Network monitoring and security


JohnnyJazz

I've a small home network as follows:

- Standard True issued gateway router CISCO cpc 2235

- 16-port unmanaged D-Link gigabit switch

- 48-port patch panel

- ASUS router in bridge mode used as AP

- 4 computers linked to the network through cable

- 1 computer connected through WiFi

- 2 phones and 1 iPad using the WiFi

- 1 WD NAS

Near future: IP cameras + 8-port managed PoE switch.

The problem today is how to

1/ Monitor what's going on. Sometimes the network gets very slow; it takes ages to download the most simple page, no idea why.

2/ As more and more personal information is shared within this network, with security cameras soon to be added, how to make it more secure.

All suggestions are most welcome. It's an open debate, so don't hesitate to post what you have in mind even if it's not directly related to this specific configuration.


"2/ As more and more personal information is shared within this network, with security cameras soon to be added, how to make it more secure."

When you get to that complexity and have a real concern about personal information, it's time for a server with Active Directory. I don't know of another one-stop solution for permissions and file security with any granularity. All of the important files are on the server but are used by each client as if they were on the local machine. It also makes backups a snap.

You create groups. Each group is given permissions and denied permissions. For instance, in a doctors' office the doctors get permission to everything - medical records, personnel records, payroll, profit and loss statements, financial records, etc. The nurses get permissions only to the medical records and scheduling records, which the bookkeeper doesn't get but rather has permission to the bookkeeping files. The receptionist gets none of that and only gets permission to the scheduling files. Etc. It really works.

"Sometimes the network gets very slow; it takes ages to download the most simple page, no idea why."

I dunno. I'd take a laptop to just the modem/router, unhook everything else, try using just the laptop and see if you are slow. That could eliminate your hardware or topology. The rule of CompTIA A+ computer and/or network exams is to work from the wall out in both directions. In other words, start at the wall where the cable comes in and hook up and check everything one at a time until you find the problem. If there is no problem, go backwards from the wall out to the pole, etc.

Edited by NeverSure

From the description of your network and assuming that your TRUE DOCSIS connection is ok, I would say that the weakest link is the ASUS router also operating as an AP.

A 48 port patch panel would indicate a fairly large house so if that is correct, a single AP won't give good enough coverage. It may be that you can connect WiFi from anywhere in the house but the connection speed is likely very low in some places.

I would switch off the AP function on the ASUS and leave it to handle routing and NAT alone. Depending on the internet connection speed and what you are doing online, it could be that the router is already at the limit of what its CPU can handle. Then connect 3 or 4 APs around the house, which should be easy since presumably you already have plenty of LAN sockets.

To monitor bandwidth etc. between your LAN and the internet you could flash DD-WRT (or another third-party firmware) onto the ASUS router. DD-WRT can show real-time info in more detail than the stock ASUS firmware.


It depends how much you really want to know.

I hope you are clued in on Linux or have someone who is, as this will be my focus.

You can use something like a small computer or a Raspberry Pi to sit in between your switch and last hop (DSL router). Hopefully your router supports SNMP, and from that you can monitor throughput with something like MRTG.

If you want a more controlling/monitoring method, you could block all outgoing HTTP/HTTPS connections and have them all route through something like Squid - from here you can process the access_logs and gain an idea who's doing what. Obviously the Pi will also have iptables installed, so you can log incoming connection attempts and drop them. You could even restrict how much bandwidth one device uses, if you have an issue with the network being flooded and slow....

If you have a small PC lying around, you can install something like pfSense which will give you more control and visibility - your mileage may vary.

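The "process the access_logs and gain an idea who's doing what" step from the post above, as an added example (not code from the post or from the Squid project). It assumes Squid's native access.log format (timestamp, elapsed ms, client, code/status, bytes, method, URL, ...); the five log lines are constructed for the demo, and the client addresses and hosts in them are made up.

```shell
#!/bin/sh
# Added example: summarise a Squid native access.log by client and by destination host,
# which is the fastest way to answer "who is eating the link right now?".
# Native format fields: 1=timestamp 2=elapsed_ms 3=client 4=code/status 5=bytes 6=method 7=url

# "bytes requests client", biggest consumer first.
squid_by_client() {
    awk '{ bytes[$3] += $5; reqs[$3]++ }
         END { for (c in bytes) printf "%d %d %s\n", bytes[c], reqs[c], c }' "$1" | sort -rn
}

# "bytes requests host". Handles http://host/path, https://host:443/path and the
# CONNECT lines where the URL field is only "host:443".
squid_by_host() {
    awk '{
            url = $7
            sub("^[a-z]+://", "", url)   # drop scheme
            sub("/.*$", "", url)         # drop path
            sub(":[0-9]+$", "", url)     # drop port
            bytes[url] += $5; reqs[url]++
         }
         END { for (h in bytes) printf "%d %d %s\n", bytes[h], reqs[h], h }' "$1" | sort -rn
}

# Heaviest single client as "client bytes": the first thing to look at when the link feels slow.
squid_top_client() {
    squid_by_client "$1" | awk 'NR == 1 { print $3, $1 }'
}

# --- constructed sample log: three clients, one of them streaming video over CONNECT ---
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
1425638400.101    120 192.168.1.10 TCP_MISS/200 4321 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1425638401.202  30000 192.168.1.22 TCP_TUNNEL/200 52428800 CONNECT video.example.net:443 - HIER_DIRECT/203.0.113.7 -
1425638402.303    250 192.168.1.10 TCP_HIT/200 1024 GET http://www.example.com/style.css - NONE/- text/css
1425638403.404  25000 192.168.1.22 TCP_TUNNEL/200 41943040 CONNECT video.example.net:443 - HIER_DIRECT/203.0.113.7 -
1425638404.505    400 192.168.1.31 TCP_MISS/200 20480 GET https://mail.example.org:443/inbox - HIER_DIRECT/198.51.100.9 text/html
EOF

# Run with --demo to print both tables; point the functions at /var/log/squid/access.log for real data.
if [ "${1:-}" = "--demo" ]; then
    echo "== bytes per client =="; squid_by_client "$SAMPLE_LOG"
    echo "== bytes per host ==";   squid_by_host "$SAMPLE_LOG"
fi
```

Because Squid only sees the CONNECT tunnel for HTTPS, the per-host table gives the destination name but not the URL; that is still enough to see that one phone on Wi-Fi is pulling tens of megabytes of video while a PC waits for a 4 KB page.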

Security-wise, the way I'd approach this is using VLANs - i.e. virtually separate networks for IP cams & NAS, and then the rest. Set it up so that IP cams/NAS simply cannot get out to the internet via NAT, and sleep at night knowing the crappy P2P all IP cam vendors seem to implement now isn't leaking your video to the world.

e.g.

[image: VLANs.103.17.1.png]

Source: http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%25205.0%2520Help/VLANs.103.17.html

Edited by IMHO
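The VLAN policy from the post above, written out as an added example for a Linux box acting as the inter-VLAN router (the Pi or pfSense-class PC discussed earlier in the thread; pfSense would express the same policy through its GUI). This is not code from the post or from any vendor. The interface names, VLAN IDs, subnets and the NVR address are assumptions, and it assumes the Linux box is the gateway for these VLANs via a trunk port from the planned managed switch.

```shell
#!/bin/sh
# Added example: enforce "cams and NAS never reach the internet" with 802.1Q sub-interfaces
# and iptables. Assumed layout:
#   eth0.10  10.0.10.0/24   trusted LAN (PCs, phones, tablets)
#   eth0.20  10.0.20.0/24   NAS
#   eth0.30  10.0.30.0/24   IP cameras
#   wan0                    link towards the ISP gateway
# Policy: only the trusted LAN is NATed out; the NAS and cameras may only answer sessions the
# LAN opened; cameras may be opened only by the NVR host. Anything a camera or the NAS tries to
# originate is logged and dropped, so a "cloud P2P" feature phoning home shows up in the kernel
# log instead of leaking.

IPT="${IPT:-iptables}"      # set IPT=echo to print the rules instead of applying them
IP="${IP:-ip}"
SYSCTL="${SYSCTL:-sysctl}"
WAN=wan0; LAN=eth0.10; NAS=eth0.20; CAMS=eth0.30
LAN_NET=10.0.10.0/24
NVR=10.0.10.5               # the one LAN host allowed to pull camera streams (assumed)

create_vlans() {            # sub-interfaces on the trunk port from the managed switch
    for id in 10 20 30; do
        $IP link add link eth0 name "eth0.$id" type vlan id "$id"
        $IP link set "eth0.$id" up
    done
    $SYSCTL -w net.ipv4.ip_forward=1
}

apply_policy() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING

    # Return traffic for sessions allowed below.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Trusted LAN: internet via NAT, plus the NAS.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    $IPT -A FORWARD -i "$LAN" -o "$NAS" -j ACCEPT

    # Cameras: only the NVR may open connections to them (RTSP/HTTP). There is deliberately
    # no MASQUERADE rule for 10.0.20.0/24 or 10.0.30.0/24, so a default route gets them nowhere.
    $IPT -A FORWARD -i "$LAN" -o "$CAMS" -s "$NVR" -j ACCEPT

    # Rate-limited log, then drop, for whatever the NAS or camera VLAN tries to start.
    for v in "$NAS" "$CAMS"; do
        $IPT -A FORWARD -i "$v" -m limit --limit 6/min -j LOG --log-prefix "vlan-egress-blocked: "
        $IPT -A FORWARD -i "$v" -j DROP
    done
}

# How many NAT rules would give a source subnet internet access (expected: 1 for LAN, 0 otherwise).
nat_rules_for() {
    (IPT=echo; apply_policy) | grep -c -- "-t nat -A POSTROUTING .*-s $1 " || true
}

if [ "${1:-}" = "--apply" ]; then
    create_vlans
    apply_policy
fi
```

Run it once with `IPT=echo sh vlan-policy.sh --apply` to read the rules before applying them for real; afterwards `dmesg | grep vlan-egress-blocked` is the quickest way to check whether a new camera is trying to reach the outside.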

"Sometimes the network gets very slow; it takes ages to download the most simple page, no idea why."

I understand what you mean, but that would work if the network were constantly slow because of a flaw in the design. But here the speed varies during the day with no change in the design; the only thing that changes is what every computer is doing, so what I'm looking for is software that will monitor in real time what's going on on the network. Probably also the problem lies partly with True, but that's something I can't do much about.

Actually the ASUS router is used only as an AP. The CISCO gateway is in the garage and the signal gets too weak on the upper floors. Before, it was used as a switch as well, but now with the new configuration (patch panel + Ethernet sockets in every room) I just use it as an AP. Only one computer uses this AP, and also my wife on her phone and iPad. She's a heavy Facebook and YouTube user but I'm not sure what influence it may have on the network, if any.

Also I don't know what the limits of the True Cisco router/gateway are and what other models they can offer that would be more suitable for my configuration.

But I think the first thing is really to know what's going on on the network and to identify the bottleneck.


I've plenty of PCs lying around. Unfortunately my knowledge of Linux is basic, but I used to work with DOS (my first computer was a Sinclair ZX81), so every time I had to use Linux I was able to get on without too much damage. I will try your solution, thank you. Any further advice will be very much welcome as well.


That will definitely be the next step, thank you.


You say your network is slow, which to me means something different than if your internet access is slow. I was talking about your LAN - your local network.

But I think the first thing is really to know what's going on on the network and to identify the bottleneck.

Again, is it your network or your internet access? Do you also lose speed internally between nodes? I'm taking you literally here when you said your network is slow, LOL.

Also, in your OP you talked about "shared within this network" and I also took you literally and told you how to lock down internal security with Server. Then you get advice about how to dodge external threats and I'm going... Whoooo, what's the topic here?!! LOL.

Edited by NeverSure

Perhaps get a $200 USD mini Atom PC with 4+1 Ethernet ports and install pfSense or any Linux firewall OS for ultimate control over your network?

You can use the ASUS in wireless AP mode for the wireless network and the x86 PC firewall as firewall router in bridge mode.


This is good for external security, is pretty cheap and can be wireless on the internal side. If he gets a web server it will need to be on the bad guys' side of that VLAN switch, in what they call the DMZ - demilitarized zone.

Cheers.


It's easier for the average guy to use a VLAN switch, which can be wireless - a lot of which he seems to use. An external proxy server is what we used to use, but they took a lot of learning and configuring.

Cheers.


Apologies. You're absolutely correct, my OP was poorly written. The problem I'm focusing on today is slow internet access, but I'm not sure if the problem lies with the ISP (True) or is internal. So the answer to your question "Do you also lose speed internally between nodes?" is: I don't know. That's what I'm trying to figure out.

Regarding security, both internal and external aspects need to be addressed. As I said, "All suggestions are most welcome. It's an open debate, so don't hesitate to post what you have in mind even if it's not directly related to this specific configuration." So far, as far as I'm concerned, all the answers have been very instructive.

Edited by JohnnyJazz

If your ASUS router is high-end, install ipkg,

install the iperf utility on the router,

or you can install iperf on your NAS device if it has ipkg,

then install iperf on your computer and test throughput when you feel your network is slow.

True's transparent proxy sometimes can cause slowdowns. It's best to use it with Singapore L2TP (OpenVPN uses too much CPU power, hence slower) at all times.

I can achieve 4000 kbyte/sec avg. download speed with my 30/3 True DOCSIS connection almost all the time.

Of course, my VPN is a private VPN installed by me on a $5/month DigitalOcean Singapore VPS node.

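The iperf test suggested in the post above, combined with NeverSure's earlier question ("is it your network or your internet access?"), as an added example that is not code from either post: one iperf3 run against the NAS measures the LAN, one against an iperf3 server outside the house measures the WAN, and the two are compared with the plan rate. The host names, the 30 Mbit/s plan rate and the thresholds are assumptions; iperf3 must be running in server mode (`iperf3 -s`) on the NAS or on one of the spare PCs.

```shell
#!/bin/sh
# Added example: tell a slow LAN from a slow internet link with two iperf3 runs.
NAS_HOST="${NAS_HOST:-nas.lan}"            # iperf3 -s on the NAS or a wired PC (assumed name)
WAN_HOST="${WAN_HOST:-iperf.example.net}"  # an iperf3 server outside the house (assumed name)
PLAN_MBPS="${PLAN_MBPS:-30}"               # download rate of the plan, e.g. a 30/3 DOCSIS plan

# Convert the iperf3 client "receiver" summary line into Mbit/s, whatever unit iperf3 picked.
# Example line:  [  5]   0.00-10.00  sec  1.10 GBytes   941 Mbits/sec                  receiver
iperf_mbps() {
    awk '/receiver/ {
            rate = $(NF-2); unit = $(NF-1)
            if (unit ~ /^Kbits/)      rate = rate / 1000
            else if (unit ~ /^Gbits/) rate = rate * 1000
            else if (unit ~ /^bits/)  rate = rate / 1000000
            printf "%.1f\n", rate
            exit
         }'
}

# Verdict from the two measurements. Thresholds are a rule of thumb, not a standard:
#   LAN below 100 Mbit/s on gigabit cabling      -> cable, switch port or Wi-Fi problem
#   WAN below 70% of the plan while LAN is fine  -> ISP or gateway problem
classify() {   # $1 = LAN Mbit/s, $2 = WAN Mbit/s, $3 = plan Mbit/s
    awk -v lan="$1" -v wan="$2" -v plan="$3" 'BEGIN {
        if (lan < 100)             print "LAN bottleneck: check cable, switch port or Wi-Fi"
        else if (wan < 0.7 * plan) print "WAN bottleneck: ISP or gateway, LAN is fine"
        else                       print "no bottleneck found at this moment"
    }'
}

# Run this when the network "feels slow"; append to a log and the pattern over a day shows itself.
measure() {
    lan=$(iperf3 -c "$NAS_HOST" -t 10 | iperf_mbps)
    wan=$(iperf3 -c "$WAN_HOST" -t 10 | iperf_mbps)
    echo "$(date '+%F %T') lan=${lan}Mbps wan=${wan}Mbps $(classify "$lan" "$wan" "$PLAN_MBPS")"
}

if [ "${1:-}" = "--run" ]; then
    measure
fi
```

Run it from a wired PC first; if the LAN number is fine there but poor from the Wi-Fi laptop, the AP placement is the problem rather than the switch or the ISP.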

I have a couple of these on order for the office and home.

https://itusnetworks.com/shield/

Your router should have functions to tell you which devices are using the link and what for, although if you are using DHCP that will vary, so you may want to use fixed IPs.

Cool boxes, but if you were going to start over with a new router, you'd probably be better off buying a Fortigate to begin with: http://www.thaivisa.com/forum/topic/832961-creating-a-safe-home-network-question/page-3


Interesting thread IMHO, I should read ThaiVisa more often ;-)


Expensive, and you have to pay 8,500 baht per year for updates.

No thanks.


Thanks for all the replies. I may give pfSense a try. Could someone recommend some kind of "pfSense for Dummies" site with basic information about hardware selection and software installation? Basically I've two options. Either I first try to read and learn everything about this software, or I install it and learn on the job. As I don't have much time and it's only the first step of our home network, I think I'll go for the second option. Any advice about major mistakes to avoid will be very much appreciated.


You're getting on the edge of what we used to call a proxy server firewall. This was a proxy server out in front of the router guarding the gate. Sometimes it was the router, using two network cards and IPs. It took a lot of expertise to set one up and keep it set up. This is still done in large enterprises where they have the people, but it costs a tad in speed - one more process.

Out in front of that, on the bad guys' side, is where you'd have to put a web server because:

You can't have NAT translation in front of a web server. That server has to be available to anyone without you first sending a request. And this is what makes a router such a good firewall for the average user, but makes web servers so vulnerable - NAT.

NAT, or Network Address Translation, simply records who behind your router, inside your network, requested data and returns it only to them. It routes requested data to only the node (machine on the network) that requested it. Therefore if no machine requested incoming data the packets are simply destroyed - nowhere to go. Again, unrequested data is destroyed so the bad guys can't get in unless you do a common no-no which you've been told not to do, which is:

Click on a link you know nothing about. That's requesting the data and the NAT translator, in most cases your router will let it in and forward it to you.

So, when your email client does a send/receive it is requesting new email from the email server, and your incoming email is allowed in and routed only to you. Thus we call it a router - its NAT is able to route it to the node that requested it as an outgoing request. This is why the router is an effective firewall - anything not requested is destroyed.

Don't make this too difficult unless your name is US Department of State, LOL. If you have a functioning router locked down with a good password to keep nearby people out of your wireless, and if you have good malware software, you aren't likely to get hit with anything that you don't request. If you request it no one can help you. Edit: The same with an email attachment you know nothing about - you've been warned. Hope your malware software catches it first.

Remember, most security breaches are done by insiders, or are done to web servers. It's not often that someone actually breaches a local network and gets data if good passwords are in place on the appliances that allow traffic in such as the router.

Cheers.

Edited by NeverSure

Unless you have one of the millions of unpatched routers vulnerable to a specially crafted URL, as described in both of the threads I've posted in the past.



1-year update refills are cheaper on eBay - but yes, it's enterprise grade gear, and priced that way. Still excellent value, once you actually understand what you're getting / see just how many vulnerabilities it actually protects your devices from - and devices it protects your network from - it's not just inbound vulnerabilities it analyzes, but also local ones...

IMHO, if you're going to be running IP cameras, which ALL have dodgy P2P now, you either need something of this grade, or a very well configured and tested VLAN setup. Of course, IP cams are not the only devices you'll connect to your network that want to leak data / phone home - it'll ID and let you stop them all.

Edited by IMHO

Clear. Thank you.


Do both of you mind explaining the differences between your products and a pfSense solution, and their respective advantages?


The Fortigate is an all-in-one UTM (unified threat management) appliance with dedicated/specialized security hardware. In one box you get: firewall, VPN, IPS/IDS, app control, web filtering, anti-malware/virus/spam, plus it's a gigabit router and Wi-Fi access point - and it comes with full phone and email support.

http://www.fortinet.com/sites/default/files/solutionbrief/UTMSolutionBrief.pdf


You didn't ask me but... LOL. Either of those might be more trouble than you want. For sure the Fortigate is an enterprise-level firewall which might keep you busy. It's one thing to lock down your files so people can't access them, and another to mask your traffic so that people can't read it. The latter requires something like a VPN and some kind of scrambling. I've never felt like I needed that except it was required when I was in IT.

The chances of anyone breaking into your network without you requesting or clicking on something dumb are so remote that any data loss is going to come from lack of good practices rather than poor security. A great setup won't save you from human error or bad practices or even nefarious operators in your own network. Remember also not to share out files on your own network that aren't essential for sharing. Keep critical files unshared.

Your router is a computer, absolutely. It just isn't a Mac or Windows computer. Bad guys on the internet try to hack your network and hit that router/computer and think they found your computer. That's if they know your IP address. What they don't know is that it's a router and contains nothing they are interested in. Let them hack away. Let them do that for a week until they get tired of it. None of your internal nodes (inside the router) have internet routable IP addresses and they aren't talking to the bad guys. They can't.

If you're bent on setting up a dedicated firewall in addition to your router firewall please look into which is most user friendly because by default they don't work well until you set them up. I'm here to tell you that you don't need one if you use best practices and have the router and good malware software. It ain't gonna happen unless you screw up and even then the firewall probably won't help you with external attacks because you asked for the data.

Cheers.


I think you're missing one big point here... The OP has devices on his own network that can't be trusted. The threat is from within, as well as from outside.


You have a point here ....


Then put them on different subnets, especially cameras. Why do they have to be on the same subnet if they aren't trusted? This is a home system he said. In a home I would think that physical access to resources would be the problem if something "isn't trusted". About all you can do is lock things down with permissions and passwords and hope someone isn't smart enough to get past that. Once someone has physical access to your network there's not a lot more you can do.

If he doesn't have enough home control and/or trust to deny others admin rights and permissions then I don't know what he'll do. Once someone is inside and has access to the appliances there's not much stopping them.

I don't get the impression that he wants to spend the big bucks on this. Maybe I read him wrong but he started out - home network and I ran with that. If permissions, file sharing routines, a router and different subnets aren't adequate then I don't know what is. What good is an internal firewall if I can just walk off with the HDD from your computer 555?

Cheers.

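The "put them on different subnets, especially cameras" advice is the right answer to the untrusted-devices point, but a subnet on its own only separates broadcast domains; what makes it a security boundary is the forwarding policy between the subnets. Here is an added example of that policy as a small model you can reason about before touching a router (this is illustrative code, not from anyone in this thread and not any vendor's configuration). The address plan is an assumption, since the thread gives none: a LAN for the computers and NAS, a camera subnet on the coming PoE switch, a guest subnet for phones and visitors, and everything else treated as the internet. The policy is default-deny: the LAN may open RTSP and HTTPS to the cameras, but the cameras may never initiate anything toward the LAN or the internet, and guests get internet only. The nftables rendering at the end is an assumed translation, shown so the rule order is visible, not a tested firewall script.

```python
"""Segmentation policy model for a home network with untrusted devices.

Added example; the subnets are assumptions (the thread states no address plan).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address plan: everything internal lives under 192.168.0.0/16.
INTERNAL = ipaddress.ip_network("192.168.0.0/16")
SEGMENTS = {
    "lan":     ipaddress.ip_network("192.168.1.0/24"),   # computers + NAS
    "cameras": ipaddress.ip_network("192.168.20.0/24"),  # IP cameras on the PoE switch
    "guest":   ipaddress.ip_network("192.168.30.0/24"),  # phones / visitors on WiFi
    "wan":     ipaddress.ip_network("0.0.0.0/0"),        # anything else: the internet
}


@dataclass(frozen=True)
class Rule:
    src: str              # segment name
    dst: str
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None = any port
    action: str           # "allow" or "deny"
    note: str


# First match wins; anything unmatched is denied, which is the point of segmenting.
POLICY: List[Rule] = [
    Rule("lan", "cameras", "tcp", 554, "allow", "LAN may view RTSP streams"),
    Rule("lan", "cameras", "tcp", 443, "allow", "LAN may reach the camera web UI"),
    Rule("cameras", "lan", "any", None, "deny", "cameras never initiate to the LAN"),
    Rule("cameras", "wan", "any", None, "deny", "cameras do not phone home"),
    Rule("guest", "lan", "any", None, "deny", "phones and visitors cannot touch the NAS"),
    Rule("guest", "cameras", "any", None, "deny", "guests cannot reach cameras"),
    Rule("lan", "wan", "any", None, "allow", "normal browsing"),
    Rule("guest", "wan", "any", None, "allow", "guest internet only"),
]


def classify(ip: str) -> str:
    """Longest-prefix match of an address to a segment name ('wan' is the /0 catch-all)."""
    addr = ipaddress.ip_address(ip)
    matches = [(name, net) for name, net in SEGMENTS.items() if addr in net]
    return max(matches, key=lambda kv: kv[1].prefixlen)[0]


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: Optional[int]) -> Tuple[str, str]:
    """Decide whether a new connection src -> dst:dport may be opened; returns (action, reason)."""
    src, dst = classify(src_ip), classify(dst_ip)
    for r in POLICY:
        if r.src != src or r.dst != dst:
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.note
    return "deny", "default deny"


def verdict(src_ip: str, dst_ip: str, proto: str, dport: Optional[int]) -> str:
    return evaluate(src_ip, dst_ip, proto, dport)[0]


def to_nftables(policy: List[Rule]) -> List[str]:
    """Assumed rendering as forward-chain rules; the first line admits replies to
    connections the policy already allowed, so only connection *starts* are judged."""
    lines = ["ct state established,related accept"]
    for r in policy:
        parts = []
        # "wan" means "not one of our internal ranges", so render it as a negation.
        parts.append(f"ip saddr != {INTERNAL}" if r.src == "wan" else f"ip saddr {SEGMENTS[r.src]}")
        parts.append(f"ip daddr != {INTERNAL}" if r.dst == "wan" else f"ip daddr {SEGMENTS[r.dst]}")
        if r.proto != "any" and r.dport is not None:
            parts.append(f"{r.proto} dport {r.dport}")
        parts.append("accept" if r.action == "allow" else "drop")
        lines.append(" ".join(parts))
    lines.append("drop")  # chain policy: nothing else is forwarded
    return lines


if __name__ == "__main__":
    for flow in [("192.168.20.5", "192.168.1.20", "tcp", 445),   # camera -> NAS
                 ("192.168.1.10", "192.168.20.5", "tcp", 554),   # desktop -> camera stream
                 ("192.168.20.5", "203.0.113.9", "tcp", 443),    # camera -> cloud
                 ("192.168.30.7", "192.168.1.20", "tcp", 445)]:  # phone -> NAS
        print(flow, "->", evaluate(*flow))
    print("\n".join(to_nftables(POLICY)))
```

The model answers the "what good is an internal firewall" question directly: a compromised camera on its own subnet can still be pulled off the wall, but it can no longer enumerate the NAS, and it cannot upload the footage anywhere on its own. The only traffic it ever sees is a session the LAN opened to it.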

1-year update refills are cheaper on eBay - but yes, it's enterprise grade gear, and priced that way. Still excellent value, once you actually understand what you're getting / see just how many vulnerabilities it actually protects your devices from - and devices it protects your network from - it's not just inbound vulnerabilities it analyzes, but also local ones...

I've got several hundred thousand dollars worth of Fortinet kit in the office, I kinda know how it works.

But it's too much for the house.

The ITUS Shield is enough for most people.

Fortinet isn't even an IPS.

If you want to check for vulnerabilities, use Nessus (which is free).

If you want a free IPS, use SNORT or Suricata (which is what's built into the ITUS Shield).
