How to completely secure a network


coffeeprogrammer

Well-known member
Jul 19, 2021
So here is a network security question. Something I've been rolling around in my mind is how I could be 100% certain nothing was coming in or out of my home network that I was not aware of or did not want. The problem is that with HTTPS and other protocols things can be encrypted, so putting in something like a network tap to capture everything and record it would not be as helpful. But then I remembered that large companies deal with this problem all the time. They deploy their own certificates on workers' machines so that they can decrypt the traffic and inspect it if required. That might be called deep packet inspection, and for how I would use it, it would also be filtering.

That might be a good way to deal with the problem: setting up a network where my machines are only using certs that I can easily decrypt, so that I can just filter and record everything and inspect it. The only problem with that is that I am not sure how to set that up. I would need it for both Windows and Linux, and then at the end point, like the router, I think the traffic would need to be changed to use my bank's cert or amazon.com's cert or whatever. Does anyone know of or have a good guide as to how to do this? Does pfSense provide anything that is helpful for this kind of thing?

And of course the filtering part might be more difficult than I imagine, blocking anything that I do not know exactly what it is. Also, I am not sure how much of this could be done with freeware or what I might need to buy. Currently I have a simple, somewhat high-end TP-Link router from Walmart. It might be nice to be behind a few layers.

Thanks.
Chad
 
This is what corporate networks do. They have a proxy at the border, all traffic is TLS 2 to the proxy using an installed cert, the proxy decrypts and inspects everything, then does TLS 3 out to the internet for approved traffic. They also block specific domains, and access to types of services as well.

I am not an expert, but there was some info Steve covered on this.

 
Well that is somewhat helpful. I have found these so far:

https://www.netresec.com/?page=PolarProxy (this looks more like a dev tool) (this organization has a good program called NetworkMiner too)

I am not sure what else is available, and with these one must set up the proxy settings in the browser. I am not sure if it is possible to do HTTPS interception without using the browser proxy settings. In reality I would be using my own cert so that I have a private key and can decrypt the traffic and block what I don't want. So it is a man in the middle. Being able to log the traffic would also be important. The log would be what was blocked and what was allowed. I guess the HTTPS server I am trying to connect to is what specifies the encryption; for example Amazon uses DigiCert, and when I look at the details, it lists the DNS names that the cert can be used for. I am not sure if some of these details are why I have to use a proxy server and cannot intercept the traffic at the gateway for some reason. I think the proxy is what is replacing Amazon's original cert with the one I would create? The gateway should be able, at least, to block anything that is not HTTPS or HTTP. I guess I have to use a proxy if I want to decrypt it using my own cert?

As I said, multiple layers of network security would be best, so in fact it might be easier to have two networks, one of which is less secure, and then be able to route certain protocols between the two networks. For example, being able to route RDP traffic between two private networks would be helpful.

The other part that would be helpful would be to only have one WiFi signal and then based on something like MAC address or password used to connect it could then connect to different networks. In the past I have had two different WiFi signals for two different networks, which is annoying.
 

Many corporate networks are on non-routable networks, without NAT. This is why the proxy is needed. The proxy also strictly controls who can access the Web and when.

Corporate networks break their network up into zones as well. Desktop computers cannot directly access high security systems, like database servers, except through virtual desktops in an intervening zone.

Corporate networks not only employ multiple firewalls separating network segments, they also employ IPS (Intrusion Prevention Systems) and IDS (Intrusion Detection Systems).

The most common vector of compromise is the employee clicking on some URL. Proxies that scrutinize and sanitize the HTTP/HTML (akin to mod_security2) help. Some proxies disallow file download. Proxies are usually authenticated proxies. This allows tracking of individuals' activities.

There's much more than there is space here to discuss.
 
You might be able to use pfSense for this. From what I understand, it can work, but it won't be as effective as a paid firewall with subscription services for IPS and URL Filter rules. Here's some more info:
 
I think you are aiming far too high when considering intercepting all HTTPS traffic.

If you are willing to settle for less, get a router that offers inbound and outbound firewall rules, supports VLANs and lets you set a secure DNS for the entire LAN. I like NextDNS as it has optional logging as well as allow/block lists. Or, any malware/ad/tracker blocking DNS service will do and you will be way ahead of the pack.

As to hardware I would get a Peplink B One for $300.
 
You should not do this. You are breaking TLS. Better is to run Pi-hole; it will log all the DNS lookups from your network and you can see if there is something scary there, and you also have the blocking built in.
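The Pi-hole suggestion above gives the original poster the "what was blocked and what was allowed" log asked for earlier in the thread. As an added example (not from any poster or from the Pi-hole project), this script parses dnsmasq-style lines of the kind Pi-hole writes to its log, summarises which client asked for which names, separates what Pi-hole blocked from what it forwarded, and flags forwarded names that are not under a household's own list of known domains. The log lines and the KNOWN_SUFFIXES list are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the dnsmasq format Pi-hole logs (not a real capture).
SAMPLE_LOG = """\
Jul 19 21:03:11 dnsmasq[812]: query[A] www.amazon.com from 192.168.1.20
Jul 19 21:03:11 dnsmasq[812]: forwarded www.amazon.com to 9.9.9.9
Jul 19 21:03:11 dnsmasq[812]: reply www.amazon.com is 52.94.236.248
Jul 19 21:03:12 dnsmasq[812]: query[A] ads.tracker.example from 192.168.1.20
Jul 19 21:03:12 dnsmasq[812]: gravity blocked ads.tracker.example is 0.0.0.0
Jul 19 21:03:40 dnsmasq[812]: query[AAAA] update.microsoft.com from 192.168.1.31
Jul 19 21:03:40 dnsmasq[812]: forwarded update.microsoft.com to 9.9.9.9
Jul 19 21:04:02 dnsmasq[812]: query[A] xk3f9q.cheap-vps.example from 192.168.1.31
Jul 19 21:04:02 dnsmasq[812]: forwarded xk3f9q.cheap-vps.example to 9.9.9.9
"""

# "query[TYPE] name from client" is the lookup; "gravity/regex/exact blocked"
# is Pi-hole's verdict when a name is on one of its blocklists.
QUERY_RE = re.compile(r"query\[(?P<type>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")
BLOCK_RE = re.compile(r"(?:gravity|regex|exact) blocked (?P<name>\S+) is ")

# Hypothetical baseline: domains the household already knows and accepts.
KNOWN_SUFFIXES = ("amazon.com", "microsoft.com")


def is_known(name, known=KNOWN_SUFFIXES):
    """True if name is one of the known domains or a subdomain of one."""
    return any(name == k or name.endswith("." + k) for k in known)


def summarise(log_text, known=KNOWN_SUFFIXES):
    """Return (queries per client, blocked names, forwarded names not in baseline)."""
    queries = defaultdict(set)
    blocked = set()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            queries[m["client"]].add(m["name"])
            continue
        m = BLOCK_RE.search(line)
        if m:
            blocked.add(m["name"])
    # Names that went out to the resolver and that nobody in the house recognises.
    unknown_allowed = sorted(
        n for names in queries.values() for n in names
        if n not in blocked and not is_known(n, known)
    )
    return dict(queries), blocked, unknown_allowed


if __name__ == "__main__":
    per_client, was_blocked, review = summarise(SAMPLE_LOG)
    for client, names in sorted(per_client.items()):
        print(client, sorted(names))
    print("blocked:", sorted(was_blocked))
    print("allowed but unknown, worth a look:", review)
```

The "allowed but unknown" list is the part that answers the original question: it shows names the blocklists let through that nobody on the network expected, so the baseline can be extended or the name blocked.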