From time to time I like to review my network to see where I can tighten up. Review logs, check out the landscape, and make sure there are no gaps. Today, I have some downtime, so I figured it'd be a good for it. Since I am not a certified IT professional, this is what I have cobbled together reading, and seeing what others have done. I'd like to bounce this off you guys who are more experienced than I and get your impressions. If you have any recommendations, I'm always down to be schooled.
So if you'd like to participate in my audit, I have a home network as follows:
- Modem receiving IP from ISP. Modem to router. Router to stand alone pfsense firewall. Router has a 54 character complex password for WiFi. There are no guest provisions for WiFi.
- Pfsense firewall with pfblockerng & suricata running on both lan and wan, both with a full array of rules/feeds updated daily. pfsense has tailscale as an overlay vpn. Server traffic and PC traffic have their own VLAN provided by pfsense. My approach is to deny all until something complains and address that on a case by case basis. Additionally ntopng is utilized for traffic analysis. IPv6 is disabled.
- Server running Tailscale as an overlay VPN, UFW deny all posture, and fail2ban with an aggressive posture. Server has been hardened against Lynis spec where applicable. Not all recommendations apply to my server. Server is utilizing host deny/host allow and SSH keys.
- Server is utilizing containers for services.
- Server is using Cloudflare tunnel/zero trust.
- Server and pfsense communicate via Tailscale encrypted tunnel. PC/Phone/mobile device can communicate with pfsense via Tailscale.
- Server services are accessed via https.
- PC connected to pfsense firewall with same rules as server. PC is using a VPN with Cloudflare 1.1.1.1/1.0.0.1 for DNS queries. Firefox is using 1.1.1.1/1.0.0.1. Settings for Firefox are the strictest for Enhanced Tracking Protection, and DOH. HTTPS-Only mode enabled. PC is also running a soft firewall.
- All other devices such as phones, laptops, and tablets run a VPN with Cloudflare 1.1.1.1/1.0.0.1 for DNS queries.
- IoT devices are isolated. Phones are isolated. Smart TVs are isolated.
How secure would you say this network is and give any recommendations to further harden the network besides keeping up with current updates, monitoring and auditing logs.
Thanks
Fair, though I personally don't let my ISP indirectly dictate what I do with my LAN. If I didn't already have a v6-enabled WAN, I would still manage my LAN using IPv6 private range addresses. There are too many benefits to me, like having VMs and containers be first-class citizens on my LAN, rather than sitting behind yet another layer of NAT. That lets me avoid port forwarding at the border of my home Kubernetes cluster (or formerly, my Docker Swarm), and it means my DNS names correctly resolve to a valid IP address that's usable anywhere on my network (because no NAT when inside the LAN).
I will admit that NAT64 is kinda a drag to access v4-only resources like GitHub, but that's only necessary because they've not lit up support for v6 (despite other parts of their site supporting v6).
This is my idea of being future-ready: when the future comes, I'm already there.
That is something to consider. Thanks.