This is Part II of my series on designing a secure home office network. Here I detail the components used in that network, including the software and hardware I chose. This is not achieved with just one device or product, nor is it one-size-fits-all. I wouldn't claim this is the ‘most secure network of all’, either. Read on and adopt what’s best for your network.

In Part I, I wrote about the design of my home office (or SOHO) network.

The following three components play a key role in achieving this design (see the diagram in Part I):

1. A pretty good firewall or perimeter security device
2. A managed switch
3. A robust wireless system

Firewall

The core of my network is the firewall. Some just prefer a ‘high-end’ WiFi router, which doesn’t do much except connect you to your ISP through NAT and to the WiFi. But we are not talking about mediocre designs, are we? What we need in a firewall, at the least, is good perimeter defense, zone separation, traffic shaping, packet analysis and filtering. Apart from all these, my firewall will be running the following services: DHCP, DNS, NTP, IPS, VPN, WAN failover and a few others. It’s better to keep WiFi separate from the firewall. So in short this will be an all-in-one device, similar to the enterprise UTM (unified threat management) boxes. Here is the list of hardware and software I use.

Hardware

1. PC Engines APU-1C system board: This is a small fanless SBC (single board computer) designed primarily for networking, made by a Swiss firm. This board has a 64-bit dual-core AMD CPU, 2GB RAM and 3 GbE ports, all in a 6" x 6" enclosure. Apart from a full-fledged firewall, the hardware can easily handle some advanced services like IPS or IDS (either with Suricata or Snort), WAN failover, an OpenVPN server, three site-to-site tunnels, pfBlocker, traffic shaping, etc.

This is the APU 1C board; the mSATA disk is not shown. (This model is almost EOL; I would suggest the APU2.) P.S.: Always use the ‘black’ colored case, for better heat dissipation!

2. Netgear GS108Tv2 network switch: This is an entry-level managed GbE smart switch. This model has 8 gigabit ports and supports VLANs, jumbo frames, port mirroring and many other L2 features. That should be good enough even for a small office.

Notice that 4 ports are at gigabit speed with jumbo frames enabled.

3. UniFi AP AC Lite WiFi access point: This wireless access point by Ubiquiti Networks is some of the finest WiFi hardware I have ever seen. It is enterprise-class hardware with enterprise-class management software, but at an affordable price. These devices have exceptionally large coverage with good network throughput. The speed and stability are just great. The management software itself has many advanced features to control and block users and to limit speeds.

RF scan results. This is how the UniFi decides which channel to use.

My neighbors: no one’s on 5 GHz. Despite many APs on channel 6, the UniFi decides to stay put!

4. A couple of Raspberry Pis: I have two RPis running headless Raspbian with management tools like the UniFi controller software for the Ubiquiti AP and a UPS monitoring daemon.

Software

1. pfSense: This is FreeBSD-based open source software for network security. It’s robust, scalable, and widely used even among enterprise users. It’s compatible with most x86 hardware (it follows FreeBSD’s requirements) and works with a variety of network cards. But that doesn’t mean that you can run it on ‘any hardware’. Good hardware is crucial when your whole business depends on it. If you are building the box yourself, make sure you select the right board with good network cards (Intel GbE cards are best). Otherwise you would keep troubleshooting slow Internet, dropped packets and an inconsistent network. Mini-PCs and embedded boards from PC Engines and Netgate are well suited. It’s important to note that most of my other software components run on this firewall platform.

This is how the firewall dashboard looks. I can’t show my own dashboard; it has too much information! [Source]

2. Suricata IDS: This is a free and open source real-time intrusion detection and inline intrusion prevention (IDS/IPS) engine. It is installed as a package on the pfSense firewall. It can source rules from the Snort and Emerging Threats (ET) rule sets. Once you configure and install it, you will be surprised to learn what kind of attacks happen and the extent of ‘bad’ traffic on your network! It does need some fine tuning: non-standard or weakly configured apps or site traffic might get blocked.

This service adds considerable load on the CPU and memory.

These are typical Suricata IPS alerts on malicious traffic. Note the ‘Potential Bad Traffic’ alert: this is the Telegram app on my phone trying to sync with its server on port 443 using HTTP instead of HTTPS.
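To show what the alert tab above is summarising, here is an added example (mine, not the author's and not part of Suricata or pfSense) that reads lines in Suricata's EVE JSON format, keeps only alert events, counts them by signature, action and source, and flags the exact condition the caption describes: the app-layer parser identified HTTP on port 443, where TLS is expected. The field names follow Suricata's EVE alert schema; the log lines, signature ids (in the local-rule range) and addresses are constructed for the example.

```python
import json
from collections import Counter

# Constructed sample lines in Suricata's EVE JSON log format (eve.json). These are
# not alerts from the author's firewall; signature ids sit in the local-rule range
# and the addresses come from documentation ranges.
SAMPLE_EVE_LINES = [
    '{"timestamp": "2017-03-01T10:00:01.000000+0000", "event_type": "alert", '
    '"src_ip": "10.0.10.23", "src_port": 51234, "dest_ip": "203.0.113.10", "dest_port": 443, '
    '"proto": "TCP", "app_proto": "http", "alert": {"action": "allowed", "signature_id": 1000001, '
    '"signature": "LOCAL cleartext HTTP on TLS port", "category": "Potential Bad Traffic", "severity": 3}}',
    '{"timestamp": "2017-03-01T10:00:02.000000+0000", "event_type": "flow", '
    '"src_ip": "10.0.10.23", "dest_ip": "203.0.113.10", "proto": "TCP"}',
    '{"timestamp": "2017-03-01T10:00:03.000000+0000", "event_type": "alert", '
    '"src_ip": "198.51.100.7", "src_port": 40000, "dest_ip": "192.0.2.5", "dest_port": 22, '
    '"proto": "TCP", "app_proto": "ssh", "alert": {"action": "blocked", "signature_id": 1000002, '
    '"signature": "LOCAL SSH scan", "category": "Attempted Information Leak", "severity": 2}}',
    '{"timestamp": "2017-03-01T10:00:04.000000+0000", "event_type": "alert", '
    '"src_ip": "198.51.100.7", "src_port": 40001, "dest_ip": "192.0.2.5", "dest_port": 22, '
    '"proto": "TCP", "app_proto": "ssh", "alert": {"action": "blocked", "signature_id": 1000002, '
    '"signature": "LOCAL SSH scan", "category": "Attempted Information Leak", "severity": 2}}',
    'truncated line that never made it to disk {"event_type": "alert"',
]


def parse_alerts(lines):
    """Yield only well-formed alert events; skip other EVE event types and junk lines."""
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") == "alert" and "alert" in event:
            yield event


def is_plaintext_http_on_tls_port(event):
    """Suricata's app-layer detection says HTTP, yet the port is 443: cleartext where TLS is expected."""
    return event.get("app_proto") == "http" and event.get("dest_port") == 443


def summarize(lines):
    """Build the kind of overview you want before deciding which rules need tuning."""
    alerts = list(parse_alerts(lines))
    by_signature = Counter(e["alert"]["signature"] for e in alerts)
    by_action = Counter(e["alert"]["action"] for e in alerts)
    by_source = Counter(e["src_ip"] for e in alerts)
    cleartext = [(e["src_ip"], e["dest_ip"]) for e in alerts if is_plaintext_http_on_tls_port(e)]
    return {
        "total": len(alerts),
        "by_signature": dict(by_signature),
        "by_action": dict(by_action),
        "top_sources": by_source.most_common(3),
        "http_on_443": cleartext,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVE_LINES).items():
        print(f"{key}: {value}")
```

Run it against a real eve.json by passing `open("/var/log/suricata/eve.json")` in place of the sample list; the signature counts are the first thing to look at when deciding which noisy rules to disable or which hosts deserve a closer look.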

3. pfBlockerNG: This is a pfSense-only package. pfBlockerNG creates an alias (a group or list) with thousands of ‘bad’ IP addresses to (mostly) block them from coming into your network. These lists are made up of malware hosting sites, ad servers, spam sources, compromised hosts and many more. They are prepared by many entities, from communities and monitoring apps to individuals, and most of them are free. pfBlocker creates an alias table and attaches it to the WAN interface as a block rule. List owners update the lists frequently, and a cron job in pfSense pulls the updates. Configuring this is not difficult, but it needs some work if you have multiple LANs.

Deny alerts with IP, rule and list names.
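As an added illustration of what an IP alias table is (my example, not pfBlockerNG's code), the block below parses a feed in the one-address-or-CIDR-per-line format such lists use, drops comments, duplicates and junk, collapses overlapping and adjacent networks the way a firewall table stores them, and answers the question the deny log answers: which list entry covers this address? The feed content is constructed from documentation ranges.

```python
import ipaddress

# Constructed sample feed in the common "one IP or CIDR per line" format that
# pfBlockerNG consumes. Not a real feed; addresses are from documentation ranges.
SAMPLE_FEED = """\
# Constructed example feed; '#' and ';' lines are comments
; another comment style seen in feeds
203.0.113.0/24      # a whole /24
203.0.113.77        # already covered by the /24 above
198.51.100.14
198.51.100.15
198.51.100.14       ; duplicate
2001:db8:bad::/48
not-an-address
"""


def parse_feed(text):
    """Parse a feed into network objects, dropping comments, duplicates and junk."""
    nets = set()
    rejected = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=False lets a bare host address become a /32 or /128
            nets.add(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)
    return nets, rejected


def build_alias(text):
    """Collapse overlapping and adjacent networks, per address family, into a minimal table."""
    nets, rejected = parse_feed(text)
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    alias = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return alias, rejected


def match(alias, ip):
    """Return the alias entry that covers ip, or None if the address is not listed."""
    addr = ipaddress.ip_address(ip)
    for net in alias:
        if addr.version == net.version and addr in net:
            return net
    return None


if __name__ == "__main__":
    alias, rejected = build_alias(SAMPLE_FEED)
    print("alias table:", [str(n) for n in alias])
    print("rejected entries:", rejected)
    for probe in ["203.0.113.77", "198.51.100.16", "2001:db8:bad::1"]:
        print(probe, "->", match(alias, probe))
```

Note that the two neighbouring /32 entries merge into a single /31 and the /32 inside the /24 disappears; that is the same reduction pf applies when it loads a table, and it is why a feed of thousands of lines usually produces a much smaller table.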

4. DNSBL: This is a DNS blackhole list (or blacklist). It is a module within pfBlockerNG, but I am listing it separately since its function and configuration are different. This also maintains an alias list, but of ‘bad’ domain names that serve ads, malware, etc. DNSBL intercepts all DNS requests to these bad servers and pushes a 1x1 GIF image to your browser instead. I haven't tested this in particular, but I haven’t seen the frowny anti-adblocker page from sites that you normally get with browser-based adblockers.

Configuring this is a little tricky, and it might throw up a lot of false positives and even make some apps or sites inoperable. It does need a little tweaking.

DNSBL deny alerts. Notice most are HTTPS traffic. DNSBL intercepts only the ad traffic, not the primary domain’s SSL.
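The two DNSBL paragraphs above describe a domain sinkhole plus the whitelisting needed to tame false positives. The added example below (mine, not pfBlockerNG's implementation) models that: it parses a hosts-style domain feed, normalises names, and answers queries by walking from the queried name up through its parent domains, so a listed `ads.example.net` also catches `cdn.ads.example.net`; a whitelist entry at any level wins. The assumption that a match applies to all subdomains mirrors how a resolver redirect zone behaves; the sinkhole address, the feed and the "upstream" answers are constructed stand-ins.

```python
import re

# Constructed sample feed in the hosts-file style many DNSBL feeds use, mixed
# with bare domain lines. Not a real list and not the author's configuration.
SAMPLE_DOMAIN_FEED = """\
# constructed example feed
0.0.0.0 ads.example.net
127.0.0.1 tracker.example.org   # hosts-style entry with a comment
telemetry.example.com
NOT a domain!
"""

# Assumed sinkhole address; in pfBlockerNG this is the DNSBL virtual IP you configure.
SINKHOLE_IP = "10.10.10.1"

LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize(name):
    """Lower-case, drop a trailing dot, and reject anything that is not a plausible hostname."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL.match(label) for label in labels):
        return None
    return name


def parse_domain_feed(text):
    """Return (blocked domains, rejected lines) from a hosts-style or bare-domain feed."""
    blocked, rejected = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) == 2 and parts[0] in ("0.0.0.0", "127.0.0.1"):
            candidate = parts[1]          # hosts-file style: "0.0.0.0 domain"
        elif len(parts) == 1:
            candidate = parts[0]          # bare domain style
        else:
            rejected.append(line)
            continue
        name = normalize(candidate)
        if name is None:
            rejected.append(line)
        else:
            blocked.add(name)
    return blocked, rejected


def suffixes(name):
    """'cdn.ads.example.net' -> ['cdn.ads.example.net', 'ads.example.net', 'example.net']"""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


class Sinkhole:
    """Toy resolver front-end: whitelist wins, then any listed parent domain sinkholes the query."""

    def __init__(self, blocked, whitelist=(), sinkhole_ip=SINKHOLE_IP):
        self.blocked = set(blocked)
        self.whitelist = {normalize(w) for w in whitelist} - {None}
        self.sinkhole_ip = sinkhole_ip
        self.log = []  # (qname, verdict, matched entry): what the DNSBL alert tab would show

    def lookup(self, qname, upstream):
        """upstream is a dict standing in for the real recursive resolver."""
        name = normalize(qname)
        if name is None:
            return None
        chain = suffixes(name)
        if any(s in self.whitelist for s in chain):
            verdict, matched = "pass", "whitelist"
        else:
            hit = next((s for s in chain if s in self.blocked), None)
            verdict, matched = ("deny", hit) if hit else ("pass", None)
        self.log.append((name, verdict, matched))
        if verdict == "deny":
            return self.sinkhole_ip
        return upstream.get(name, "NXDOMAIN")


if __name__ == "__main__":
    blocked, rejected = parse_domain_feed(SAMPLE_DOMAIN_FEED)
    dnsbl = Sinkhole(blocked, whitelist=["tracker.example.org"])  # one false positive tuned out
    fake_upstream = {"www.example.net": "192.0.2.80", "tracker.example.org": "192.0.2.81"}
    for q in ["ADS.example.net.", "cdn.ads.example.net", "www.example.net", "tracker.example.org"]:
        print(q, "->", dnsbl.lookup(q, fake_upstream))
    print("rejected:", rejected)
    print("log:", dnsbl.log)
```

The `log` list is the part worth keeping an eye on when tuning: every deny records which feed entry caused it, so when an app breaks you can see which domain to whitelist rather than disabling a whole list.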

That’s not the end of it. There are other smaller services and apps I run on my network.

If I get time I will write on how each of these is configured. Do share your views.

Update: Updated the pfSense screenshot to the latest version.