Sunday, May 19, 2013

Overthinking Your Network

[In this installment, I discuss the overwhelming tyranny of choice faced by the home networking power user who is starting to consider enterprise approaches (VLANs, routing protocols, multi-WAN, redundancy, and failure bypass options) for what is fundamentally a home network.]

Most home Internet users have a DSL or cable modem and a Wi-Fi firewall/router. Power users may run third-party router firmware or a dedicated PC firewall/router, alongside dynamic DNS registration and port forwarding for a few services. Many power users want to connect securely to services on their home network from the outside. This may be the age of cloud computing, yet it's also the age of increased home automation: there are turnkey home automation systems that use cloud servers for control via mobile apps and browsers, there are DIY automation systems, and there probably won't be standards for home control, monitoring, and security via the Internet for years to come. Secure outside access to one's home network is pretty much the hallmark of the power user.

I'm currently on a two year Comcast Business Class contract. This gives me five public static IP addresses, not including the Comcast gateway box itself. Mo' IPs, mo' problems. Having these separate external IPs gives me dreams of putting my outgoing home traffic on one, my VoIP PBX on another, a wireless guest network on a third, incoming services on a fourth, and admin/automation on a fifth. It's not like I need all these addresses, but I sure like the idea of them...

Then there's the issue of VLANs. All my network switches are "smart(ish)" and support VLANs:

  • 8 port GigE PoE switch
  • 8 port GigE smart switch
  • 24 port GigE smart switch #1
  • 24 port GigE smart switch #2
VoIP phone jacks will obviously be patched to the PoE switch. These ports will default to the "home networking" VLAN, and the switch's voice-VLAN feature can recognize phones (by LLDP-MED or by the vendor prefix of their MAC addresses) and tag their traffic onto a separate VoIP VLAN, while a PC daisy-chained behind the phone stays on the home VLAN. I want secure Wi-Fi access to my home networking VLAN and a separate, unprotected guest Wi-Fi with a captive portal. Guests would have to VPN in to the secure home network if necessary. I want some Internet services to be provided from server(s) in a DMZ, which could end up as one or more VLANs.

None of this really gets me to a network architecture yet, but I'm starting to converge on a set of rules or guiding principles:

  1. Expose as few boxes as possible on the public Internet and secure the hell out of those boxes. I'll probably end up with a single firewall/router handling all my public IPs. Providing multiple external points of intrusion to internal networks seems like a bad idea.
  2. Secure administrative access to all your equipment. Imagine the following scenario: an attacker gains a foothold on a DMZ server, scans every address on the local network, identifies the switches by the vendor prefix (OUI) of their MAC addresses, and logs in to their admin interfaces with the default username and password, or, failing that, adds an address in the switch's factory-default management subnet to the compromised server's interface and connects that way. Security by VLAN: gone. Management interfaces belong on their own VLAN and subnet, reachable only from the admin network, with the default credentials changed and the DMZ VLANs given no route to them.
  3. Use 1:1 NAT and/or PAT with private addressing for everything behind the Internet point of entry. This is more flexible than a transparent/bridging firewall: the internal addressing plan stops depending on the ISP, and a later move to IPv6 on the outside needn't disturb legacy IPv4-only devices inside.
  4. Prefer VLAN separation to a single flat DMZ network, so that one compromised server cannot be used as a launch point for attacks on its neighbours. Some switch vendors offer features (Cisco's protected ports and private VLANs, for instance) that provide this isolation without the hassle of VLANs; sadly, I'm not paying for Cisco.
  5. Don't NAT between internal networks. It destroys the audit trail: you lose the certainty of knowing exactly which internal client is connecting to which internal service.
  6. Keep internal and external equipment separate. Let's say your external firewall/router fails. Internal networking and VoIP calls should continue to function. Let's say an internal network switch fails. Guest Wi-Fi access to the Internet should continue to function.
  7. Carefully identify single points of failure and their importance. Have a plan for manual network reconfiguration in degraded mode and/or spare equipment or virtual machine instances to swap in.
  8. Prefer enterprise equipment at reliability choke points. A consumer Wi-Fi router might not be your best choice for your core or sole external firewall/router. Don't let your wired network go down when your Wi-Fi overheats and power cycles.
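The principles above translate fairly directly into a router ruleset. As an added example (not code from the original post), the following Python script renders an iptables-restore file for a Linux firewall/router that is the single exposed box: each public address is either 1:1 NATed to one DMZ server on its own VLAN or used as the PAT source for a whole zone, source NAT is applied only on the WAN interface so VLAN-to-VLAN traffic is never NATed, the forward policy is default-deny with an explicit allow list (so DMZ-to-DMZ and anything-to-management never pass), and the router's own SSH answers only on the management VLAN. All addresses, VLAN numbers and interface names are assumptions chosen for illustration; 203.0.113.0/24 is documentation space standing in for the five Comcast statics, and `plan_errors` is a helper written for this example.

```python
"""Render an iptables-restore ruleset for a single-router, multi-VLAN home network.

Added example, not code from the original post.  Every address, VLAN number and
interface name is an assumption for illustration (203.0.113.0/24 is documentation space).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

WAN_IF = "eth0"      # assumed: the one port facing the ISP gateway (principle 1)
TRUNK_IF = "eth1"    # assumed: 802.1Q trunk carrying every VLAN to the switches
MGMT_ZONE = "mgmt"   # the only zone allowed to reach admin interfaces (principle 2)


@dataclass(frozen=True)
class Zone:
    name: str
    vlan: int
    subnet: str                                  # private space behind the router
    egress_ip: str                               # public IP outbound traffic is PATed to
    dmz_host: Optional[str] = None               # single server 1:1 NATed to egress_ip
    inbound: Tuple[Tuple[str, int], ...] = ()    # (proto, port) reachable from the Internet

    @property
    def iface(self) -> str:
        return f"{TRUNK_IF}.{self.vlan}"


# Assumed addressing plan: one VLAN per DMZ server, each with its own public IP.
ZONES = (
    Zone("mgmt",    99, "10.0.99.0/24", "203.0.113.10"),
    Zone("home",    10, "10.0.10.0/24", "203.0.113.10"),
    Zone("voip",    20, "10.0.20.0/24", "203.0.113.11"),
    Zone("guest",   30, "10.0.30.0/24", "203.0.113.12"),
    Zone("dmz-web", 40, "10.0.40.0/29", "203.0.113.13", "10.0.40.2", (("tcp", 443),)),
    Zone("dmz-vpn", 41, "10.0.41.0/29", "203.0.113.14", "10.0.41.2", (("udp", 1194),)),
)

# Explicit VLAN-to-VLAN allow list (src, dst).  The forward policy is DROP, so
# DMZ-to-DMZ (principle 4) and anything-to-mgmt (principle 2) simply never match.
INTERZONE_ALLOW = (
    (MGMT_ZONE, "*"),          # admin reaches everything
    ("home", "voip"),
    ("home", "dmz-web"),
)


def plan_errors(zones) -> List[str]:
    """List the ways an addressing plan breaks principles 3-5 (empty list = OK)."""
    errors, nets, owners = [], [], {}
    for z in zones:
        net = ipaddress.ip_network(z.subnet)
        if not net.is_private:
            errors.append(f"{z.name}: {z.subnet} is not private address space")
        if any(net.overlaps(n) for n in nets):
            errors.append(f"{z.name}: {z.subnet} overlaps another zone")
        nets.append(net)
        if z.dmz_host:
            if ipaddress.ip_address(z.dmz_host) not in net:
                errors.append(f"{z.name}: {z.dmz_host} is outside {z.subnet}")
            if z.egress_ip in owners:     # a 1:1 address belongs to exactly one server
                errors.append(f"{z.name}: {z.egress_ip} is already 1:1 mapped for {owners[z.egress_ip]}")
            owners[z.egress_ip] = z.name
    for z in zones:
        if not z.dmz_host and z.egress_ip in owners:
            errors.append(f"{z.name}: cannot PAT via {z.egress_ip}, it is 1:1 mapped for {owners[z.egress_ip]}")
    return errors


def render(zones=ZONES, allow=INTERZONE_ALLOW) -> str:
    """Return the ruleset as iptables-restore text."""
    errors = plan_errors(zones)
    if errors:
        raise ValueError("; ".join(errors))
    by_name = {z.name: z for z in zones}
    nat = ["*nat", ":PREROUTING ACCEPT [0:0]", ":POSTROUTING ACCEPT [0:0]"]
    flt = ["*filter", ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT ACCEPT [0:0]",
           "-A INPUT -i lo -j ACCEPT",
           "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
           # the router's own admin port answers only on the management VLAN;
           # any DHCP/DNS the router serves to other zones needs its own accepts
           f"-A INPUT -i {by_name[MGMT_ZONE].iface} -p tcp --dport 22 -j ACCEPT",
           "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for z in zones:
        if z.dmz_host:
            # 1:1 NAT first: the specific host match must precede the zone-wide PAT
            nat.append(f"-A PREROUTING -i {WAN_IF} -d {z.egress_ip} -j DNAT --to-destination {z.dmz_host}")
            nat.append(f"-A POSTROUTING -o {WAN_IF} -s {z.dmz_host} -j SNAT --to-source {z.egress_ip}")
            for proto, port in z.inbound:
                flt.append(f"-A FORWARD -i {WAN_IF} -o {z.iface} -d {z.dmz_host} -p {proto} --dport {port} -j ACCEPT")
    for z in zones:
        # SNAT matches only traffic leaving via the WAN port, so VLAN-to-VLAN
        # flows keep their real source addresses (principle 5)
        nat.append(f"-A POSTROUTING -o {WAN_IF} -s {z.subnet} -j SNAT --to-source {z.egress_ip}")
        flt.append(f"-A FORWARD -i {z.iface} -o {WAN_IF} -j ACCEPT")
    for src, dst in allow:
        targets = [z for z in zones if z.name != src] if dst == "*" else [by_name[dst]]
        for t in targets:
            flt.append(f"-A FORWARD -i {by_name[src].iface} -o {t.iface} -j ACCEPT")
    flt.append('-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fwd-drop: "')
    return "\n".join(nat + ["COMMIT"] + flt + ["COMMIT"]) + "\n"


if __name__ == "__main__":
    print(render(), end="")
```

Pipe the output into `iptables-restore` on the router, after reading it over on a test box first. The INPUT chain deliberately drops everything except SSH from the management VLAN, so any DHCP or DNS the router itself serves needs its own accept rules. Internal clients should reach the DMZ servers by their private addresses (split DNS) rather than hairpinning through the public IPs; that keeps principle 5 intact, since nothing between VLANs is ever NATed.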
A home network usually doesn't have the same luxuries as an enterprise network: we don't generally keep spare equipment lying around, and we don't have rapid-response service contracts. Still, there are ways to ease the pain. Consider buying two smaller switches over a single large one; how many ports do you really need at one time? Consider building virtual machine instances for critical services, so that when hardware fails you can spin them up and patch the network around them.

As always, I welcome criticism and suggestions from real experts. I'm kind of trying to have a dialog with myself about how to build out my own network, but a dialog with others is even better!