Thread 146550 | Press F1 | Firewall Rules, Encryption and Securing home wi-fi network | started by chiefnz (545) | 2018-09-04 21:39:00
Post ID | Timestamp | User
1453316 | 2018-09-04 21:39:00 | chiefnz (545)
Ok, so in light of a recent article (www.stuff.co.nz) about the "Five Eyes" countries (which includes NZ) considering looking at ways they might "pursue technological, enforcement, legislative or other measures to achieve lawful access solutions" to encrypted communications, I took it upon myself to review the security of my wi-fi network at home. This has also come about from a newly found interest in network and cyber security and a potential career path change to one of these fields.

I woke up this morning to find that none of our wi-fi devices were able to connect to the wireless network for some reason, on either the 2.4 or 5GHz networks, which was strange to say the least. I resolved this by rebooting the router (TP-Link TD-WD9980). Despite the logs being saved locally to the router, once the reboot was completed I couldn't see any entries prior to the reboot I had performed. In hindsight I should probably have looked at the logs BEFORE rebooting the unit.

I have since:
- Changed the admin password
- Enabled MAC address filtering
- Disabled the DHCP server function and used IP address reservations instead
- Guest wireless is not available, though I have never activated it

I have the router's IPv4 firewall enabled but I have not added any rules. I use ESET Internet Security on my PC and this allows custom user-created firewall rules as well as having a predefined set of rules implemented by default. So I was wondering, would there be any benefit if I created a copy of the ESET predefined rules on the router's firewall as well, or would this be overkill? Is there any place I can find a "trusted" list of firewall rules that experts say are good to have in place on a firewall? Given there are no rules in place on the router's firewall, is there any point in actually having the firewall enabled?

I do understand that having it enabled adds an additional layer of security via the NAT firewall, SPI firewall and MAC / IP / URL filtering features it has available, but is there any REAL benefit in having it on if there are no rules in place?

Also, another question: are there any "non-business" Internet service products available which allow you to connect to the internet via your ISP over an "always on" encrypted connection using an IPSec VPN tunnel or similar? I have used products such as PIA and NordVPN, which have worked well with little to no impact on connection speeds, but was wondering if these encrypted IPSec VPN tunnel connections are available to Joe Bloggs out there?

Thanks,
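The question in the post above, whether a router firewall with no user rules does anything, comes down to what NAT plus stateful packet inspection does by default. The following is an added example written for this thread, not code from the original post or from any router vendor: a small model of an SPI firewall that checks a user rule table first and then falls back to a stateful default policy (outbound LAN connections are remembered, WAN packets are accepted only if they are replies to a remembered flow, everything else is dropped). It also goes a little beyond the post by showing the two kinds of rule a home router actually needs, a port forward for a hosted service and an outbound restriction, which is the point made later in the thread about port forwarding and restricting outbound traffic. The LAN range 192.168.1.0/24, the addresses, the ports and the traffic list are all assumptions and constructed sample data, not a capture; addresses are shown on the LAN side, before NAT.

```python
"""Model of what a NAT/SPI router firewall does with an empty user rule table.

Added example for this thread, not code from the original post or from any
router vendor. The LAN range, addresses and ports below are assumptions and
SAMPLE_TRAFFIC is constructed data, not a real capture. Addresses are shown
pre-NAT (LAN side) to keep the model small.
"""
import ipaddress
from dataclasses import dataclass

LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed home LAN


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "lan" or "wan"
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """User rules are checked first (first match wins); anything unmatched
    falls through to the stateful default policy."""

    def __init__(self, user_rules=()):
        self.user_rules = list(user_rules)   # (name, predicate, verdict) triples
        self.flows = set()                   # 5-tuples of connections opened from the LAN

    def filter(self, pkt):
        for _name, match, verdict in self.user_rules:
            if match(pkt):
                return verdict
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.iface == "lan":
            # Anti-spoofing: a LAN-side packet must carry a LAN source address.
            if ipaddress.ip_address(pkt.src) not in LAN_NET:
                return "DROP"
            self.flows.add(key)          # remember the outbound connection
            return "ACCEPT"
        # WAN side: only a reply to a tracked outbound flow gets through.
        reply_of = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ACCEPT" if reply_of in self.flows else "DROP"


# Constructed sample traffic (not a real capture).
SAMPLE_TRAFFIC = [
    Packet("lan", "tcp", "192.168.1.20", 51000, "203.0.113.10", 443),  # PC opens HTTPS
    Packet("wan", "tcp", "203.0.113.10", 443, "192.168.1.20", 51000),  # the reply to it
    Packet("wan", "tcp", "198.51.100.7", 40000, "192.168.1.20", 445),  # unsolicited SMB probe
    Packet("wan", "tcp", "198.51.100.7", 40001, "192.168.1.1", 80),    # probe at router admin UI
    Packet("lan", "tcp", "192.168.1.20", 51001, "203.0.113.10", 23),   # PC tries telnet out
    Packet("wan", "tcp", "198.51.100.9", 40002, "192.168.1.30", 22),   # SSH to a hosted box
    Packet("lan", "tcp", "10.0.0.5", 51002, "203.0.113.10", 80),       # spoofed source on LAN
]

# Hypothetical user rules of the kind a home router actually needs.
HOME_RULES = [
    ("forward-ssh-to-host",
     lambda p: p.iface == "wan" and p.proto == "tcp"
     and p.dst == "192.168.1.30" and p.dport == 22, "ACCEPT"),
    ("block-outbound-telnet",
     lambda p: p.iface == "lan" and p.proto == "tcp" and p.dport == 23, "DROP"),
]


def verdicts(fw, traffic):
    return [fw.filter(p) for p in traffic]


def run_with_empty_rules():
    """The poster's situation: firewall enabled, no user rules at all."""
    return verdicts(StatefulFirewall(), SAMPLE_TRAFFIC)


def run_with_home_rules():
    """Same traffic with a port forward and an outbound restriction added."""
    return verdicts(StatefulFirewall(HOME_RULES), SAMPLE_TRAFFIC)


if __name__ == "__main__":
    for label, result in (("no user rules", run_with_empty_rules()),
                          ("home rules", run_with_home_rules())):
        print(label)
        for pkt, v in zip(SAMPLE_TRAFFIC, result):
            print(f"  {pkt.iface:>3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {v}")
```

With no user rules the model still drops the SMB probe, the probe at the router's admin port and the spoofed LAN packet while letting the HTTPS reply through, which is the "default deny inbound, allow replies" behaviour that makes a stateful firewall worth enabling even with an empty rule table. Rules only change the verdicts for the hosted SSH box (now reachable) and the outbound telnet attempt (now blocked). One caveat on copying a host firewall's rules across: ESET's predefined rules are largely per-application, and a router has no notion of which process on the PC opened a socket, so most of them have no direct equivalent on the router.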
1453317 | 2018-09-04 22:23:00 | 1101 (13337)
If serious, and not just doing this as a learning experience, honestly you're just kidding yourself doing all that on a ~home grade~ router. Home routers are pretty much abandoned not long after release, and won't be getting regular firmware updates to fix known/possible security holes. Buy a commercial grade hardware firewall instead.
1453318 | 2018-09-04 22:33:00 | chiefnz (545)
Yes, I am looking into that option at present and initial research shows that pricing is going to be a factor, along with getting a unit that provides the right feature set. Any suggestions on potential firewall options?
1453319 | 2018-09-04 22:49:00 | 1101 (13337)
You could go DIY firewall using an old PC. May be the cheapest option; some are free, but I haven't tried any myself. There are a few options: pfSense, Smoothwall etc. Sophos had a free offering last time I looked; using that would give experience in their products. Hardware firewalls have ongoing annual costs; you have to pay to get any support or any firmware updates. Some do very little without the expensive annual subscriptions. Either way, it's a long learning curve. They aren't really user friendly from what I've seen (Sophos & SonicWall).
1453320 | 2018-09-05 01:39:00 | chiefnz (545)
After a quick research session I've shortlisted a few options:
- D-Link DSR-250N Wireless Gigabit VPN Firewall
- Netgear ProSafe Dual WAN Gigabit SSL VPN Firewall (FVS336G-300)
- Ubiquiti UniFi Security Gateway (USG): Enterprise Gateway Router, Advanced Firewall, VLAN, VPN, RADIUS Server
1453321 | 2018-09-05 02:17:00 | Kame (312)
My top 3 firewall distributions, in order of preference: IPFire, ClearOS and IPCop. They are constantly being tinkered with to fix newer threats and require very few resources to run. You'll also want a proxy for additional software filtering: Zorp, Squid, etc. If you're really interested in cyber security, then this would be the best route to take, where you can actually learn more about the hardware, networking and the filtering, etc.

An OS worth looking at for personal use is Tails OS. Built for the paranoid or wise user. With so many features built with security in mind and protecting you, it's an excellent OS to learn from. If you're into security penetration, then Kali OS would be the tool to test how vulnerable you are. Excellent for evaluating your own networks.
1453322 | 2018-09-05 02:27:00 | 1101 (13337)
With a cheap hardware firewall: have a look at how many firmware upgrades they have released, to see just how much effort they are putting into ongoing support & patches. Also look at throughput speed, filtering throughput speed & VPN throughput speed (if you want to use it for that). See if they do any advanced filtering, e.g. AV filtering, content filtering etc.

E.g. the D-Link (I wouldn't):
System Performance(6)
• Firewall Throughput(5): 45 Mbps
• VPN Throughput(7): 35 Mbps

All that packet inspection slows things down when they don't have enough grunt. Check if you need to pay extra to activate the onboard services that make it worth having.
1453323 | 2018-09-05 09:07:00 | fred_fish (15241)
As long as your router doesn't get co-opted to re-route your traffic or provide bogus DNS lookups, it's not the likely point of entry; your {wife's, kids'} browser/OS is. The router firewall is largely irrelevant unless you are hosting some services and need port forwarding or want to restrict outbound traffic. Just get one that is properly supported with security updates from the vendor. If you want to learn the nuts and bolts (and piss off your family), go the 'old PC with distro of choice' route. 'Fighting tha man' is a bit more involved. :)
1453324 | 2018-09-05 10:16:00 | wainuitech (129)
I'm with Fred; if it's a home network then it's not likely to be the router as the weak point. You say you have ESET Internet Security; just set the firewall to interactive. That will tell you, and stop all traffic in and out until you tell it to either go or stop. But be warned: it WILL bug the hell out of you till it settles down and you create the rules; you "MAY" be surprised just how much wants "out" and "in". The setting is easy: open NOD - Setup - Firewall - Configure - Filtering mode - set to Interactive. This pic will look a little different; I have not been using the consumer NOD32 for quite a while now (still use it on customers' computers), changed over to Endpoint Security - still ESET - just business class :)
[attached screenshots of the ESET firewall filtering mode setting]
Using a hardware router or even an old PC, while it will work, will depend on how far you want to go. As for the Five Eyes: it's not looking into your network that you need to be concerned about; once data leaves your place it's on the internet, easy for the right or wrong people (ISPs etc.) to collect it. What they do with it, well, who knows.
1453325 | 2018-09-05 10:24:00 | fred_fish (15241)
Quote: "the "Five Eyes" countries (which includes NZ) considering looking at ways they might "pursue technological, enforcement, legislative or other measures to achieve lawful access solutions" to encrypted communications"
Means this (or fine / prison as required):
[attached image]