Security Zones and ntopng

I setup a bridging firewall to break our home LAN into 5 logical segments. The first is the trusted lan+wifi (blue). Next is the untrusted lan+wifi (black). My lab’s lan (green) is separate, and there is also a DMZ segment (pink), where containerized services run on the firewall. The fifth and last segment (red) connects to the AT&T Internet router. Each segment is attached to a different interface of my firewall, which is bridging all of them together, into a single IP network, but with an IP aware firewall on each bridge port.

I setup an NTP time server, and DHCPD, BIND and MRTG containers on the firewall. I block the AT&T router’s IPv4 DHCP traffic, so our LAN clients get served by our own DHCP daemon, so everyone gets dynamic DNS registration on our local dns server. The AT&T router is just a router, but it’s still handling dhcp for IPv6, and it’s still acting as a IPv4/v6 firewall, and doing IPv4 outbound NAT. I shutoff the router’s built-in WiFi access point, and no traffic coming from it is trusted inside my firewall.

I’m somewhat concerned about isolating and monitoring all of our IoT devices, including our TiVos, TVs, set top boxes, stereos, security cameras, voip phone, thermostat, lighting controller, streaming video sticks, and printer. I put all of those things on the untrusted black lan, where they can only talk to each other, the pink dmz net, and the red net (the Internet), and I can track and limit protocols and remote destinations they use, and hopefully prevent them from ever being used by black hats to attack our devices, which are all on the trusted, blue lan. We can connect from trusted to untrusted, but they cannot connect the other way around. My lab’s green lan is actually untrusted as well, just like the black network, so it can only qccess the pink dmz and the red net.

For log management, I setup ElasticSearch in another container, and forward all my syslog traffic to it. I mean, ELK is okay, but it’s no Splunk. But it’s way easier to setup, and its unrestricted, and with my network services logging verbosely, I get plenty of logs each day.

I installed ntopng on my firewall, to monitor the network and track what devices was connecting to what internet sites. It builds a long history of “flows”, where a flow is a single connection between two hosts on our network. It wasn’t much of a surprise that my bittorrent server is the busiest thing on our LAN. Ntopng is pretty neat, and only uses about 35% cpu, according to dstat. The load average is over 2.0, but the cpus are 65% idle. Very useful tool. Almost worth the $150 fee for the small business pro version, but not worth it (for me) to pay the additional $299 fee to use the mysql database plugin.