Thursday, December 29, 2016
IPSec VLAN #2 - Hardening Rules
After reviewing the information in this SANS 2006 document, I am a little more confident that I can implement the Gateway into my house with more controlled hardening. The document describes a design that uses open source components to build an Intrusion Detection/Prevention System. It applies to a small to medium network, which is appropriate for my home environment. My thought is to have this implemented prior to the OpenVPN server in the IPSec VLAN setup that I am building. Additionally, I will be using SELinux to lock down the services running on my OpenVPN RPi server. So at this point the following would be needed:
- IDS/IPS in the flow between the internet connection and the OpenVPN server.
- SELinux used to lock down services in the RPi server.
- Checks to make sure that the OpenVPN stream is not broken/compromised; if it is, stop all traffic incoming to the home network (meaning the IPSec streams would stop).
- Audit logs of activity and regular checking of the logs to ensure that nothing got by.
- No DHCP service on No Man's Land LAN.
- No ICMP ping responses from any device connected to No Man's Land LAN; this might include detection of scanning in the network and/or detection of pen test tools.
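An added example, not part of the original post: a fail-closed watchdog for the tunnel check in the list above, which blocks forwarding into the home network whenever the OpenVPN tunnel looks dead. It covers only the "broken" case (interface gone or status file stale), not a compromised tunnel; the names tun0 and eth1, the status-file path and the 60-second threshold are assumptions.

```shell
#!/bin/sh
# Added example, not the blog author's code. Assumed names: tun0 (tunnel),
# eth1 (interface facing the home network), and an OpenVPN server started with
# "--status /run/openvpn/status.log 10" so the status file is rewritten every 10 s.
TUN_IF=${TUN_IF:-tun0}
LAN_IF=${LAN_IF:-eth1}
STATUS_FILE=${STATUS_FILE:-/run/openvpn/status.log}
MAX_AGE=${MAX_AGE:-60}                   # seconds before the status file counts as stale
SYSFS_NET=${SYSFS_NET:-/sys/class/net}   # overridable so the logic can be tested

# Print "up" only when the tunnel interface exists AND OpenVPN is still
# refreshing its status file; every other case (including errors) is "down".
tunnel_state() {
    [ -d "$SYSFS_NET/$TUN_IF" ] || { echo down; return; }
    [ -f "$STATUS_FILE" ]       || { echo down; return; }
    mtime=$(stat -c %Y "$STATUS_FILE" 2>/dev/null) || { echo down; return; }
    now=$(date +%s)
    if [ $((now - mtime)) -le "$MAX_AGE" ]; then echo up; else echo down; fi
}

# Decide and print "allow" or "block". Rules are changed only when APPLY=1.
gate() {
    if [ "$(tunnel_state)" = up ]; then action=allow; else action=block; fi
    if [ "${APPLY:-0}" = 1 ]; then
        case $action in
            block)  # insert the DROP once, ahead of every other FORWARD rule
                iptables -C FORWARD -o "$LAN_IF" -j DROP 2>/dev/null ||
                    iptables -I FORWARD 1 -o "$LAN_IF" -j DROP ;;
            allow)  # remove the block if a previous run added it
                iptables -D FORWARD -o "$LAN_IF" -j DROP 2>/dev/null || true ;;
        esac
        logger -t vpn-gate "$action forwarding to $LAN_IF"
    fi
    echo "$action"
}

gate   # dry run by default; run from cron or a systemd timer with APPLY=1 to enforce
```

The script assumes it runs on the box that routes traffic into the home network, so a DROP on the FORWARD chain toward the LAN interface is what cuts the inbound path.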