Network Architecture

Status
Not open for further replies.

TheDubiousDubber

Contributor
Joined
Sep 11, 2014
Messages
193
So I'm hoping someone here can help or point me in a good direction.

I'm currently trying to overhaul my network. As a result I'm trying to implement a number of things both to learn and to attempt to fix some problems and prevent others.

Currently I have a few hardwired desktop clients (Mac, Windows, Linux) along with a number of wireless clients (iPad, iPhones, other laptop devices, game consoles and a wireless printer). I also have a dedicated FreeNAS server and a dedicated Hyper-V server. I have a cable connection to my modem which then goes straight to my Sophos UTM which is being used as router/firewall. From there I have the LAN connection going into an X1052 switch which is then run to wired devices as well as the AP for wireless devices.

What I would like to do is securely configure the network to allow certain things and prevent others. More or less I'm looking for some help on segmenting it properly. I would like to be able to host a webserver (for hosting a personal website). To do this, my understanding is that it is best to put this in a DMZ and allow network traffic to flow into but not out of the webserver. So if the webserver is compromised there is no access to the rest of the network. I would also like to set up a VPN so I can access freenas plugins (couchpotato, sickrage, sab) from outside my network. I had this working, but it stopped and I never could figure out why (most likely a DNS issue). I've also been unable to get plex working remotely despite having NAT and the firewall configured to do so.

I guess what I'm ultimately trying to get at is the ability to properly set up a number of VLANs and such to segment the network. I want to prevent guests from accessing FreeNAS shares, prevent the webserver from accessing anything inside the network, though I would like other VMs to be able to access certain shares. I'm trying to implement common practice in regard to much of it (though I'm not entirely sure what that is in many cases). I do believe it is typical to segment things like IPMI access. There is a lot of information out there and given that most home networks are flat, most of the relevant information out there is in terms of enterprise setups, and that can sometimes be difficult to translate over to what I'm trying to do.

Sorry for the wall of text, but if someone has some suggestions on where to start, a good outline, or some good reading material for a noob like me, I would very much appreciate it.
 

TheDubiousDubber

Contributor
Joined
Sep 11, 2014
Messages
193
To add to the previous as I'm sure it may come up later. FreeNAS box has quad GbE links, in addition to the 10GbE link. Same goes for the Hyper-V server. I understand this allows for LAGG setup, trunking, etc. That's part of what is so overwhelming about all of this, since I don't understand it very well, but can come in handy when trying to separate remote connections from other internal traffic, or external traffic in the case of a public facing server.
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
Basically, you want a vlan for each zone, generally - production, guest and dmz. You could also add management, but that might be a bit much for home. Then, in Sophos create rules so guest can only get to the internet, and dmz can only listen and respond on the specific ports you allow.

Then you attach each device to the proper network(s), and assign different subnets to each vlan. Generally, folks will use something like 10.(vlan#).0.1-254/24 for each vlan, but it's up to you.
 

TheDubiousDubber

Contributor
Joined
Sep 11, 2014
Messages
193
I was thinking of four different vlans initially:
1. production - which is more or less devices only I have access to.
2. guest - internet access only
3. dmz - most likely be limited to a single webserver
4. other devices - shared printer, gaming consoles, streaming devices.

The 4th is where I get a little confused. Plex is a plugin on my freenas server. I want devices on the 4th vlan to be able to stream from plex, but I don't want them to have access to anything else on the production vlan. I would assume that is possible, though my knowledge of vlans and what you can and can't do is limited especially in regards to freenas and jails. Currently, everything is set up and working, but it is all on the same subnet and although they are password protected, all of my freenas shares show up as network devices on various computers I'd rather not have access to them.
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
It's possible, you just need to have everything get routed properly and have the proper holes poked in your firewall to allow the traffic back and forth through your firewall between your vlans. I'm not sure I understand the intent behind moving the printer, game console and streaming device to a separate network, unless you have visitors using them on that network as well?
 

TheDubiousDubber

Contributor
Joined
Sep 11, 2014
Messages
193
Part of it is paranoia on my part. I have a decent amount of sensitive data backed up on my NAS, along with other data that I like to be able to access freely from my various workstations. I need access to printers, etc. from my workstations, but so does my wife. I love her, but given her affinity (or complete lack thereof) with technology, I'd sooner assume anything she uses is likely compromised. So if you consider her a visitor then, the answer to your final question is yes.

So maybe it is easier to think of the segmentation as
v1. access for myself only
v2. access for wife
v3. access for guests/visitors
v4. accessible to public/www

v3 and v4 don't need access to anything other than the internet and the internet would need access to v4, but I don't want v3 and v4 to have access to each other. v1 needs access to v2, but v2 can't have access to v1. Now I think I know how to implement this in its most basic form. Part of my trouble is in regard to freenas. It is currently connected to the network via a single fiber connection with a single IP, and each jail is given its own IP, all of which are on the same network. Jails like sabnzbd and sickrage should be fine on v1 as no one but myself needs access to them, but something like plex needs to be accessible by devices on v2. Given it's in a jail, can I simply give it an IP that is on v2? I'm not really sure how this part works given it is all running through the same physical link from freenas -> switch. My initial thought was to set up the vlans using the switch as that seemed to be a simple way of doing it, but that wouldn't work unless I run plex through its own network interface. Even if I can do that, I have wireless devices I want on v1 and others on v2 and all of that is limited to a single interface.
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
The reason for your segmentation seems reasonable, but unless there are multiple devices on v1 that you want to defend against, it might not really make sense in the end.

FreeNAS can be attached to multiple vlans (so you could have share access from each network), but then if you are connecting freenas to v2, why bother having v2 (unless there are other devices on v1 you want to defend). I don't think you can attach jails to multiple vlans so that could be a challenge, but if you are just dealing with plex, you could probably route it through sophos from v1 to v2.

In your case, if you don't have other devices on v1 to defend, I'd suggest you consider setting up multiple users in FreeNAS (or the Active Directory capability), to create a shared space where "guests" and/or your wife could have read-only access (if needed), but only your account had write access. You can even create a separate dataset and share for your files, that only your account can see and write to.

As for the wireless devices, some allow different SSIDs to be tied to different vlans. I use and love the Ubiquiti Unifi series in this manner. It just extends the vlans to wireless devices.
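One way to sanity-check the zone policy this thread converges on (v1 reaches everything, v2 reaches only Plex on v1 plus the internet, guests reach only the internet, the DMZ webserver only answers on its published port and never initiates) is to model the inter-VLAN rules and test the intended flows against them. This is added here as an illustration of what the Sophos rule set has to express, not code from the thread's participants or from Sophos UTM; the subnets, host addresses and ports are constructed.

```python
import ipaddress

# Constructed subnets following the 10.(vlan#).0.0/24 pattern suggested in the thread.
ZONES = {
    "v1_production": ipaddress.ip_network("10.1.0.0/24"),
    "v2_family": ipaddress.ip_network("10.2.0.0/24"),
    "v3_guest": ipaddress.ip_network("10.3.0.0/24"),
    "v4_dmz": ipaddress.ip_network("10.4.0.0/24"),
}
PLEX_HOST = ipaddress.ip_address("10.1.0.20")  # hypothetical Plex jail on v1
WEB_HOST = ipaddress.ip_address("10.4.0.10")  # hypothetical webserver in the DMZ

# First-match rules for NEW connections (replies ride the firewall's state table).
# Fields: src zone, dst zone, proto, dst port, dst host, action; no match means deny.
RULES = [
    ("v1_production", "any", "any", None, None, "allow"),  # v1 reaches v2, DMZ, net
    ("v2_family", "v1_production", "tcp", 32400, PLEX_HOST, "allow"),  # v2 -> Plex only
    ("v2_family", "internet", "any", None, None, "allow"),
    ("v3_guest", "internet", "any", None, None, "allow"),
    ("internet", "v4_dmz", "tcp", 80, WEB_HOST, "allow"),  # DMZ only listens, never dials
]

def zone_of(ip):
    """Map an address to its VLAN zone; anything outside the four subnets is 'internet'."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "internet")

def evaluate(src_ip, dst_ip, proto, dport):
    """Return 'allow' or 'deny' for a new connection src -> dst:dport."""
    src_zone, dst_zone, dst = zone_of(src_ip), zone_of(dst_ip), ipaddress.ip_address(dst_ip)
    for r_src, r_dst, r_proto, r_port, r_host, action in RULES:
        if (r_src == src_zone and r_dst in ("any", dst_zone) and r_proto in ("any", proto)
                and r_port in (None, dport) and r_host in (None, dst)):
            return action
    return "deny"

# Intent stated in the thread, as (src, dst, proto, port, expected decision).
INTENT = [
    ("10.2.0.5", "10.1.0.20", "tcp", 32400, "allow"),  # wife's device streams Plex
    ("10.2.0.5", "10.1.0.10", "tcp", 445, "deny"),  # ...but cannot reach NAS shares
    ("10.3.0.7", "10.4.0.10", "tcp", 80, "deny"),  # guests and DMZ stay apart
    ("203.0.113.9", "10.4.0.10", "tcp", 80, "allow"),  # the public reaches the site
    ("203.0.113.9", "10.4.0.10", "tcp", 22, "deny"),  # ...on the published port only
    ("10.4.0.10", "10.1.0.10", "tcp", 445, "deny"),  # compromised webserver boxed in
    ("10.4.0.10", "203.0.113.9", "tcp", 80, "deny"),  # DMZ never initiates outbound
]

def audit():
    """Return the INTENT entries the rule set violates (empty list = policy as intended)."""
    return [f for f in INTENT if evaluate(*f[:4]) != f[4]]
```

An empty result from audit() means every flow the thread calls for resolves as intended; any entry it returns is a rule gap to close before trusting the segmentation.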
 

TheDubiousDubber

Contributor
Joined
Sep 11, 2014
Messages
193
Thanks. That helps clarify things. I wasn't quite sure what the various limitations were, but it seems what I thought would work best isn't going to work. Sounds like I'm going to have to rethink some things. Ultimately, the most important part is separating the webserver from the network, and limiting guest access. I realize as well that vlans weren't invented with security in mind, so there are certainly ways of doing things in a secure way without them.
I'm still learning about Hyper-V, but I know most of the security can be handled through Sophos itself, and I believe I can dedicate one of my nics on that server to the webserver vm and limit access to only that interface. I may just have to do some more research on the Sophos side of things and rely on that for a majority of my security concerns.
 

Mirfster

Doesn't know what he's talking about
Joined
Oct 2, 2015
Messages
3,215
Real question is what protection do you have from your wife when she finds out you want/need a segment separate from her? ;)


TheDubiousDubber

Contributor
Joined
Sep 11, 2014
Messages
193
Haha. Technobabble usually works. I just start talking about tech stuff and she generally tunes out after about 2 seconds since she doesn't know or care what I'm talking about.
 

gpsguy

Active Member
Joined
Jan 22, 2012
Messages
4,472
Do look into using the features in your Sophos UTM. Yes, you could dedicate one of your NICs for your webserver.

It also offers several options for VPN capability. I like the HTML5 VPN option.
 