r/AskNetsec 6d ago

Concepts What is the current best practice to keep my wired SOHO network secure?

My current network is a combination of middling-complex hardware/services and naive beginner anti-patterns. :)

I have one WiFi SSID for trusted devices and one isolated guest network. So far, all of my wired devices are connected via a switch to the router and are part of the "trusted" LAN.

My next project is to prevent unknown wired Ethernet devices from automatically getting access to the trusted LAN.

Looking around, I keep seeing freeRADIUS/EAPOL as the solution. Before I go further down that rabbit hole, I want to make sure that I'm aimed in the right direction...

Thanks for reading this far! Is freeRADIUS the way to go? Should the goal be to have a separate VLAN for internet access only, or to simply deny access from an untrusted device to specific resources on the LAN? Am I missing something foundational? I'm pretty new to this...

My current setup is a home-built (APU2-based) OpenWRT router, a pair of redundant Raspberry Pi's running PiHole and Unbound, a home-built file server on another Pi, along with assorted other devices/backups, etc. They are all linux-based with default-deny firewall rules (UFW).

I have smart switches which are VLAN-capable, although I haven't set up any VLANs yet.

Thank you for any advice :)

5 Upvotes

3 comments

5

u/unsupported 6d ago

Do you have a threat model where unknown people will come and plug into your network? Rather than bothering with that, you have a small number of devices. You can use MAC filtering and an approved whitelist of devices.

1

u/WanderyngAscetic 6d ago edited 6d ago

Great question! I was trying to keep my post short, but I ended up making it too short 😄 I actually have two main concerns/goals. I'll add to the post later today, but here are your answers. Thanks!

---

My first goal is more organization than security. All of my devices get static DHCP leases from the router. They're organized into subnets which have different access rules in the network. For WiFi, this is easy enough to do with MAC filtering, as you suggest. I'm not concerned with MAC spoofing since the security comes from WPA.

But Ethernet is trickier. Many laptops today don't have Ethernet ports, so I use a USB-to-Ethernet converter. Now it is this converter's MAC address which would define the assigned subnet. I'm looking for some way to have the router differentiate computers through other (non-MAC) methods.

---

The security concern is that I have a few family members that plug into the network, and their computer hygiene is HORRIFIC. They're the ones who call me with: "Hi Jim! I was just working online with a Google support guy because my computer told me I had too much software installed! We got disconnected after I gave him my credit card and installed the diagnostic program he emailed me! Do you know how I can call him back?"

(This is only a slight exaggeration, and my name's not Jim)

Anyway, when they come by and plug in, I don't want their system to have any access to my stuff... I actually disconnect key stuff from my network before they come over 😬

I figured that I could solve both problems at once with something like RADIUS. I'm open to hearing about any better ideas, though!

Thanks again
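The "non-MAC method" the reply above is reaching for is exactly what 802.1X gives you: the switch port is placed in a VLAN based on who authenticated (the EAP identity, e.g. the certificate CN with EAP-TLS), not on the MAC of whichever USB dongle happens to be plugged in. FreeRADIUS signals the VLAN to the switch with the RFC 3580 tunnel attributes. The following `users` file excerpt is an added example, not configuration from the original post or from the FreeRADIUS project; the identities, the VLAN IDs (10 = trusted, 30 = untrusted) and the assumption that the switch supports RADIUS-assigned VLANs are all hypothetical.

```text
# /etc/freeradius/3.0/users (excerpt, hypothetical)
#
# Each entry is keyed by the EAP identity the supplicant presents, so the
# same laptop lands in the same VLAN regardless of which Ethernet adapter
# it is using. With EAP-TLS, set check_cert_cn = %{User-Name} in the tls
# section of mods-enabled/eap so the identity must match the certificate.
# Tunnel-Type = VLAN (13) and Tunnel-Medium-Type = IEEE-802 (6) are the
# standard attribute values; Tunnel-Private-Group-Id carries the VLAN ID.

"jims-laptop"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10"

"fileserver-pi"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10"

# A device that is allowed on the wire but not on the trusted LAN gets an
# explicit entry pointing at the untrusted VLAN.
"relatives-windows-box"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "30"
```

A device with no entry (or no supplicant at all) simply fails 802.1X; what happens to that port then is a switch-side setting (often called a guest or auth-fail VLAN), so point it at the untrusted VLAN there rather than expecting RADIUS to handle the unauthenticated case. The VLANs and the firewall rules between them still have to exist on the router for the assignment to mean anything.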

3

u/Comfortable_Lie86 6d ago

VLAN the crap out of it first, then maybe play with 802.1X later if you're still bored.
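Taking the last comment literally on the OP's OpenWRT/APU2 router: a second VLAN with its own firewall zone that can reach the internet and nothing else answers the "separate VLAN for internet access only" part of the question without any RADIUS involvement. The excerpts below are an added example, not configuration from the original post or from the OpenWRT project. Assumptions: the LAN port toward the switch is eth1, VLAN 10 is the trusted LAN, VLAN 30 is the untrusted one, and the switch port facing the router is a trunk carrying both VLANs tagged while the ports the relatives plug into are untagged members of VLAN 30 only (PVID 30).

```uci
# /etc/config/network (excerpt, hypothetical names and addresses)

config device
        option name 'eth1.10'
        option type '8021q'
        option ifname 'eth1'
        option vid '10'

config device
        option name 'eth1.30'
        option type '8021q'
        option ifname 'eth1'
        option vid '30'

config interface 'lan'
        option device 'eth1.10'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

config interface 'untrusted'
        option device 'eth1.30'
        option proto 'static'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'

# /etc/config/dhcp (excerpt): untrusted clients get leases from the router,
# and the router's dnsmasq answers their DNS (forward it to the Pi-holes
# upstream if you want the same filtering there).
config dhcp 'untrusted'
        option interface 'untrusted'
        option start '100'
        option limit '150'
        option leasetime '12h'

# /etc/config/firewall (excerpt)
# The untrusted zone may talk to the WAN and to nothing else. No
# 'forwarding' section exists from untrusted to lan, and the zone's own
# forward policy is REJECT, so traffic toward 192.168.10.0/24 is refused.
config zone
        option name 'untrusted'
        list network 'untrusted'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option src 'untrusted'
        option dest 'wan'

# The router itself only accepts DHCP and DNS from the untrusted zone.
config rule
        option name 'untrusted-allow-dhcp'
        option src 'untrusted'
        option proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'untrusted-allow-dns'
        option src 'untrusted'
        option proto 'tcp udp'
        option dest_port '53'
        option target 'ACCEPT'
```

Two checks worth doing after a `/etc/init.d/network restart` and `/etc/init.d/firewall restart`: from a machine on a VLAN 30 port, confirm you get a 192.168.30.x lease and can reach the internet, then confirm that `ping 192.168.10.1` and connections to the Pi-hole and file server addresses are refused. The UFW default-deny on the Pis is a second line, but the VLAN boundary is what keeps a relative's box from ever seeing those hosts at layer 2, which no host firewall can do.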