Posted: 1/13/2021 12:31:22 PM EDT
My networking knowledge is basic and only enough to set up a standard home network.

I have a couple of desktops, NAS boxes for my wife and me, and other stuff (TV, media streamer, etc.) connected to it.

The way things are going, I am worried that we might see attacks on home and small business networks growing.

Therefore, I thought about having two networks, with one isolated from the other.

One would be for the stuff that requires Internet and another for inside-only stuff, such as the NAS boxes.  However, that would fail at the desktops, since the NAS boxes work as backups and the desktops have an Internet connection.

I currently use a Nighthawk router that also works as a cable modem.  I also have a VPN and run Glasswire on some of my PCs.

What measures, both hardware and software, can I implement to help, or at least improve, the network security?

Posted: 1/13/2021 3:59:55 PM EDT
This is not an exhaustive list, but this is something that I have been working on for my family and close friends that are not tech savvy.

Full disclosure:  20+ years in Enterprise Data Centers for Big Telecom.

I can spell eye pee.

Make sure all admin passwords have been changed from defaults to something strong.  12+ characters (special characters if supported, numbers, CAPS)

Updating your passwords in general is a good idea.

Segmenting IoT devices that don't need internet access is a good thought, but you need equipment that can support it and need a bit of subnetting/VLAN knowledge to configure properly.

If the IoT device does not need any access, turn it off!   Your dryer and refrigerator don't need to surf Arfcom!

Make sure your software is up to date.  Microsoft just released "Patch Tuesday" (2nd Tue of each month).  Run Windows Update.

I'll add some later...
Posted: 1/13/2021 10:46:03 PM EDT
The obvious gaps I see based on what you've said are VLANs for segmenting your devices and offline/offsite backups of your data.
Posted: 1/13/2021 11:48:13 PM EDT
Short of setting up VLANs, what about using the guest network function of higher-end consumer and prosumer routers? I realize they may also be set up slightly differently, but most guest networks are configured to only let the client out to the internet and not see/access anything else on the LAN.

And Pi-hole still blocks all the outgoing Amazon telemetry.
Posted: 1/14/2021 10:34:23 AM EDT
Thanks!

Some remarks, and more questions.

I do not have anything Amazon, Apple, or similar running.  The TV is a Samsung that accesses Netflix directly.

My media streamer is a Vero 4K+ that I use to watch the videos stored on the NAS.  Media streamer, NAS and TV are hardwired to the switch.

Besides that, the IoT stuff is a weather station box that allows me to access my home's WS from anywhere.

My router has a guest network, but for Wi-Fi only.  I did not see anything for the wired network.

I already changed all the cable modem/router's passwords (access-config and Wi-Fi), as well as the Wi-Fi default names, and keep the PCs updated.

I also run regular backups of the NAS boxes using USB external disks.

How does this VLAN you guys mentioned work?

My router is currently set up for DHCP.  Is it better to change to static IP and assign them?

If using static IP, is it possible to limit and filter what device can access what, or do I need a high-end router/switch to do it?

Posted: 1/14/2021 1:36:50 PM EDT
Quoted:
Thanks!

Some remarks, and more questions.

I do not have anything Amazon, Apple, or similar running.  The TV is a Samsung that accesses Netflix directly.

My media streamer is a Vero 4K+ that I use to watch the videos stored on the NAS.  Media streamer, NAS and TV are hardwired to the switch.

Besides that, the IoT stuff is a weather station box that allows me to access my home's WS from anywhere.

My router has a guest network, but for Wi-Fi only.  I did not see anything for the wired network.

I already changed all the cable modem/router's passwords (access-config and Wi-Fi), as well as the Wi-Fi default names, and keep the PCs updated.

I also run regular backups of the NAS boxes using USB external disks.

How does this VLAN you guys mentioned work?

My router is currently set up for DHCP.  Is it better to change to static IP and assign them?

If using static IP, is it possible to limit and filter what device can access what, or do I need a high-end router/switch to do it?


VLANs are set up and managed by your router.  Just like a Virtual Machine virtualizes a separate physical computer, a Virtual Local Area Network virtualizes a separate physical LAN.  This allows you to isolate clients on your network from each other, protecting your trusted devices (like your PC) from untrusted ones (like your weather station that got its last firmware update approximately never).  You can also manage inter-VLAN routing, controlling the direction of communication, and set bandwidth limitations or other rules like blackout periods.

Pretty much every consumer router/access point allows for only one, non-configurable VLAN called the Guest Network.  However, control is limited and you can't have multiple VLANs.  Many can be flashed with a custom firmware like DD-WRT or Tomato that can allow for more configuration.  You can also move to a commercial router and have your current Netgear just be an access point.  I use a UniFi Security Gateway, but they also have their EdgeRouter line.  You can also purchase or build a pfSense box.
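The two ideas in this thread, a guest network that only reaches the Internet and inter-VLAN rules that control which direction a connection may be opened, come down to one stateful policy table on the router. The following is an added example, not code from any poster or from UniFi/pfSense; it models three hypothetical VLANs (trusted PCs and NAS, IoT, guest) with made-up subnets and runs constructed packets through a minimal stateful firewall so the rule set can be checked before it is typed into a real device.

```python
"""Added example: a small model of a direction-controlled inter-VLAN policy.

The VLAN names, subnets and addresses below are constructed assumptions
(not the poster's actual network). "trusted" holds the PCs and NAS,
"iot" the TV and weather station, "guest" visitors' phones.
"""
from dataclasses import dataclass, field
import ipaddress

# One subnet per VLAN (constructed).
VLANS = {
    "trusted": ipaddress.ip_network("192.168.10.0/24"),
    "iot":     ipaddress.ip_network("192.168.20.0/24"),
    "guest":   ipaddress.ip_network("192.168.30.0/24"),
}

# Which segment may OPEN a connection toward which. Nothing else may
# initiate; replies on an already-established flow are always allowed.
ALLOWED_INITIATIONS = {
    ("trusted", "iot"),       # PC streams from TV, manages weather station
    ("trusted", "guest"),
    ("trusted", "internet"),
    ("iot", "internet"),      # weather station uploads its readings
    ("guest", "internet"),    # guest network: Internet only, no LAN
}


def segment_of(ip: str) -> str:
    """Map an address to its VLAN name, or 'internet' if it is not local."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "internet"


@dataclass
class StatefulFirewall:
    """Tracks flows the way a router's connection table does."""
    established: set = field(default_factory=set)

    def evaluate(self, src, dst, sport, dport, syn) -> str:
        s, d = segment_of(src), segment_of(dst)
        if s == d:
            return "ACCEPT"          # same VLAN is switched, never routed
        flow = (src, sport, dst, dport)
        reverse = (dst, dport, src, sport)
        if not syn:
            # Only traffic belonging to a known flow (either direction) passes.
            if flow in self.established or reverse in self.established:
                return "ACCEPT"
            return "DROP"            # unsolicited non-SYN packet
        if (s, d) in ALLOWED_INITIATIONS:
            self.established.add(flow)
            return "ACCEPT"
        return "DROP"


# Constructed packets: (src, dst, sport, dport, is_syn).
PACKETS = [
    ("192.168.10.2", "192.168.20.5", 50000, 8080, True),   # PC -> TV
    ("192.168.20.5", "192.168.10.2", 8080, 50000, False),  # TV's reply
    ("192.168.20.7", "192.168.10.3", 40000, 445, True),    # weather box -> NAS
    ("192.168.20.7", "203.0.113.10", 40001, 443, True),    # weather box -> cloud
    ("192.168.30.4", "192.168.10.3", 40002, 445, True),    # guest -> NAS
    ("192.168.30.4", "198.51.100.9", 40003, 443, True),    # guest -> Internet
    ("192.168.20.9", "192.168.10.2", 1234, 22, False),     # stray non-SYN from IoT
]


def run_policy(packets=PACKETS) -> list:
    """Evaluate packets in order through one firewall instance."""
    fw = StatefulFirewall()
    return [fw.evaluate(*p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(PACKETS, run_policy()):
        print(f"{pkt[0]:>14} -> {pkt[1]:<14} port {pkt[3]:<5} {verdict}")
```

The point the model makes is that a PC reaching the TV and the TV's reply both pass, while the weather station or a guest device opening a connection toward the NAS is dropped even though the NAS happily answers the PC. On a real router this is the same policy expressed as a default-deny between VLANs plus "allow established/related" and a short list of permitted initiating directions.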