A few things at home.

[can]

Well with the latest news floating about, I have to wonder if I should look at reworking my home network plans or just keep moving foward as is.

So for my own little setup, I am behind a Linux hardware firewall, and have two Seagate Cloud NAS boxes, along with a 2.4/5Ghz Wifi Router and a Gigibit switch on my network, all the computers I have connected over lan are gigibit, I'll explan why soon.

What has me trubbled, is this whole cloud thing. My Seagate NAS boxes are the GoFlex Home, my problem is they require access to the web, to get the bloody things up and running. Well I have done that and then in my (Hardware) Firewall blocked them. Now seagate has this whole access your files anywhere app for the iOS and Android devices, which sadly dosn't work for me, even when I am at home. Why, because it still requires the internet to connect, even when the NAS's are local. I was able to get around this with a 3th party app that is able to access SMB network shares.

These NAS boxes are for holding all my data, so that I can access any of my files from the network drive, without having to use a USB flash drive or what not to use them on a second computer, because I also use my NAS for backup, its nice to have the extrea speed when coping large files or even accessing large files accross my network. (Like streaming hak5 from my NAS)

---

Sadly I still want to have WIndows on one computer, mostly to jump on Second Life and play Left for Dead 1/2. But I am taking a wild guess that someone will tell me that both are on Linux and now are far easer to setup now.

I'm wanting to slowly draw myself into a place where on my local network, I have access to my all my data from a NAS and run OSX, Windows and Linux. Also in time, run both iOS and Windows Phone/Tablet (But with what is comming out, o hell no)

Or if I should start a freash Firewall, redo my network, with a FreeNAS (I did have a freeNAS setup a long time ago, but I had issues with useing only HDDs and the OS wasn't realy stable, this is before it was handed over to the new guys. The Seagate NAS'sI have, well two have a 3TB SATA drive each) system linked with my iMac running OSX any my main PC rinning Mint. Get an iPhone 5 or one of the new iPhones, so I can access the 5GHz Wifi, my iPhone 4s well can't. And turn off my 2.4 Ghz network. And go back to scanning my http logs and block any URL's that I am connecting to that I do not know of or don't want to have access too. (ATM I just look at the ads that are loaded and block them as they come up)

And two laptops as backup systems, and one as a server. (I have picked up a number of thrown out laptops, moslty banged up, but nothing really wrong with them)

---

Urg I never should have started backing up too DVD and bluray, I have fallen behind.

(Update)

Sorry I forgot to add, that I am using both a software firewall and an Antvirus on my windows system.

Edited September 17, 2013 by can

[digininja]

What is the question? You've given a lot of facts and mentioned FreeNAS and a new firewall build but not actually said what you are trying to achieve. Is it just a network with a NAS somewhere on it or do you want more than this? What does the 2.4/5Ghz wifi have to do with it?

[can]

What is the question? You've given a lot of facts and mentioned FreeNAS and a new firewall build but not actually said what you are trying to achieve. Is it just a network with a NAS somewhere on it or do you want more than this? What does the 2.4/5Ghz wifi have to do with it?

Sorry, I'm just lost on how I should setup my home network, with all the BS out there. I'm just thinking aloud.

I'll try and put it this way.

What I am slowly working towards now is a Network, with two Seagate NAS Boxes that houst all my data. And have three main computers, being a laptop, Windows PC and my Mac. Stilling running a Wireless access point with both 2.4 and 5Ghz radio frequency.

Or, should I just chuck the whole thing in and...

Setup a FreeNAS box with both hard drives from the Seagate NAS's I have (I have blocked the internet from talking to the Seagate NAS boxes) and use a few laptops running Linux on my main system with Windows as a side thing. And turn off the 2.4 Ghz side of my access point and only use the 5Ghz side.

What I am trying to achieve is something that would be more secure. What has been floating in the news of late has me a little worried.

[digininja]

What BS is out there and what are you worried about?

If you are worried about attacks you have to think of the following:

Who is going to attack you?

What do you have to hide/lose if they get in?

How much budget in both time and money do you have to put in to this?

Where is your personal balance point between usability and security?

You are asking two questions, one, how should I lay out my network and how should I secure it. You need to break these down, come up with a good structure and then make sure the software on it is locked down.

[can]

What BS is out there and what are you worried about?

If you are worried about attacks you have to think of the following:

Who is going to attack you?

What do you have to hide/lose if they get in?

How much budget in both time and money do you have to put in to this?

Where is your personal balance point between usability and security?

