Hey y’all, I have a small network with opnsense firewall, a unify ap, some client in different subnets, vpn, DNS and some servers.

As I am completely self thought, I got everything to run reading the docs and forums, but I have no idea how to test if what I build is safe and stable.

Are there good up to date tools, or checklists one could follow to audit the different parts of the network (most important the opnsense config)?

What do you check if looking for security issues?

The network mostly relies on client separation through different subnets on different vlans, but I fear I dont understand how for example the vpn and the nas work together in detail to be sure there is no security implication I oversee.

Also: how do you handle client authentication for devices on the same subnet? I know IP/mac-adress ARP entries are easily spoofed and therefore not secure, but I haven’t seen how to do it correctly

  • IsoKiero@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    3
    ·
    2 days ago

    Perhaps the easiest, and still at least decent, approach is to just run nmap (or any other port scanner) against your own subnets/IP addresses. That way you’ll at least find out if the firewall allows something trough which it shouldn’t, Also you can run tcpdump/wireshark on destination host to see if it receives packets it shouldn’t.

    For client authentication, if ARP filtering is not enough, you could set up 802.1x, but that’s likely a massive overkill (and overhead) for home network. I personally don’t authenticate clients separately. Just WPA2 on wifi and firewall rules to allow/deny traffic between subnets. Sure, it’s pretty easy to bypass, but in practise you’d need to be inside the house to access some parts of the network. But my threat model is mostly about a handful of IOT things which I don’t trust with full network access, not about someone unauthorized getting access to my home network.

    • SomeLemmyUser@discuss.tchncs.deOP
      link
      fedilink
      arrow-up
      1
      ·
      1 day ago

      I tried that a little, but my problem was that there was to much stuff going on in the network for me to understand and review all. I am currently not reachable at all from the big internet, only local server access and I only get working connections if I rset an IP corresponding to the vlan I am in, but unify broadcasting, Nat, VPN, etc. Make a lot of connections and connection attempts internally I dont understand.

      Problem with no client authentication is that the network is used by multiple separate households not necessary trusting each other, and some now want to host servers to the public, which would mean lots of untrusted traffic. I am concerned if they dont handle their security right and have access to for example our shared media server, they could scrape ip-mac address pairs to get deeper in the network. Any thoughts on benefits and lows of 802.1 vs. Radius?

      • IsoKiero@sopuli.xyz
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 day ago

        Radius is a part of 802.1x standard and for your threat model that does absolutely nothing. If a bad actor can access a device already in your network, then network level authentication doesn’t do anything. For example it prevents from someone randomly plugging their device in your switch and getting access that way, or it only allows verified clients to your WLAN. But once the network connectivity is already established you need a totally different tools.

        Mainly that means firewall on your network and/or servers. There’s multiple ways to build that. You could get a separate firewall device to block access from the rest of the network to your devices or you can set up firewall for each of your things separately. All solutions have their own pros and cons and ‘correct’ solution depends on multiple variables.

        • SomeLemmyUser@discuss.tchncs.deOP
          link
          fedilink
          arrow-up
          1
          ·
          edit-2
          1 day ago

          Okay, maybe I’m misunderstanding something, but my thinking goes like this:

          1. A personal computer I dont control, which is infected logs onto the wifi network of family A. This device has no permissions (based on its ip), so it can’t access the shared media server.
          2. This device could spoof a Mac address of a device with permissions on the same network through brute force, so it gets their IP along with its permission (access to media server)
          3. It could at least do bad actions with the permissions inherited from the spoofed device, maybe even spread further if the media server isn’t set up securely.

          In my mind I could prevent this with authentication, as I could force a device to have a keyfile or something in order to use that IP address. So the bad actor would at least first need to get access to the real device and steal the keyfile in order to spoof it. Which (in my mind) is way harder than iterating through all Mac addresses and testing which addresses get which IPs with which permissions.

          The issue i want to solve (with this part) would basically boil down to: securely giving different permissions to devices on the same network/subnet.

          The only other way I would see would be to buy more APs so there is a separate WiFi for every set of permissions I want to give out, so spoofing Mac addresses becomes irrelevant.

          • IsoKiero@sopuli.xyz
            link
            fedilink
            English
            arrow-up
            1
            ·
            21 hours ago

            Just protecting for spoofed IP doesn’t add much in my opinion, at least compared to the effort of setting up and maintaining 802.1x. Easier way would be to set up different local networks per family and allow access to shared services via common firewall. That doesn’t require support from devices nor it doesn’t rely on security on them. Properly setting 802.1x would mean that you’ll need to manage every device on the network somehow and, assuming you don’t actually own or control the devices, that would be at least challenging.

            Your thinking isn’t wrong, in that scenario network level authentication would help, but overhead of such setup is, again in my opinion, way more complex than what you can actually get in return. Of course if you want to just do it for the fun of it, go ahead. And also, if the devices are on the same network, they can sniff MAC addresses and IPs of neighboring devices, so protecting anything with just IP/MAC is a lost cause.