May 2, 2024

Part 3 | Ultimate Home Network 2021 | VPN, IPS, Port Security, and Port Forwarding on UniFi 6.0



Published June 2, 2023, 9:20 p.m. by Monica Louis


Is your network secure? Port forwarding is one of the largest vulnerabilities on any network. In this video, learn to set up a VPN instead. Thank you https://www.pcbway.com/ for sponsoring this video.

Equipment Recommendations (Non-Affiliate Links):

Dream Machine Pro: https://store.ui.com/collections/unifi-network-routing-switching/products/udm-pro

UniFi AP-6-Lite: https://store.ui.com/collections/unifi-network-access-points/products/unifi-ap-6-lite

16 Port PoE Switch: https://store.ui.com/collections/unifi-network-routing-switching/products/unifi-switch-16-150w

WiFi6 Mesh System (Plug and Play): https://amzn.to/2NGOsUX

Visit my website: http://www.TheSmartHomeHookUp.com

Follow me on Twitter: @TheHookUp1

Join me on Facebook: https://www.facebook.com/groups/473812443269387/?ref=share

Support my channel:

Patreon: https://www.patreon.com/thehookup

Music by www.BenSound.com




Today on The Hookup, it's part three of my ultimate secure smart home network series. In part one I walked you through hardware selection using UniFi equipment. In part two I covered VLANs, wireless networks, and firewall rules. And today we're going to look at port security, intrusion prevention systems, and VPNs on the UniFi 6.0 controller.

In part two of this series I mentioned that I made a questionable decision by putting my most untrusted devices, which are my IP security cameras, onto my main untagged VLAN. Some of the questions that I saw in the comments indicate that you may need a crash course in networking, so here's a quick and dirty overview of network communication. This definitely won't be the most in-depth look at the OSI model that you've ever seen, but it will hopefully be easy to understand and give you enough information to help you make the right decisions for your network.

This video is sponsored by PCBWay.com. If you're a tinkerer, inventor, or maker and you haven't checked out PCBWay, you are seriously missing out. They obviously produce full-featured printed circuit boards with a ton of different materials and options, but now they offer basically everything you need to turn your ideas into a physical reality. Whether you need 3D printing, injection molding, CNC machining, assembly, or just plain old PCB manufacturing, PCBWay can do it all for highly competitive prices. Check out PCBWay's awesome services using the link in the description to support this channel.

Layer one in the OSI model is called the physical networking layer. Whether your devices get connected with radio waves, coaxial cables, Ethernet, or fiber, it's still layer one. Layer two is called the data link layer, which is not a super helpful name, especially when it comes to VLANs. When two devices are on the same LAN segment, VLAN, or subnet, meaning that they share the same base part of their IP address, they can communicate directly using a network switch. You see, a switch has a big table of device MAC addresses and the corresponding port on the switch that they're attached to. One device sends out a network frame with a source MAC address and a destination MAC address, and when that frame reaches the switch, the switch will look it up in its table and send it out to the correct port. Importantly, layer 2 communication doesn't require any input from the router and therefore can be done very quickly and efficiently. But since the router isn't involved, that also means that it doesn't check any firewall rules, and therefore we can't deny communication between devices on the same VLAN using firewall rules.

Layer 3, on the other hand, is the network layer, which is a fancy way of saying that it uses a router to determine the correct path between devices that aren't on the same subnet. If two devices are on different VLANs, and therefore different subnets, they need to go through the router in order to communicate, and as I said before, if they use the router they also get checked for firewall rules, which then allows us to regulate their traffic.

All right, back to the problem at hand. I made a firewall rule to block my security cameras from the internet and from my other VLANs, but I can't block them from communicating with devices on the same VLAN, because they don't need to use the router to do that. So as I mentioned before, the easiest way to break into my network would be to come to my house, tear a security camera down off the wall, and then plug your device into that camera's Ethernet cable. So to minimize that threat, I'm going to use a feature that's available on UniFi and most other managed switches called MAC filtering.

To do this, find the client that you want to assign to that port; in this case it's a Hikvision camera. In the right-hand panel you can see the device's MAC address, which you'll need to copy. You can also see the port that it's attached to, which in this case is port 1 on my 16-port Gen 2 switch. Clicking on that link will bring up the switch, and then you can select the Ports menu at the top and click on the pencil icon to edit the profile of that switch port. Any time I make a MAC address isolation, I always name the switch port accordingly so I don't end up pulling my hair out later if I ever need to change the device attached to that port. Under MAC Filter, paste in the MAC address that you copied from the Clients page and then hit Add. Then scroll down to the bottom and hit Apply. You'll see your switch change to Provisioning, and after it's done, the only device that will be able to connect via that port is that specific camera.

Now technically, someone could grab the MAC address of the camera and then use that MAC address to spoof the MAC address of their own device, which would then allow them to have access to other devices on my network via layer 2. But honestly, this solution is plenty secure for me, and unless you're storing government secrets on your network, it's probably good enough for you too. As always, I encourage you to test things for yourself, but as you can see in this example, connecting my laptop to the restricted port doesn't even give me an IP address, so not only can I not access the internet, but I also can't access any other devices on the network.

I also mentioned in my last video that I wanted my daughter's PC to use the content-filtered network. So what I'll do is find her computer on the client list and take note of which port on the switch it's connected to, then click through to that switch and under Ports hit the pencil icon to edit the overrides, and then select the Family network as the available profile. This will force any traffic attached to that specific port onto the content-filtered network. This is also how you would put an entire unmanaged switch onto a specific VLAN: just make sure that the uplink port that you're using is assigned to the correct VLAN in the override section, and then all of the ports on the unmanaged switch will also be on that VLAN.

If you have unused Ethernet ports in public places, it is best practice to leave those ports completely physically disconnected from the switch. This is a process called air gapping, and it probably applies to very few homes, but in the off chance that a business is watching this guide, please don't leave public Ethernet jacks attached and connected to your main VLAN. They are by far the easiest point of entry for any attacker with physical access to your building, and honestly it's just as bad or worse than leaving the room with all of your client records unlocked.

Even though firewall rules and port security are the most important tools for securing your network, there are a few other features available in the Dream Machine Pro that can provide additional layers of security, specifically IPS and IDS. IDS stands for intrusion detection system, while IPS stands for intrusion prevention system, and they both have the same main concept but different final outcomes. IDS and IPS work in the same general way as antivirus software on your computer, which is oddly similar to your body's own immune system. Basically, when a new virus is discovered, security researchers try to pinpoint a part of that virus that's sufficiently unique to identify without also falsely identifying non-virus files. They call this part of the file the virus's signature. These signatures get added to an ever-growing and constantly updated database that your antivirus program can reference as it's examining each file on your computer. If part of the file matches a signature in the database, it will be flagged, quarantined, or just outright deleted, depending on the preferences that you set.

IDS and IPS work in the same way in that they reference a large database of signatures related to malicious network traffic. If you have intrusion detection enabled, any matches will generate an alert that you'll have to deal with yourself, while intrusion prevention will block that traffic automatically. The likelihood of false positives and the impact on your network if legitimate traffic is blocked will determine whether IDS or IPS is right for you.

It's also worth noting that inspecting each packet for malicious traffic is pretty CPU intensive, and while the Dream Machine Pro claims to have three and a half gigabits per second of throughput with IPS enabled, this metric is tested using very similar traffic types and packets, and it's reasonable to expect that real-world throughput may be less. I have actually been able to successfully cap out my Dream Machine Pro's CPU at 100% utilization by downloading multiple very large torrent files at the same time. This increase in CPU utilization is likely due to the nature of torrent files, where the data is being pulled from hundreds or sometimes even thousands of unique sources very quickly. Under non-torrent-based heavy transfers, the CPU utilization never even gets close to 100%, so I imagine that's got something to do with it. To that end, you can actually select categories in the IPS menu to refer to a specific subset of signatures for malicious traffic. So if you want to use peer-to-peer software on your network and you're concerned that your traffic will be blocked by IPS, or that your network speeds will be significantly slowed, you can actually just disable that whole subset of malicious signatures.

UniFi hasn't been particularly transparent about where they're pulling their signature database from, whether they're maintaining it on their own, or how often it's being updated, but most people who know more than me seem to think that it's largely based on a product called Suricata, which is a popular open source IPS and IDS solution. I also can't find any information as to whether the signature files are being automatically pushed to the UDM or whether they're being pushed with each new firmware upgrade, but I definitely hope they're going to offer the option to upgrade signature files without completely updating the firmware of your device, because signature updates should be happening significantly more often than device updates, and you should be able to do them without the fear of breaking changes.

All right, so that covers the security of the devices that we willingly attach to our network, but one of the largest vulnerabilities of any network comes when we override the implicit deny rule for incoming traffic. As I said in part two of this series, basically all networks are set up so that internal traffic can leave and returning traffic, called established and related, is allowed, but external traffic shouldn't be allowed to initiate a connection with anything on your network. However, if you're running a service on your home network like a media server, camera system, or a home automation hub, you may want to be able to access that service from outside your network, and the way that you do this is by forwarding requests made to your external IP address to an internal IP that runs that service. If you imagine your firewall as a giant building with hundreds of office doors called ports, knocking on most of them will get no answer, but occasionally when you knock on a door it will open and you'll be led down a hallway to another door, which belongs to a specific device on your network.

In the UniFi controller you can see all of your forwarded ports in Advanced Features, Advanced Gateway Settings, and then Port Forwarding. They also show up in your firewall rules as ghosted text that cannot be edited. If you have ports forwarded that you don't remember doing, you may have UPnP enabled, which is a service that allows devices on your network to request that a port be opened. There is almost no reason to have UPnP enabled on your network, so you should definitely disable that in the Advanced Features menu, and then take a hard look at which devices you actually want to have exposed to the internet. The more devices on your network that are exposed in this way, the greater your risk. In cyber security we refer to this as your attack surface, and the best practice is to minimize attack surface as much as possible.

Think about a castle: a castle wall doesn't have hundreds of exterior doors, it has one main door that's highly fortified. Basically, instead of needing to ensure that each machine and service on your network is secure, which is often impossible with devices like security cameras and NVRs, you put all of your services behind a single door and then you fortify that one door as much as possible. If you're running a lot of services for a lot of people, then you might need to set up something like a reverse proxy for the store, but for most people with only a few services and a few different people who want to be able to connect to them, the best and most secure solution is to use a virtual private network, or VPN.

VPN in this context is not like the ones that you see advertised on YouTube all the time. A VPN is a secure tunnel between one device and another. In the case of NordVPN or TunnelBear, you have a secure tunnel between your computer and a device at a remote location called a VPN concentrator. This type of VPN allows you to securely send your internet traffic to this remote location through an encrypted tunnel, and then your traffic leaves that remote location exactly as if your computer was located inside of that site. This is useful if you're trying to hide your traffic because you're doing something illegal, or if you want to access content that's not normally available in your region. The VPN that we're going to set up works in the same way but for a totally different purpose. Any time that we're outside of our home network, we'll use a VPN tunnel to connect back to the Dream Machine Pro, and then after that all of our traffic will appear to be originating from inside of our local network, which allows us to access all of our local services just like we can when we're home, but without the risk of exposing those services to the internet.

To set up a VPN in the UniFi 6.0 controller, click on Settings and then Advanced Features. Scroll down to where it says RADIUS Server. RADIUS stands for Remote Authentication Dial-In User Service, even though dialing in really isn't a thing anymore. In this default profile you'll want to define a user for each person who's going to log into your VPN, in this case me and my wife. Each user has their own password to protect their specific account, and the VPN itself has a password to prevent unauthorized access. As you can imagine, best practice is for each of these passwords to be strong and unique; don't use the same password for your VPN as you do for your users.

Next, head back over to the Networks section and add a new network. Give it a descriptive name, and then under VPN Settings you'll select Remote User. The only protocol that's supported by the UniFi VPN is L2TP, so you can't change that. Then under Pre-Shared Key you're going to enter a secure password that your users will need to know in order to connect to your VPN. Enter the gateway and subnet that you want your VPN clients to connect to, and then remember to adjust your local IP addresses firewall rule to include this new subnet. For Name Server you can just leave it on Auto, and then make sure your default RADIUS profile is selected.

To use this VPN on your remote device, you'll add a VPN configuration using L2TP. Then for Server you'll put in the external IP address of your Dream Machine Pro, or use a dynamic DNS service like Duck DNS. For Account you'll put in the name that you defined in your RADIUS profile, and then the password for that user. The Secret is the main password for the VPN that you defined when you set up your new network. If your device supports split tunneling, you can configure it so only individual programs and services will use the VPN, but for the most part you should just select Send All Traffic for the most trouble-free configuration.

A VPN solution isn't perfect, and some services aren't going to operate properly without exposing them to the internet. Push notifications, for example, are a service that typically requires port forwarding, and it's difficult to change those settings to set up push to work within a local network. As always, after you put a solution in place you should test it to make sure it functions as you expect it to. You can see, for instance, that when I try to connect to my Blue Iris camera server on the cellular network, I get the response "no connection to the server", but after connecting to my VPN the server connects almost instantly, allowing me to remotely view my cameras without needing to expose them to the internet, because the VPN makes it appear as if the traffic is local.

Am I telling you that you absolutely shouldn't do any port forwarding? No, but for each service you're considering exposing, you should ask yourself these four questions. Number one: how sure can I be that the developers of this service were both competent and security conscious enough to minimize vulnerabilities? Number two: how often is this service being upgraded to provide security patches for the ever-evolving cyber security race? Number three: what data or privacy is at stake if the service is compromised? And number four: how likely is it that other devices in the house could be attacked as a result of this forwarded service being compromised?

In the future I may make a video about reverse proxies and more robust VPN solutions than the built-in UniFi VPN, but for now this series has been long enough, so thank you so much to my awesome patrons over at Patreon for continuing to support this channel. If you're interested in supporting this channel, please check out the links down in the description. If you enjoyed this video, please hit that thumbs up button and consider subscribing, and as always, thanks for watching The Hookup.
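As an added illustration that is not part of the video, here is a small Python model of the forwarding decision described in the transcript: same-subnet traffic is switched at layer 2 and never reaches the firewall, while cross-subnet and inbound traffic goes through the router, where the rules, the established/related allowance and any port forward apply. The addresses, VLAN names, rules and forwarded port are constructed for the example and are not the author's real configuration.

```python
"""Toy model of the layer 2 / layer 3 forwarding path from the transcript.
Constructed example, not the author's network: it shows why a firewall rule
cannot block two hosts on the same VLAN, and how a port forward overrides
the implicit inbound deny while established/related replies stay allowed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WAN_IP = "203.0.113.10"                      # constructed external address
VLANS = {                                    # constructed subnets
    "main":    ip_network("192.168.1.0/24"),
    "cameras": ip_network("192.168.20.0/24"),
    "family":  ip_network("192.168.30.0/24"),
}
INTERNET = "internet"

# Router-only rules: (source zone, destination zone) -> action, first match wins.
RULES = [
    ("cameras", INTERNET, "deny (cameras blocked from internet)"),
    ("cameras", "main", "deny (cameras blocked from other VLANs)"),
    ("main", "cameras", "allow (main may reach cameras)"),
    ("main", INTERNET, "allow (main may reach internet)"),
    ("family", INTERNET, "allow (family may reach internet)"),
]
# One forwarded port -> one internal host; overrides the implicit inbound deny.
PORT_FORWARDS = {8080: "192.168.1.50"}       # constructed example


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    established: bool = False   # reply to a connection the inside opened


def zone_of(addr: str) -> str:
    """Name the VLAN an address belongs to, or 'internet' if none matches."""
    ip = ip_address(addr)
    for name, net in VLANS.items():
        if ip in net:
            return name
    return INTERNET


def decide(pkt: Packet) -> str:
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    # Same subnet: the switch forwards by MAC table; the router never sees it,
    # so no firewall rule can apply (the camera-on-main-VLAN problem).
    if src_zone == dst_zone and src_zone != INTERNET:
        return "switched at layer 2 (firewall not consulted)"
    if pkt.established:
        return "allow (established/related)"
    if src_zone == INTERNET:
        # Inbound to the WAN address: only an explicit port forward lets it in.
        target = PORT_FORWARDS.get(pkt.dport)
        if pkt.dst == WAN_IP and target:
            return f"allow (port forward to {target})"
        return "deny (implicit inbound deny)"
    for src, dst, action in RULES:
        if (src, dst) == (src_zone, dst_zone):
            return action
    return "deny (implicit)"
```

Putting the camera on the main subnet makes every camera-to-main packet take the first branch, which is exactly why the author reaches for MAC filtering on the switch port instead of a firewall rule.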
