John's Musings

Yeah, Me Neither

Home Network Progress

I've given great consideration to network security lately and have taken some measures to harden my network a bit. One glance at the news today and it is all about emails, hacking groups, and information being disclosed. It seems that if you spark someone's interest, they'll get at your private life by way of your computers or devices.

For years I just hooked my router to my cable modem without much thought. I generally ran routers with custom firmware such as DD-WRT or Tomato and always fancied myself one step ahead of the average user, which I probably was. I just don't think fancy router firmwares are enough these days. Maybe I'm wrong, and maybe I'm even dead wrong, but I figured a firewall appliance was the place to start.

Make no mistake: you can build a firewall appliance for practically free. You probably have an old computer in a box in the attic that would make an excellent firewall. Combine that with an OS called pfSense and that's nearly all there is to it. The machine does need two Network Interface Cards (NICs), i.e. two ethernet ports, and pfSense works best with Intel NICs. One NIC is the WAN side (the internet) and the other is the LAN side (your inside network). The downside is that the old computer is, well, big, and makes a lot of noise with all its fans. And because it will likely run 24/7, you have to factor in the total cost to operate. It could be better to build a new appliance around a fan-less ITX or mini-ITX motherboard kit, or better still to buy a prebuilt appliance like I did here. I know what you're thinking: that costs $300, and it sure does. But we're talking about the security of your files, your bank account data, and everything that matters to you. What if somebody deleted 10 years' worth of your photos? It wouldn't kill you, but you can't get that back.

Again, you can build this firewall for nothing if you have an old computer lying around. Or you can go on eBay and find an old rack-mount server for about $60, or a really good one for $100. Or you can connect a 5-year-old router to the internet that hasn't been updated in, oh, say........never. Or let's say it's a brand new router and you do update it, but get a load of this. This fine gentleman posts about known, newly disclosed security vulnerabilities in routers. If you want a really good education, go to his router security site here and take some time to educate yourself on router security. Your router manufacturer wants you to connect EASILY to the internet so you don't have to call their expensive tech support people, so security is not the important thing. It has to work for the dumbest person who is going to buy and use it. That should make you feel good.

You don't have to be a computer genius to use pfSense, but you do need to take some time to read some online tutorials and follow them. I suggest running pfSense for a week, getting the feel of it, and then adding an intrusion detection package called Snort. Read online to learn how to configure it, and run it for a week or two. You'll have to learn how to weed out some false positives, because you'll find that you're blocking things you don't want blocked. But that's better than being wide open.
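The weeding out is done with suppress and event_filter entries in Snort's own syntax (the pfSense Snort package exposes these as suppression lists). This is an added, constructed example, not a list from the post: the SID 1000001 is a placeholder from the local-rules range and 192.168.1.0/24 is an assumed trusted LAN.

```snort
# Constructed example of Snort suppress / event_filter entries; sig_id 1000001 is a
# placeholder, not a real rule that fired on this network.

# Silence one rule everywhere (the blunt option: you lose the alert entirely)
suppress gen_id 1, sig_id 1000001

# Better: silence it only when the source is your own trusted LAN (assumed 192.168.1.0/24),
# so the same signature still fires for traffic coming from outside
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.168.1.0/24

# Or keep the rule but rate-limit a noisy one: at most 1 alert per source per 60 seconds
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60
```

Prefer the narrow forms: a suppression scoped to a source or destination keeps the detection for everything else, whereas a bare suppress is a permanent blind spot you will forget about.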

Or you could pay someone to do this for you. I hear that guy who set up Hillary's server is looking for a job...........bad idea.

After a couple of weeks of Snort, install something called pfBlockerNG, which lets you add lists (IP and DNS blocklists) of known spammers, bad guys, etc. Once again you'll have to dabble with it, because you'll probably block things you don't want blocked. Now are you safe from the NSA or some super god hacker? Probably not, but not every super hacker is out there running around looking to break into everyone's computer. Those people work for nation states and law enforcement, or they make their living stealing on the internet. Your pictures of Niagara Falls are not what they are looking for. But there are thousands, check that, maybe hundreds of thousands, of lesser-skilled people running up and down IP ranges looking for a soft target. Hopefully, if you aren't a soft target, they'll move right past you to the person with the next IP address while they are doing their nmap sweeps.
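To show what "dabbling" with a blocklist actually involves, here is an added Python example (not pfBlockerNG's code, and not a real feed): it parses a constructed feed in the plain one-address-or-CIDR-per-line format such lists come in, merges duplicates, flags entries that would cover your own address space, and applies an allowlist before the blocklist, which is the same idea as exempting something pfBlockerNG blocked that you wanted. The feed contents, the 192.168.1.0/24 "own network" and the allowlist ranges are all assumptions.

```python
import ipaddress

# Constructed sample feed, NOT a real threat list. Same shape as the plain-text
# IP lists pfBlockerNG consumes: one address or CIDR per line, '#' comments.
SAMPLE_FEED = """\
# constructed example feed
203.0.113.0/24
198.51.100.7
192.0.2.0/25   # trailing comment
not-an-address
203.0.113.0/24
2001:db8::/32
"""


def parse_feed(text: str) -> list:
    """Parse an IPv4 blocklist feed: skip comments, blank and junk lines,
    drop IPv6 (kept IPv4-only here), then dedupe and merge adjacent ranges."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # one malformed entry must not abort the whole feed
        if isinstance(net, ipaddress.IPv4Network):
            nets.append(net)
    return list(ipaddress.collapse_addresses(nets))


def overlapping_entries(feed_nets, own_nets) -> list:
    """Feed entries that cover your own address space. Load such a feed as-is
    and you block yourself (or your WAN) rather than the bad guys."""
    own = [ipaddress.ip_network(o, strict=False) for o in own_nets]
    return [n for n in feed_nets if any(n.overlaps(o) for o in own)]


def verdict(ip: str, blocklist, allowlist=()) -> str:
    """First match wins: an explicit allowlist entry beats the feed, otherwise
    any feed hit blocks, otherwise traffic is allowed."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(a, strict=False) for a in allowlist):
        return "allow"
    if any(addr in n for n in blocklist):
        return "block"
    return "allow"


if __name__ == "__main__":
    blocked = parse_feed(SAMPLE_FEED)
    print("loaded:", [str(n) for n in blocked])
    print("self-blocking entries:", overlapping_entries(blocked, ["192.168.1.0/24"]))
    print("203.0.113.45 ->", verdict("203.0.113.45", blocked))
    print("203.0.113.5 with exemption ->", verdict("203.0.113.5", blocked, ["203.0.113.0/28"]))
```

Run the overlap check against every feed before you enable it; a feed that contains a private range or your ISP's block is the classic reason "everything stopped working" after turning pfBlockerNG on.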

So here's my setup. The white box is the cable modem. The black box on the left, partially out of frame, is the SG-2220 pfSense firewall appliance. That is connected to a TP-Link 16-port Easy Smart Switch, on which I configured ports 15 and 16 to provide Virtual LANs (VLANs) that are segregated from my network. Attached to the port on the right is another wifi router which can only connect to the internet. All my Internet of Things appliances are connected to that wifi network.

Those items are:

Nest Thermostat

Raspberry Pi Music servers

Apple TV

etc. etc. etc.

The blue router in the photo serves up my trusted network. It also has a firewall and the installed firmware is DD-WRT.

You get the idea. If I have a device that hooks to the internet, and I have no control over its configuration and can't trust it, then it goes on the guest network. If someone sees that device and exploits it, it can't reach the trusted network. A "guest" network means internet access only: no access to other computers on the same or any other network.
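The "internet only" rule set is where people get this wrong, so here is an added Python model of it (this is an illustration written for this page, not the author's pfSense configuration and not pfSense code). It evaluates the rules on the IoT interface the way pfSense evaluates inbound interface rules, top down with first match winning and an implicit drop at the end, and contrasts the weak "allow anything" rule with a hardened set. The addresses (192.168.20.1 as the firewall's IoT-side address, 192.168.1.0/24 as the trusted LAN) are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addressing for the example; not taken from the post.
IOT_GATEWAY = "192.168.20.1"     # the firewall's own address on the IoT VLAN
TRUSTED_NET = "192.168.1.0/24"   # the trusted LAN behind the blue router
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    dst: tuple = ()              # destination networks; empty tuple = any
    dport: Optional[int] = None  # destination port; None = any


def evaluate(rules, dst_ip: str, dport: int) -> str:
    """First-match evaluation of the inbound rules on the IoT interface, as
    pfSense does for interface rules (pf 'quick'); nothing matched = drop."""
    addr = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.dport is not None and r.dport != dport:
            continue
        if r.dst and not any(addr in ipaddress.ip_network(n) for n in r.dst):
            continue
        return r.action
    return "block"


# Weak: the single "allow to any" rule a freshly created interface often gets.
# It lets an exploited thermostat walk straight into the trusted LAN.
WEAK_IOT_RULES = [Rule("pass")]

# Hardened: allow the firewall's own DNS and DHCP first, then block every
# private range (which covers the trusted LAN and the firewall's web GUI),
# then allow whatever is left, which is the internet.
HARDENED_IOT_RULES = [
    Rule("pass", (IOT_GATEWAY,), 53),
    Rule("pass", (IOT_GATEWAY,), 67),
    Rule("block", RFC1918),
    Rule("pass"),
]

# Ordering pitfall: the same rules with the private-range block moved to the
# top silently breaks DNS and DHCP for the whole IoT VLAN.
MISORDERED_IOT_RULES = [Rule("block", RFC1918)] + HARDENED_IOT_RULES[:2] + [Rule("pass")]


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_IOT_RULES), ("hardened", HARDENED_IOT_RULES)):
        print(name, "IoT -> trusted LAN smb:", evaluate(rules, "192.168.1.10", 445))
        print(name, "IoT -> internet https:", evaluate(rules, "203.0.113.10", 443))
        print(name, "IoT -> firewall DNS:", evaluate(rules, IOT_GATEWAY, 53))
        print(name, "IoT -> firewall GUI:", evaluate(rules, IOT_GATEWAY, 443))
    print("misordered IoT -> firewall DNS:", evaluate(MISORDERED_IOT_RULES, IOT_GATEWAY, 53))
```

One caveat the model makes visible: these rules only see traffic that crosses the firewall. Two devices on the same IoT VLAN talk to each other through the switch or the wifi router without ever touching pfSense, so "no access to other computers on the same network" has to come from client isolation on that wifi router, not from the firewall.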

So again, I think the days of hooking a router up directly to your modem are rapidly coming to a close. Everyone has data they need to protect, even if it is just your favorite selfies. Firewalls, baby.