Forgive the n00b question, but I guess I’m a jonhnny-come-lately to the Librem products and the whole security/privacy issues. So, I just ordered a maxed out Librem 14 w/ Qubes OS, but now I’m re-evaluating my whole home network security and privacy.
Consequently, I would greatly appreciate recommendations for best practices and best devices to replace my current network routers and best self-hosting solutions to replace my plethora of Ring doorbells, cameras, and security sensors; I was thinking a maxed out Librem Mini would suffice for a self-hosting device, but what about the other cellular backup security base station, cameras, and other devices and software?
I am using the Turris omnia as my router and am satisfied with it. Since wifi is one of the ways in which big tech snoops on us, I have been toying with moving to powerline networking to eliminate wifi from our domicile. As I have mentioned elsewhere, I use algo vpn as a disposable vpn on my linux box (and, when I get it, L-14) and mobile devices. I keep two vpns at all times, one a standard algo vpn and the other uses decloudus as a dns resolver. I have listed other things that I am doing here.
The current issue that I am grappling with is that the documentation for the router which I am considering says that the router should be vertical but all of the outlets in our apartment would require them to be horizontal(!).
I was hoping that Librem One would be a viable solution but since it’s been down for weeks when I tried to register, any other leading candidates? e.g. ProtonMail/Calendar/Drive?
An interesting question: my impression is that I prefer signal and asked my wife who is also using both and she agreed with me, but chatting about it we are not sure we prefer signal because it is better or because it has been easier to get people to use signal and therefore we have more contacts on signal than threema.
Having used power line, I would either run Ethernet or use wifi if at all possible, powerline can be the solution, but generally that’s when nothing else is an option.
While snooping on wifi is a thing governments can do, so is snooping on powerline so this isn’t really more secure from that threat.
I have powerline deployed where it was the best option, but it still very much has performance limits that are fairly painful.
If you’re afraid of WIFI as most of us here are. For your cameras, suggest PoE cabling. Which means crawling in your attic if you have one. Then do you settle for dropping a wire through a hole in your ceiling or snaking it down to a receptacle? I did the former but strategically placed a tall bookshelf in front of it.
And if you don’t have a recording product with PoE built-in you’ll need a multiport PoE injector.
If you’re really paranoid nothing beats emission control with coax and 10base2, but it is really slow.
Thanks for the info. In my case, it’s not about paranoia, it’s about not letting FAAMG profit off me.
As far as the cameras, they are all outside providing 360-degree coverage around my house so not worried too much about that. As far as the wifi, I’m in the country off a long driveway so just have to worry about a few neighbors in wifi range.
Security Onion is a free and open source Linux distribution for threat hunting, enterprise security monitoring, and log management. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!
Security Onion includes Elasticsearch, Logstash, Kibana, Suricata, Zeek (formerly known as Bro), Wazuh, Stenographer, TheHive, Cortex, CyberChef, NetworkMiner, and many other security tools.
It’s an oldie but goodie. Highly recommend. And lots of documentation and a couple of good books too. Easy to get into with a bit of practice.
Truth be told, I don’t run it because I have a commercial option available to me at no personal cost; however, Security Onion is where I cut my network security monitoring teeth. And it’s free! If I didn’t have a commercial choice at my disposal, I would be running SO for sure.
To answer the actionable question - I would run it on its own hardware and would attach the Zeek interface either to a network tap (DualComm makes a good one: https://www.dualcomm.com/collections/network-tap in the ETAP-2003) or if one has a managed switch - attach it to a trunk interface.
You don’t have to give up WiFi. Get multiple access points, and lower their emission power such that they aren’t visible where you don’t want them to. Disable 2.4GHz radios for bonus points.
That would require you to configure proper handoff between them, though.
The worst cameras are ones that insist on connecting to the internet and make your video available from the internet and run blackbox software so you have no idea what they are doing with the internet.
You need to decide whether access from the internet is or is not a requirement - and if it is not a requirement but you have cameras that access the internet then you should block them at the internet gateway.
How can we separate devices from each other in the network?
Say we have devices like a server, *nix and windows desktops / laptops, Linux and android smartphones & tablets, IoT devices like TVs and sockets, networking devices like routers. Some devices we consider trusted and some untrusted.
Now I want at least to separate the untrusted devices from the trusted. Ideally even more: separating all untrusted devices from each other.
We could put the untrusted devices into an extra IP subnet, but AFAICS an untrusted device could simply register IP addresses for other IP subnets and so could access that subnets where it shouldn’t have access to. So I guess we need some kind firewalling.
Which we probably need anyway because we also some untrusted devices shoud have full internet access and others only partially and the rest none internet access at all.
What approaches do we have? Consumer market routers are usually limited. Sometimes a DMZ can be defines which would be a first step, but think none of my routers can manage multiple zones. I’m not sure if one of them has a DHCP server able to handle to give many devices an IP in an extra subnet. What they have is a function to manually define routes. I tried that once without success. I am not sure how far we could go with this.
At that point I would say to consumer users: welcome to professional level networking.
Do we need networking equipment capable of managing virtual networks and Ethernet port security?
Or should we run pfsense in a VM on the server and route all traffic through it? Would maybe set the server under risk if it is not dedicated for this purpose alone.
Or can this be achieved by dhcpd and nftables (successor over iptables) alone?
I think most of us who take security seriously are grappling with this. It is too easy to buy the latest gadget and said gadget wants to be on the network and maybe even on the internet.
It is easy to get it working but it is not easy to get it working securely.
Some random ideas:
if the gadget connects using WiFi then use a WAP that allows you to control or separate traffic e.g. through multiple SSIDs (and the untrusted device can’t put itself on a different SSID assuming that you use a different and strong WPA key on each SSID)
use a switch that allows L3/4 filtering (which might be able to enforce a separate subnet if you wanted to have two subnets on the same network - as you discuss)
a switch with VLAN capability is an option but I think you will run into trouble if the untrusted device requires internet access and your router does not support VLANs
put the untrusted devices on their own subnet and network and put a router between their subnet and the main subnet and implement firewall rules in that router (this doesn’t isolate untrusted devices from each other)
Yes. Exactly.
In my case though I may still want untrusted devices to be able to access core services like DHCP and DNS.
