This is going to be long and cover a lot of aspects of a home network, sorry. I'll break it down into full and bullet formats. Thanks in advance.
CLIFFS:
- I'm old; my current knowledge in security/networking consists of IIS and NT 4 Server era hardware/software, you know, when buying a Cisco PIX and calling it good was all there was.
- Want a reliable, secure home network with cutting-edge features (QoS, network-level AV, IPS/IDS, ad blocking)
- Planning to buy a Supermicro SYS-E200-9B; anything better available in mini-ITX or NUC format?
- What software do I want to run? I'm thinking after initial research about pfSense with Squid/Snort. Better options? Should I run multiple pieces of software in VMs?
FULL VERSION:
What I want is to build a new fully secure and safe home network, harden it against attack, and have more control over it in general, with good monitoring and logging. Right now I'm just using a SOHO wireless router with a stateful inspection firewall, because I'm lazy and back in the day stateful inspection was all that was available and needed. I have worked in IT before at a web hosting company, back in the 90s, so I have experience with enterprise-level firewalls and networks, but it's seriously outdated, like from when IIS and NT 4 Server were cutting edge..... So I have old knowledge and understanding of how networks work, but need updated info on new software/hardware. Lately I've just been PC gaming with no attention to keeping up to date with networking.
What I want the software(s) to have:
- Network-level antivirus/malware inspection of all HTTP and HTTPS traffic in real time
- Ability to put my current router in its own network (DMZ) and use it as just a wireless AP with no access to the wired network at all, just internet access (to prevent attacks coming from someone hacking my router; I live in a dense metropolitan area, and from my cell phone I can see over 200 wireless networks, that's how dense... it's insane; figuring out good bands to get decent wireless throughput has been a challenge to say the least, I have more than four 30+ story apartment buildings within a few hundred feet of me)
- QoS/traffic shaping
- IPS/IDS, the more advanced the better
- Would love to have virus/malware inspection of torrent traffic in real time on the network level but have not figured out how to do this yet, any ideas???? Layer 7 DPI looks like it could do this but I have no idea how to implement it. I would imagine that if the torrent traffic is encrypted this will be a monumental task indeed, if it's even possible.
- Ability to block telemetry data going back from the wired LAN to the internet from my and the GF's main PCs (both Win10). I realize this will likely entail packet inspection from the wired LAN PCs over time and customizing the firewall rules to block this; that's OK, I'm willing to put in the time/effort to make this happen. I know how to use Wireshark to inspect traffic/packets and ports, but software that will log this traffic to be inspected later would help. Not sure if any pfSense packages can do this, but I'm willing to make custom firewall rules anyway.
- Ad blocking on the network level (I have a Raspberry Pi with Pi-hole doing DNS-level ad blocking now, which is very effective; I can keep using this, or if there's a better option let me know)
- Caching web proxy to save data usage, transparent proxy ideally
- Good VPN support
- Obviously a DHCP server will be needed
This is spurred on by all the telemetry and data mining going on nowadays, and ads; everyone is after your data and I finally want to put a stop to as much of it as I can and protect my personal data and my network/data seriously, more than what SOHO routers offer, and with all the legal issues with torrents I would like to keep that as anonymous/safe as possible as well. I just want better than what SOHO routers can offer; I want to get back to more of an enterprise level of network monitoring and firewalling. And I'm worried as much about telemetry/data going out as I am about outside attacks coming in. Actually, I'm worried more about personal data going out lol.
To do this I'm planning on buying a Supermicro SYS-E200-9B; this is a quad-core Intel N3700 with 4 Intel NICs in a mini-ITX form factor. I will put the full 8GB of RAM in it and run a 64 or 128GB SSD. If you guys have a better small mini-ITX or NUC-size computer to use, let me know. It has to be small; I'm going to wall-mount it beside my router/cable modem, so no full-size ATX or micro-ATX or rack mount. Would like to keep power usage below 20-30W for the whole system.
From what I can tell after preliminary research, pfSense with Squid and Snort can do most of what I'm after (I used iptables back in the day, that's how old I am....). If there is a better software package to use, please let me know. I'm willing to run this on anything, BSD/Linux/Windows doesn't matter; the hardware I'll be buying can run anything x86, and I'll even go ARM hardware if that is more feasible. I'm out of date on software, let me know. I doubt buying a Windows Server license is worth it over Linux/BSD, but I'm open to anything. I don't care if it's CLI or GUI, I can do both; I'm looking for what's most effective and capable. I just want something that will work and work well, and be as reliable as the price of gold.
A question though: I have never run VMs before for anything beyond basic research on new OSes. I'm currently running a lot of servers on my LAN: a DLNA media server, LAN file server, FTP server, HTTP server, mail server. These are all currently running on different ATX PC boxes or NUCs/Pis on a wired LAN (that's right, I'm running 5 PCs as servers for different tasks, not counting my main PC and the GF's, on various OSes). This consumes a lot of power, and I would like to consolidate these if possible. Would running them and pfSense on the same Supermicro box I'm planning on buying, all in VMs, be as secure as running them separately?
Or am I better off having a dedicated pfSense (or other firewall) box on the perimeter and then running all the servers in VMs, or just all on one OS on one box inside the firewall? The most powerful computer serving currently is an AMD Phenom II 940 with 8GB RAM; I'm sure it could run all the servers in VMs or all on Linux/Windows, if this is as good an idea as running them separately.
To all who read all that, thank you! And let me know your opinions. I hope I didn't come off as a paranoid mofo lol.
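The post asks for software that logs what the two Win10 PCs send out so it can be reviewed later and turned into custom firewall rules. pfSense already produces that log once "Log packets that are handled by this rule" is ticked on the LAN pass rule; the entries land in filter.log via filterlog. The script below is an added example, not code from the post or from the pfSense project: it parses such lines, counts the outside destinations each watched PC reached, and renders the repeat offenders as a pf table. The field offsets follow the pfSense 2.2+ filterlog CSV layout as documented and should be checked against the running version; the PC addresses, the TEST-NET destinations, and the whole sample log are made up for illustration.

```python
"""
Summarise pfSense filterlog lines for the two Windows PCs so that the
destinations they talk to can be reviewed and turned into a pf table.
Added example, not code from the original post.

Assumptions (not from the post):
- Lines use the pfSense 2.2+ filterlog CSV layout: rule,subrule,anchor,
  tracker,interface,reason,action,direction,ip-version, then for IPv4
  tos,ecn,ttl,id,offset,flags,proto-id,proto-text,length,src,dst, then
  src-port,dst-port,...; verify the offsets against the running version.
- The watched PCs are 192.168.1.10 and 192.168.1.11 (made-up addresses).
- Only IPv4 TCP/UDP entries are summarised; other lines count as skipped.
"""
import re
from collections import Counter, namedtuple
from ipaddress import ip_address, ip_network

MONITORED = {"192.168.1.10", "192.168.1.11"}
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r"filterlog(?:\[\d+\])?: (.*)$")   # syslog prefix, optional pid

Flow = namedtuple("Flow", "action src dst proto dport")


def parse_line(line):
    """Return a Flow for an IPv4 TCP/UDP filterlog entry, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    f = m.group(1).split(",")
    # f[0:9] is the common header; f[8] is the IP version
    if len(f) < 22 or f[8] != "4":
        return None
    proto = f[16]                      # protocol text: tcp, udp, icmp, ...
    if proto not in ("tcp", "udp"):
        return None
    try:
        return Flow(action=f[6], src=f[18], dst=f[19], proto=proto, dport=int(f[21]))
    except ValueError:                 # truncated or mangled port field
        return None


def summarise(log_text, monitored=MONITORED):
    """Count passed flows from monitored hosts to non-private destinations.

    Returns (Counter keyed by (src, dst, proto, dport), number of lines skipped
    because they were not parseable IPv4 TCP/UDP entries).
    """
    counts, skipped = Counter(), 0
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow is None:
            skipped += 1
            continue
        if flow.action != "pass" or flow.src not in monitored:
            continue                   # already blocked, or not a watched PC
        if any(ip_address(flow.dst) in net for net in PRIVATE):
            continue                   # LAN traffic, e.g. DNS to the local resolver
        counts[(flow.src, flow.dst, flow.proto, flow.dport)] += 1
    return counts, skipped


def pf_table(counts, name="telemetry_candidates", min_hits=1):
    """Render destinations seen at least min_hits times as one pf table line."""
    addrs = sorted({dst for (_, dst, _, _), n in counts.items() if n >= min_hits},
                   key=ip_address)
    return f"table <{name}> {{ {', '.join(addrs)} }}"


def report(counts, skipped):
    """Human-readable summary, one line per (src, dst, proto, port), most hits first."""
    lines = [f"{n:5d}  {src} -> {dst} {proto}/{dport}"
             for (src, dst, proto, dport), n in counts.most_common()]
    lines.append(f"({skipped} lines skipped: non-filterlog, IPv6, ICMP or truncated)")
    return "\n".join(lines)


# Constructed sample log: TEST-NET destinations, made-up timestamps and IDs.
SAMPLE_LOG = """\
Mar 12 11:54:37 fw filterlog: 5,,,1000000103,igb1,match,pass,in,4,0x0,,128,12345,0,DF,6,tcp,52,192.168.1.10,203.0.113.10,49352,443,0,S,1234567890,,65535,,mss;nop;wscale;sackOK
Mar 12 11:54:38 fw filterlog: 5,,,1000000103,igb1,match,pass,in,4,0x0,,128,12346,0,DF,6,tcp,52,192.168.1.10,203.0.113.10,49353,443,0,S,1234567891,,65535,,mss;nop;wscale;sackOK
Mar 12 11:54:40 fw filterlog: 5,,,1000000103,igb1,match,pass,in,4,0x0,,128,12347,0,none,17,udp,68,192.168.1.11,192.168.1.1,53211,53,48
Mar 12 11:54:41 fw filterlog: 5,,,1000000103,igb1,match,pass,in,4,0x0,,128,12348,0,DF,6,tcp,52,192.168.1.11,198.51.100.7,49400,443,0,S,1234567892,,65535,,mss
Mar 12 11:54:42 fw filterlog: 5,,,1000000103,igb1,match,pass,in,4,0x0,,128,12349,0,DF,6,tcp,52,192.168.1.20,203.0.113.10,50000,80,0,S,1,,65535,,mss
Mar 12 11:54:43 fw filterlog: 9,,,1000000110,igb1,match,block,in,4,0x0,,128,12350,0,DF,6,tcp,52,192.168.1.10,203.0.113.99,49500,443,0,S,2,,65535,,mss
Mar 12 11:54:44 fw filterlog: 5,,,1000000103,igb1,match,pass,in,6,0x00,0x00000,64,tcp,6,40,fe80::1,2001:db8::1,49501,443,0,S,3,,65535,,mss
this line is not a filterlog entry
"""

if __name__ == "__main__":
    counts, skipped = summarise(SAMPLE_LOG)
    print(report(counts, skipped))
    print(pf_table(counts, min_hits=2))
```

Run it against the real log with `clog /var/log/filter.log | python3 summarise.py` after swapping SAMPLE_LOG for stdin. Two caveats for putting the result to use: pfSense regenerates its ruleset from its own configuration, so the table text is meant to be entered as a firewall alias and a LAN block rule in the GUI (or loaded as a URL Table alias from a file), not pasted into a hand-edited pf.conf that would be overwritten; and the list is a set of candidates to review, not a blocklist, because the same CDN addresses that carry telemetry often also serve Windows Update and Store traffic, so blocking on hit count alone will eventually break something you wanted.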