You are asking two questions, one, how should I lay out my network and how should I secure it. You need to break these down, come up with a good structure and then make sure the software on it is locked down.

Well the not so shocking, NSA and Microsoft exploation that has been going on in the news for a while now.

As for your question on who is going to be attacking you, well anybody from anywhere. I know the most secure thing to do it, just unplug the internet and the wifi, my home network will work just fine, even without the net connected.

Well budget wise I don't have any money to spend anymore, I already have the Seagate NAS boxes, I picked them up from the clearence bin.

I don't have anything to hide, but I have my iTunes libary and a tone of eBooks, funny gif/memes etc that I would rather not loose, most are backuped to DVD or Bluray.

As for usability and security, I am already running an antvirus and firewall both from sepreate venders, that and I have my Linux hardware firewall, running and for sometime, hell I have even blocked all but some ports.

[digininja]

Well the not so shocking, NSA and Microsoft exploation that has been going on in the news for a while now.

As for your question on who is going to be attacking you, well anybody from anywhere. I know the most secure thing to do it, just unplug the internet and the wifi, my home network will work just fine, even without the net connected.

Do you really think you'll be attacked by anyone from anywhere? Will the NSA come after you and target your specific network, its unlikely. Are you likely to be a specific target for any attackers, again, unless you upset someone or a group, then unlikely. Your main adversary will probably be script kiddies who run automated scans across areas of the internet and then attack anything they see with a weakness. Defending against script kiddies is completely different than defending against the NSA. For the former, a fully locked down firewall with no ingress rules will keep them out as you aren't offering any attack surface, for the latter, you won't keep them out.

You have to know who you are defending against before you can put up your defences.

Well budget wise I don't have any money to spend anymore, I already have the Seagate NAS boxes, I picked them up from the clearence bin.

I don't have anything to hide, but I have my iTunes libary and a tone of eBooks, funny gif/memes etc that I would rather not loose, most are backuped to DVD or Bluray.

That doesn't sound like you need security, it sounds more like you need a good backup. There are plenty of services which offer that, I'd make sure you go off site in some way just in case anything bad happens to your house.

As for usability and security, I am already running an antvirus and firewall both from sepreate venders, that and I have my Linux hardware firewall, running and for sometime, hell I have even blocked all but some ports.

Have you blocked ports on the way out or in? Good egress filtering is just as important as ingress filtering however it is very hard to do and keep a system running as apps tend to need to talk outbound and you end up opening ports all over the range just so your favourite editor can check for updates and that other app you like can call home.

My personal suggestion would be to build the network you want then make sure you have a well locked down firewall which isn't allowing any inbound traffic. If you want to add a second layer of protection then run Security Onion on a box between your switch and the firewall so it can spot any odd traffic that is leaving your network.

Make sure everything is patched, the best way to do this is to use something like Nessus home feed and give it credentials so it can do full checks.

Back up your stuff to some remote system just in case.

[can]

You have to know who you are defending against before you can put up your defences.

Well the sad thing is, if you plan for one kind of atack, you leave yourself open to pritty much anything else.

That doesn't sound like you need security, it sounds more like you need a good backup. There are plenty of services which offer that, I'd make sure you go off site in some way just in case anything bad happens to your house.

I did have a good online backup service, I'd rather not say who I used, but they screwed up there service and I ended up dropping it.

Have you blocked ports on the way out or in? Good egress filtering is just as important as ingress filtering however it is very hard to do and keep a system running as apps tend to need to talk outbound and you end up opening ports all over the range just so your favourite editor can check for

I have set my firewall to block all ports and I have to open the ones I need to use the services I want, that covers both inbound and outbound.

Make sure everything is patched, the best way to do this is to use something like Nessus home feed and give it credentials so it can do full checks.

Back up your stuff to some remote system just in case.

I have my antviurs, firewalls and OS's set to auto update. And I do check on them every few months or so to make sure things are kept upto date.

[digininja]

Well the sad thing is, if you plan for one kind of atack, you leave yourself open to pritty much anything else.

I'd disagree with that. The defence against script kiddie automated scans is to lock down your firewall and ideally not to allow any inbound connections. This defence also helps protect against a targeted attack.

As I said, work out who you are scared of and defend against that level of attacker. You will then be safe against all those up to that level. I'd suggest your only real worry is against automated script kiddie scans so put things in place to defend against those, if you want to go a step further and defend against a targeted attack from someone with a basic skill level then in defending against them you'll also protect against script kiddies.

I did have a good online backup service, I'd rather not say who I used, but they screwed up there service and I ended up dropping it.

