Securing Your Home Network/Homelab... Yes, it's still relevant in the 2020s!

Presented at CactusCon 11 (2023), Jan. 28, 2023, 9 p.m. (60 minutes).

About Me:

So, a bit about me... My name is Chris Kniffin. I am 44 years old, a network administrator (for about 12 years now), an avid gamer (16-bit was the golden era!!!), and have been interested in computers since the 80s, when my family "inherited" a Tandy TRS-80 with a cassette deck drive and a monochrome b/w monitor. In 1994 I got my first "modern PC": a swanky Gateway 2000 P5-90! Of course, over the years I had several other computers, and then in the late 90s I learned to build my own machines. This in turn led to me learning about things like overclocking (let's face it, back then every single CPU cycle counted). As time went on, I wound up with more than one computer, and due to my love of gaming, I wanted them to "talk" to one another, and so began my love affair with networking.

My very first network consisted of two machines, a parallel cable, and two installs of Quake 3. In addition, I set up my "Network Neighborhood" so I could share my super awesome AOL account between the two machines, with the second one connecting to the "modem" machine via that parallel cable. It was slow, but it was absolutely mind-blowing to me that I was able to get two machines talking to one another. Fast forward a few years and I had graduated to Ethernet, broadband internet, and switches, and the network now had 4 computers. And so it stayed for a while. In the mid-2000s (2009 or 2010) I started using hard drives to store and share music and video on my home network, and it has only gotten "worse" from there.

How did I get here??? As mentioned earlier, I absolutely love making computers "talk" to each other, and as time went on I became more and more interested in doing it securely. While your average user does not really give too, too much thought to how secure their home network is (most assume the OEMs have thought of it for them), I wanted more. This is in part due to my friend showing me how easy it is to crack wifi passwords, as well as my job as a network administrator.

My job as a network administrator showed me how much better enterprise-level hardware and software is than your average consumer-level garbage. As a result, I set up an Active Directory domain on my network and set up my own DHCP server, as well as DNS. The hardware was originally an IBM System x3650 M1 running Windows Server 2012 R2 and Hyper-V. It has long since been replaced with a custom-built machine (Core i7-6900K, 128GB RAM, 1TB SSD storage for the OS, 2TB SSD storage for the VMs themselves, 80TB of storage for "media" and NAS, 2 x 1Gbps NICs, several USB 3 controller cards, water cooling, and a case the size of a Buick). In addition, a lot of the Windows machines have been converted to *nix-based alternatives. The domain controller remains Windows (now Server 2019), and the hypervisor is still Hyper-V (again, Server 2019), but the media server and NAS were consolidated and now run on a TrueNAS Core server. I also have a database server (Linux) running MySQL for my Kodi installations. All storage is mirrored in case of a drive failure; it is really hard to get back terabytes of data if you don't have a copy! All of this is housed in a 42U server rack.

In addition to the core infrastructure mentioned above, I also run pfSense for my routing needs. This is connected to an HPE 1920 24-G enterprise switch (if it's not managed, are you even switching?). Wifi is handled by a Netgear WAX-204 enterprise wifi access point with 3 SSIDs (gotta keep those networks separate!).

So, the origin of my current network configuration can be distilled down to a couple of things that happened over the years. The first was reading an article about how Actiontec routers had an un-closable port open on them that was being exploited to make these routers part of various DDoS botnets, etc., and that this also allowed the threat actors to take control of the devices, letting them change DNS settings, etc.

Having always been one to use strong passwords on my devices, I was not too worried about them "getting me", but "what if", I thought. So, I began looking around for Linux-based router software that I could install on one of my many old PCs. I looked at SonicWall (I am used to them because of my job), but didn't want to spend a jillion dollars a year on licensing for all the "good stuff." I searched for a while, looking for an alternative that was enterprise level. This led me to pfSense. I installed it originally on an old HP DX2400 with an Intel 4-port server NIC. From the first power on, I was hooked. Not only was I given absolute control over which ports were open or not, I discovered things like GeoIP filtering, DNS block-lists, and IP block-lists. I have since set all of them up in fine fashion, blocking known malware domains, ransomware domains, ad servers, "naughty stuff" to keep the kids away from things they shouldn't be looking at, known C2 servers, and Tor addresses (in case nasty-ware wants to use it to get to a C2), totaling roughly 655,000 blocked items.

But wait, there's more!!! I have been known to download things here and there (80TB of storage... ya know...). I don't really think that it's my ISP's business (nor anyone else's) what I am doing online, so I got a VPN. Before setting up pfSense, I had to use the software provided by the VPN; blech. pfSense allows me to use its built-in OpenVPN client to connect. This allows me to choose which machines are using the VPN (in this case a dedicated "downloading" Linux VM) and which ones use the "normal" internet. But... it turns out that ISPs are nosy, and they like to look at your DNS requests. Well, that doesn't sit well with me, and pfSense allows me to configure DNS over TLS for my entire network instead of using a browser to do it (handy because of the 234982374239487 phones, tablets, and other non-PC things on my network these days).

Speaking of which, in this day and age of bandwidth caps (pfffft, lame), pfSense supports traffic shaping, which allows me to throttle the device my kids use (they kept installing 50GB+ games and costing me money in overages). Now it takes them so long to download something, they think twice before doing it. (I promise, this is not a sales pitch for pfSense, I just really like it.) I can also set up internet access for specific devices to be turned off on a schedule so the kids aren't up all night on school nights mucking around on the internet, but my devices are unaffected (yay aliases!). Finally, pfSense has logs. Lots of them. I can keep track of which devices are going where, how much bandwidth they are using, etc.

