[pfSense] Rebuilding confidence

2018-05-20 Thread Antonio Leding
Richard,

One thing to take a look at would be Security Onion.  I use this in concert 
with my other security gear as a means by which to analyze all traffic coming 
in/out of my network.  That analysis drives several follow-on activities such 
as Snort tuning, forensics, etc.

Re: wifi, check out MikroTik.  I did an eval about 6 months ago that included 
MT, Ubiquiti, D-Link, Linksys, etc. - about 5 vendors in all.  I do agree the 
Ubiquiti line is solid but it is a bit costly when compared to some other 
options such as MT.  The latter is far and away the best value especially when 
considering their wireless performance.  I need to also state there is a bit of 
a learning curve there but once you dig in and get the hang of it, it’s not an 
issue at all.  MT devices also have a very comprehensive feature set.

Let me know if you have any other questions re: this stuff...
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Rebuilding confidence

2018-05-13 Thread ED Fochler
Richard, 
I agree with Eero, VLANs are real security.  It will require time and 
effort and maybe some additional equipment.  If it helps you sleep at night, 
it's worth it.  You might start with just IP groupings and rules though.

I have an admin network that only has a couple of computers wired into it.  
Admin has access to my home network and the internet.  My home network (mostly 
wireless, satellite box, etc.) does not have access to admin, but does have 
access to the internet.
That's VLANs.

I also recommend floating-address DHCP for addresses .100-.199 and DHCP 
reservations for .200+ devices that should not have access to the internet, 
like a printer.  And addresses below .100 for devices you know and wish to 
identify regularly.  Then you can try limiting access to the internet to none 
for .200+, only to ports 80 and 443 for .100-.199, and full internet (but not 
admin) access for your iPhone, Xbox, whatever.  It's not as strong a separation 
between trusted and untrusted networks as VLANs are, but it does inhibit some 
multi-stage infection vectors.  I do both.

I can still use my iPhone as a remote for my satellite box with this config.  I 
don't fear having my set-top box infect the computer that I use for web banking 
because they do not talk.

D-Link has some low-cost VLAN-smart switches available that seem to work pretty 
well at a totally acceptable cost.

Ethernet over powerline is an easy way to get more private devices off of your 
wireless network without running cat-6 through your walls or punching your own 
RJ-45 connectors.

pfSense should be able to provide you with separated networks via additional 
ports or by sending multiple tagged VLANs to a smart/managed switch where you 
can break them out as needed.  Statically assigning addresses, blocking 
communication by address range, it's all in there.

Good luck,

ED.



> On 2018, May 13, at 3:48 PM, Eero Volotinen wrote:
> 
> Well. You should use VLANs to segment IoT devices into different networks.
> Anyway... some commercial vendor might provide a bit better protection ;)
> 
> You can replace your Apple TimeMachine with UniFi APs.
> https://www.ubnt.com/unifi/unifi-ap/
> 
> Eero
> 
> On Sun, May 13, 2018 at 10:44 PM Richard A. Relph wrote:
> 
> 
>> Hi,
>> I’ve been using a SG-2440 for a couple of years now, but only as a
>> well-maintained basic NAT router. I know I’m not using all the capabilities
>> the box offers.
>> I’m increasingly concerned about ‘infected’ IoT devices inside my
>> firewall. I don’t have any specific concerns. But confidence is
>> continuously declining that everything I implicitly trust is really worthy
>> of that trust. I’m looking for a tool that will provide me some evidence
>> that my network is behaving well, and identify devices that might be
>> betraying my trust.
>> 
>> I’ve been tempted by the McAfee Secure Home Platform built into
>> certain Arris Cable Modem/Routers. https://securehomeplatform.mcafee.com
>> I’d be interested in this group's thoughts on that product… but I’m
>> even more interested in thoughts on what pfSense offers that could detect
>> “unusual” traffic.
>> 
>> Thanks in advance,
>> Richard
>> PS. Also looking for recommendations to replace my aging Access Point… An
>> Apple TimeMachine (in Bridge mode).

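
The tiered address-range policy ED describes above, worked through as an added example (this is not code from the thread or from the pfSense project): it assumes a 192.168.1.0/24 home LAN and a 192.168.10.0/24 admin VLAN, expands the dotted ranges into the CIDR blocks a pfSense alias would hold, and evaluates a few constructed flows first-match, the way pfSense interface rules are applied. The alias names, the sample addresses and the default deny for unclassified sources are choices made here, not the post's.

```python
import ipaddress
from ipaddress import ip_address, ip_network

# Assumed addressing; the post only gives host offsets such as .100-.199.
LAN = ip_network("192.168.1.0/24")     # "home" network
ADMIN = ip_network("192.168.10.0/24")  # "admin" network, a separate VLAN


def range_alias(first: str, last: str) -> list:
    """Expand an inclusive dotted range into the minimal set of CIDR blocks.

    pfSense does the same when a firewall alias holds a range such as
    192.168.1.100-192.168.1.199: it is stored as CIDR networks, which is why
    a .100-.199 pool does not fit a single /25 and becomes five blocks.
    """
    return list(ipaddress.summarize_address_range(ip_address(first), ip_address(last)))


# The three tiers from the post; alias names are hypothetical.
KNOWN = range_alias("192.168.1.2", "192.168.1.99")        # identified devices: full internet
FLOATING = range_alias("192.168.1.100", "192.168.1.199")  # floating DHCP pool: web only
RESERVED = range_alias("192.168.1.200", "192.168.1.254")  # DHCP reservations: no internet

WEB_PORTS = {80, 443}


def in_alias(addr, alias) -> bool:
    """True if the address falls in any block of the alias."""
    return any(addr in net for net in alias)


def decide(src: str, dst: str, dport: int) -> str:
    """Return 'pass' or 'block' for a flow, evaluated first-match.

    Plain pf is last-match unless a rule carries 'quick'; pfSense interface
    rules are always quick, so first-match is the behaviour you get there.
    """
    s, d = ip_address(src), ip_address(dst)
    if d in ADMIN:
        return "block"  # the home network never reaches admin
    if d in LAN:
        return "pass"   # intra-LAN traffic (phone -> set-top box, printer) stays allowed
    # Anything outside LAN and ADMIN is treated as "the internet".
    if in_alias(s, RESERVED):
        return "block"
    if in_alias(s, FLOATING):
        return "pass" if dport in WEB_PORTS else "block"
    if in_alias(s, KNOWN):
        return "pass"
    return "block"      # assumed default deny for unclassified sources


# Constructed sample flows (93.184.216.34 stands in for any internet host).
SAMPLE_FLOWS = [
    ("192.168.1.210", "93.184.216.34", 443),   # printer reservation -> HTTPS: blocked
    ("192.168.1.150", "93.184.216.34", 443),   # floating pool -> HTTPS: passes
    ("192.168.1.150", "93.184.216.34", 25),    # floating pool -> SMTP: blocked
    ("192.168.1.50", "93.184.216.34", 25),     # known device -> SMTP: passes
    ("192.168.1.50", "192.168.10.5", 22),      # known device -> admin SSH: blocked
    ("192.168.1.50", "192.168.1.210", 9100),   # phone -> printer on the LAN: passes
]


def evaluate_sample_flows() -> list:
    """Run every sample flow through decide() and return (src, dst, dport, verdict)."""
    return [(src, dst, dport, decide(src, dst, dport)) for src, dst, dport in SAMPLE_FLOWS]


if __name__ == "__main__":
    for name, alias in (("known", KNOWN), ("floating", FLOATING), ("reserved", RESERVED)):
        print(f"{name}: {[str(n) for n in alias]}")
    for src, dst, dport, verdict in evaluate_sample_flows():
        print(f"{src} -> {dst}:{dport}  {verdict}")
```

The expansion step is the practical gotcha: neither .100-.199 nor .200-.254 sits on a CIDR boundary, so when building the rules in pfSense put the range in an alias and let it expand, rather than approximating with a /25 or /26 that silently includes or excludes hosts. The rule order in decide() also matters: the admin block and the intra-LAN pass must come before the per-tier internet rules, or a known device would be granted a path into the admin VLAN.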

Re: [pfSense] Rebuilding confidence

2018-05-13 Thread Eero Volotinen
Well. You should use VLANs to segment IoT devices into different networks.
Anyway... some commercial vendor might provide a bit better protection ;)

You can replace your Apple TimeMachine with UniFi APs.
https://www.ubnt.com/unifi/unifi-ap/

Eero

On Sun, May 13, 2018 at 10:44 PM Richard A. Relph wrote:

> Hi,
> I’ve been using a SG-2440 for a couple of years now, but only as a
> well-maintained basic NAT router. I know I’m not using all the capabilities
> the box offers.
> I’m increasingly concerned about ‘infected’ IoT devices inside my
> firewall. I don’t have any specific concerns. But confidence is
> continuously declining that everything I implicitly trust is really worthy
> of that trust. I’m looking for a tool that will provide me some evidence
> that my network is behaving well, and identify devices that might be
> betraying my trust.
>
> I’ve been tempted by the McAfee Secure Home Platform built into
> certain Arris Cable Modem/Routers. https://securehomeplatform.mcafee.com
> I’d be interested in this group's thoughts on that product… but I’m
> even more interested in thoughts on what pfSense offers that could detect
> “unusual” traffic.
>
> Thanks in advance,
> Richard
> PS. Also looking for recommendations to replace my aging Access Point… An
> Apple TimeMachine (in Bridge mode).

[pfSense] Rebuilding confidence

2018-05-13 Thread Richard A. Relph
Hi,
I’ve been using a SG-2440 for a couple of years now, but only as a 
well-maintained basic NAT router. I know I’m not using all the capabilities the 
box offers.
I’m increasingly concerned about ‘infected’ IoT devices inside my firewall. 
I don’t have any specific concerns. But confidence is continuously declining 
that everything I implicitly trust is really worthy of that trust. I’m looking 
for a tool that will provide me some evidence that my network is behaving well, 
and identify devices that might be betraying my trust.

I’ve been tempted by the McAfee Secure Home Platform built into certain 
Arris Cable Modem/Routers. https://securehomeplatform.mcafee.com
I’d be interested in this group's thoughts on that product… but I’m even 
more interested in thoughts on what pfSense offers that could detect “unusual” 
traffic.

Thanks in advance,
Richard
PS. Also looking for recommendations to replace my aging Access Point… An Apple 
TimeMachine (in Bridge mode).