4

(updated to (hopefully) be less broad)

No matter how well one secures a network there's always the chance of an attacker gaining access. In a shared home + home office network (e.g. for a remote worker and their family) there is considerable risk of this from friends and family using the network insecurely or on potentially compromised devices.

For lack of better terminology I'll refer to two types of users of the network:

  • Guests - (typically transient) users who only need access to WAN, not LAN.
  • Privileged users/devices - those who are consistent/persistent users and need to communicate with other devices on the LAN. For example, a remote worker and their direct family.

Now, let's assume the following:

  • Insiders "going rogue" isn't a concern.
  • I assume that the attacker therefore would not have any prior knowledge of the network setup beyond what can be obtained prior to breaking in.
  • WiFi is used both by guests and privileged users for mobile devices and laptops.
    • Privileged devices on WiFi would like to be able to communicate securely with other privileged devices (both wired and wireless) and vice versa.
  • Guests sometimes connect via the wired connection as well (e.g. using an Ethernet port in a guest room).
  • The WiFi can't be trusted to be encrypted since not all privileged users can be trusted to not inadvertently leak the password.
  • The network includes some LAN services such as shared printers, a file server/NAS, etc. Assume that they have appropriate authentication/authorization enabled (passwords, SSH keys, etc.)
  • The network does not include any publicly accessible services (e.g. no web servers accessible from the internet).

I can see two ways for an attacker to gain access to the network:

  • Via a device they have access to being added as a guest device (e.g. by cracking the WiFi, or having compromised a guest's device). In this case they presumably haven't (yet) gained access to any privileged devices or passwords or secrets used by privileged devices or LAN communication.
  • By compromising a privileged device. In this case they presumably now have or can gain access to any secrets used on or by the device.

What threats do these scenarios present and how can they be mitigated via network setup? (Mitigating them via antivirus etc. is a whole different can of worms)

Note: the use case I'm interested in is for remote workers running shared home + home office networks - solutions that can be implemented by someone who is proficient technically but not necessarily in networking would be preferred.

mayhewluke
  • I consider this question as too broad. There is no information about what should be secured and not really any information about the attack scenario. But the more valuable things you have, the more somebody will try to steal them. This might be internal workers who want to make money or got blackmailed. And it is not possible to give some worker access to the data so that the work can be done but at the same time restrict the access to the same data so that it cannot be stolen by the same worker. So to answer such kinds of questions one would need to have all these and more detailed information. – Steffen Ullrich Mar 19 '16 at 16:08

4 Answers

3

One of the easiest ways to protect against internal attacks is by isolation: in other words, having multiple sub-networks. For example (this even works in a small home network), the WiFi network might be 10.0.1.0/24, and there could be another internal network where the wired desktops and servers reside, perhaps call it 10.0.2.0/24. Now even if someone hacks into the wireless network they are constrained to computers in the 10.0.1.X space, and would be unable to access the desktops and servers. You could even have specific routes so that both networks can share a printer which is in one of the networks (or a third network), without exposing anything else.

As for sniffing wired traffic on the same network, this isn't an issue unless the network uses hubs rather than switches. With switches the traffic is only sent through the device ports of the recipient, so other devices cannot "sniff" that traffic. (That is an oversimplification but the general concept should be clear.) In order for someone to sniff traffic under normal circumstances, they would have to have admin access to a switch with promiscuous capabilities.

Note that with just these basic concepts, you don't really need to worry about encrypting wired traffic within an internal network, because it is already (generally) secure. This is why when you talk about encryption, it is usually within the context of traffic over the public internet.

Outside of those basics, it is difficult to go into more detail because this is a huge topic. But that should at least clarify your initial thoughts and get you on the right track.

TTT
  • Thanks, that did help clarify my initial thoughts. I've updated my question now since the original was voted as too broad. – mayhewluke Mar 21 '16 at 20:59
  • It would be great to get more pieces of information about *securing the internal network*. - - I am often in insecure networks for long times: untrustworthy ISPs and governments. - - Wiresharking shows that packet loss and compromises happen at specific nodes. - - Establishing a stable VPN for all my traffic has been a pain with NordVPN and TP-Link. - - Isolation may however work. Can you please expand on it? – Léo Léopold Hertz 준영 Dec 25 '16 at 23:03
  • @LéoLéopoldHertz준영 - Isolation is used by the network owner/admin to make sure that certain users cannot access things they shouldn't have access to. In your situation it sounds like you are the *user* rather than the *network admin*, so isolation wouldn't help keep your traffic secure from a spying ISP or government. Continuing to use a VPN is probably the best thing you can do. – TTT Dec 26 '16 at 03:09
1

The question you ask is a little broad for my liking, seeing as there are more factors than you could imagine with the little information provided, but I will try my best to help!

The problem, obviously, as you state in a roundabout way, is not so much attacks getting in but more what they can do once they are here...

The thing I shall suggest is VLANs. This works similarly to the suggestion already made here, but with some small differences: you can tag network traffic coming in from interfaces (such as wireless, Ethernet, or multiple WiFi networks). Using VLANs (in my own opinion) is a lot easier to manage. Going on what you said about enterprise technology being a non-preference, this would probably be easier to achieve with basic equipment, and, going by the fact that this question is being asked, you don't have a lot of experience with networking. So this would be a simple route to take and easier to configure than multiple subnets, with less technology.

WHY?

Segregation is your best line of defense on internal traffic; without knowing much else about your setup I cannot guess what you have to protect.

Do you have servers? A main server of entry (VPN server)? What are you protecting?

Consider firewalls as well as VPNs and VLAN traffic. You should have a VLAN for every type of network connection:

  • LAN traffic = new VLAN
  • WiFi = new VLAN
  • VPN inbound = new VLAN

By keeping everything segregated you can keep each section protected and monitor each section also. Using firewalls can also stop people from using whatever protocols they like upon entry.

Also when protecting a network remember time of response is also important.

TheHidden
  • I agree with you that L2 VLANs are a good alternative to L3 subnets. But I think subnets are more likely to get the brownie points. :) – TTT Mar 19 '16 at 16:54
  • The question was voted closed due to being too broad, so you're in good company with that view :) I've updated the question now and it's apparently been refined enough to be re-opened. – mayhewluke Mar 21 '16 at 21:04
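The subnet/VLAN segregation described in the two answers above, worked through as a small forwarding-policy model. This is an added example, not code from either answer; the 10.0.1.0/24 and 10.0.2.0/24 subnets come from TTT's answer, while the printer address, the NAS, the printing ports and the "deny everything else between segments" choice are assumptions.

```python
"""Inter-VLAN policy model for a shared home / home-office network.

Added example, not code from the answers above.  Guest WiFi and the
privileged LAN sit on separate subnets/VLANs, default-deny between them,
with one narrow exception so guests can still reach the shared printer.
All addresses and ports are constructed.  A real router enforces this with
nftables/iptables or switch ACLs and lets connection tracking handle replies,
so only the first packet of a new flow is judged here.
"""
from ipaddress import ip_address, ip_network

VLANS = {
    "guest_wifi": ip_network("10.0.1.0/24"),   # guests and untrusted devices
    "lan": ip_network("10.0.2.0/24"),          # wired desktops, NAS, privileged WiFi
}
PRINTER = ip_address("10.0.2.50")              # constructed address of the shared printer
PRINT_SERVICES = {("tcp", 631), ("tcp", 9100)} # IPP and raw JetDirect printing


def vlan_of(addr: str) -> str:
    """Name the segment an address belongs to; anything else counts as the internet."""
    ip = ip_address(addr)
    for name, net in VLANS.items():
        if ip in net:
            return name
    return "wan"


def decide(src: str, dst: str, proto: str, dport: int) -> str:
    """Return 'allow' or 'deny' for the first packet of a new connection."""
    s, d = vlan_of(src), vlan_of(dst)
    if s == d and s != "wan":
        return "allow"          # same segment: switched locally, never crosses the router
    if s != "wan" and d == "wan":
        return "allow"          # both segments may use the internet (NAT happens here)
    if s == "guest_wifi" and ip_address(dst) == PRINTER and (proto, dport) in PRINT_SERVICES:
        return "allow"          # the single hole from guest to LAN: printing only
    return "deny"               # default deny: guest->LAN, WAN->anything, LAN->guest


def reachable_from(src: str, probes) -> list:
    """Which (dst, proto, port) targets a host in src's segment can open."""
    return [p for p in probes if decide(src, *p) == "allow"]


if __name__ == "__main__":
    # A compromised guest device probing the privileged segment, as in the question.
    probes = [("10.0.2.10", "tcp", 445),      # NAS over SMB
              ("10.0.2.10", "tcp", 22),       # NAS over SSH
              ("10.0.2.50", "tcp", 631),      # shared printer, IPP
              ("10.0.2.50", "tcp", 22),       # printer's management port
              ("203.0.113.10", "tcp", 443)]   # an internet host (TEST-NET-3)
    for target in probes:
        print("10.0.1.77 ->", *target, "=>", decide("10.0.1.77", *target))
```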
1

First and foremost, you would never allow guests to access your network. A separate network should be created for them. But let's go with it. So you have a flat network of systems (doesn't matter if they're servers, desktops, etc.; everything is flat). Do you have a documented network? Meaning, do you know what systems are supposed to interconnect with what? Having this level of information allows you to access those systems and create policies with regards to access by way of usernames and/or firewall rules. If you have, say, a shared folder on a system, you could isolate connections to that machine using firewall rules, ACLs, etc.; it all boils down to what you are trying to accomplish. Your best bet is isolation, without the added fluff of explanations/diagrams/etc.

munkeyoto
1

There are some great answers on architecture and correctly designing a network already, so I won't address those. What I haven't seen mentioned is watching for data exfiltration methods. If someone is inside your network, ostensibly they are looking for additional hosts they can compromise and data that might be useful to them. (Credit cards, authentication-related data, database dumps, email)

What you want to look for in most cases is data that is being sent through non-standard ports. A good intrusion detection system will analyze the data being sent over those ports and trigger an alert if the packet headers / contents do not match what is expected. For instance, since DNS is a necessity for internet access to work, most companies allow outbound DNS. For that reason, there are quite a few data exfiltration methods that use port 53. Some tools will also use TCP ports 80 or 443 since those are also frequently wide open, and it's relatively easy to detect non-HTTP/HTTPS traffic over those ports.

Security works best in layers...harden and update your hosts, segregate your network, have sensible firewall rules in place, monitor for exploit and data exfiltration, audit authentication and use of privileged accounts, etc. Leave as few cracks as possible and make yourself an unappealing target.

Jason M
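The checks described above, that traffic on ports 53, 80 and 443 should look like DNS, HTTP and TLS respectively, as an added example that is not code from the answer. The flow records are constructed, the thresholds are assumed starting points, and "registered domain = last two labels" is a deliberate simplification.

```python
"""Heuristics for exfiltration over ports usually left open (53, 80, 443).

Added example, not code from the answer above.  It inspects constructed flow
records of the kind an IDS or DNS log yields: destination port, the queried
name for DNS, and the client's first payload bytes for TCP.
"""
import math
import re
from collections import Counter

HTTP_START = re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH|CONNECT|TRACE) |^PRI \* HTTP/2")
TLS_VERSIONS = {b"\x03\x00", b"\x03\x01", b"\x03\x02", b"\x03\x03"}  # record-layer versions
MAX_HOST_LEN = 40       # assumed: chars in the labels left of the registered domain
MAX_HOST_ENTROPY = 3.5  # assumed: bits/char; hex or base32 chunks score about 4-5

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores far higher than real hostnames."""
    if not s:
        return 0.0
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def host_part(qname: str) -> str:
    """Labels left of the last two (a simplification of 'registered domain')."""
    return "".join(qname.rstrip(".").split(".")[:-2])

def inspect(flow: dict) -> list:
    """Return alert strings for one flow record; an empty list means nothing odd."""
    alerts, port, payload = [], flow["dport"], flow.get("payload", b"")
    if port == 53 and flow.get("qname"):
        host = host_part(flow["qname"])
        if len(host) > MAX_HOST_LEN or shannon_entropy(host) > MAX_HOST_ENTROPY:
            alerts.append(f"possible DNS tunnelling: {flow['qname']}")
    elif port == 80 and payload and not HTTP_START.match(payload):
        alerts.append("non-HTTP payload on tcp/80")
    elif port == 443 and payload and not (payload[:1] == b"\x16" and payload[1:3] in TLS_VERSIONS):
        alerts.append("non-TLS payload on tcp/443")
    return alerts

# Constructed sample flows from one LAN host: a benign and a suspicious one per port.
SAMPLE_FLOWS = [
    {"dport": 53, "qname": "www.example.com"},
    {"dport": 53, "qname": "9f3a7c1e5b8d2f4a6c0e9b3d7f1a5c8e2b4d6f0a.t.example.net"},
    {"dport": 80, "payload": b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n"},
    {"dport": 80, "payload": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"},          # a file, not a request
    {"dport": 443, "payload": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"},  # TLS ClientHello
    {"dport": 443, "payload": b"SSH-2.0-OpenSSH_9.6\r\n"},                    # another protocol on 443
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow["dport"], inspect(flow) or ["ok"])
```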