Most home Internet users have a DSL or cable modem and a Wi-Fi firewall/router. Power users may run third-party router firmware or a dedicated PC firewall/router alongside dynamic DNS registration and port forwarding for a few services. Many power users want to be able to securely connect to services on their home network from the outside. This may be the age of cloud computing, yet it's also the age of increased home automation. There are turnkey home automation systems that use cloud servers for control via mobile apps and browsers, there are DIY automation systems, and there probably won't be standards for home control, monitoring, and security via the Internet for years to come. Secure outside connection to one's home network is pretty much the hallmark of the power user.
I'm currently on a two year Comcast Business Class contract. This gives me five public static IP addresses, not including the Comcast gateway box itself. Mo' IPs, mo' problems. Having these separate external IPs gives me dreams of putting my outgoing home traffic on one, my VoIP PBX on another, a wireless guest network on a third, incoming services on a fourth, and admin/automation on a fifth. It's not like I need all these addresses, but I sure like the idea of them...
Then there's the issue of VLANs. All my network switches are "smart(ish)" and support VLANs:
- 8 port GigE PoE switch
- 8 port GigE smart switch
- 24 port GigE smart switch #1
- 24 port GigE smart switch #2
None of this really gets me to a network architecture yet, but I'm starting to converge on a set of rules or guiding principles:
- Expose as few boxes as possible on the public Internet and secure the hell out of those boxes. I'll probably end up with a single firewall/router handling all my public IPs. Providing multiple external points of intrusion to internal networks seems like a bad idea.
- Secure administrative access to all your equipment. Imagine the following scenario: An attacker gains access to a DMZ server, scans every possible IP in the local network, identifies switch hardware by MAC address, then connects to the admin interface of said hardware via the default user/password, or reconfigures a local interface onto the same network as the default admin IP and connects. Security by VLAN: gone.
- Use 1:1 NAT and/or PAT and private addressing for everything behind the Internet point of entry. This seems more flexible than a transparent/bridging firewall and could accommodate an external transition to IPv6 while continuing to support legacy IPv4 devices internally.
- Prefer VLAN separation to a single DMZ network to prevent one server acting as a point of intrusion from which to launch attacks on other servers. Some switch vendors have features that can provide this isolation without the hassle of VLANs; sadly, I'm not paying for Cisco.
- Don't NAT between internal networks. This destroys the audit trail and security of knowing exactly which internal client is connecting to your internal services.
- Keep internal and external equipment separate. Let's say your external firewall/router fails. Internal networking and VoIP calls should continue to function. Let's say an internal network switch fails. Guest Wi-Fi access to the Internet should continue to function.
- Carefully identify single points of failure and their importance. Have a plan for manual network reconfiguration in degraded mode and/or spare equipment or virtual machine instances to swap in.
- Prefer enterprise equipment at reliability choke points. A consumer Wi-Fi router might not be your best choice for your core or sole external firewall/router. Don't let your wired network go down when your Wi-Fi overheats and power cycles.
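The principles above can be checked mechanically once the design is written down. The following is an added example, not code from the original post: a small Python audit over a constructed network model (VLAN names, 10.0.x.0/24 subnets, RFC 5737 documentation addresses standing in for the five public IPs, and the rule lists are all assumptions made for illustration). It flags more than one exposed box, overlapping VLAN subnets, NAT between internal networks, 1:1 rules that map a subnet or reuse a public IP, admin interfaces reachable from anywhere but the admin VLAN, DMZ-to-DMZ paths, and Internet ingress to non-DMZ VLANs. The sample design deliberately contains three of those mistakes so the output is not empty.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# RFC 1918 ranges, used instead of ipaddress.is_private because that property
# also treats the RFC 5737 documentation ranges used for the sample public IPs
# as private.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if a host or subnet string falls inside an RFC 1918 range."""
    net = ip_network(addr, strict=False)
    return any(net.subnet_of(r) for r in RFC1918)


@dataclass
class Vlan:
    name: str
    subnet: str
    role: str       # internal | guest | dmz | mgmt | admin


@dataclass
class NatRule:
    kind: str       # "1to1" (one public IP <-> one host) or "pat" (many hosts behind one IP)
    public_ip: str
    private: str    # a host for 1to1, a subnet for pat


@dataclass
class AllowRule:
    src: str        # VLAN name, or "internet" for the outside
    dst: str        # VLAN name


@dataclass
class Design:
    vlans: list
    nat: list
    allow: list
    exposed_boxes: list   # devices that hold public IPs


def audit(d):
    """Return one finding string per principle violation; an empty list means clean."""
    findings = []
    role = {v.name: v.role for v in d.vlans}

    # Expose as few boxes as possible: a single firewall/router holds every public IP.
    if len(d.exposed_boxes) != 1:
        findings.append(f"EXPOSURE: {len(d.exposed_boxes)} boxes hold public IPs, expected 1")

    # VLAN subnets must not overlap, or routing and the audit trail become ambiguous.
    nets = [(v.name, ip_network(v.subnet)) for v in d.vlans]
    for i, (n1, s1) in enumerate(nets):
        for n2, s2 in nets[i + 1:]:
            if s1.overlaps(s2):
                findings.append(f"OVERLAP: {n1} {s1} overlaps {n2} {s2}")

    # NAT only at the Internet edge; each 1:1 rule maps one host to a unique public IP.
    used = set()
    for r in d.nat:
        if is_rfc1918(r.public_ip) and is_rfc1918(r.private):
            findings.append(f"INTERNAL-NAT: {r.public_ip} <-> {r.private}")
        if r.kind == "1to1":
            if ip_network(r.private, strict=False).num_addresses != 1:
                findings.append(f"NAT-1TO1: {r.public_ip} maps a subnet, not a single host")
            if r.public_ip in used:
                findings.append(f"NAT-DUP: {r.public_ip} appears in more than one 1:1 rule")
        used.add(r.public_ip)

    # Admin interfaces reachable only from the admin VLAN; DMZ VLANs isolated from
    # each other; the Internet reaches DMZ VLANs only.
    for a in d.allow:
        src_role = "internet" if a.src == "internet" else role.get(a.src)
        dst_role = role.get(a.dst)
        if dst_role == "mgmt" and src_role != "admin":
            findings.append(f"MGMT-ACCESS: {a.src} -> {a.dst}")
        if src_role == "dmz" and dst_role == "dmz" and a.src != a.dst:
            findings.append(f"DMZ-LATERAL: {a.src} -> {a.dst}")
        if src_role == "internet" and dst_role != "dmz":
            findings.append(f"EDGE-INGRESS: internet -> {a.dst} ({dst_role})")
    return findings


def sample_design(with_mistakes=True):
    """Constructed design: five public IPs (RFC 5737 range) on one edge box."""
    vlans = [
        Vlan("lan", "10.0.10.0/24", "internal"),
        Vlan("guest", "10.0.30.0/24", "guest"),
        Vlan("dmz-voip", "10.0.20.0/24", "dmz"),
        Vlan("dmz-web", "10.0.40.0/24", "dmz"),
        Vlan("dmz-auto", "10.0.41.0/24", "dmz"),
        Vlan("mgmt", "10.0.99.0/24", "mgmt"),
        Vlan("admin", "10.0.98.0/24", "admin"),
    ]
    nat = [
        NatRule("pat", "203.0.113.10", "10.0.10.0/24"),   # outgoing home traffic
        NatRule("1to1", "203.0.113.11", "10.0.20.5"),     # VoIP PBX
        NatRule("pat", "203.0.113.12", "10.0.30.0/24"),   # guest Wi-Fi
        NatRule("1to1", "203.0.113.13", "10.0.40.5"),     # incoming services
        NatRule("1to1", "203.0.113.14", "10.0.41.5"),     # admin/automation
    ]
    allow = [
        AllowRule("internet", "dmz-voip"),
        AllowRule("internet", "dmz-web"),
        AllowRule("internet", "dmz-auto"),
        AllowRule("lan", "dmz-web"),
        AllowRule("lan", "dmz-voip"),
        AllowRule("admin", "mgmt"),
    ]
    if with_mistakes:
        nat.append(NatRule("pat", "10.0.10.1", "10.0.20.0/24"))  # NAT between internal VLANs
        allow.append(AllowRule("dmz-web", "mgmt"))               # DMZ host reaches switch admin
        allow.append(AllowRule("dmz-web", "dmz-auto"))           # DMZ-to-DMZ lateral path
    return Design(vlans, nat, allow, ["edge-fw"])


if __name__ == "__main__":
    for finding in audit(sample_design()):
        print(finding)
```

Running it prints the three planted findings (INTERNAL-NAT, MGMT-ACCESS, DMZ-LATERAL); `audit(sample_design(with_mistakes=False))` returns an empty list. The model is deliberately flat so it can be filled from whatever the real switch and firewall configs say, and the role-based checks are what make the "security by VLAN: gone" scenario visible before an attacker finds it.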
As always, I welcome criticism and suggestions from real experts. I'm kind of trying to have a dialog with myself about how to build out my own network, but a dialog with others is even better!