Saturday, December 31, 2016

holding off for a bit!

I have decided that I need to take a break from updating this blog.  Will be back in the near future.

Thursday, December 29, 2016

IPSec VLAN #2 - Hardening Rules

After review of information in this SANS 2006 document, I am a little more confident that I can implement the Gateway into my house with a more controlled hardening.  This document is a design using open source components for an Intrusion Detection/Prevention System.  It applies to a small to medium network which is appropriate for my home environment.  My thought is to have this implemented prior to the OpenVPN server in the IPSec VLAN setup that I am building.  Additionally, I will be using SELinux to lock down the services running on my OpenVPN RPi server.  So at this point the following would be needed:

  1. IDS/IPS in the flow between the internet connection and the OpenVPN server.
  2. SELinux used to lock down services in the RPi server.
  3. Checks to make sure that the OpenVPN stream is not broken or compromised; if it is, stop all traffic incoming to the home network (meaning the IPSec streams would stop).
  4. Audit logs of activity and regular checking of the logs to ensure that nothing got by.
  5. No DHCP service on No Man's Land LAN.
  6. No ICMP ping responses from any device connected to No Man's Land LAN; this might include detection of scanning in the network and/or detection of pen test tools.
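Rules 4, 5 and 6 above are the ones a packet filter on the gateway can enforce directly. The script below is an added example of mine, not code from the post: it generates an nftables ruleset for the OpenVPN gateway that faces No Man's Land. The interface names (eth0, tun0) and the port (UDP 1194, OpenVPN's default) are my assumptions, not values from the post.

```shell
#!/bin/sh
# Added example, not from the post: emit an nftables ruleset that enforces
# hardening rules 4, 5 and 6 on the OpenVPN gateway facing "No Man's Land".
# Assumptions (mine, not the post's): WAN side is eth0, OpenVPN listens on
# UDP 1194 (OpenVPN's default) and the tunnel interface is tun0.
WAN_IF="${WAN_IF:-eth0}"
OVPN_PORT="${OVPN_PORT:-1194}"
TUN_IF="${TUN_IF:-tun0}"

# nml_ruleset: print the ruleset to stdout; nothing is applied here.
nml_ruleset() {
cat <<EOF
flush ruleset
table inet nml {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    # IPv6 still needs neighbour/router discovery even though ping is refused
    icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    # Rule 6: never answer ping, so a scan of No Man's Land sees nothing
    icmp type echo-request drop
    icmpv6 type echo-request drop
    # Rule 5: no DHCP service here; discard any DHCP request that reaches the gateway
    udp dport 67 drop
    # The gateway offers exactly one service: OpenVPN, and only on the WAN side
    iifname "$WAN_IF" udp dport $OVPN_PORT accept
    # Rule 4: log (rate-limited) everything else before dropping it, for the audit log
    limit rate 5/second log prefix "nml-drop: "
    counter drop
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    # Only traffic that arrived through the tunnel may be forwarded onward
    ct state established,related accept
    iifname "$TUN_IF" accept
  }
}
EOF
}

# Stand-alone use: "sh nml-rules.sh" prints the ruleset for review;
# "sh nml-rules.sh apply" loads it (requires root on the gateway).
case "${1:-print}" in
  print) nml_ruleset ;;
  apply) nml_ruleset | nft -f - ;;
esac
```

Running `nml_ruleset | nft -c -f -` on the gateway checks the syntax without loading anything; the dropped-packet log lines (prefix `nml-drop: `) land in the kernel log, which is what rule 4's regular log review would read.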

IPSec VLAN #1 - Keeping VLANs Separate Using Encryption

I was reviewing some Capability Package (CP) documents from NSA the other day and it occurred to me that one of the ideas I could use was to keep VLANs separate from each other even across the internet.  This has appeal since I have a couple of VLANs in my home network that are not connected to the outside world or each other, yet I want to be able to do something with them during lunch at work.

Without going into too much detail re: the CP from NSA, they describe a virtual private network using commercial products which keep security domains separate from each other.  This is done through a double encryption linkage.  The following illustrates what I am talking about:


In this diagram, an OpenVPN Gateway is used on both sides (with certificate based connection) to form a connection between two No Man's Land LANs.  This is roughly equivalent to what we normally do on a day to day basis connecting a laptop using an OpenVPN client to our home networks through an OpenVPN server.  That being said, the connection goes between two LANs that do nothing in this diagram except give a place to combine packets from multiple IPSec VPN Gateways.  If we use a separate certificate to access each "VLAN", the information will not cross between them.  In other words, I could have an IPSec VPN Gateway at work, with a certificate for LAN A, and I could only connect through IPSec VPN Gateways at home that used the same certificate.  Those would be ones that are part of the same LAN A "VLAN".  Notice that I don't have to have a switch/router that is VLAN aware; I could have everything on separate conventional networks.

My thought is to implement OpenVPN on a RPi which would serve as an OpenVPN Gateway into the No Man's Land LAN (after hardening the RPi against attack, of course, using a certificate specific to the OpenVPN connection). I would then implement IPSec VPN Gateways on other RPis (also hardened against attack) with certificates specific to the LAN that they connect to.  This speaks of having my own certificate authority (which is food for another post).  The OpenVPN Gateway doesn't necessarily need to be on an RPi either; I just would like to see if I can get this working using commodity items.  Note that the IPSec VPN Gateways could be implemented in VMs as well running on a server.
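The separation described above rests on each "VLAN" trusting only its own certificates. The script below is an added example of mine, not the post's setup: it gives each LAN its own private CA with openssl, issues gateway certificates from those CAs, and shows that a LAN A gateway accepts a LAN A peer and rejects a LAN B peer. The CA names, gateway names and the `$WORK` directory layout are my assumptions.

```shell
#!/bin/sh
# Added example, not from the post: one private CA per LAN "VLAN", so a gateway
# certificate issued for LAN A cannot authenticate to a gateway in LAN B.
# Assumed layout (mine): $WORK/<lan>-ca.pem|.key for CAs, $WORK/<host>.pem|.key for gateways.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# make_lan_ca LAN: self-signed CA that anchors trust for exactly one LAN
make_lan_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$1 VLAN CA" \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" 2>/dev/null
}

# issue_gateway_cert LAN HOST: gateway key and certificate signed by that LAN's CA
issue_gateway_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2.$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/$2.csr" \
    -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
    -out "$WORK/$2.pem" 2>/dev/null
}

# peer_accepted LAN HOST: what a gateway in LAN does when HOST presents its
# certificate: verify it against LAN's own CA and nothing else.
# Exit status 0 means accept, 1 means reject.
peer_accepted() {
  openssl verify -CAfile "$WORK/$1-ca.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# build_lab: two LANs, two LAN A gateways (home and work), one LAN B gateway
build_lab() {
  make_lan_ca lan-a
  make_lan_ca lan-b
  issue_gateway_cert lan-a gw-a-home
  issue_gateway_cert lan-a gw-a-work
  issue_gateway_cert lan-b gw-b-home
}

build_lab
if peer_accepted lan-a gw-a-work; then
  echo "LAN A home gateway accepts the LAN A work gateway"
fi
if ! peer_accepted lan-a gw-b-home; then
  echo "LAN A gateway rejects the LAN B gateway: the domains stay separate"
fi
```

The same check is what an OpenVPN or IPsec peer does with its configured CA file; the point is that each LAN's gateways are configured with that LAN's CA only, never a shared one.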

More Later.

Monday, December 26, 2016

Project #12 - Explore and Add a VPN Capability into the Network

I have been wanting to get a simple connection into my network for a long time now.  I have tried some experiments with the Mac Mini using IPSec and have had minimal success.  This is a project to be able to get into my network from the outside anytime I am remote from home.

Thursday, December 22, 2016

Change made to network due to Media streaming overload

As luck would have it, the new router that I received from Verizon has a number of issues.  First, there is one port on the router that I cannot close because Verizon uses it to manage their network.  As a result, Verizon is able to get inside of the perimeter of the network, and that is the main reason that I have a second router.  Second, the Verizon Quantum router does not have VLAN capability - at all, nada.  This causes some issues with what I want to do, since I need to isolate things onto their own broadcast LANs.  It doesn't do well to have an Ethernet based media setup which cannot be isolated from other devices that need to share the bandwidth.  Also, interestingly enough, I have discovered that pushing a lot of media (and Bonjour messages for that matter) tends to bog this router down.

Verizon likes to be able to check on their cable card which is mounted in a TiVo Bolt on my network.  I can understand why they want to do this.  They want to be able to control what channels the cable card is able to receive.  I have no problem with this; I am paying for specific parts of their service, and they have that right.  The reason for the Ethernet traffic is that the TiVo Bolt transmits streams to the two TiVo Minis that I also have in the network.  SHMBO occasionally doesn't turn the Minis off when she is done with them and this causes the traffic to continue to stream.  She is getting better at it since she has started recording as many as three channels at the same time.  Since the Bolt only has 4 tuners, the Mini needs to be stopped after use so that it frees up the tuner that it has captured, but that is another story.

To accommodate the possibility that the connection between the Bolt and a Mini is still active and streaming, I have moved the media streaming (Bolt and 2 Minis) to a separate set of Ethernet connections outside of my home network. I am doing this by connecting all of these devices on their own separate Ethernet cables and unmanaged switches, finally coming into a separate unmanaged switch connected to the Quantum router.  If the Minis are streaming from the Bolt, the traffic is isolated to the switch and does not affect the Quantum bandwidth.  I have also connected the weather station feed through this same set of switches.  Normally, only the weather station feed uses the Quantum until we are using either Netflix or Amazon Prime Videos.  Meanwhile, if I need to connect to the internet I am free to do so.  That is the best way I know to accomplish the goals.

Now if I bork something in the home network and it goes down, it doesn't affect the media which makes living with SHMBO much easier.  Just a tip to the weary husband that only wants peace in the house.