Mixing your personal and work devices on the same home network while accessing the Internet is a risky proposition from a security and privacy standpoint. Why? I frequently monitor my firewall logs. What I observe on my WAN interface are blocked connection attempts from IP addresses in adversarial nation states, which makes the hair on the back of my neck stand up. Add to that the unknown threat actors in friendly countries, including domestic locations, performing Shodan-style IP reconnaissance and port scans for vulnerable internet-connected devices to exploit, and the paranoia only grows.
Just from a data privacy perspective, think of your home as filled with endpoints that act as telemetry sensors whose main function is to constantly collect your personal information and store it indefinitely. These endpoints can be used by anyone in your household for work or entertainment, with constant access to the insecure Internet.
The likelihood of being phished for your user credentials, or of a family member unknowingly downloading and installing leaky or malicious apps and games onto these endpoints, is very high. Throw in a couple of inherently insecure IoT endpoints, including smart televisions and personal assistant devices such as Google Home or Amazon Echo, which are used for home automation and require an always-on internet connection in order to work, and your home network and endpoints are left easy for threat actors to exploit.
I also closely monitor my intrusion detection and prevention system (IDS/IPS) alerts and see some scary network traffic on my LAN interfaces as well. The IoT devices and smart televisions inside my home generate a lot of outbound network traffic when they call home, and my family and I browsing social media or retail websites generates more; these are two of the most common scenarios for leaking your stored personal and work data. Threat actors commonly use phishing and pharming attacks, malicious ads and drive-by malware downloads as threat vectors to grab that sensitive data. My family and I would never know that threats existed on our home network and connected devices if I hadn't added network detection and prevention tools. Using just a home wireless router with a rudimentary firewall and network address translation (NAT) as a barrier to keep threat actors out will absolutely not suffice today.
With the onset of the pandemic and the fundamental shift to employees working exclusively from home, these scenarios have been playing out during the past year. The company you work for can enforce zero-trust security policies by fully managing and enabling controls on its endpoints, whether they are physically connected to the corporate network or connected via remote-access VPN. This is great for your work devices, but your personal devices that share the same home network remain unprotected and require additional tools and best practices to mitigate today's sophisticated threats.
When the pandemic hit last year, we wrote a quick blog post about securing your work-from-home environment. That was just the beginning. The goal of this post is to extend the zero-trust security framework to your home by providing some additional tools and techniques to further protect you and your family from threat actors lurking on the Internet.
What do I use for my home network and connected endpoints? Over a year ago, I finally retired my trusty Cisco ASA 5505 firewall: as my internet speed increased, its Fast Ethernet (FE) switch ports became a bandwidth bottleneck for all my home network and Internet traffic. I couldn't enable link aggregation via EtherChannel on the firewall's switch ports to build a faster link to the gigabit Ethernet (GE) interfaces on my wireless access points, because the ASA 5505 did not support that feature.
My inexpensive solution was to buy a mini-PC with four gigabit Ethernet (GE) LAN ports and install the pfSense firewall on it. pfSense has an intuitive admin user interface (UI), and several websites walk you through working configurations to get you up and running quickly. Another option is the OPNsense firewall, whose admin UI layout is much easier to follow. Besides the WAN interface, I created three separate subnets because I had three physically separate LAN interfaces on the firewall.
I segmented my networks into the following configuration. Traffic between LAN interfaces is not allowed. Only outbound traffic is permitted from each LAN segment, destined for the Internet through the WAN interface. The return traffic from the Internet is permitted from the WAN interface back to the originating LAN segment because the firewall's state table matches it to the outbound connection that started it. All other inbound traffic arriving on the WAN interface is blocked.
– The LAN interface is directly connected to my WiFi 6 access point, where my personally owned wireless mobile devices, IoT devices and laptops connect. I enabled WPA3-Personal WiFi security on the access point and on all of our wireless devices that support this newer protocol.
– The OPT1 interface provides an uplink to my managed switch. Connected to the switch are my work laptop and a second wireless access point, so my work mobile device can connect.
– The OPT2 interface provides an uplink to a 5-port unmanaged switch. Connected to this switch is our smart television, so we can stream movies; the TV does not have a front-facing camera. Also connected is the hub for our home alarm system. Premium video streaming services and alarm systems require your location data in order to work properly.
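To make the segmentation policy above concrete, here is what it looks like written directly as a pf ruleset, the packet filter that pfSense runs underneath its web UI. This is an added example, not the author's configuration and not what pfSense generates from the UI; the interface names (igb0 to igb3) and the 192.168.x.0/24 subnets are assumptions chosen for illustration.

```pf
# Added example: a hand-written pf ruleset for the three-segment home network
# described above. pfSense generates its own ruleset from the web UI, so this
# is NOT pfSense output. Interface names and subnets are assumptions.

ext_if  = "igb0"   # WAN
lan_if  = "igb1"   # LAN  - WiFi 6 AP: personal mobile, IoT, laptops
opt1_if = "igb2"   # OPT1 - managed switch: work laptop, work AP
opt2_if = "igb3"   # OPT2 - unmanaged switch: smart TV, alarm hub

lan_net  = "192.168.10.0/24"
opt1_net = "192.168.20.0/24"
opt2_net = "192.168.30.0/24"

# Every internal subnet; "to ! <internal>" below is what keeps the
# segments from talking to each other through the firewall.
table <internal> { $lan_net, $opt1_net, $opt2_net }

set skip on lo0
set block-policy drop        # silently drop, do not send RST/ICMP to scanners

# Outbound NAT for all three segments to the WAN address
nat on $ext_if inet from <internal> to any -> ($ext_if)

# Default deny. pf evaluates top to bottom and the last matching rule wins,
# so this catches everything the pass rules below do not explicitly allow,
# including all unsolicited inbound traffic on the WAN and LAN-to-LAN traffic.
block log all

# Hosts still need DHCP and DNS from the firewall itself (pfSense adds these
# for you when the services are enabled on an interface).
pass in on { $lan_if $opt1_if $opt2_if } inet proto udp from any port 68 to any port 67 keep state
pass in on { $lan_if $opt1_if $opt2_if } inet proto { tcp udp } from <internal> to self port 53 keep state

# Each segment may reach the Internet and nothing else. "keep state" records
# the connection, so the reply from the Internet is admitted by the state
# table and no "pass in on $ext_if" rule is ever needed.
pass in on $lan_if  inet proto { tcp udp icmp } from $lan_net  to ! <internal> keep state
pass in on $opt1_if inet proto { tcp udp icmp } from $opt1_net to ! <internal> keep state
pass in on $opt2_if inet proto { tcp udp icmp } from $opt2_net to ! <internal> keep state

# Let the traffic admitted above leave via the WAN. Note the source is already
# translated by the nat rule by the time the outbound filter sees it.
pass out on $ext_if inet keep state
```

In the pfSense UI the same policy is one pass rule per interface tab whose destination is an alias holding all internal subnets with the "not" box ticked, sitting above the implicit default deny. Two checks are worth doing once it is in place: from a host on LAN, try to reach a host on OPT1 (ssh, ping, or a browser to its address) and confirm both that it fails and that the attempt shows up as a block in the firewall log; and on the firewall itself, `pfctl -sr` shows the rules actually loaded and `pfctl -ss` the state table, where you should see entries for your outbound connections and none for anything initiated from the WAN. The ruleset above covers IPv4 only; if your ISP hands out IPv6, the same segments need matching inet6 rules or the WAN will pass unfiltered IPv6.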