Tuesday 25 April 2017

Securely implementing a home network



As we speak I am in the process of designing my new home; luckily, my wife-to-be and I are in the position where we get to build from scratch. The beauty of building from scratch is of course that you start with a blank canvas. We are at the stage where all the necessities have been figured out, such as heating systems, insulation, build type, house size etc., so it's time to get to the really fun part... the home network.

Having passed my CCNA over 3 years ago, my networking has gone a tad off the boil, so this is a great excuse to get myself back up to scratch. The beauty of building a network from scratch is that you can do whatever you want, and that is exactly what I plan on doing. As I work in security I won't be detailing the underlying hardware components, but I will give the high-level view.

My first consideration is cable type, and at a little more expense I have decided to run with CAT 6A throughout the house. Remember, if you choose CAT 6A make sure your wall jacks are also CAT 6A, as well as any other network hardware component that delivers connectivity throughout your home.
For flexibility I will be running with unshielded twisted pair CAT 6A, and I am also going to run in some external cable in case I ever decide to run CCTV.

I aim to install approximately 26 ports internally and a number externally, so I have chosen a 48 port managed switch to connect everything to.
Choosing your switch is important from a network security and stability perspective: you should try to get a switch that supports multiple VLANs, QoS, Access Control Lists, IP Source Guard, port-level controls and Dynamic ARP Inspection. This will cost a few bob but will give you great control over how your network works. The above are just examples of a few security features, and if you want to know more about each I'm sure Google will be an obliging teacher.

As a general helpfulness note, when you pull in your cables label each one at the wall with the corresponding port number on the switch. This practice can be a pain in the ass but you will thank yourself later. Once you have your ports labelled and patched it's time to decide the function of each port and make a list.

I suggest grouping the ports that will carry the same traffic together such as:

- Wireless Access Point traffic
- VOIP traffic
- IOT devices
- Media and Smart TVs
- Home Heating System / Solar
- CCTV
- Office

Once you have worked out which ports map to which service, group these ports into VLANs; this will help protect your traffic by segregating your services and help to aggregate your network.

For ports where the devices won't change I suggest binding the MAC address to add a small bit of integrity. Switches with QoS options are great, as you can now easily configure what traffic you want to give priority to, such as VOIP or media. This gives you more granular control over how your networked devices will work.
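To make the two ideas above concrete (one VLAN per service group, MAC binding on ports whose device never changes), here is a small Python model of the plan, added to this post as an illustration rather than taken from it or from any switch vendor. It lets you sanity-check the inter-VLAN policy on paper before typing it into the real switch. The VLAN IDs, port numbers, MAC addresses and the allow-list itself are all constructed assumptions; VLAN 99 stands in for the router/uplink side that every group needs for internet access.

```python
# Added example (not from the post): a small policy model of the segmentation
# plan, so the rules can be reasoned about before they go onto a managed switch.
# VLAN IDs, port numbers and MAC addresses below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# One access VLAN per service group (IDs constructed). VLAN 99 models the
# router/uplink side that every group may reach for internet access.
VLANS: Dict[str, int] = {
    "wap": 10, "voip": 20, "iot": 30, "media": 40,
    "heating": 50, "cctv": 60, "office": 70, "uplink": 99,
}

# Which VLAN may *initiate* traffic to which (assumed policy). The office can
# reach everything; IoT, CCTV, media, heating, VOIP and the wireless VLAN may
# only talk within their own VLAN and to the uplink, never into the office.
INTER_VLAN_ALLOW: Dict[int, Set[int]] = {
    VLANS["office"]: set(VLANS.values()),
    VLANS["uplink"]: set(VLANS.values()),
    **{VLANS[g]: {VLANS[g], VLANS["uplink"]}
       for g in ("wap", "voip", "iot", "media", "heating", "cctv")},
}


@dataclass
class Port:
    number: int
    vlan: int
    bound_mac: Optional[str] = None   # set only for devices that never change
    description: str = ""


@dataclass
class Switch:
    ports: Dict[int, Port] = field(default_factory=dict)
    violations: List[Tuple[int, str]] = field(default_factory=list)

    def add_port(self, port: Port) -> None:
        self.ports[port.number] = port

    def admits(self, port_no: int, src_mac: str) -> bool:
        """Port security: a bound port only accepts frames from its bound MAC.
        Anything else is recorded as a violation and dropped."""
        port = self.ports[port_no]
        if port.bound_mac is None or port.bound_mac.lower() == src_mac.lower():
            return True
        self.violations.append((port_no, src_mac))
        return False

    def decide(self, ingress: int, src_mac: str, egress: int) -> str:
        """What happens to a frame entering on `ingress` with source `src_mac`
        that is headed for the device plugged into `egress`."""
        if not self.admits(ingress, src_mac):
            return "drop:port-security"
        src_vlan = self.ports[ingress].vlan
        dst_vlan = self.ports[egress].vlan
        if src_vlan == dst_vlan:
            return "forward:same-vlan"        # plain layer-2 switching
        if dst_vlan in INTER_VLAN_ALLOW.get(src_vlan, set()):
            return "route:acl-permit"         # crosses VLANs via the router
        return "drop:acl-deny"


def build_home_switch() -> Switch:
    """Port map following the service groups listed in the post (values constructed)."""
    sw = Switch()
    sw.add_port(Port(1, VLANS["office"], description="office desk"))
    sw.add_port(Port(2, VLANS["office"], description="office NAS"))
    sw.add_port(Port(5, VLANS["iot"], bound_mac="aa:bb:cc:00:00:05", description="smart plug"))
    sw.add_port(Port(6, VLANS["iot"], description="thermostat hub"))
    sw.add_port(Port(9, VLANS["cctv"], bound_mac="aa:bb:cc:00:00:09", description="front camera"))
    sw.add_port(Port(12, VLANS["voip"], description="desk phone"))
    sw.add_port(Port(48, VLANS["uplink"], description="router uplink"))
    return sw


if __name__ == "__main__":
    sw = build_home_switch()
    # Constructed sample flows: office -> IoT, IoT -> office, IoT -> IoT,
    # a stranger's MAC on a bound IoT port, and the camera heading for the uplink.
    for ingress, mac, egress in [
        (1, "aa:bb:cc:00:00:01", 5), (5, "aa:bb:cc:00:00:05", 1),
        (5, "aa:bb:cc:00:00:05", 6), (5, "de:ad:be:ef:00:01", 6),
        (9, "aa:bb:cc:00:00:09", 48),
    ]:
        print(f"port {ingress:>2} -> port {egress:>2}: {sw.decide(ingress, mac, egress)}")
    print("port-security violations:", sw.violations)
```

The allow-list only describes who may open a connection; the return half of a permitted flow is assumed to be handled by a stateful firewall on the router, which is where the real inter-VLAN ACLs would live. The `violations` list is the kind of event you would want your switch to log (and alert on) when a bound port sees an unexpected MAC, since that is exactly the "small bit of integrity" the binding buys you.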

I suggest you also buy a switch that has a number of gigabit uplink ports so you can connect into your router.
For my choice of router I want something that is capable of holding a solid baseline and is powerful; I also want it to be able to handle VOIP traffic and run a VPN. Installing a VPN at the router level can cause issues, so unless you're technical I might skip this part. Remember, I have no problem spending my weekends fluting around with this stuff till it's fine-tuned.

There is also the option to add in additional security such as firewalls, or I could fire up Snort to give me some intrusion detection capabilities, all of which I have ample time to prepare for. The main point of this post is that implementing a home network should cause you to think about how you want it to work, what you want to use it for and how secure you want to be. If you're not technical leave it to the pros, but make sure you get someone who knows what they're doing or you could be exposing yourself to a whole world of hurt.