Tackling the quagmire that is selfhosting

Now that we have looked at the exposure of our network and services, it is time to take a deeper look at which parts might pose a risk.

This becomes a problem now that we have an ever increasing number of devices that want to talk to the internet, and we have no control over how these connect, where they connect and who gains access to the data they send.
These devices are part of the IoT (Internet of Things) “revolution”, and yes, there are some benefits to having things like that connected, but do they need unfettered and unfiltered access?
They do not, and they should be isolated from your trusted network without the ability to move laterally, as in accessing your workstation, laptop, iPad etc.
You should be able to access the IoT things from your TRUSTED network, not have IoT things accessing your trusted network.

Unfortunately there are too many out there who trust their ISPs to maintain their security and interests, which is a bad idea… The ISPs only have their own interests at heart, not yours.
This is where after-market solutions come into play, where you gain more flexibility and freedom to ensure your own security and ultimately peace of mind.

Walled gardens, when and how to use them

In all of this it is a good thing that, with some additional equipment and time, we can erect walled gardens where each fauna is allowed to thrive without crossing over the boundaries to the next walled garden over.

Our predatory IoT devices will be confined to their nasty cesspool while our nice and dormant cattle are allowed to roam free in their pastures.

In my humble opinion, I would want to put up fences before I let any new devices I do not know much about into my network.
I have 3 different networks defined, where only one of them is allowed to have unrestricted access to the rest.

  • Network 1 - Trusted
  • Network 2 - IoT
  • Network 3 - Guests

Networks 2 and 3 are only allowed to talk to the DNS server that lives in Network 1; all other communication to Network 1 is not allowed. This creates a good first barrier to ensure that my walled gardens are not tainted.
This DNS server is running Pi-hole, which uses a good few allow/deny lists for various tracking and privacy services that you would not want your data sent to.
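To make the policy above concrete, here is an added example (my own illustration, not the UniFi configuration from the post) that models the three networks and the "only DNS into Network 1" rule as a small Python check. The address ranges, the Pi-hole address and the default-deny between IoT and Guest are assumptions; the post does not state them.

```python
"""Model of the three-network segmentation policy (added example).

All addresses below are constructed placeholders, not the author's real ranges.
The check models NEW connections only; a stateful firewall lets replies back.
"""
from ipaddress import ip_address, ip_network

NETWORKS = {
    "trusted": ip_network("10.0.1.0/24"),  # Network 1 (assumed range)
    "iot": ip_network("10.0.2.0/24"),      # Network 2 (assumed range)
    "guest": ip_network("10.0.3.0/24"),    # Network 3 (assumed range)
}
DNS_SERVER = ip_address("10.0.1.53")       # Pi-hole in Network 1 (assumed)
INTERNET = "internet"


def segment_of(ip: str) -> str:
    """Map an address to its VLAN name, or 'internet' if it is in none of them."""
    addr = ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return INTERNET


def is_allowed(src: str, dst: str, proto: str, dport: int) -> bool:
    """Decide whether a new connection src -> dst:dport should be permitted."""
    s, d = segment_of(src), segment_of(dst)
    if s == "trusted":
        return True  # Network 1 is the only segment with unrestricted access
    if d == INTERNET:
        return True  # IoT and Guest still need to reach the internet
    if d == "trusted":
        # Only DNS queries to the Pi-hole may enter Network 1; anything else
        # (SSH to the DNS box, SMB to a workstation, ...) is a lateral move.
        return ip_address(dst) == DNS_SERVER and proto in ("udp", "tcp") and dport == 53
    # IoT <-> Guest is not covered by the post; default-deny is assumed here.
    return False


def audit(flows):
    """Return (flow, verdict) pairs for a list of (src, dst, proto, dport) tuples."""
    return [(f, "ALLOW" if is_allowed(*f) else "DENY") for f in flows]


if __name__ == "__main__":
    sample = [("10.0.2.10", "10.0.1.53", "udp", 53),   # IoT -> Pi-hole DNS
              ("10.0.2.10", "10.0.1.20", "tcp", 445),  # IoT -> workstation SMB
              ("10.0.1.20", "10.0.2.10", "tcp", 80)]   # trusted -> IoT web UI
    for flow, verdict in audit(sample):
        print(verdict, flow)
```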

Equipment considerations

As there are many different firewalls and routers out there, I will not hazard a suggestion as to how to configure yours to achieve the same kind of setup that I have. I run my network on UniFi with a UDM Pro and a few UniFi Switches and Access Points.

Keep in mind that my configuration is a bit OTT, but we also depend on this to remain functional as both my wife and I work remotely and need to avoid a SPOF (Single Point of Failure).
There is also quite a bit of firewall configuration needed to get the walled gardens we want up, alongside VLAN configuration to ensure we have the appropriate separation.

At the same time, while this is a recommended and so-called best-practice setup, I fully admit that it’s not for everyone, and not everyone has the time to become capable of setting things up this way.
It can pose a great challenge for many to safeguard the network, and they might need to depend on online resources to get it done, which are often presented in the way that was written about in the previous article.

For the sake of sanity, there is no need to go over the top with kit here, but rather have a few fundamental requirements that need to be met before you buy.
You can also get cheaper solutions, but I would myself steer clear of all the gamer gimmick gear out there and rather focus on pro-sumer and SMB (Small and Medium Business) gear, as this often gives the best flexibility to configure it the way you want it.

This, though, comes at the cost of spending more time to investigate, research and configure it, but in the end it is well worth it and you can have peace of mind, which is something I at least value greatly!