Home Network Design

Shane Kell
3 min read, Apr 1, 2021


In thinking about my home network design, from an early stage my goal was to have an environment comparable to an enterprise environment. My near-term goal with information security is to master the fundamentals, and I saw this project as a great way for me to do that. Not only would this seriously bolster my digital security and safety, but I could also use it as a training ground for learning new technologies and good habits.

I’ve decided to use John Strand’s philosophy of implementing a multi-layered solution to protect my network: defense in depth, using AV/EDR, SIEM, NSM, and UEBA to cover my endpoints. I have it nailed down that I’ll use Security Onion or Velociraptor for my SIEM, and Zeek/RITA for UEBA. All of these programs are great at what they do, and the Zeek/RITA duo were designed to be run together to detect beacons from C2 traffic.

For the overall network design, I want to set up a DMZ with a web proxy and guest network, and then a more secure interior network with a content server and my various clients. For my first web-facing firewall I plan to use pfSense, port spoofing (the web proxy too), and run a rule to block any IP address that tries to connect to a specified unused port. I am not sure yet if I can create a rule that will forward a connection request to that port from the port spoofer to trigger the blocking rule, but I’ll burn that bridge when I come to it (probably just a firewall rule, but we’ll see). The guest network will give guests internet access without giving them rights to my intranet, just like at the office, and I can dial back the bandwidth if needed.

On my intranet I want to run a content server, a network printer, and all of the various clients. Thinking about it now, I want to connect any of our IoT devices to their own separate VLAN where I can lock down all of the ports except what they absolutely need to run. I’ll be able to analyze the traffic going through their network more easily than if it’s mixed in with all of the other packets coming from my other endpoints. I’ll have to set up a network sniffer before their traffic hits NAT to get good data.

For analyzing the traffic, Zeek and RITA are great tools for examining the metadata from the traffic (where packets are going and who is connected to whom), and I’ll use Wireshark as the go-to for packet sniffing. I plan to use the command-line version of Wireshark (tshark) since it’s scriptable, and schedule some random samples to be taken for analysis. I’ll be taking samples from 3 different network sections and sending them over to 1 machine for analysis. My goal is to set up some reports that are either automatically or easily populated, and set a personal schedule for reviewing the reports. Having logging and detection abilities is great, but without anybody reviewing them the information is useless, and I could sure use the practice.
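As an added example (not code from this post, from Zeek, or from RITA), here is a small Python pass over Zeek conn.log lines that scores each source/destination pair by how regular its connection intervals are, which is the basic idea behind the beacon detection mentioned above and the kind of report I want to populate from the sampled traffic. The log lines are constructed, and the median/deviation score is a simplification of the interval-regularity idea, not RITA's own algorithm.

```python
"""Flag beacon-like (regularly timed) host pairs in Zeek conn.log lines."""
import statistics
from collections import defaultdict

# Constructed sample in Zeek's tab-separated conn.log layout (subset of
# columns). 10.0.30.12 phones home to 203.0.113.7 about every 60 s with a
# little jitter; 10.0.10.5 talks to 198.51.100.2 at irregular times.
SAMPLE_CONN_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1617235200.10\tC1\t10.0.30.12\t49152\t203.0.113.7\t443\ttcp
1617235260.40\tC2\t10.0.30.12\t49153\t203.0.113.7\t443\ttcp
1617235319.90\tC3\t10.0.30.12\t49154\t203.0.113.7\t443\ttcp
1617235380.20\tC4\t10.0.30.12\t49155\t203.0.113.7\t443\ttcp
1617235440.00\tC5\t10.0.30.12\t49156\t203.0.113.7\t443\ttcp
1617235201.00\tC6\t10.0.10.5\t50001\t198.51.100.2\t443\ttcp
1617235215.00\tC7\t10.0.10.5\t50002\t198.51.100.2\t443\ttcp
1617235310.00\tC8\t10.0.10.5\t50003\t198.51.100.2\t443\ttcp
1617235900.00\tC9\t10.0.10.5\t50004\t198.51.100.2\t443\ttcp
1617236000.00\tC10\t10.0.10.5\t50005\t198.51.100.2\t443\ttcp
"""


def parse_conn_log(text):
    """Group connection timestamps by (orig_h, resp_h), using the #fields header."""
    columns = {}
    pairs = defaultdict(list)
    for line in text.splitlines():
        if line.startswith("#fields"):
            columns = {name: i for i, name in enumerate(line.split("\t")[1:])}
            continue
        if not line or line.startswith("#"):
            continue  # other Zeek metadata lines (#separator, #types, ...)
        fields = line.split("\t")
        key = (fields[columns["id.orig_h"]], fields[columns["id.resp_h"]])
        pairs[key].append(float(fields[columns["ts"]]))
    return pairs


def beacon_score(timestamps):
    """0..1 regularity of inter-connection intervals: 1 = perfectly periodic."""
    ts = sorted(timestamps)
    deltas = [b - a for a, b in zip(ts, ts[1:])]
    if len(deltas) < 2:
        return 0.0
    median = statistics.median(deltas)
    if median <= 0:
        return 0.0
    mad = statistics.median([abs(d - median) for d in deltas])  # spread around the median
    return max(0.0, 1.0 - mad / median)


def find_beacons(text, min_conns=5, threshold=0.9):
    """Return (orig_h, resp_h, score) for pairs whose timing looks periodic."""
    hits = [(src, dst, beacon_score(ts)) for (src, dst), ts in parse_conn_log(text).items()
            if len(ts) >= min_conns]
    return sorted([h for h in hits if h[2] >= threshold], key=lambda h: -h[2])
```

On real logs, pairs that score high are review candidates, not verdicts: legitimate software (update checks, NTP, mail polling) is periodic too, so the report should carry the destination and port alongside the score.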

This should go a long way toward my goal of knowing what is going in and coming out of my home network. It’s a good start anyway, I think.

I drew up a network diagram. I am sure I’ll have to make some adjustments during implementation, but this is what I am going for:
