Discussion:
[pfSense] Rebuilding confidence
Richard A. Relph
2018-05-13 19:44:08 UTC
Hi,
I’ve been using a SG-2440 for a couple of years now, but only as a well-maintained basic NAT router. I know I’m not using all the capabilities the box offers.
I’m increasingly concerned about ‘infected’ IoT devices inside my firewall. I don’t have any specific concerns. But confidence is continuously declining that everything I implicitly trust is really worthy of that trust. I’m looking for a tool that will provide me some evidence that my network is behaving well, and identify devices that might be betraying my trust.

I’ve been tempted by the McAfee Secure Home Platform built into certain Arris Cable Modem/Routers. https://securehomeplatform.mcafee.com
I’d be interested in this group's thoughts on that product… but I’m even more interested in thoughts on what pfSense offers that could detect “unusual” traffic.

Thanks in advance,
Richard
PS. Also looking for recommendations to replace my aging Access Point… An Apple TimeMachine (in Bridge mode).
Eero Volotinen
2018-05-13 19:48:12 UTC
Well. You should use VLANs to segment IoT devices into a different network.
Anyway... some commercial vendor might provide a bit better protection ;)

You can replace your Apple TimeMachine with UniFi APs.
https://www.ubnt.com/unifi/unifi-ap/

Eero
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
ED Fochler
2018-05-13 22:43:38 UTC
Richard,
I agree with Eero, VLANs are real security. It will require time and effort and maybe some additional equipment. If it helps you sleep at night, it's worth it. You might start with just IP groupings and rules though.

I have an admin network that only has a couple of computers wired into it. admin has access to my home and the internet. My home network (mostly wireless, satellite box, etc) does not have access to admin, but does have access to the internet.
That's VLANs.

I also recommend floating address dhcp for addresses .100-.199 and dhcp reservations for .200+ devices that should not have access to the internet, like a printer. And addresses below .100 for devices you know and wish to identify regularly. Then you can try limiting access to the internet to none for .200+, only to ports 80, 443 for .100-.199, and full internet (but not admin) access for your iphone, xbox, whatever. It's not as strong a separation between trusted and untrusted networks as VLANs are, but it does inhibit some multi-stage infection vectors. I do both.

I can still use my iphone as a remote for my satellite box with this config. I don't fear having my set top box infect my computer that I use for web-banking because they do not talk.

D-Link has some low cost vlan-smart switches available that seem to work pretty well at a totally acceptable cost.

Ethernet over powerline is an easy way to get more private devices off of your wireless network without running cat-6 through your walls or punching your own RJ-45 connectors.

pfSense should be able to provide you with separated networks with additional ports or by sending multiple tagged VLANs to a smart/managed switch where you can break them out as needed. And statically assigning addresses, blocking communication by address range, it's all in there.

Good luck,

ED.
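The tiered address-range policy ED describes (no internet for .200+, web-only for the .100-.199 DHCP pool, full internet but no admin access for known hosts below .100), written out as a hand-written pf ruleset. This is an added example, not a ruleset from the thread or one generated by pfSense; pfSense builds equivalent rules from its GUI aliases and rules. The interface name, the 192.168.1.0/24 home subnet and the 192.168.10.0/24 admin subnet are assumptions.

```pf
# Assumed layout: home LAN on igb1 as 192.168.1.0/24, admin net 192.168.10.0/24.
home_if     = "igb1"
admin_net   = "192.168.10.0/24"
known_hosts = "192.168.1.2 - 192.168.1.99"      # statically assigned, identified devices
dhcp_pool   = "192.168.1.100 - 192.168.1.199"   # floating DHCP leases
no_internet = "192.168.1.200 - 192.168.1.254"   # DHCP reservations: printer etc.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Default stance for the home network: deny, then open what each tier needs.
block in log on $home_if

# Nothing on the home network may reach the admin network, regardless of tier.
block in log quick on $home_if from any to $admin_net

# Every tier may use the firewall's own DNS forwarder.
pass in quick on $home_if proto { tcp udp } from $home_if:network to ($home_if) port 53

# .200+ : LAN-only. Anything addressed outside private space is logged and dropped.
block in log quick on $home_if from $no_internet to ! <rfc1918>

# .100-.199 : web only. Other traffic toward the internet falls through to the
# default block above and is logged, which is the "evidence" worth reviewing.
pass in quick on $home_if proto tcp from $dhcp_pool to ! <rfc1918> port { 80 443 }

# < .100 : known devices get full internet (admin access was already blocked).
pass in quick on $home_if from $known_hosts to ! <rfc1918>
```

Because the block rules carry `log`, a .200+ device that suddenly tries to reach the internet shows up in the firewall log rather than silently failing, which is the kind of misbehaviour indicator the original question asks for.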
C. R. Oldham
2018-05-14 01:01:13 UTC
Post by Eero Volotinen
You can replace you apple timemachine with unifi aps.
https://www.ubnt.com/unifi/unifi-ap/
I second the recommendation of the UniFi access points. They are
excellent.

While I advocate strongly for pfSense, Ubiquiti also offers a "security
gateway" product that might be worth looking into for your IoT needs.

--cro
Geoff Wolf
2018-05-14 02:48:01 UTC
Have you looked at the capabilities of Suricata? It’s an open source IDS/IPS available in the pfSense package manager. It takes some setting up and rule adjustment to suppress false positives, but it’s fairly straightforward. There’s plenty of documentation available for it. I think this might add some peace of mind. Also take a look at Quad9. It’s a public recursive DNS service that blocks queries for known malicious destinations aggregated from a bunch of public block lists. https://www.quad9.net

In the end I think pfSense is going to offer you the most in terms of security capabilities compared to the commercial home network solutions out there. It just depends upon how much time you’re willing to put into configuring and tuning the various tools.

--
Geoffrey Wolf
AB3LS