Part 3 | Ultimate Home Network 2021 | VPN, IPS, Port Security, and Port Forwarding on UniFi 6.0

Captions
Today on The Hook Up, it's part three of my ultimate secure smart home network series. In part one I walked you through hardware selection using UniFi equipment, in part two I covered VLANs, wireless networks, and firewall rules, and today we're going to look at port security, intrusion prevention systems, and VPNs on the UniFi 6.0 controller. In part two of this series I mentioned that I made a questionable decision by putting my most untrusted devices, which are my IP security cameras, onto my main untagged VLAN. Some of the questions that I saw in the comments indicate that you may need a crash course in networking, so here's a quick and dirty overview of network communication. This definitely won't be the most in-depth look at the OSI model that you've ever seen, but it will hopefully be easy to understand and give you enough information to help you make the right decisions for your network.

This video is sponsored by PCBWay.com. If you're a tinkerer, inventor, or maker and you haven't checked out PCBWay, you are seriously missing out. They obviously produce full-featured printed circuit boards with a ton of different materials and options, but now they offer basically everything you need to turn your ideas into a physical reality. Whether you need 3D printing, injection molding, CNC machining, assembly, or just plain old PCB manufacturing, PCBWay can do it all for highly competitive prices. Check out PCBWay's awesome services using the link in the description to support this channel.

Layer one in the OSI model is called the physical networking layer. Whether your devices get connected with radio waves, coaxial cables, ethernet, or fiber, it's still layer one. Layer two is called the data link layer, which is not a super helpful name, especially when it comes to VLANs. When two devices are on the same LAN segment, VLAN, or subnet, meaning that they share the same base part of their IP address, they can communicate directly using a network switch. You see, a switch has a big table of device MAC addresses and the corresponding port on the switch that they're attached to. One device sends out a network frame with a source MAC address and a destination MAC address, and when that frame reaches the switch, the switch will look it up in its table and send it out to the correct port. Importantly, layer 2 communication doesn't require any input from the router and therefore can be done very quickly and efficiently, but since the router isn't involved, that also means that it doesn't check any firewall rules, and therefore we can't deny communication between devices on the same VLAN using firewall rules. Layer 3, on the other hand, is the network layer, which is a fancy way of saying that it uses a router to determine the correct path between devices that aren't on the same subnet. If two devices are on different VLANs and therefore different subnets, they need to go through the router in order to communicate, and as I said before, if they use the router they also get checked for firewall rules, which then allows us to regulate their traffic.

All right, back to the problem at hand. I made a firewall rule to block my security cameras from the internet and from my other VLANs, but I can't block them from communicating with devices on the same VLAN because they don't need to use the router to do that. So as I mentioned before, the easiest way to break into my network would be to come to my house, tear down a security camera off the wall, and then plug your device into that camera's ethernet cable. So to minimize that threat I'm going to use a feature that's available on UniFi and most other managed switches called MAC filtering. To do this, find the client that you want to assign to that port. In this case it's a Hikvision camera. In the right-hand panel you can see the device's MAC address, which you'll need to copy. You can also see the port that it's attached to, which in this case is port 1 on my 16-port Gen 2 switch. Clicking on that link will bring up the switch, and then you can select the ports menu at the top and click on the pencil icon to edit the profile of that switch port. Anytime I make a MAC address isolation, I always name the switch port accordingly so I don't end up pulling my hair out later if I ever need to change the device attached to that port. Under MAC filter, paste in the MAC address that you copied from the clients page and then hit add, then scroll down to the bottom and hit apply. You'll see your switch change to provisioning, and after it's done, the only device that will be able to connect via that port is that specific camera. Now technically someone could grab the MAC address of the camera and then use that MAC address to spoof the MAC address of their own device, which would then allow them to have access to other devices on my network via layer 2, but honestly this solution is plenty secure for me, and unless you're storing government secrets on your network, it's probably good enough for you too. As always, I encourage you to test things for yourself, but as you can see in this example, connecting my laptop to the restricted port doesn't even give me an IP address, so not only can I not access the internet, but I also can't access any other devices on the network.

I also mentioned in my last video that I wanted my daughter's PC to use the content filtered network, so what I'll do is find her computer on the client list and take note of which port on the switch it's connected to, then click through that switch and under ports hit the pencil icon to edit the overrides and then select the family network as the available profile. This will force any traffic attached to that specific port onto the content filtered network. This is also how you would put an entire unmanaged switch onto a specific VLAN: just make sure that the uplink port that you're using is assigned to the correct VLAN in the override section, and then all of the ports on the unmanaged switch will also be on that VLAN. If you have unused ethernet ports in public places, it is best practice to leave those ports completely physically disconnected from the switch. This is a process called air gapping, and it probably applies to very few homes, but in the off chance that a business is watching this guide, please don't leave public ethernet jacks attached and connected to your main VLAN. They are by far the easiest point of entry for any attacker with physical access to your building, and honestly it's just as bad or worse than leaving the room with all of your client records unlocked.

Even though firewall rules and port security are the most important tools for securing your network, there are a few other features available in the Dream Machine Pro that can provide additional layers of security, specifically IPS and IDS. IDS stands for intrusion detection system, while IPS stands for intrusion prevention system, and they both have the same main concept but different final outcomes. IDS and IPS work in the same general way as antivirus software on your computer, which is oddly similar to your body's own immune system. Basically, when a new virus is discovered, security researchers try to pinpoint a part of that virus that's sufficiently unique to identify without also falsely identifying non-virus files. They call this part of the file the virus's signature. These signatures get added to an ever-growing and constantly updated database that your antivirus program can reference as it's examining each file on your computer. If part of the file matches a signature in the database, it will be flagged, quarantined, or just outright deleted depending on the preferences that you set. IDS and IPS work in the same way in that they reference a large database of signatures related to malicious network traffic. If you have intrusion detection enabled, any matches will generate an alert that you'll have to deal with yourself, while intrusion prevention will block that traffic automatically. The likelihood of false positives and the impact on your network if legitimate traffic is blocked will determine whether IDS or IPS is right for you.

It's also worth noting that inspecting each packet for malicious traffic is pretty CPU intensive, and while the Dream Machine Pro claims to have three and a half gigabits per second of throughput with IPS enabled, this metric is tested using very similar traffic types and packets, and it's reasonable to expect that real world throughput may be less. I have actually been able to successfully cap out my Dream Machine Pro's CPU at 100% utilization by downloading multiple very large torrent files at the same time. This increase in CPU utilization is likely due to the nature of torrent files, where the data is being pulled from hundreds or sometimes even thousands of unique sources very quickly. Under non-torrent based heavy transfers the CPU utilization never even gets close to 100%, so I imagine that's got something to do with it. To that end, you can actually select categories in the IPS menu to refer to a specific subset of signatures for malicious traffic, so if you want to use peer-to-peer software on your network and you're concerned that your traffic will be blocked by IPS or that your network speeds will be significantly slowed, you can actually just disable that whole subset of malicious signatures. UniFi hasn't been particularly transparent about where they're pulling their signature database from, whether they're maintaining it on their own, or how often it's being updated, but most people who know more than me seem to think that it's largely based on a product called Suricata, which is a popular open source IPS and IDS solution. I also can't find any information as to whether the signature files are being automatically pushed to the UDM or whether they're being pushed with each new firmware upgrade, but I definitely hope they're going to offer that option to upgrade signature files without completely updating the firmware of your device, because signature updates should be happening significantly more than device updates, and you should be able to do them without the fear of breaking changes.

All right, so that covers the security of the devices that we willingly attach to our network, but one of the largest vulnerabilities of any network comes when we override the implicit deny rule for incoming traffic. As I said in part two of this series, basically all networks are set up so that internal traffic can leave and returning traffic, called established and related, is allowed, but external traffic shouldn't be allowed to initiate a connection with anything on your network. However, if you're running a service on your home network like a media server, camera system, or home automation hub, you may want to be able to access that service from outside your network, and the way that you do this is by forwarding requests made to your external IP address to an internal IP that runs that service. If you imagine your firewall as a giant building with hundreds of office doors called ports, knocking on most of them will get no answer, but occasionally when you knock on a door it will open and you'll be led down a hallway to another door which belongs to a specific device on your network. In the UniFi controller you can see all of your forwarded ports in Advanced Features, Advanced Gateway Settings, and then Port Forwarding. They also show up in your firewall rules as ghosted text that cannot be edited. If you have ports forwarded that you don't remember doing, you may have UPnP enabled, which is a service that allows devices on your network to request that a port be opened. There is almost no reason to have UPnP enabled on your network, so you should definitely disable that in the Advanced Features menu and then take a hard look at which devices you actually want to have exposed to the internet. The more devices on your network that are exposed in this way, the greater your risk. In cyber security we refer to this as your attack surface, and the best practice is to minimize attack surface as much as possible. Think about a castle: a castle wall doesn't have hundreds of exterior doors, it has one main door that's highly fortified. Basically, instead of needing to ensure that each machine and service on your network is secure, which is often impossible with devices like security cameras and NVRs, you put all of your services behind a single door and then you fortify that one door as much as possible.

If you're running a lot of services for a lot of people, then you might need to set up something like a reverse proxy for the store, but for most people with only a few services and a few different people who want to be able to connect to them, the best and most secure solution is to use a virtual private network, or VPN. VPN in this context is not like the ones that you see advertised on YouTube all the time. A VPN is a secure tunnel between one device and another. In the case of NordVPN or TunnelBear, you have a secure tunnel between your computer and a device at a remote location called a VPN concentrator. This type of VPN allows you to securely send your internet traffic to this remote location through an encrypted tunnel, and then your traffic leaves that remote location exactly as if your computer was located inside of that site. This is useful if you're trying to hide your traffic because you're doing something illegal, or if you want to access content that's not normally available in your region. The VPN that we're going to set up works in the same way but for a totally different purpose. Anytime that we're outside of our home network, we'll use a VPN tunnel to connect back to the Dream Machine Pro, and then after that all of our traffic will appear to be originating from inside of our local network, which allows us to access all of our local services just like we can when we're home, but without the risk of exposing those services to the internet.

To set up a VPN in the UniFi 6.0 controller, click on Settings and then Advanced Features, and scroll down to where it says RADIUS server. RADIUS stands for remote authentication dial-in user service, even though dialing in really isn't a thing anymore. In this default profile you'll want to define a user for each person who's going to log into your VPN, in this case me and my wife. Each user has their own password to protect their specific account, and the VPN itself has a password to prevent unauthorized access. As you can imagine, best practice is for each of these passwords to be strong and unique. Don't use the same password for your VPN as you do for your users. Next, head back over to the network section and add a new network. Give it a descriptive name, and then under VPN settings you'll select remote user. The only protocol that's supported by the UniFi VPN is L2TP, so you can't change that, and then under pre-shared key you're going to enter a secure password that your users will need to know in order to connect to your VPN. Enter the gateway and subnet that you want your VPN clients to connect to, and then remember to adjust your local IP addresses firewall rule to include this new subnet. For name server you can just leave it on auto, and then make sure your default RADIUS profile is selected. To use this VPN on your remote device, you'll add a VPN configuration using L2TP. Then for server you'll put in your external IP address for your Dream Machine Pro, or use a dynamic DNS service like Duck DNS. For account you'll put in the name that you defined in your RADIUS profile and then the password for that user. The secret is the main password for the VPN that you defined when you set up your new network. If your device supports split tunneling, you can configure it so only individual programs and services will use the VPN, but for the most part you should just select send all traffic for the most trouble-free configuration.

A VPN solution isn't perfect, and some services aren't going to operate properly without exposing them to the internet. Push notifications, for example, are a service that typically requires port forwarding, and it's difficult to change those settings to set up push to work within a local network. As always, after you put a solution in place you should test it to make sure it functions as you expect it to. You can see, for instance, that when I try to connect to my Blue Iris camera server on the cellular network I get the response "no connection to the server", but after connecting to my VPN the server connects almost instantly, allowing me to remotely view my cameras without needing to expose them to the internet, because the VPN makes it appear as if the traffic is local.

Am I telling you that you absolutely shouldn't do any port forwarding? No, but for each service you're considering exposing, you should ask yourself these four questions. Number one: how sure can I be that the developers of this service were both competent and security conscious enough to minimize vulnerabilities? Number two: how often is this service being upgraded to provide security patches for the ever-evolving cyber security race? Number three: what data or privacy is at stake if the service is compromised? And number four: how likely is it that other devices in the house could be attacked as a result of this forwarded service being compromised?

In the future I may make a video about reverse proxies and more robust VPN solutions than the built-in UniFi VPN, but for now this series has been long enough. So thank you so much to my awesome patrons over at Patreon for continuing to support this channel. If you're interested in supporting this channel, please check out the links down in the description. If you enjoyed this video, please hit that thumbs up button and consider subscribing, and as always, thanks for watching The Hook Up.
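The layer 2 versus layer 3 distinction that drives the whole port-security argument in the captions, written out as an added Python example. This is not code from the video or from Ubiquiti; the VLAN subnets, the rule set and the sample flows are constructed for illustration, and the model is deliberately stateless (the "established and related" return-traffic exception is not modelled). It shows why a camera-to-camera flow on the same VLAN is never evaluated against the firewall at all, which is the gap the video closes with a MAC filter on the switch port rather than with another firewall rule.

```python
import ipaddress
from dataclasses import dataclass

# Constructed VLAN plan for the example; the video does not give its real addressing.
VLANS = {
    "main": ipaddress.ip_network("192.168.1.0/24"),
    "cameras": ipaddress.ip_network("192.168.20.0/24"),
    "iot": ipaddress.ip_network("192.168.30.0/24"),
}


@dataclass(frozen=True)
class Rule:
    action: str  # "deny" or "allow"
    src: str     # VLAN name, "internet", or "any"
    dst: str     # VLAN name, "internet", or "any"


# Constructed rule set with the intent the video describes: cameras may not reach
# the internet or the other VLANs, and nothing outside may initiate a connection
# inward. Return traffic for established flows is intentionally not modelled.
RULES = [
    Rule("deny", "cameras", "internet"),
    Rule("deny", "cameras", "any"),
    Rule("deny", "internet", "any"),
]


def vlan_of(ip: str) -> str:
    """Return the VLAN name whose subnet contains ip, or "internet" if none does."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "internet"


def evaluate_rules(src_vlan: str, dst_vlan: str) -> str:
    """First-match rule evaluation; a flow that matches nothing falls through to allow."""
    for rule in RULES:
        if rule.src in (src_vlan, "any") and rule.dst in (dst_vlan, "any"):
            return rule.action
    return "allow"


def path(src_ip: str, dst_ip: str) -> dict:
    """Decide whether a flow is switched at layer 2 or routed at layer 3.

    Same-subnet traffic is forwarded by the switch on MAC addresses alone and
    never reaches the router, so no firewall rule is consulted. Anything else
    must cross the router and is subject to the rule set.
    """
    src_vlan, dst_vlan = vlan_of(src_ip), vlan_of(dst_ip)
    if src_vlan == dst_vlan and src_vlan != "internet":
        return {"layer": 2, "via": "switch", "firewall_checked": False, "verdict": "allow"}
    return {
        "layer": 3,
        "via": "router",
        "firewall_checked": True,
        "verdict": evaluate_rules(src_vlan, dst_vlan),
    }


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.7 is a documentation address standing in for the internet.
    flows = [
        ("camera -> camera (same VLAN)", "192.168.20.10", "192.168.20.11"),
        ("camera -> main PC", "192.168.20.10", "192.168.1.5"),
        ("camera -> internet", "192.168.20.10", "203.0.113.7"),
        ("main PC -> camera", "192.168.1.5", "192.168.20.10"),
        ("internet -> main PC", "203.0.113.7", "192.168.1.5"),
    ]
    for label, src, dst in flows:
        r = path(src, dst)
        print(f"{label:30} layer {r['layer']} via {r['via']:6} "
              f"firewall_checked={r['firewall_checked']!s:5} -> {r['verdict']}")
```

Running it shows the asymmetry the captions describe: the main-VLAN PC can still reach the cameras (no rule blocks that direction, which is how the author keeps viewing them), the cameras are denied toward the main VLAN and the internet, and the camera-to-camera flow is reported as allowed with `firewall_checked` false because the router never saw it. Adding more deny rules cannot change that last line; only a control on the switch port itself, such as the MAC filter the video configures, does.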
Info
Channel: The Hook Up
Views: 71,456
Rating: 4.9624414 out of 5
Keywords: home assistant, hassio, home automation, hass.io, smart home, diy, electronics, arduino, esp8266, nodemcu, wemos d1, automation
Id: R6ohtF9AXkE
Length: 15min 58sec (958 seconds)
Published: Wed Feb 24 2021