sk3tch

[H]ard|Gawd
Joined
Sep 5, 2008
Messages
1,847
What's your flavor?

Here's mine:

FortiGate 60E NGFW (if you're in the industry you can get these free from Fortinet at various events/etc. - watch for them and sign up - the common combo is an 8 port managed switch, this, and an AP) - pfSense is great if you're a roll your own guy/open source fan or don't have access to free gear.

Pi-Hole DNS Filtering - the best "upgrade" you can get for your network if you're semi-savvy. Tried deploying one on my bro's network (just shy of semi-savvy) on a Pi Zero W with a Chromecast power/Ethernet combo and I got a call blaming it for the Xbox having problems - ripped that thing out so quick, lol.

Cylance Smart Antivirus on endpoints - really high on this - I have been very happy with it and very few false positives except for some older gaming executables - otherwise Windows Defender is great for free.

Synology NAS for Storage, etc.

Always looking to try out new tricks if you guys have 'em.
 

FNtastic

[H]ard|Gawd
Joined
Jul 6, 2013
Messages
1,419
What's your flavor?

Here's mine:

FortiGate 60E NGFW (if you're in the industry you can get these free from Fortinet at various events/etc. - watch for them and sign up - the common combo is an 8 port managed switch, this, and an AP) - pfSense is great if you're a roll your own guy/open source fan or don't have access to free gear.

Pi-Hole DNS Filtering - the best "upgrade" you can get for your network if you're semi-savvy. Tried deploying one on my bro's network (just shy of semi-savvy) on a Pi Zero W with a Chromecast power/Ethernet combo and I got a call blaming it for the Xbox having problems - ripped that thing out so quick, lol.

Cylance Smart Antivirus on endpoints - really high on this - I have been very happy with it and very few false positives except for some older gaming executables - otherwise Windows Defender is great for free.

Synology NAS for Storage, etc.

Always looking to try out new tricks if you guys have 'em.
Nice try NSA
 

FNtastic

[H]ard|Gawd
Joined
Jul 6, 2013
Messages
1,419
pfsense, pfblockerng-devel (this already includes SO much more than the non-"devel" package with additional feeds, etc. Essentially pi-hole built-in to pfsense), appropriate VLANS on managed switch for guests, hardwired, IoT, etc.
Was messing around with packet inspection for a while. But, with so much going to SSL, I haven't found a solution I like yet.
Anti-virus on devices.
Educated users on the network. Unsafe/untrustworthy users get the guest network, which is blocked off from everything else via firewall rules.
For wifi, WPA2 with long passwords is another great way to protect. Don't forget WPA2 can be cracked too. The shorter the password, the quicker someone can gain access to your network after cracking the hash.
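
Added illustration of the passphrase-length point in the post above (not part of any poster's message): WPA2-Personal derives its 256-bit key from the passphrase with PBKDF2-HMAC-SHA1, 4096 iterations, salted with the SSID, so passphrase length and character mix set the size of the search space. The guess rate used below is a constructed assumption, and the bit count is a brute-force upper bound that dictionary words fall well short of.

```python
import hashlib
import math
import string

PBKDF2_ITERATIONS = 4096   # fixed by the WPA2-Personal key derivation
PMK_LEN = 32               # 256-bit pairwise master key
ASSUMED_GUESSES_PER_SEC = 1_000_000  # constructed assumption, not a benchmark

# Character classes used for a rough search-space estimate.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")


def _check(passphrase: str) -> None:
    """WPA2 passphrases are 8 to 63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the pairwise master key the way an access point does."""
    _check(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def search_space_bits(passphrase: str) -> float:
    """Upper bound: length * log2(size of the character classes in use)."""
    _check(passphrase)
    charset = sum(len(cls) for cls in CLASSES
                  if any(c in cls for c in passphrase))
    return len(passphrase) * math.log2(charset)


def years_to_exhaust(bits: float, rate: float = ASSUMED_GUESSES_PER_SEC) -> float:
    """Time to try every candidate at the assumed guess rate."""
    return 2 ** bits / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample passphrases, shortest to longest.
    for sample in ("password", "Tr0ub4dor&3x", "seven-random-words-beat-short-ones"):
        bits = search_space_bits(sample)
        print(f"{len(sample):2d} chars  {bits:6.1f} bits  "
              f"{years_to_exhaust(bits):.3g} years at assumed rate")
```

Because the SSID is the salt, a common default network name also lets precomputed tables apply, so a unique SSID helps alongside a long passphrase.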
 

FNtastic

[H]ard|Gawd
Joined
Jul 6, 2013
Messages
1,419
That's actually my WiFi network name. :)
I've done "FBI Van in front of house" before, and stuff like that. Just wish I could have seen their faces when they scanned for networks and saw that one.
 

Nicklebon

Gawd
Joined
May 22, 2006
Messages
729
If you're using a fortigate why bother with pi-hole? You can filter DNS directly on the Fortigate. For that matter why not use the forticlient vs cylance? Then you manage and, more to the point, monitor the local endpoint policy from the firewall?
 

sk3tch

[H]ard|Gawd
Joined
Sep 5, 2008
Messages
1,847
If you're using a fortigate why bother with pi-hole? You can filter DNS directly on the Fortigate. For that matter why not use the forticlient vs cylance? Then you manage and, more to the point, monitor the local endpoint policy from the firewall?

Fortinet isn't an endpoint company, so their product isn't nearly as capable. Defense in depth. Cylance is centrally managed as well, via their web console.

The DNS filtering on FortiGate is not as comprehensive. Pi-hole gives you a lot more options.
 

Eickst

[H]ard|Gawd
Joined
Aug 24, 2005
Messages
1,884
Everyone has their favorites, so I'd say the best home security cocktail is all the stuff you are comfortable and savvy enough with to configure properly.

There's also the WAF to consider. I'd love to lock down her PC to the bare minimum needed to function, but then I'd be locked down to the bare minimum as well. And I don't mean my PC.
 

Biznatch

2[H]4U
Joined
Nov 16, 2009
Messages
2,224
pfsense, pfblockerng-devel (this already includes SO much more than the non-"devel" package with additional feeds, etc. Essentially pi-hole built-in to pfsense), appropriate VLANS on managed switch for guests, hardwired, IoT, etc.
Was messing around with packet inspection for a while. But, with so much going to SSL, I haven't found a solution I like yet.
Anti-virus on devices.
Educated users on the network. Unsafe/untrustworthy users get the guest network, which is blocked off from everything else via firewall rules.
For wifi, WPA2 with long passwords is another great way to protect. Don't forget WPA2 can be cracked too. The shorter the password, the quicker someone can gain access to your network after cracking the hash.


I will have to try the -devel. Just got pfblocker going a few weeks ago and effing love it. With a few lists added to the feeds, I have blocked like 95% of all ads at the edge.

For packet inspection, your only choice will be to set up a reverse proxy with an SSL cert, and add that cert as trusted to your machine. There is no other way to break the SSL chain to inspect the traffic.

For wifi, you could set up a captive portal for wifi along with LAN isolation. So even if they manage to crack your WPA2 key, they can't communicate with anything on your network or even pass web traffic.
 

sk3tch

[H]ard|Gawd
Joined
Sep 5, 2008
Messages
1,847
For packet inspection, your only choice will be to set up a reverse proxy with an SSL cert, and add that cert as trusted to your machine. There is no other way to break the SSL chain to inspect the traffic.

That’s why endpoint is key. Much cleaner than breaking SSL. Cylance is about the best that you can get for the home market.

EDR (CrowdStrike, SentinelOne, etc.), Deception (illusive networks, etc.)...all great for lateral movement.
 

vxspiritxv

[H]ard|Gawd
Joined
Feb 10, 2001
Messages
1,551
ATT gigapower 1gig fiber
Asa5515x firewall
4948e switch (10gbit fiber)
8 port hp poe+ switch
2 x ubnt access points (4k sqft coverage)

Isc bind
Kaspersky
Ms exchange
 

sk3tch

[H]ard|Gawd
Joined
Sep 5, 2008
Messages
1,847

vxspiritxv

[H]ard|Gawd
Joined
Feb 10, 2001
Messages
1,551
LOL gubberment said it, so must be true.

I've tested CrowdStrike, Cylance, and a few others. Kaspersky was the only AV in our tests that didn’t fail to viruses. Not to say any AV is 100%, but the failures weren't new viruses nor hard to get.

Though from a performance perspective Cylance was the best. CrowdStrike had one of the best interfaces, at least as it pertains to following what the virus did. Both failed to (different) crypto viruses that reboot the system before such data could make it to their respective clouds.

Edit: Now that I'm at a computer and can clean up the crap post my phone made... Testing was done at the company I work for, I'm the Sr. Network Admin, but the above setup is my home, family & friends usage only. A few years back I used to sell web creation / hosting services, but I just got tired of dealing with people :ROFLMAO:.
 

Dead Parrot

2[H]4U
Joined
Mar 4, 2013
Messages
2,831
Rural telco 12mb DSL - lucky to get that.
their basic bridge mode modem
Juniper SSG5 w/default block everything rules.
dumb switch copper gig network
Wifi is on its own zone with limited access to primary network. SSG5 provides the DHCP.
Dlink 2 drive NAS for backup.
Malwarebytes premium on primary PC. (got in on the lifetime subscription deal)
Test/secondary PCs get just the basic Windows included security.
 

daglesj

Supreme [H]ardness
Joined
May 7, 2005
Messages
5,426
Unchecky on all the PCs to help bolster up all the fleshy bits using them.
 

Mr. Baz

2[H]4U
Joined
Aug 17, 2001
Messages
2,815
AT&T symmetric Gig FTTH
Supermicro SYS-5018A-FTN4 running pfsense & pfblocker & SNORT
AeroHive AP250 for WiFi
Ubiquiti EdgeSwitch 24 port POE
Testing a Dell N3048P currently (it is crazy loud)
Cylance at the moment for antimalware. I might be switching over to BD Ultra and giving that a spin.

 

sk3tch

[H]ard|Gawd
Joined
Sep 5, 2008
Messages
1,847
AT&T symmetric Gig FTTH
Supermicro SYS-5018A-FTN4 running pfsense & pfblocker & SNORT
AeroHive AP250 for WiFi
Ubiquiti EdgeSwitch 24 port POE
Cylance at the moment for antimalware. I might be switching over to BD Ultra and giving that a spin.

BD = BitDefender?

They're my new choice for pure AV (with Kaspersky's demise). Very good software and the BitDefender Box is a really cool way to do IoT security.
 

Mr. Baz

2[H]4U
Joined
Aug 17, 2001
Messages
2,815
BD = BitDefender?

They're my new choice for pure AV (with Kaspersky's demise). Very good software and the BitDefender Box is a really cool way to do IoT security.

Yeah, BitDefender. Their new Ultra package is pretty interesting. I'm contemplating using their GravityZone appliance at work.
 