
Help on securing a personal home network

post #1 of 18
Thread Starter 
Hi

I'm somewhat new to networking. Here's my current setup.

Modem -> Wireless Router (everyone else connects to this directly) -> Switch -> My desktops

My sister has some important financial documents on her rig and my concern is the integrity of these files. She's not very bright when it comes to computers, and her rig isn't that powerful, so I'm a bit wary about throwing an entire encryption. What I'd like to do is add another layer of security, possibly through a hardware firewall. Do I need another? My router is running Tomato (updated) and is pretty good (for home networking).

So where do I start?
post #2 of 18
I used to run Coyote Linux on an old 233MHz Cyrix-based system and found it excellent. I'm not much of a networking/security guru; I just know it utilizes hardware-implemented packet filtering & dynamic network address translation (which your wireless router does anyway) and booted off a 1.44" disk (later revisions moved to USB/HDD/CD). Oh, and it's free.
Edited by ()ut[@st - 6/7/11 at 12:58am
post #3 of 18
Go here
http://www.wilderssecurity.com/showthread.php?t=239750

And here
http://www.wilderssecurity.com/showthread.php?t=24415

You need to understand a firewall to make it successful; those two are the best guides you get.
post #4 of 18
Your Tomato router has both NAT and a SPI firewall on the WAN facing interface.

Therefore, the main concerns would be attacks from wireless, attacks from LAN, and malware.

1) Use WPA2 with a long passphrase
2) Depending on paranoia level you may segregate any 'important' devices into a separate VLAN with restricted access (such as the only outbound port allowed is to a proxy server).
3) Common sense and some type of AV.

A hardware firewall would also end up segregating your network if you need it to work as planned. Everything is lumped into the same subnet and your firewall cannot effectively implement rules if you are not traversing subnets; software firewalls are set by default to allow traffic on your LAN subnet.
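The point in post #4 about subnets, as an added example that is not part of the original thread: a small model of which connections the router's firewall ever gets to judge. The addresses, the proxy on port 3128 and the rule table are constructed assumptions, and only new connections are modelled (a stateful router would also pass replies to accepted connections).

```python
import ipaddress

# Constructed addressing plan (assumptions, not from the thread):
# general LAN on one subnet, the protected machine on its own VLAN/subnet.
LAN = ipaddress.ip_network("192.168.1.0/24")
PROTECTED = ipaddress.ip_network("192.168.2.0/24")
PROXY = ipaddress.ip_network("192.168.1.10/32")  # hypothetical proxy host
PROXY_PORT = 3128

# First-match rules applied by the router to routed (inter-subnet) packets:
# (source net, destination net or None = any, destination port or None = any, verdict)
RULES = [
    (PROTECTED, PROXY, PROXY_PORT, "ACCEPT"),  # only outbound path: the proxy
    (PROTECTED, None, None, "DROP"),           # everything else from protected hosts
    (LAN, PROTECTED, None, "DROP"),            # general LAN may not reach inward
]
DEFAULT = "ACCEPT"

def on_link(src, dst, prefix_len):
    """True if dst is in src's own subnet: the frame is switched host to host
    and never passes through the router's filter rules."""
    return ipaddress.ip_address(dst) in ipaddress.ip_interface(f"{src}/{prefix_len}").network

def verdict(src, dst, dport, prefix_len=24):
    """Return ON-LINK (router never sees it), ACCEPT or DROP for a new connection."""
    if on_link(src, dst, prefix_len):
        return "ON-LINK"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, port, action in RULES:
        if s in src_net and (dst_net is None or d in dst_net) and port in (None, dport):
            return action
    return DEFAULT

if __name__ == "__main__":
    flows = [  # constructed sample flows
        ("flat LAN: laptop -> sister, SMB", "192.168.1.77", "192.168.1.50", 445),
        ("VLAN: laptop -> sister, SMB", "192.168.1.77", "192.168.2.50", 445),
        ("VLAN: sister -> proxy", "192.168.2.50", "192.168.1.10", 3128),
        ("VLAN: sister -> internet direct", "192.168.2.50", "203.0.113.5", 443),
        ("laptop -> internet", "192.168.1.77", "203.0.113.5", 443),
    ]
    for label, src, dst, port in flows:
        print(f"{label:34} {verdict(src, dst, port)}")
```

The first flow shows why a firewall alone does not help on a flat network: with both machines in the same subnet, no router rule is ever consulted.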
post #5 of 18
Quote:
Originally Posted by Spooony View Post
> Go here
> http://www.wilderssecurity.com/showthread.php?t=239750
>
> And here
> http://www.wilderssecurity.com/showthread.php?t=24415
>
> You need to understand a firewall to make it successful; those two are the best guides you get.

Windows Firewall (or any software-based firewall for that matter) is absolute garbage for what OP is needing.

OP, I would start with reading the guide in my link; though it may be a little out of your knowledge at first, this is one of the primary reasons I wrote it. Yes, for your specific case I would recommend segregating your sis's system into a more protected area of the network, especially given the fact she is performing and retaining financial information on the system. A hardware firewall, specifically a UTM, may be advisable if it's within your budget (figure about $600-1k). The reason I suggest a UTM is not just for the firewall but also the IPS already built in, as many are anomaly-based rather than rule-based IPS. Translation between the two kinds of IPS: an anomaly-based IPS will learn what is normal activity and will automatically implement denies or kill traffic if it is out of normal operation; rule-based is just as it sounds: it is based on the rules you implement and requires tons more overhead and administration.

Edit
Beers, I would not trust the long passphrase.
In this instance I also would not recommend this system ever go across wireless.

This should also help determine why you would not want to rely on wireless security, http://www.zdnet.com/blog/hardware/c...-useless/13125
post #6 of 18
Quote:
Originally Posted by justarealguy View Post
> Hi
>
> I'm somewhat new to networking. Here's my current setup.
>
> Modem -> Wireless Router (everyone else connects to this directly) -> Switch -> My desktops
>
> My sister has some important financial documents on her rig and my concern is the integrity of these files. She's not very bright when it comes to computers, and her rig isn't that powerful, so I'm a bit wary about throwing an entire encryption. What I'd like to do is add another layer of security, possibly through a hardware firewall. Do I need another? My router is running Tomato (updated) and is pretty good (for home networking).
>
> So where do I start?

Network Security? Defense in depth? How deep do you want to go down this rabbit hole?

I leave my important files on a small external unattached hard drive. Nothing you are concerned about losing should ever be on a machine that has a gateway IP address to an outside autonomous network. Layering networks with share permissions, ACLs, VLANs, firewalls, etc. gets complex in nature very quickly. If she's not the sharpest pencil in the drawer, just leave them on a thumb drive with the USB port disabled and a shortcut/batch file to disable/enable the USB port on the desktop. Double-click for the chick..
post #7 of 18
Thread Starter 
Yeah it's not me though. I have all my personal files secured. It's my not-very-sharp sister and you can't fix a stupid user but you can try to secure it better.

Not having wireless isn't an option. I just need to figure something out so that her files aren't as "open". An external drive is a decent idea, but I'd like a networked drive instead... which puts us back to square 1.
post #8 of 18
Just password encrypt a folder with the important files... it's not like your sis has terabytes of valuable data.
post #9 of 18
I really don't know how to answer your question in a way that will provide you with answers. Wireless shared media is inherently the hardest to secure. The correct way to deploy wireless shared media is with RADIUS/802.1X EAPOL, but you've got to have a switch/AP that can support the authenticator/authentication method.

Can you employ a Wi-Fi shared media network that doesn't connect to your external ISP?
post #10 of 18
Hate to say it, but you're just done whichever route you go. Either you have that short circuit between the keyboard and the floor or you put this into a secure type of environment. It's going to be hard to fix the short circuit as 1 it's a not-so-bright user ignorant to the fact of what nasties are out there... Don't get me wrong, my wife is the same way, have this battle every other week.