Here I am, going against the rule and sharing my network diagram with the public.

I am a security consultant and auditor, and most of my time goes into recommending best practices in data and network security to my customers. I do, sometimes, believe in practising what you preach. To understand the pain my customers go through, I implement my own recommendations at work and at home. A large part of what I present here is about the design and the security controls on the network.

In the old-school world, a network diagram is considered very confidential and sensitive. Professionals often complain that it gives out critical details to a criminal or malicious user and may even aid his/her attack on your network. Yes, it gives away the design and the logical layout of your network, but that's not the end of it. With some social engineering and good recon, one can gather much more valuable and sensitive info on the target (#OPSEC practitioners, I know you're smirking there). A design that only holds up while the layout stays secret is not much of a design anyway; the things that need to stay private are credentials, addresses and the exact rule set, not the shape of the network. Nevertheless, I have made up my mind to share the best practices.

Here is the network diagram of my home office:

Figure: My home office network

I have created five zones in my firewall (six interfaces, including the WAN):

Zone 1 — LAN: Inside, or the trusted LAN network. This is where all the management tools and devices reside and are reachable.

Zone 2 — Office: This is trusted; it is my office network. There aren't many devices in it, and I use this network only when I test apps, run exploit tools, do VAPT (vulnerability assessment and penetration testing), etc. Most of these tools live inside a virtual machine; I don't run them on my native OS.

Zone 3 — Family: This trusted (but with some caution) network is for my family members. They mostly use laptops, mobiles and tablets. There is no wired connectivity for them.

Zone 4 — Guests: This is an untrusted network, only for guests and visitors. No wired connection.

Zone 5 — DMZ: This is where I host my servers.

All five zones are virtual interfaces, each tagged with a unique VLAN ID. The VLANs are carried over a trunk to the managed switch and from there to the rest of the network. VLAN separation is done in the switch and in the firewall zones, and routing between zones is done only in the firewall. I have to create rules for every zone/interface in the firewall, so nothing crosses a zone boundary unless a rule allows it. This gives me more control over what traffic is allowed, and to where.
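To make the zone layout concrete, here is an added example that is not part of the original post: the zone-to-zone policy written as data, with a default-deny evaluator and a renderer that turns it into an nftables ruleset plus the iproute2 commands for the tagged sub-interfaces on the trunk. The zone names are the post's; the interface names, VLAN IDs, subnets and the specific allow rules are assumptions made for the example, since the post keeps the actual restrictions in the diagram.

```python
"""Five-zone VLAN firewall policy as data, rendered to nftables.

Zone names follow the post; interface names, VLAN IDs, subnets and the
allowed flows below are assumptions for this example, not the post's rules.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple, Union


@dataclass(frozen=True)
class Zone:
    name: str
    iface: str            # firewall interface (VLAN sub-interface for inner zones)
    vlan: Optional[int]   # None for the untagged WAN port
    subnet: str


# Assumed addressing: WAN on a physical port, five tagged zones on trunk eth1.
ZONES: Dict[str, Zone] = {
    "wan":    Zone("wan",    "eth0",    None, "0.0.0.0/0"),
    "lan":    Zone("lan",    "eth1.10", 10,   "10.0.10.0/24"),
    "office": Zone("office", "eth1.20", 20,   "10.0.20.0/24"),
    "family": Zone("family", "eth1.30", 30,   "10.0.30.0/24"),
    "guests": Zone("guests", "eth1.40", 40,   "10.0.40.0/24"),
    "dmz":    Zone("dmz",    "eth1.50", 50,   "10.0.50.0/24"),
}

Service = Union[str, Tuple[str, int]]   # "any" or (proto, port)

# Assumed inter-zone policy. Any (src, dst) pair missing here is denied:
# the forward chain has a drop policy, so only listed flows pass.
POLICY: Dict[Tuple[str, str], Tuple[Service, ...]] = {
    ("lan", "wan"):    ("any",),
    ("lan", "office"): ("any",),
    ("lan", "family"): ("any",),
    ("lan", "guests"): ("any",),
    ("lan", "dmz"):    ("any",),                      # management reaches all zones
    ("office", "wan"): ("any",),
    ("office", "dmz"): ("any",),                      # VAPT against own servers
    ("family", "wan"): ("any",),
    ("family", "dmz"): (("tcp", 443),),               # web only, no admin ports
    ("guests", "wan"): ("any",),                      # guests: internet only
    ("dmz", "wan"):    (("tcp", 80), ("tcp", 443), ("udp", 53)),  # updates, DNS
}


def is_allowed(src: str, dst: str, proto: Optional[str] = None,
               port: Optional[int] = None) -> bool:
    """Evaluate a new connection from zone src to zone dst against POLICY.

    Default deny: pairs absent from POLICY are refused. Same-zone traffic
    never traverses the firewall, so it is not a firewall decision here."""
    if src == dst:
        return False
    services = POLICY.get((src, dst), ())
    if "any" in services:
        return True
    return (proto, port) in services


def render_nftables() -> str:
    """Emit an nftables ruleset: a forward chain with policy drop and one
    explicit accept per allowed flow, plus an input chain that lets only the
    LAN manage the firewall itself (other zones get DHCP/DNS only)."""
    lan = ZONES["lan"].iface
    inner = ", ".join(f'"{z.iface}"' for z in ZONES.values() if z.name != "wan")
    lines = [
        "table inet fw {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    icmp type echo-request accept",
        f'    iifname "{lan}" tcp dport {{ 22, 443 }} accept',
        f"    iifname {{ {inner} }} udp dport {{ 53, 67 }} accept",
        "  }",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for (src, dst), services in POLICY.items():
        match = f'iifname "{ZONES[src].iface}" oifname "{ZONES[dst].iface}"'
        if "any" in services:
            lines.append(f"    {match} accept")
            continue
        for proto, port in services:
            lines.append(f"    {match} {proto} dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


def render_vlan_links(trunk: str = "eth1") -> str:
    """iproute2 commands that create the tagged sub-interfaces on the trunk
    facing the managed switch, with the firewall as first host of each subnet."""
    cmds = []
    for z in ZONES.values():
        if z.vlan is None:
            continue
        net = ipaddress.ip_network(z.subnet)
        cmds.append(f"ip link add link {trunk} name {z.iface} type vlan id {z.vlan}")
        cmds.append(f"ip addr add {net[1]}/{net.prefixlen} dev {z.iface}")
        cmds.append(f"ip link set {z.iface} up")
    return "\n".join(cmds) + "\n"


if __name__ == "__main__":
    print(render_vlan_links())
    print(render_nftables())
```

The ruleset omits NAT and any intra-zone controls on the switch side; its point is that every zone pair has to appear explicitly, and anything left out (guests to LAN, DMZ back into any inner zone) is dropped by the chain policy rather than by a rule someone has to remember to write.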

I have explained the restrictions and the traffic flow between the zones in the diagram itself.

Most of my recommendations are implemented here, as far as my budget and skills allow. It would take another post to detail what those recommendations are. Yes, this is nowhere near A PERFECT network design or architecture. I am sure there are different ways, more controls and newer areas to cover in secure network design. Hey, I'm learning.

Any suggestions or tips for securing this network further are welcome. And I'll be happy to answer any questions.

Instead of a static image, I am looking for an app that can help me publish an online/interactive network diagram, one that can show the flow of traffic and highlight active components.

UPDATED: Added more details on the zones and VLAN separation.

Published PART II on the components used in my home office network.