no commercialism. The app was an encryption app and I found the social media buttons totally out of place for an app that is supposed to be used for privacy.
     
  6. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Remember, unless you pay for stuff, the thing you sacrifice is usually privacy. There are major exceptions to this of course, such as Sophos UTM itself, which is free for the home and has no strings attached. But recent stories seem to indicate that if you elect free for some things you compromise security/privacy in the process. So I agree, we need to be careful. While having a UTM with strong policies and packet inspection allows me to be 'lazy' most of the time, as I can assume almost all nefarious activity will be stopped, I still need to consider what gets installed. Often it's out of my control. Smart TVs, TiVos and a few other things install updates and apps without your interaction. Securing those without a UTM is virtually impossible unless you want to break functionality.

    The key with me and this home is, I can't do anything that will break ANYTHING. That's sometimes a challenge.
     
  7. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    Free software varies a lot in terms of what is offered and how it affects privacy. I use open-source GPL-licensed software as much as possible. I'm willing to put up with software that might have a steeper learning curve or not be slick or convenient if it does its intended job and doesn't have restrictive licensing. I check out a lot of daily giveaway software of paid apps and the vast majority of them don't make it past the first VM test run. In a sea of mediocrity I've found a few gems. Some companies are pretty cool in the way they deal with their free products. Paragon is one. I haven't gotten to the point of testing out the Sophos free products but they look really good from the outside. I might just set up UTM as much for the information it can give me as for what it can block. I find the best security products don't just prevent and block, they give feedback that points to weaknesses and problems.
     
  8. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    My pitiful bandwidth is no good for any kind of speed test. At less than 10 Mbps, there is no noticeable loss of bandwidth in a daisy-chained router for a raw connection. I get around a 10% decrease for each VPN tunnel hop, whether in the router or in a client machine. I've started to use this to limit bandwidth on some clients. Not only do I get extra privacy, I'm keeping one device from sucking all of my bandwidth by applying a VPN client tunnel on top of the router tunnel. Tomato USB can do a two-hop connection, so I will automatically reserve 20% or so of the first router's bandwidth if I do 2 tunnels on the second.
     
  9. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Re legacy enterprise grade stuff: Is the firmware/software still updated? Are the updates reasonably frequent? Are the AV and IDS engines updated regularly to keep in line with the state of the art, or maintained at legacy versions? What about the rulesets?

    Re proprietary software: Proprietary solutions can be effective, but honestly I don't like them on principle when it comes to security stuff. End user security should not be a Big Honking Trade Secret.
     
  10. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    I use redundancy as one of my guiding security principles, and the licensing fees for proprietary software would get exorbitant really fast even if the per-seat cost was low for every app I use. GPL open-source software is the way to go, even in Windows. If there is an app with a GPL license that fulfills a need, I will use it.
     
  11. Joxx

    Joxx Registered Member

    Joined:
    Sep 5, 2012
    Posts:
    1,718
    If I were to install a hardware firewall with UTM/NGFW in my home (router > 2 computers wired), how would it go?
    Router>FW>devices
    FW>router>devices
    Or can the FW replace the router?
     
  12. 142395

    142395 Guest

    Router>FW>devices if you use it in bridge/transparent mode.
    Or if you use it in router mode, it can replace your router.
    Some UTMs don't give full features in transparent mode.
     
  13. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    The important thing is to be able to trust and control the router function (wherever that is executing) - after all, routers implement important firewall functions anyway. You do not want a vulnerable router (or one which you do not really control or trust) which can be hacked because they will be able to re-route your traffic to suit their model etc.

    In practice, my view is that you want to downgrade the ISP gear to bridge mode, and control your router/FW/UFW.
     
  14. 142395

    142395 Guest

    That's a good point, and at the risk of gathering criticism, I have some unease about ASUS routers with AiProtection because ASUS firmware tends to be buggy and they have a questionable history, e.g. their EeePC came with malware in the past and I'm not impressed by the measures they took. They didn't identify the cause of the incident; instead they promised they'd scan PCs with multiple AVs (at that time they used only Symantec), so my question is "what if the malware is not caught by any AV?". They have to verify all files on the PCs they're shipping, otherwise they will be the next Lenovo. Also, they left a serious vuln open for months by not admitting the reported vuln until a user was hacked and the attacker left a text file saying "your router is accessible all over the world" or some such.
    I hope nobody misunderstands me; I'm seriously thinking about purchasing an ASUS RT-AC87U or 68U or other, but still gathering all kinds of info. I will replace the original firmware with Merlin's, but it seems most vulns are common.
    As to vulnerability and control, maybe the best way is building the router yourself with OpenBSD or Alpine and strictly controlling it, but it requires certain skills; maybe not a way I can go right now.
     
    Last edited by a moderator: Mar 16, 2015
  15. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    Have you ever attempted to use a DD-WRT vpn/tunnel router 24/7 as your Lan2 (no wireless on lan2), but pass it through a "normal" home/unencrypted router on lan1 connected to the ISP? I ask because I have one experimental laptop I use frequently on one vpn and tor. It might be neat to use lan2 as I just described (for vpn1) and then I would still be able to add vpn2 using my laptop host, before jumping on tor in virtual machines. How do you think that might work?
     
  16. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    I don't have anything on 24/7. The routers get shut off at night and restarted in the morning. The current setup is: router 1 has stock Tomato and connects to the ISP. I have one client laptop and one client VoIP phone on it. These are the only devices I want to show my real IP. Router 2 has Tomato USB with OpenVPN and has one VPN tunnel on automatic connection and one on manual. Everything else I have is connected to this router. I can put another VPN or Tor or both on top of the router tunnel. The most extreme I've tested is Tor on top of one OpenVPN client tunnel on top of a VPNgate SoftEther tunnel on top of both router tunnels. Slow, and it used a lot of CPU cycles, but it worked. I've got another router I want to flash with DD-WRT and play with, more just to see what it can do as far as domain blocking (which is awkward in Tomato) than for another VPNed LAN, but I will set up a tunnel on it as well.
     
  17. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
  18. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Modem->UTM->Switches/Devices

    Or you could put it in Transparent and do

    Modem->UTM->Router->Switches/Devices or Modem->Router->UTM->Switches/Devices

    Untangle sets up transparent/bridge in about 10 minutes, no hassles, and gives you free AV+IPS with the no-charge package. Ideally, a good UTM should simply replace your router, then use a WAP, or set a wireless router into AP mode for wireless. So it all goes through the UTM.
     
  19. Russ64

    Russ64 Registered Member

    Joined:
    Mar 17, 2015
    Posts:
    17
    Location:
    London, UK
    @Mayahana - really need some unbiased advice - I am trying to set up my UTM 9 Home (in sig) but keep reading about avoiding double NAT.
    What I want to do is:
    ISP GW router > Switch > Low Security Subnet 1 > UTM > Switch > High Security Subnet 2 > WAP

    I do not have full admin access to ISP router to change mode but in any case I want it to NAT things in zone 1 such as STB & PS3.
    If I put the UTM in as Bridge will it still protect zone 2 from zone 1 and have AV/IPS/etc?
    What is the real reason to avoid double NAT, is it just performance? My internal network is anyway faster than my ADSL connection.

    Thanks!
     
  20. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    My question is, are you using an L3 switch to create a high security subnet?

    Assuming you can disable DHCP on the GW (if not, it's much more difficult), the best way IMO would be:

    1) Your ISP gateway should handle NAT, but not DHCP; allow the Sophos to handle DHCP but disable NAT on it.

    2) Your Sophos UTM should have 3 NICs. Interface 1: WAN, Interface 2: Green Zone subnet (higher security), Interface 3: Blue Zone subnet (WiFi security). Then your switches go off of those NICs as needed. Each interface will have an isolated subnet, with the strongest LAN restriction placed on the Blue Zone.

    3) You only want ONE NAT device, in this case your ISP GW; NAT everywhere else needs to be disabled.

    If you cannot turn off DHCP on the ISP GW you have your work cut out for you. Sophos is difficult to configure in transparent/bridge mode. I would actually use Untangle and set up zones within Untangle, with Untangle in transparent mode with multiple zones, unless you are up to the task of troubleshooting Sophos in this capacity. Worst case, replace the ISP GW with an SB6141, and then handle NAT+DHCP and interface security with the Sophos UTM.
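    The three-NIC, single-NAT layout from steps 1-3 above, written out as an added example for a plain Linux router (this is not code from the thread, nor Sophos or Untangle configuration). The interface names and subnets are assumptions; the ISP gateway keeps doing the one NAT, so this box only routes, serves DHCP/DNS and isolates the zones.

```shell
#!/bin/sh
# Added example, not from the thread or from Sophos: the three-NIC layout
# of post 20 on a plain Linux router. The ISP gateway stays the single NAT
# device; this box only routes, hands out DHCP and isolates the zones, so
# there is no source-address rewriting here at all.
# Interface names and subnets below are assumptions; edit to match.
WAN=eth0;   GW_NET=192.168.1.0/24      # toward the ISP gateway (its LAN)
GREEN=eth1; GREEN_NET=192.168.10.0/24  # wired, higher security
BLUE=eth2;  BLUE_NET=192.168.20.0/24   # WiFi, most restricted

# Emit the iptables commands for the zone policy (review, then apply as root).
# Because nothing is NATed here, the ISP gateway needs static routes for
# GREEN_NET and BLUE_NET via this box's WAN address, or replies never return.
zone_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Each zone reaches the Internet; the -s match doubles as anti-spoofing
iptables -A FORWARD -i $GREEN -o $WAN -s $GREEN_NET -j ACCEPT
# Blue may not touch the gateway's own LAN (STB, consoles), only pass through it
iptables -A FORWARD -i $BLUE -o $WAN -s $BLUE_NET -d $GW_NET -j DROP
iptables -A FORWARD -i $BLUE -o $WAN -s $BLUE_NET -j ACCEPT
# No new connections between the zones in either direction; log Blue's attempts
iptables -A FORWARD -i $BLUE -o $GREEN -m limit --limit 5/min -j LOG --log-prefix "BLUE->GREEN: "
iptables -A FORWARD -i $BLUE -o $GREEN -j DROP
iptables -A FORWARD -i $GREEN -o $BLUE -j DROP
# Services this box offers: DHCP and DNS to both zones, admin (SSH) from Green only
iptables -P INPUT DROP
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $GREEN -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $BLUE  -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $GREEN -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $BLUE  -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $GREEN -s $GREEN_NET -p tcp --dport 22 -j ACCEPT
EOF
}

if [ "${1:-}" = "--apply" ]; then
    zone_rules | sh          # needs root
else
    zone_rules               # dry run: prints the rule set for review
fi
```

Run it without arguments to review the generated rules, then with --apply as root once the gateway's static routes are in place.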
     
  21. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Here is an example of why a UTM is important. I put my Untangle box back up in transparent mode, and within a few hours 41,000 background advertising/datamining connections were blocked. Turns out it was from a KINDLE in the home, and some apps installed on the Kindle.

    So without a UTM, it's really difficult to secure individual devices, and a network as a whole.
     

  22. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    Simple mind here. Wouldn't placing the Kindle on its own unique and isolated LAN prevent crossover into e.g. a laptop for surfing and hobby stuff? My approach, although I don't profess to have your skillset, is to isolate my hobby machine from all other devices on the network via a private LAN and then iptables locking to tun0 only on the hobby machine. I could care less about the remaining "home network" other than reasonable homeowner security measures. Is that inadequate for what I am attempting? Feel free to "sink my battleship" if I go through this security theater and I am not really where I think I am. I want to learn here, so don't spare my "feelings".
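    The "iptables locking to tun0 only" policy described in the post above, written out as an added example (not the poster's own rules). The interface names, VPN endpoint (a documentation address as placeholder), port and protocol are assumptions to edit; the point is that the only cleartext egress the machine is ever allowed is the VPN handshake itself.

```shell
#!/bin/sh
# Added example, not from the post: the "iptables locked to tun0 only"
# policy for the hobby machine on the private LAN. Every value below is an
# assumption to edit: LAN interface, the VPN endpoint (a documentation
# address as placeholder), port and protocol.
VPN_IF=tun0
LAN_IF=eth0
VPN_SERVER=203.0.113.10   # placeholder endpoint; use the server's IP, not a name
VPN_PORT=1194
VPN_PROTO=udp

# Emit the rules (review, then apply as root). DNS is deliberately not
# allowed over $LAN_IF: with the endpoint given as an IP the tunnel can come
# up without resolving anything, and all lookups afterwards go via tun0.
killswitch_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -F INPUT
iptables -F OUTPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DHCP so the machine still gets its lease on the private LAN
iptables -A OUTPUT -o $LAN_IF -p udp --dport 67 -j ACCEPT
# The only cleartext egress: the VPN handshake to the one endpoint
iptables -A OUTPUT -o $LAN_IF -p $VPN_PROTO -d $VPN_SERVER --dport $VPN_PORT -j ACCEPT
# Everything else leaves through the tunnel or not at all
iptables -A OUTPUT -o $VPN_IF -j ACCEPT
# Log (rate limited) what tried to bypass tun0 before dropping it
iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "VPN-LEAK: "
iptables -A OUTPUT -j DROP
EOF
}

if [ "${1:-}" = "--apply" ]; then
    killswitch_rules | sh    # needs root
else
    killswitch_rules         # dry run: prints the rule set for review
fi
```

If the tunnel drops, the default OUTPUT policy of DROP means nothing falls back to the bare LAN; the VPN-LEAK log lines show which process tried.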
     
  23. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Subnet segregation is the base for security, sure. But it's still not going to prevent the actual 'device' from sending telemetry for THAT device, but would prevent local subnet intrusion between devices by a blended threat.
     
  24. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    I thought I would add a few points here.

    I have been looking into this company https://itusnetworks.com/product/shield
    They make an outbound deep packet inspection technology appliance for a very reasonable price. For me personally the device currently is limited to 50M connections which is a problem for me. Very promising device if you want to block outgoing connections.

    In terms of router hardware I currently use Ubiquiti products. Their EdgeRouter allows for multiple WANs with a starting price of around $100. They are incredibly powerful routers and can handle very heavy traffic.

    They also offer a security gateway (https://www.ubnt.com/unifi-switching-routing/usg/) that I believe can handle many of the things people are looking at here.
     
  25. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    www.asus.com/us/Motherboards/Z97DELUXENFC_WLC/specifications/
    (scroll down and note the "Special Features" RemoteGo, cloud, etc)

    www.asus.com/us/Motherboards/RAMPAGE_V_EXTREMEU31/specifications/
    (scroll down to: Manageability: WfM2.0, DMI2.7, WOL by PME, PXE)

    The above serve as a couple of quick examples of the "features" provided by many modern BIOSes.
    I don't have a better link handy at the moment, but one of these features is described (as providing a benefit) like this:
    "Even while your PC is off, periodically call out and retrieve your tweets/feeds, so that they are immediately available when you next boot the PC".
    So, the OFF button nowadays isn't really off. Instead, unless you care to wade through BIOS settings and de-fang those inbuilt "features",
    the OFF button just initiates a "C1 state" or some such, with Wake-on-LAN and PXE and other inbuilt goodness you didn't ask for (and most users won't realize is there).
     