Another of the things that changed the way my network was set up was my friend showing me how easy it is to hack wifi passwords. We have been friends now for well over a decade (actually coming up on 20 years), and we LOVE retro games (Super Metroid!!!!). We get together and have "game nights" during which we have some drinks, play old games, and just chill. On one particular game night, he brought over his super huge wifi antenna and his MacBook (complete with a Kali VM) and asked if I wanted to see something cool. Of course I said "yes", because who doesn't want to see something cool? He fired up the Kali machine, connected the antenna, and launched airmon-ng. A few "deauths" later, and there were some handshakes sitting in a file. Off they went to an online hashing service... Well, this turned out to be another one of those mind-blowing moments for me; I thought my network was rock solid at this point! So this led me to make a huge change in how my wifi was set up. I changed from PSK to 802.1X authentication via certificate. I installed the CA role on my domain controller, issued certs, installed them, and was off to the races. There were no longer any "keys" to be shared, and everything was authenticated using 4096-bit certificates (2048-bit... pfffft). As a result of this, I learned to set up a RADIUS server as well as NPAS in Windows. Unfortunately, I had to go back to "keys" because there got to be too many things on the network that did not support enterprise-level wifi authentication (lame). So, I now use keys that are about 30 characters long in hopes that it would just take too long to crack. I also now use multiple SSIDs to keep my important devices and computers safe from whatever nonsense my kids might be doing. The access point I use supports SSID isolation (another reason enterprise is better).

Those two things are what really got me interested in network security. I now only allow SMBv3 (128-bit AES!!!), and wherever possible shunt everything I can into an SSH tunnel (not just gonna have my Linux VNC session out in the open!). I believe I can say that if you connect your device to my network, it is as safe as any corporate network would be, if not safer.

So, what has this done for me and my career, and how might it help you in your career to spend time securing your home network/homelab? In addition to allowing me to reach and maintain a level of privacy that I am comfortable with, all of the above has helped me become a better network administrator as well. It actually turned out to be a "two-way street", with the things I was doing at home to secure my network helping me secure the network at the office, and working with enterprise-level devices at the office teaching me how to do things better at home. I have done things such as setting up GeoIP and botnet filtering at our office. This cuts down our attack surface greatly, keeping us safe(r) when things like Exchange zero-days show up. My "obsessive" firewall configuring at home has allowed me to greatly lock down our network security appliance at work, keeping our more vulnerable servers safe (RDP, anyone...?).

All of this has led to me developing a huge interest in infosec, hacking, malware analysis, ransomware, etc., and has also taught me to keep my personal information safe online (well, as safe as it can be these days). Because I have spent so much time building out my home network to be secure, I have a much better understanding of how the "red team" works, allowing me to be a better "blue team" member at work. I have now reached a point in my career where I am the one asked about security issues, how we should best prepare for possible attacks, what we should do in case of an incident, etc. I am now also the one who plans out our internal network security: which devices are allowed to be used, which network(s) which devices are allowed to connect to, and ensuring software- and operating-system-based vulnerabilities are addressed and remediated. And I can tell you, it is all because of my home network.

------------------------------------------------------------------------------------------------------------------

Who is in the audience?

My intended audience for a talk like this would be people that are looking to start learning network security, as well as those who are familiar with it but are looking to perhaps expand their level of experience with setting up more complicated, enterprise-level devices. I think that in an industry where experience is pretty much the most valuable asset one can have, a talk like this could help people find a place to get started and begin getting that experience. It may also offer those with some experience a way to "sharpen" their skills, try out things they may not otherwise be able to, etc.; basically an opportunity to learn something new.

------------------------------------------------------------------------------------------------------------------

High level agenda

Introduction - Who am I? My background, experience, etc.

Overview - What are we going to talk about? Why should you care about home network security? How can it help you grow as a professional? General overview of my network (hardware, configuration, etc.).

Actual content of the talk - Detailed walk-through of my network components, what each one does, why I chose to use that component, and how it applies to things "out there" in the world (work, school, etc.). Discuss using virtual machines to make the most of the components you may have available (they are a huge part of how I set things up). Discuss network security appliances (pfSense in particular, but the overall setup and use applies to pretty much any enterprise-level NSA): things like block-lists (DNS and IP), GeoIP filtering, IPS/IDS, traffic shaping... Discuss wifi and keeping it safe/secure (network key length vs. jtr or hashcat); using 802.1X auth when possible. *Talk about setting up IPsec tunnels between your machines at home for those sensitive connections. (I did this just to learn how to set them up; as a result we now use them at my office for certain server-to-server connections where TLS was not an option.) Talk about how using an internal CA can make your home network safer. Call back to the discussed items and relate them to things like your job, your education (if you are in school for security, etc.).

Wrap up.

Presenters:

  • Maddoghoek77 - Network Administrator/Infrastructure Engineer with Valley of the Sun United Way
    Currently a network administrator at Valley of the Sun United Way. I have been involved in the "computer industry" since about 2000, having done phone-based technical support for advanced DNS hosting and DSL, as well as technical help-desk support. I was also a technical trainer for roughly 6 years before starting my current position. If I had to list "favorites" I would say networking is my biggest passion, with particular emphasis on doing it securely. Second would be encryption; I can hardly think of a better way to maintain your privacy.
