Home network policies: the Mirror Universe
I am a network professional, and my first attempts to configure my home network by sticking to the books and best practices were failures. The problem was simple: even though I am a professional and I was using professional-grade equipment, a home network is not a business-oriented network.
It can all be summed up in one phrase: the Mirror Universe, where everything is upside-down. You won’t want to block online gaming, you’ll want to prioritize it. The same applies to Netflix over other HTTPS sessions. You’ll want your iDevice to be able to talk to the AppleTV on the same broadcast domain; you won’t want to isolate it as you would do with BYODs. And so on.
Since professional equipment is built with offices in mind, this means that sometimes you will end up doing very weird setups, where the settings in some section of the configuration interface will be the exact opposite of what you would do in an office scenario. And sometimes you will have to improvise with a couple of dirty tricks.
First things first: what services are you and your family / cohabitants / guests going to use, and what services are you going to serve to them?
Some quick ideas, some of which I will cover for you in this series:
- A border gateway/firewall that deserves those names (which your COTS uber-overpriced gamer router is not, from my perspective), with IDS, multiple network interfaces/VLAN support and so on
- Prioritized online games / VoIP / video streaming services
- DNS caching and filtering for faster browsing as well as for your privacy and security
- HTTP(S) caching proxy for faster internet and less download traffic on the line, as well as for filtering bad content
- A family friendly subnet for your kids where all filtering takes place
- Decent WIFI solution, and by decent I mean a centrally managed WIFI network with a controller
- 4G / WIMAX / VDSL failover and balance
- Properly isolated and regulated guest network
- Local Video archive and streaming to smart TVs and set-top boxes (or smarter things like Chromecasts, AppleTVs, XBMCs and such)
- Audiophile-grade-capable multiroom music distribution system
- Security Cameras
- Home automation, the safest possible way
- VPN link between you and your best friend’s house
- Off-site backups of your and your friends’ important documents and photos between your servers over VPN
While you are thinking about what you could achieve with your future network, are you sure you know the basics? I strongly recommend my colleague’s great TCP/IP essay here!
First off: I love VLANs. Really. They are one of the best things pro equipment can offer you. Some of you are scared of them or see them as a nuisance when plugging things in around the house. I promise you this: if you plan out your network with proper reasoning, you won’t even notice them.
Start by grouping your services and clients by risk zone. How dangerous would a compromise of a certain device be? How would it impact your home network and privacy? What if someone could use it to pivot around and access the other devices in the same VLAN? These are the main questions to help you create your list of VLANs and devices. For a normal household you will probably end up with something like this:
- Admin network: mandatory, where you will expose all the configuration interfaces of all your core devices (switches, routers and so on)
- Computers, clients and media devices: mandatory, this is the main network, where your internal WIFI will go. Purists will object that media devices should be on their own VLAN, but the problem is that many media devices (I’m looking at you, Chromecasts, AirPlay nodes, Roon nodes and so on) make heavy use of discovery protocols that rely on the broadcast domain, see Bonjour / Avahi, for example. This means that if you split them from your cellphones they simply become paperweights. What I suggest you do not connect to this VLAN are smart TVs and COTS IoT things. They have such a history of attack vectors that they require a VLAN of their own.
- Internal untrusted things: kinda mandatory. I put here the things that I do not trust, like COTS IoT scales, toothbrushes, air conditioner controllers. Basically, all the things that just need to phone home to be available in the relevant app or cloud. There is no need to give them the possibility to exchange data inside the network.
- Building automation: I’m talking pro-level building automation, not the COTS IoT things, like Z-Wave / KNX controllers. They deserve their own isolated network, since they are connected to critical systems in the house.
- VoIP: if you want a dedicated intercom + landline phone setup, possibly with WIFI doorbells, you’ll want them on a dedicated VLAN, both for security and for switching / routing priority assignment with QoS and traffic shaping.
- Security: if you want your set of CCTV cameras over IP and / or you have an internet-enabled alarm system, this is totally mandatory.
- Guest network(s): last but not least, one of the most important VLANs, the one to share with your friends, because “home is where your WIFI auto-connects”. Why the plural? You will find out in the next episodes.
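To make the risk-zone questions above and the resulting VLAN list concrete, here is an added example (not code from the original article) that models such a plan and renders it into an inter-VLAN forwarding policy. The VLAN IDs, subnets, interface names (`vlan<N>` and `wan0` on a Linux-based edge running nftables) and the allow list are all assumptions that follow the zones described in the text; the allow list is written so that untrusted things and guests can only reach the upstream, clients keep their media devices in the same broadcast domain for discovery, and only the admin zone can initiate connections towards management interfaces.

```python
"""Turn a risk-zone VLAN plan into an inter-VLAN forwarding policy.

Added example, not code from the original article. The VLAN IDs, subnets,
interface names (vlan<N>, wan0) and the allow list are assumptions that model
the zones described in the text; adjust them to your own plan.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    vlan_id: int
    subnet: str
    note: str


# Constructed sample plan following the article's risk zones (values are assumptions).
ZONES = {
    "admin": Zone("admin", 10, "10.0.10.0/24", "switch/router management interfaces"),
    "clients": Zone("clients", 20, "10.0.20.0/24",
                    "laptops, phones and media devices share one broadcast domain for mDNS/Bonjour discovery"),
    "iot": Zone("iot", 30, "10.0.30.0/24", "COTS IoT that only needs to phone home"),
    "automation": Zone("automation", 40, "10.0.40.0/24", "Z-Wave / KNX controllers"),
    "voip": Zone("voip", 50, "10.0.50.0/24", "PBX, intercom, doorbells"),
    "security": Zone("security", 60, "10.0.60.0/24", "IP cameras, NVR, alarm panel"),
    "guest": Zone("guest", 70, "10.0.70.0/24", "visitors' devices"),
}

# Explicit allow list of flows a zone may *initiate*; "wan" is the upstream,
# "*" means every zone plus the upstream. Anything not listed is dropped.
ALLOWED_FLOWS = [
    ("admin", "*", "management station reaches everything"),
    ("clients", "wan", "browsing, streaming, gaming"),
    ("clients", "voip", "phone apps register with the PBX"),
    ("clients", "security", "watching camera streams on the NVR"),
    ("clients", "automation", "home automation app talks to the controller"),
    ("iot", "wan", "phone home only"),
    ("voip", "wan", "SIP trunk to the provider"),
    ("security", "wan", "alarm panel reports to the monitoring service"),
    ("guest", "wan", "internet only"),
]


def validate_plan(zones):
    """Reject overlapping subnets or reused VLAN IDs before rendering anything."""
    seen = {}
    for zone in zones.values():
        net = ipaddress.ip_network(zone.subnet)
        for other_name, other_net in seen.items():
            if net.overlaps(other_net):
                raise ValueError(f"{zone.name} overlaps {other_name}")
        seen[zone.name] = net
    vlan_ids = [z.vlan_id for z in zones.values()]
    if len(set(vlan_ids)) != len(vlan_ids):
        raise ValueError("duplicate VLAN id in plan")
    return True


def is_allowed(src, dst, flows=ALLOWED_FLOWS):
    """True if src may open new connections towards dst (a zone name or 'wan')."""
    return any(s == src and (d == "*" or d == dst) for s, d, _ in flows)


def render_nftables(zones, flows=ALLOWED_FLOWS, wan_if="wan0"):
    """Emit an nftables forward chain: default drop, return traffic allowed, then the allow list."""
    validate_plan(zones)
    lines = [
        "table inet home {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for src, dst, why in flows:
        iif = f'iifname "vlan{zones[src].vlan_id}"'
        if dst == "*":
            lines.append(f'    {iif} accept comment "{why}"')
        elif dst == "wan":
            lines.append(f'    {iif} oifname "{wan_if}" accept comment "{why}"')
        else:
            lines.append(f'    {iif} oifname "vlan{zones[dst].vlan_id}" accept comment "{why}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables(ZONES))
    for src, dst in (("iot", "clients"), ("guest", "admin"), ("clients", "wan")):
        print(f"{src} -> {dst}: {'allowed' if is_allowed(src, dst) else 'dropped'}")
```

The rendered chain is default-drop with an explicit allow list, which is the property that turns the VLAN split into an actual risk boundary: an IoT toothbrush that gets compromised can still phone home, but it cannot open a connection towards your phones, your cameras or the switch management interface. The same table also answers the "what can this zone reach?" question directly with `is_allowed`, which is handy to review before loading the ruleset on the edge.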
Next time I will give you some examples. Until then, share your love for VLANs and start dividing your network by risk zones!