Find someone else then. Having backups at home is only good in certain situations. If your house is robbed or flooded or burns down then all your home backups are gone.

I have set my firewall to block all ports and I have to open the ones I need to use the services I want, that covers both inbound and outbound.

Do you really need to allow inbound access? Unless you are hosting services then the only thing I can think of would be bit torrent which improves with inbound access. If you are hosting your own web site or email server then you have a lot more to worry about than basic network setup.

I have my antviurs, firewalls and OS's set to auto update. And I do check on them every few months or so to make sure things are kept upto date.

So if something fails you are happy to run a couple of months with an out of date browser? That is brave but if it is the level you are happy to work to then there is no problem with that as long as you have made the decision and are happy with it.

[digip]

You have the NAS accessible on the local LAN and want internet access to the files, just setup a tunnel or VPN into one of the home boxes to access the NAS over the tunnel or VPN and pull files down from the internet as needed. Not sure what the issue is. I wouldn't put anything stored on a NAS directly on the internet or in a DMZ, and even though its a NAS, its still a possible pivot point depending on the underlying OS and software in use, so for me, keep everything locked down, VPN home, then access what you need.

[can]

You have the NAS accessible on the local LAN and want internet access to the files, just setup a tunnel or VPN into one of the home boxes to access the NAS over the tunnel or VPN and pull files down from the internet as needed. Not sure what the issue is. I wouldn't put anything stored on a NAS directly on the internet or in a DMZ, and even though its a NAS, its still a possible pivot point depending on the underlying OS and software in use, so for me, keep everything locked down, VPN home, then access what you need.

The thing is I do not wnat to use special software, or have it accessable to the internet. The Problem with the GoFlex NAS boxes, is that they must be conntected to the internet to be setup. There is no way around that.

That was easy to fix, just block the mac address is my firewall from accessing the internet. I do not want my NAS connected to the internet.

But in doing the the Seagate app for things like android and iOS will not work unless the NAS is taking to Seagates servies. To fix that little number I found a paid app that can access SMB shares.

[digip]

The thing is I do not wnat to use special software, or have it accessable to the internet. The Problem with the GoFlex NAS boxes, is that they must be conntected to the internet to be setup. There is no way around that.

That was easy to fix, just block the mac address is my firewall from accessing the internet. I do not want my NAS connected to the internet.

But in doing the the Seagate app for things like android and iOS will not work unless the NAS is taking to Seagates servies. To fix that little number I found a paid app that can access SMB shares.

What I was saying is don't have it directly on the internet. Setup a home VPN or Tunnel, connect to the home VPN, and from there, access the NAS to pull the files down over the tunnel, so its, 1, encrypted and no one can see the data, and 2, NAS is not sitting in a DMZ or port forwarded to in order to reach it.

So long as you got it working though, guess thats all that matters, but does the software you are using encrypt the traffic? If not, then I would think about setting up a way to remote into one of the home boxes over a VPN or Tunnel and then use that machine to pull down the files back to you. Just my 2 cents.

[ksecurity]

@can Hey can...other commentors hit the nail on the head, and you definitely have some options as to your setup. But to address your inital concern about security, digininja's points are dead on as per what approach to take. A rule of thumb to keep in mind when debating how to setup some perimeter defences and how they reflect your concerns about the outside world, is that as you start to increase your security level and mechanisms to a substantial amount, functionality, err I should say ease-of-use has the tendency to go down. Also, the more you add in to whatever it is you try to setup, the potential to increase the attack surface whilst trying to highten security can occur. That's why, like digininja said, if you spend some time identifying what specific threats you think you face, coupled with what it is of value you think you have to protect (other than the crap feeling of being hacked) are, adjust accordingly.

I mean if each machine on your network is run through some form of hardening, nothing to insane, you're good from a vast majority of hackers (more like scriddies). Outside of that, as for home machines and networks, I feel the real threat comes from what you 'invite in' so to speak. Defences become irrelevant if you bring an infection, malware inside the network.

As for you NAS arrangement, apologies if I read wrong but I have something similar and 1)yes it required networking (obviously) but 2) it does not NEED to face the internet in any way, if you setup something wher the NAS is accesssible by all machines on the internal network, make settings or just manually deny external access to anything other than one machine with (like digip said) some kind of tunneling in, your going for a mitigation approach. Talking about rules of thumb, the 'least privilege' mentality can be a life saver.

Anywho, thought I'd chime in..sry if I missed the mark, dead tired and haven't slept for about 28 hrs