Hey y’all, I have a small network with opnsense firewall, a unify ap, some client in different subnets, vpn, DNS and some servers.

As I am completely self thought, I got everything to run reading the docs and forums, but I have no idea how to test if what I build is safe and stable.

Are there good up to date tools, or checklists one could follow to audit the different parts of the network (most important the opnsense config)?

What do you check if looking for security issues?

The network mostly relies on client separation through different subnets on different vlans, but I fear I dont understand how for example the vpn and the nas work together in detail to be sure there is no security implication I oversee.

Also: how do you handle client authentication for devices on the same subnet? I know IP/mac-adress ARP entries are easily spoofed and therefore not secure, but I haven’t seen how to do it correctly

  • IsoKiero@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 day ago

    Radius is a part of 802.1x standard and for your threat model that does absolutely nothing. If a bad actor can access a device already in your network, then network level authentication doesn’t do anything. For example it prevents from someone randomly plugging their device in your switch and getting access that way, or it only allows verified clients to your WLAN. But once the network connectivity is already established you need a totally different tools.

    Mainly that means firewall on your network and/or servers. There’s multiple ways to build that. You could get a separate firewall device to block access from the rest of the network to your devices or you can set up firewall for each of your things separately. All solutions have their own pros and cons and ‘correct’ solution depends on multiple variables.

    • SomeLemmyUser@discuss.tchncs.deOP
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      1 day ago

      Okay, maybe I’m misunderstanding something, but my thinking goes like this:

      1. A personal computer I dont control, which is infected logs onto the wifi network of family A. This device has no permissions (based on its ip), so it can’t access the shared media server.
      2. This device could spoof a Mac address of a device with permissions on the same network through brute force, so it gets their IP along with its permission (access to media server)
      3. It could at least do bad actions with the permissions inherited from the spoofed device, maybe even spread further if the media server isn’t set up securely.

      In my mind I could prevent this with authentication, as I could force a device to have a keyfile or something in order to use that IP address. So the bad actor would at least first need to get access to the real device and steal the keyfile in order to spoof it. Which (in my mind) is way harder than iterating through all Mac addresses and testing which addresses get which IPs with which permissions.

      The issue i want to solve (with this part) would basically boil down to: securely giving different permissions to devices on the same network/subnet.

      The only other way I would see would be to buy more APs so there is a separate WiFi for every set of permissions I want to give out, so spoofing Mac addresses becomes irrelevant.

      • IsoKiero@sopuli.xyz
        link
        fedilink
        English
        arrow-up
        1
        ·
        21 hours ago

        Just protecting for spoofed IP doesn’t add much in my opinion, at least compared to the effort of setting up and maintaining 802.1x. Easier way would be to set up different local networks per family and allow access to shared services via common firewall. That doesn’t require support from devices nor it doesn’t rely on security on them. Properly setting 802.1x would mean that you’ll need to manage every device on the network somehow and, assuming you don’t actually own or control the devices, that would be at least challenging.

        Your thinking isn’t wrong, in that scenario network level authentication would help, but overhead of such setup is, again in my opinion, way more complex than what you can actually get in return. Of course if you want to just do it for the fun of it, go ahead. And also, if the devices are on the same network, they can sniff MAC addresses and IPs of neighboring devices, so protecting anything with just IP/MAC is a lost cause.