Home Network Paranoia

Some have called me paranoid, but I have a slogan of “Friends don’t let friends use wireless networks.”  The reason for this is that wireless networks compromise the need for physical access to a network to perform any attack on the internal network. 

Well, I of course, do have exceptions to my wireless rule.  I’m planning on getting a new PDA with 802.11 capabilities, I’d like to be able to access the internet from it.  As such, I’ve decided go add a wireless router to my home network.  Before I did such, I wanted to make sure that my devices and laptop would only have access to the internet from the wireless network, and not to my internal network.  I don’t any stranger standing in the woods of my back yard able to access my TaxCut and MS Money files through a wireless hack, and considering the Feds can do it in 3 minutes now, I think my paranoia is justified. 

I’m not a network security guru. I used to be a network administrator, but that was over 6 years ago and hardware was much different then.  As such, I’m publishing my network layout and asking for comments or suggestions or holes that anyone might see. 

network

As you can see, my internet access comes in through a cable modem which connects to a VoIP-capable router (yes, I use Vonage).  The reason for using this router as my opening router is somewhat physical.  In my garage, where I terminated all of my network runs, I also terminated a cable line and phone lines at a patch panel.  Since the VoIP router also provides data ports, it’s perfect for acting as a distribution for both my planned wireless router and my 8 port routing switch.  The outgoing voice line patches into a telephone patch panel distribution that supplies the house telephone runs.  The 8 port router serves as the first layer of defense for my data network It then provides access to the whole house through the patch panel distribution point where I ran all of my data lines to. (I luckily got to do all my own structured wiring while the house was being built).

Its important to note that I do not allow access from the wireless network across the internal side of the VoIP router, and I again block packets originating from the wireless router at the 8 port.  The 8 port router and the VoIP router does, however have some rules for open ports that my wife needs to play games, and that I need for various services I have running on my internal network.  Because of this, I’ve added another Cisco PIX firewall in my upstairs office to prevent any inbound requests to my file server, my development PC, and of course the computer I use for family record keeping. The file server is behind the firewall, but I have rules set up to allow access to it from the other house PC’s.

In any case, as I look at my network, I start to realize how imperfect it is.  I’m looking for advice from anyone on how to make it more secure but still provide the needed functionality to our standard home PC’s and to our private personal-data machines.

Be Sociable, Share!

    3 Thoughts on “Home Network Paranoia

    1. My Dad(biological) is the Director of Network security for a Govt. agency that I can get in trouble for even saying the name of so I’ll leave it at that. I will send him your diagram and question and let you know what he says. He is usually pretty willing to help me on stuff like this and helped wme and my brother with both of our home networks security to prevent people from doing things like http tunneling through our firewalls.

    2. Thanks, I’d appreciate it.

    3. One thing I like to remember is your network is as secure as your weakest link.

      What is your weakest link and what is your most prized asset?
      “The file server is behind the firewall, but I have rules set up to allow access to it from the other house PC’s.”

      The other house PC’s would be the weakest link and I would assume the file server to be the prized asset. The house PCs aren’t necessarily THAT weak though as they can only be accessable physically for the most part. The only way they can be accessed over the network is through the router/switch on only those ports that were opened. Depending on the services, they can be compromised with the game usually being the hardest hit.

      If I were a hacker and I wanted in, the easiest way I could do that is to get you to run spyware or some kind of software that could bind to a port. It would have to then know which services you opened and create an outbound channel that I could then tunnel through to get into your network. Since that is almost impossible, your network is pretty secure.

      Hell, my network is less secure and I’m not the least bit paranoid. I have a DSL modem running straight to my Linux firewall. From there it runs to the switch which feeds all of the other computers. I rely on VPN between my office and home to make complete connections as I need them. The rest is taken care of by NAT on the firewall side, so I don’t really have to poke holes or anything special (nor would I, things like WinMX, and eMule which “say” they need an open port can kiss my bright red ass). The easiest way to exploit my setup is to somehow trick the VPN to think that you are one of the computers at work, which has complete access on both sides of the VPN tunnel. The easier attack vector would be exploiting those few services I expose on the firewall.

      My weakest link is also the only equipment the internet sees. If they gained access to my firewall, everything is pretty much lost but I really don’t care too much for some reason. I do store my Money file on my laptop and a few crucial things but if someone really wanted in, I’m sure they could find a way.

      I do sacrifice a little security for convenience but it sure beats having to go into work for every little thing. The only times I truly need to go in are when either network is down. I go in anyway so that people can walk by my office and interrupt whatever it is I’m working on, since it seems to make them feel better than email.

      If we went wireless I’d be a lot more paranoid, that’s for sure. I don’t particularly trust it right now as it seems like a rushed technology that wasn’t quite thought through correctly. I’ll give it a couple of more years to mature and a couple of more encryption layers before I begin to think about it.

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    Post Navigation