Help with new home network?

[Keljian]

think I could use my xenon e5-2683 v3? Planning on moving to TR4 anyways.

easily - it is overkill though

 

[Nicklebon]

And a five-grand investment up front, plus whatever licensing is necessary for updates? If I'm reading it right- I wouldn't hesitate to use them for enterprise, but their buy-in for 2Gbps+ IPS etc. is hefty.

Should be able to get in well below that. Also, there is no reason to do IPS on 100% of your traffic. Any IPS product of merit will have update costs. This is simply the way of things as these are in constant flux. I would also add that if you expect to receive any benefit of this of service you do need to be doing mitm on your TLS. If you are not going to do that don't waste your money on IPS.

 

[Keljian]

Any IPS product of merit will have update costs. This is simply the way of things as these are in constant flux.

I would also add that if you expect to receive any benefit of this of service you do need to be doing mitm on your TLS. If you are not going to do that don't waste your money on IPS.

Yep update costs for the signatures etc. ET pro and Oink pro are still costs

I agree with the TLS comment, but again it’s a fair amount of work for someone new to it.

 

[Nicklebon]

Yep update costs for the signatures etc. ET pro and Oink pro are still costs

I agree with the TLS comment, but again it’s a fair amount of work for someone new to it.

Honestly, staying on top of the mitm stuff is just a fair amount work .... new, seasoned professional or grizzled old curmudgeon. Does it need to be done? I think so but, others may argue. Make no mistake it is a giant PITA. FWIW at home I run a fortigate 201E with a fortiswitch 448D and a pair of AP I bought off craigslist to load balance a 1Gbps fiber connection and 400Mbps docis connection with pretty much every feature checked. The fw doesn't break a sweat ever. I double the throughput and it still would not an issue. One thing to note is that I treat internal wireless traffic as hostile. It too is thoroughly inspected before entering my internal trusted network. I would suggest everyone do this and take that load under consideration when sizing a FW. The switch and AP I picked up for less than $500. They have no support and never will. The gate was bought used off of ebay while still under support. I also bought an extended support license off ebay at a major discount to maintain support. I just looked and I see several decent deals on similar hardware now. If you went that route you would want to make absolute certain the seller agrees to transfer the devices to you via forticare. Full disclosure ... Please note that none of ebay deals are mine or anyone that I know. That said, I will eventually get around to posting a fortigate 60E + switch, not big enough for you OP, on ebay. I also do not work for fortinet. I do work with their gear, and most every other major enterprise level firewall provider, at work.

 

[Nicklebon]

One thing to note is that I treat internal wireless traffic as hostile. It too is thoroughly inspected before entering my internal trusted network. I would suggest everyone do this and take that load under consideration when sizing a FW.

I felt the need to expand on this. Over the years I've taken a fair amount of heat on this forum for my generally disparaging remarks on consumer router/firewalls. The above statement is the one founding stones for my opinion on the matter. Every piece of consumer class gear I have ever touched bridges internal wireless with internal wired. That is to say that mobile devices are treated with the same security posture as fixed devices. This is considered normal in consumer network land and flat out fundamentally wrong. When you compound that with the fact that many of these mobile devices are in fact dual homed on the provider's LTE network while being attached to these internal wireless networks it gets ever worse. Wireless networks are inherently not as secure as wired networks and should be treated differently.

 

[iroc409]

Hmm... If you don't know if you need IPS/IDS I can virtually guarantee you don't need it. IDS/IPS is often used as a false sense of security for home users. It needs to be actively babysat with a real security team to be of any benefit whatsoever, and in most instances IDS with other security measures is going to be better. Who is going to manage your rulesets? Are the paid and/or free rules going to be sufficient for your environment, or are they totally going to miss the boat? At the very minimum if you want something pretty hands-off I would not use a free/open rule set, you'll need a paid maintained set. Make sure it's tuned for the gear that is on your network so you're not unnecessarily blocking real traffic but also detecting issues that are relevant.

I ran an IPS for years until I did some research into real network security, and after that pretty much decided all of it was a total waste of my time for home use--even work. If you're not doing the TLS/MITM connection in today's encrypted world like previously mentioned, you're just pissing in the wind (pardon the crude phrase but can't think of a better one at the moment).

Now, I'll 100% support anyone that wants to do that for fun and giggles, or learning. It can be very interesting. Sifting through 30k poorly-written free open source IDS rule warnings a day is not.

Sophos UTM is a really cool product, I love a lot of features it has (not even considering the IPS features), but don't like how it handles traffic through the firewall. As I understand it, as long as traffic is allowed through the other traffic filters, it pretty much ignores the firewall rules (with exception to the Geo-IP blocking stuff). Strange.

 

[Keljian]

I felt the need to expand on this. Over the years I've taken a fair amount of heat on this forum for my generally disparaging remarks on consumer router/firewalls.

Everyone is entitled to their own opinion and you certainty won’t cop flak from me

That said, saying or implying that solutions like ipfire/sophos/pfsense are not good enough in this space is plain wrong.

