VPN termination, router mgmt, and HTPC in guest network - OK?

burntoc

Occasional Visitor
So a long time ago I was a network security guy, but I'm afraid some rust may have me thinking crazy. Admittedly, I've also realized that sometime in the tradeoff between highest security and easiest to deal with, I tend to slide a bit more towards the easy side than I used to. Anyway, I was wondering if some folks could weigh in on this and offer a suitable alternative if this is indeed crazy.

My network:
  • cable modem -> EdgeRouter ER-X -> managed switches* -> UniFi APs and wired/wireless devices
  • VLANs and Class C networks assigned to "Home" (trusted), "Guest", and IOT
  • Home is where my current wired NAS/media box live
  • IOT has devices like Nest, Ooma, etc., and AP isolation turned on for the wifi devices
  • Guest is where my family and friends' laptops/tablets/phones and Chromecasts, FireTVs, printers, etc. tend to live
  • Firewall rules drop all non-established/related traffic from the non-Home networks except for DHCP and DNS
My philosophy is that our mobile devices are "in the wild" all the time, and so pretty much any device that isn't wired and in my network all the time should never really be in the home network if possible. Actually, when I think about it, probably all I really need the "most secure" is the NAS, as I intend to get a second one to make more accessible (for media) and then use the current one as a backup in case one of them fails or the accessible one is hacked/ransomwared.

Most of my admin work is done from my laptop, often when it is docked and that's currently in my Home network, but I realized that really probably needs to live in Guest for the reasons above. If I need to admin NAS, I could switch to the Home network then.

More frequently, what I (or my wife) need to be able to do though is VPN into my network (just to encrypt traffic when I'm at the airport or coffee shop), and we also need to be able to toggle wifi access for my kids devices via the Unifi controller GUI or SSH.

I'm thinking about moving my laptop dock and my NAS/media box into the guest network and just keeping that second NAS in home and somehow figuring out how to safely synchronize between them. My mitigation would be:
  • Add static IPs for my and my wife's laptops and phones
  • Add firewall rules to allow those source devices, and the VPN client IPs (as that is just set up for those devices as well; any new ones, like the kids as they get older, I could set up on a second VPN server instance with a different IP range), https and/or SSH access to the Home network
Does this sound like one of the best approaches to balance security and user-friendliness? Thanks for any thoughtful responses.
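The rule set sketched in the post above, written out as EdgeOS configuration for the ER-X. This is an added example, not the poster's actual configuration: the subnets, the VLAN and tunnel interface names (switch0 vif 20, vtun0), the NAS and UniFi controller addresses, and the admin devices' static IPs are all constructed placeholders. It assumes the UniFi controller sits in Home and listens on its default HTTPS port 8443, and that the first OpenVPN instance hands out 10.8.0.0/24 to the adults' devices.

```edgeos
configure

# Constructed addressing for this example (placeholders, not the poster's plan):
#   Home  192.168.10.0/24 on switch0 vif 10   NAS 192.168.10.5, UniFi controller 192.168.10.6
#   Guest 192.168.20.0/24 on switch0 vif 20   admin laptops/phones pinned to .10-.13 by static DHCP
#   IoT   192.168.30.0/24 on switch0 vif 30
#   VPN   10.8.0.0/24 on vtun0 (first OpenVPN instance; a kids' instance would use another range)

# Groups give the rules names instead of bare addresses, so membership changes in one place
set firewall group network-group LAN_NETWORKS description 'All local subnets'
set firewall group network-group LAN_NETWORKS network 192.168.10.0/24
set firewall group network-group LAN_NETWORKS network 192.168.20.0/24
set firewall group network-group LAN_NETWORKS network 192.168.30.0/24
set firewall group address-group ADMIN_HOSTS description 'Static IPs of the two admin laptops and phones'
set firewall group address-group ADMIN_HOSTS address 192.168.20.10
set firewall group address-group ADMIN_HOSTS address 192.168.20.11
set firewall group address-group ADMIN_HOSTS address 192.168.20.12
set firewall group address-group ADMIN_HOSTS address 192.168.20.13
set firewall group network-group VPN_CLIENTS network 10.8.0.0/24
set firewall group address-group HOME_MGMT description 'Home hosts that may be administered from outside Home'
set firewall group address-group HOME_MGMT address 192.168.10.5
set firewall group address-group HOME_MGMT address 192.168.10.6
set firewall group port-group MGMT_PORTS port 22
set firewall group port-group MGMT_PORTS port 443
set firewall group port-group MGMT_PORTS port 8443

# GUEST_IN: traffic the router forwards out of the Guest VLAN. First match wins, default drop.
set firewall name GUEST_IN default-action drop
set firewall name GUEST_IN enable-default-log
set firewall name GUEST_IN rule 10 action accept
set firewall name GUEST_IN rule 10 description 'Replies to sessions Guest already opened'
set firewall name GUEST_IN rule 10 state established enable
set firewall name GUEST_IN rule 10 state related enable
set firewall name GUEST_IN rule 20 action drop
set firewall name GUEST_IN rule 20 state invalid enable
set firewall name GUEST_IN rule 30 action accept
set firewall name GUEST_IN rule 30 description 'Admin devices: SSH/HTTPS to NAS and controller only'
set firewall name GUEST_IN rule 30 protocol tcp
set firewall name GUEST_IN rule 30 source group address-group ADMIN_HOSTS
set firewall name GUEST_IN rule 30 destination group address-group HOME_MGMT
set firewall name GUEST_IN rule 30 destination group port-group MGMT_PORTS
set firewall name GUEST_IN rule 40 action drop
set firewall name GUEST_IN rule 40 description 'Anything else aimed at a local subnet; logged'
set firewall name GUEST_IN rule 40 log enable
set firewall name GUEST_IN rule 40 destination group network-group LAN_NETWORKS
set firewall name GUEST_IN rule 50 action accept
set firewall name GUEST_IN rule 50 description 'Internet-bound traffic'

# GUEST_LOCAL: traffic addressed to the router itself; only DHCP and DNS get through
set firewall name GUEST_LOCAL default-action drop
set firewall name GUEST_LOCAL rule 10 action accept
set firewall name GUEST_LOCAL rule 10 state established enable
set firewall name GUEST_LOCAL rule 10 state related enable
set firewall name GUEST_LOCAL rule 20 action accept
set firewall name GUEST_LOCAL rule 20 description 'DHCP'
set firewall name GUEST_LOCAL rule 20 protocol udp
set firewall name GUEST_LOCAL rule 20 destination port 67
set firewall name GUEST_LOCAL rule 30 action accept
set firewall name GUEST_LOCAL rule 30 description 'DNS'
set firewall name GUEST_LOCAL rule 30 protocol tcp_udp
set firewall name GUEST_LOCAL rule 30 destination port 53

# VPN_IN: same shape for tunnel clients, who enter on vtun0 and never touch the Guest VLAN rules
set firewall name VPN_IN default-action drop
set firewall name VPN_IN rule 10 action accept
set firewall name VPN_IN rule 10 state established enable
set firewall name VPN_IN rule 10 state related enable
set firewall name VPN_IN rule 30 action accept
set firewall name VPN_IN rule 30 description 'Adults VPN range: SSH/HTTPS to NAS and controller only'
set firewall name VPN_IN rule 30 protocol tcp
set firewall name VPN_IN rule 30 source group network-group VPN_CLIENTS
set firewall name VPN_IN rule 30 destination group address-group HOME_MGMT
set firewall name VPN_IN rule 30 destination group port-group MGMT_PORTS
set firewall name VPN_IN rule 40 action drop
set firewall name VPN_IN rule 40 destination group network-group LAN_NETWORKS
set firewall name VPN_IN rule 50 action accept

# Attach the rulesets: 'in' for forwarded traffic, 'local' for traffic to the router
set interfaces switch switch0 vif 20 firewall in name GUEST_IN
set interfaces switch switch0 vif 20 firewall local name GUEST_LOCAL
set interfaces openvpn vtun0 firewall in name VPN_IN

commit
save
exit
```

Two points the post's wording glosses over. The `in` and `local` rulesets are separate on purpose: DHCP and DNS are answered by the router itself, so they belong in the `local` ruleset, while the management allowance is forwarded traffic and belongs in `in`. VPN clients arrive on vtun0, not on the Guest VLAN, so they need their own ruleset; a second OpenVPN instance for the kids with a different address range is simply absent from VPN_CLIENTS and falls through to the drop-to-local-subnets rule, getting internet only, which is what the post describes. The allowance in rule 30 is only as trustworthy as the source address: anyone on the Guest VLAN who sets one of the ADMIN_HOSTS addresses on their own device matches it, so keep the list short and pair it with the static DHCP reservations. Verify the policy is doing what you expect with `show firewall name GUEST_IN statistics` and `show log | match GUEST_IN` after a few management sessions from the docked laptop.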
 
Burntoc, A well written post. I worked in security and other IT over the decades. I'm not a wizard and only try to keep my edge in private life. Slowly, bit by byte, I also slid into 'easier' management category style in retirement post-profession. Your post indicates you possess the equipment and experience to enable you to take the next step, since you recognize the need to reclaim the level of security you deserve. Security is never going to be easy to apply to some devices or the people who have accepted a default and lower level of security.

Static IPs should be handled by the router already, and everything should likewise be protected by VPN on the net. Since you're obviously managing your VLANs, you should already be there. I try to avoid treading in the IoT swamp, it's based on hopeless insecurity, and I've seen the physical and mental damage it can bring. Since you asked how crazy anything might sound, the answer is: nothing. You're the admin and you get to make the tough calls; whatever you say goes as far as 'user-friendliness' and fortunately, no one gets to surpass or usurp the admin's authority. Your home visitors and users always get to ask you nicely (one would hope) if they need your help and permission. No serious effort you devote to security should be considered crazy. I'd rather not sound preachy, but I consulted for a time on security-privacy practices before it was fashionable. Since no one is forced to read this, you're free to disregard as well. I chose to respond only as one former fellow pro to another, based on sound and proven practice.

Even when the task paid well, I found it could be infuriating when trying to convince management to listen or accept good advice when it went against their innate weakness to have 'ease of use' which came at the expense of security. If people aren't willing to compromise or sacrifice a bit of ease to avoid viruses, malware, stolen data and hacked devices rendered unusable, then they're unlikely to believe in, learn or adapt to a secure environment. You fortunately have the happy task of deciding what's right and not-so-crazy for your peace of mind and family. Nothing's too good for the admin's security protocols.

Fire-walling and routing policies are what you're already doing, if I understand you. For my 2 cents worth, the quickest/easiest/best route for your and overall security would be to consider a second and completely independent internet drop for secure devices, NAS, etc., i.e., a dual-WAN, physically separated net which -never- under any circumstances allows any in-the-wild or insecure device to access that net. Player's privilege. It goes without saying, IoT never traverses that net. You still remember how to pick up a gallon of milk on the way home without trusting the fridge to order it in for you, right? Wink. Many still endlessly argue security is paranoia, and easily accomplished without having a truly separate internet connection, which is only as secure as you want to make it. When you do it on the cheap, to get by, eventually it catches and bites you or those you care about. A second drop isn't that much (depending), and easy for a former pro to secure if no insecure users can access that net.

Only you as admin can make that judgment call; involve your senior VP/ budget officer to approve your plan. A secure-only net will cost a negligible bit of the fiat money we're all so fond of, but it's worth it. The user friendliness already present on your current system won't be affected and if anything, this represents a teaching opportunity as your kids grow older; security begins at home. You've earned this perk. You don't have to resort to old-school 'sneaker-net' operations since the modern version is much more secure and quicker these days. The security principle is the same and you won't have to install a Faraday cage. Kids should learn security as they grow, or they'll never appreciate it.

You'll be able to provide for better security on the 'user friendly' net for the family without compromising the separate secure net. Secure devices always deserve secure solutions, but IoT can never be rendered secure; you can only restrict it from contaminating everything else you have by keeping it as separated as possible. The hundreds of billions of IoT devices that have already been compromised on the newly 'weaponized' web, as some pros call it, are part of a problem most people are unwilling to consider until it directly impacts them or someone they care about. You're lucky to be able to secure your small part. Good luck sir.
 

Thank you very much. I like the idea of another private physical net, or at least keeping it off this one except for maybe scheduled synch jobs. Your comments, and my continued reflection on the matter are making me believe that, for me at least, the approach laid out is as good as any!
 
Glad to help. I had a separate drop a few years ago from a different provider when there were choices, some even offered free installation or discounts, less likely this year. With the volume NAS has reached at home the trick is always having it accessible inside and not outside, or when you're syncing locally and securely. Have never bought into cloud backups, it's cheaper/safer/quicker to keep backup drives secured off premises nearby and rotate. When online goes offline, clouds are only useful for shade.

Giving family their uniquely coded flash drives solved data use and distribution in house. Simple when you're used to doing things that way but guaranteed to drive non-family a bit nuts. In house wi-fi doesn't extend outside or like the main system, isn't on unless needed, and most kids are willing to learn if it's interesting and combined with points; they learn so quickly when motivated. Have taught the elders multiple -correct- key combos for logging in, and when/where the correct flash drive should be inserted. They tend to stay current and to invent new and interesting ways to return the favor. Now that insurers are less obnoxious about insuring systems, chaining machines down isn't absolutely necessary.

Online security has remained a strict mindset when you're serious about it and will always be an ever-moving target, fun to chase. Keeping procedures lengthy enough makes most outsiders lose interest and move on, but not so much so that family can't learn and have fun with their devices, yet not on Dad's system. Jobs refused to allow his kids to have iPads, but moderation within limits is generally a good thing.
 