These are hardened distributions that have many security researchers working on them, and not there for your average consumer.

 

[///AMG]

I'm a little overloaded reading all these posts. I never knew about a lot of this stuff and TLS/MITM are new acronyms to me. I did however go ahead and order the netgate xg-7100 1U since its in my price range and seems to be good enough for me. Also had 10gb SFP+ ports so I can get a 10Gb switch. I got it with the 256gb SSD and 24gb RAM as Keljain suggested.

 

[Keljian]

I'm a little overloaded reading all these posts. I never knew about a lot of this stuff and TLS/MITM are new acronyms to me. I did however go ahead and order the netgate xg-7100 1U since its in my price range and seems to be good enough for me. Also had 10gb SFP+ ports so I can get a 10Gb switch. I got it with the 256gb SSD and 24gb RAM as Keljain suggested.

TLS - Transport Layer Security - used on every site that you have a "lock on" in your browser, effectively an encrypted tunnel between the computer/device and that site

MITM- Man in the middle - In the context of this thread means allowing the UTM device to be the computer that has the secure tunnel as opposed to your computer, it does the decryption, which means that it can inspect the packets that are in the secure tunnel. This requires setting up certificate authority/certificates in each of the clients as well as the UTM, and other things.

 

[IdiotInCharge]

I'm not even sure if TLS/MITM can be done transparently to the point that it doesn't wind up breaking other stuff.

I think, other than cost, that was my main stopping point with IPS.

One thing to note is that I treat internal wireless traffic as hostile. It too is thoroughly inspected before entering my internal trusted network. I would suggest everyone do this

Honestly this is a basic assumption of network security. WPA2 isn't secure, therefore, traffic traversing wireless networks requires more security.

Beyond phones that are dual-homed by nature (if not run that way purposefully), the potential vectors that IoT devices expose pretty much necessitate more lower-level segregation and inspection. An untapped market for home users, in my opinion.

 

[Keljian]

I'm not even sure if TLS/MITM can be done transparently to the point that it doesn't wind up breaking other stuff.

Honestly this is a basic assumption of network security. WPA2 isn't secure, therefore, traffic traversing wireless networks requires more security.

Beyond phones that are dual-homed by nature (if not run that way purposefully), the potential vectors that IoT devices expose pretty much necessitate more lower-level segregation and inspection. An untapped market for home users, in my opinion.

I think TLS/MITM can be done transparently to the user, but I am open to being corrected on that

Untapped market for sure, but how to get it to be easy enough for home users is a challenge in and of itself.

 

[Mac2]

I think TLS/MITM can be done transparently to the user, but I am open to being corrected on that

Untapped market for sure, but how to get it to be easy enough for home users is a challenge in and of itself.

all that is needed is intuitive GUI.

 

[Nicklebon]

I think TLS/MITM can be done transparently to the user, but I am open to being corrected on that

Untapped market for sure, but how to get it to be easy enough for home users is a challenge in and of itself.

It can certainly be done transparently assuming the correct certs are installed on the machine. One of the bigger issues that come up are applications by certain vendors that don't want anyone to know what they are doing, f**king microsoft chief among them, that use embedded certs and break when the server cert is replaced by the proxied connection. This means exceptions have to created and maintained. Frankly, CIOs and CSOs need to put a stop to this kind crap with a very simple mantra to the effect of all traffic on our networks will be inspected or it will be off our network.

 

[///AMG]

A little update the netgate is going to be installed by a local company just for my work machines and my company is going to pay for it so I am not going to bother messing with that. I also got the UDM-Pro and its going to be just my personal home network. UDM-Pro came yesterday so I spent a bit last night setting it up, I went to microcenter to grab 4 nanohd aps, and a raspberry pi 4b to use for pihole. So far I can see why a lot of people like ubiquiti stuff.

Also waiting to get the POE Managed switch.

 

[///AMG]

Also came home and saw a long list of queries from my NAS to a russian ip address? I never knew it was doing that but its consistent. I paid for eero secure which was supposed to do things like that but never caught it. Its nice to be able to see more detailed stuff like this and then be able to block it.

 

[IdiotInCharge]

piHole is a 'hole' unto itself- worth taking a bit of time to get familiar with,as you've already seen.

 

[///AMG]

piHole is a 'hole' unto itself- worth taking a bit of time to get familiar with,as you've already seen.

Yea, it took me a while but I created a vlan for it and then created an ssid on the nanohds for that vlan specifically for my wife's devices and streaming devices so its plug and play for those on that ssid. Has been very solid, blocks a lot of stupid popup ads too. Waiting on the PoE switch so I can power the PiHole through the switch instead of an adapter. Also have to print out a case for it.

For almost all of my life I just bought the best consumer router I could afford, but I think I am starting to like all of the features and the flexibility of these prosumer+ stuff. I am not in IT or networking at all so its going to take me a long time to figure things out.