Published June 2, 2023, 9:20 p.m. by Monica Louis
Is your network secure? Port forwarding is one of the largest vulnerabilities on any network; in this video, learn to set up a VPN instead. Thank you https://www.pcbway.com/ for sponsoring this video.
Dream Machine Pro: https://store.ui.com/collections/unifi-network-routing-switching/products/udm-pro
UniFi AP-6-Lite: https://store.ui.com/collections/unifi-network-access-points/products/unifi-ap-6-lite
16 Port PoE Switch: https://store.ui.com/collections/unifi-network-routing-switching/products/unifi-switch-16-150w
WiFi6 Mesh System (Plug and Play): https://amzn.to/2NGOsUX
Visit my website: http://www.TheSmartHomeHookUp.com
Join me on Facebook: https://www.facebook.com/groups/473812443269387/?ref=share
Today on The Hookup it's part three of my Ultimate Secure Smart Home Network series. In part one I walked you through hardware selection using UniFi equipment. In part two I covered VLANs, wireless networks and firewall rules. And today we're going to look at port security, intrusion prevention systems and VPNs on the UniFi 6.0 controller.
In part two of this series I mentioned that I made a questionable decision by putting my most untrusted devices, which are my IP security cameras, onto my main untagged VLAN. Some of the questions that I saw in the comments indicate that you may need a crash course in networking, so here's a quick and dirty overview of network communication. This definitely won't be the most in-depth look at the OSI model that you've ever seen, but it will hopefully be easy to understand and give you enough information to help you make the right decisions for your network.

This video is sponsored by PCBWay.com. If you're a tinkerer, inventor or maker and you haven't checked out PCBWay, you are seriously missing out. They obviously produce full-featured printed circuit boards with a ton of different materials and options, but now they offer basically everything you need to turn your ideas into a physical reality. Whether you need 3D printing, injection molding, CNC machining, assembly or just plain old PCB manufacturing, PCBWay can do it all for highly competitive prices. Check out PCBWay's awesome services using the link in the description to support this channel.
Layer one in the OSI model is called the physical networking layer. Whether your devices get connected with radio waves, coaxial cables, Ethernet or fiber, it's still layer one. Layer two is called the data link layer, which is not a super helpful name, especially when it comes to VLANs. When two devices are on the same LAN segment, VLAN or subnet, meaning that they share the same base part of their IP address, they can communicate directly using a network switch. You see, a switch has a big table of device MAC addresses and the corresponding port on the switch that they're attached to. One device sends out a network frame with a source MAC address and a destination MAC address, and when that frame reaches the switch, the switch will look it up in its table and send it out to the correct port. Importantly, layer 2 communication doesn't require any input from the router and therefore can be done very quickly and efficiently. But since the router isn't involved, that also means that it doesn't check any firewall rules, and therefore we can't deny communication between devices on the same VLAN using firewall rules.

Layer 3, on the other hand, is the network layer, which is a fancy way of saying that it uses a router to determine the correct path between devices that aren't on the same subnet. If two devices are on different VLANs, and therefore different subnets, they need to go through the router in order to communicate, and as I said before, if they use the router they also get checked for firewall rules, which then allows us to regulate their traffic.

All right, back to the problem at hand. I made a firewall rule to block my security cameras from the internet and from my other VLANs, but I can't block them from communicating with devices on the same VLAN, because they don't need to use the router to do that. So, as I mentioned before, the easiest way to break into my network would be to come to my house, tear a security camera down off the wall, and then plug your device into that camera's Ethernet cable.
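Here is an added example, not from the video and not Ubiquiti code, that models the layer 2 versus layer 3 behaviour just described: a switch with a MAC address table, two constructed VLANs (a main one and a camera one), and a router that is the only place firewall rules are evaluated. Every host, MAC address, subnet and rule below is constructed for the example; the point it shows is that a camera sitting on the same VLAN as your other devices reaches them through the switch without any rule being consulted, while a camera on its own VLAN is stopped at the router.

```python
"""Added example (not from the video): why same-VLAN traffic never hits the firewall."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Host:
    name: str
    mac: str
    ip: str


# Constructed VLANs: the main untagged VLAN and a separate camera VLAN.
VLANS = {
    "main": ip_network("192.168.1.0/24"),
    "cameras": ip_network("192.168.20.0/24"),
}

# Constructed router firewall rules, first match wins: (src vlan, dst vlan, action).
FIREWALL_RULES = [
    ("cameras", "internet", "deny"),
    ("cameras", "main", "deny"),
    ("main", "cameras", "allow"),
]


class Switch:
    """Layer-2 switch: a table of MAC address -> port, learned from traffic."""

    def __init__(self) -> None:
        self.mac_table: dict[str, int] = {}

    def learn(self, mac: str, port: int) -> None:
        self.mac_table[mac] = port

    def egress_port(self, dst_mac: str) -> int | str:
        # A known destination goes out exactly one port; unknown ones are flooded.
        return self.mac_table.get(dst_mac, "flood")


def vlan_of(host: Host) -> str:
    for name, net in VLANS.items():
        if ip_address(host.ip) in net:
            return name
    return "internet"  # anything outside our subnets is reached via the WAN


def firewall_action(src_vlan: str, dst_vlan: str) -> str:
    for rule_src, rule_dst, action in FIREWALL_RULES:
        if (rule_src, rule_dst) == (src_vlan, dst_vlan):
            return action
    return "allow"  # this toy model allows inter-VLAN traffic by default


def deliver(switch: Switch, src: Host, dst: Host) -> dict:
    """Decide how a frame from src to dst is handled and whether it gets through."""
    src_vlan, dst_vlan = vlan_of(src), vlan_of(dst)
    if src_vlan == dst_vlan:
        # Same subnet: the switch forwards by MAC table; the router never sees it.
        return {"path": "switch", "egress_port": switch.egress_port(dst.mac),
                "firewall_checked": False, "allowed": True}
    # Different subnets: the frame goes to the router, which applies the rules.
    action = firewall_action(src_vlan, dst_vlan)
    return {"path": "router", "egress_port": "router",
            "firewall_checked": True, "allowed": action == "allow"}


# Constructed hosts: two cameras on the camera VLAN, one camera left on the
# main VLAN (the "questionable decision"), and a desktop on the main VLAN.
CAMERA_1 = Host("camera-1", "aa:bb:cc:00:00:01", "192.168.20.11")
CAMERA_2 = Host("camera-2", "aa:bb:cc:00:00:02", "192.168.20.12")
CAMERA_ON_MAIN = Host("camera-3", "aa:bb:cc:00:00:03", "192.168.1.60")
DESKTOP = Host("desktop", "aa:bb:cc:00:00:10", "192.168.1.50")


def demo_switch() -> Switch:
    """A switch that has already learned where each constructed host is plugged in."""
    sw = Switch()
    sw.learn(CAMERA_1.mac, 1)
    sw.learn(CAMERA_2.mac, 2)
    sw.learn(CAMERA_ON_MAIN.mac, 3)
    sw.learn(DESKTOP.mac, 9)
    return sw


if __name__ == "__main__":
    sw = demo_switch()
    print("camera on main VLAN -> desktop:", deliver(sw, CAMERA_ON_MAIN, DESKTOP))
    print("camera on camera VLAN -> desktop:", deliver(sw, CAMERA_1, DESKTOP))
    print("desktop -> camera VLAN:", deliver(sw, DESKTOP, CAMERA_1))
```

The first print shows the frame switched straight out port 9 with `firewall_checked` false; the second shows it routed and denied by the camera-to-main rule. That difference is the whole reason to move untrusted devices onto their own VLAN.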
To minimize that threat I'm going to use a feature that's available on UniFi and most other managed switches called MAC filtering. To do this, find the client that you want to assign to that port; in this case it's a Hikvision camera. In the right-hand panel you can see the device's MAC address, which you'll need to copy. You can also see the port that it's attached to, which in this case is port 1 on my 16-port Gen 2 switch. Clicking on that link will bring up the switch, and then you can select the Ports menu at the top and click on the pencil icon to edit the profile of that switch port. Any time I make a MAC address isolation, I always name the switch port accordingly so I don't end up pulling my hair out later if I ever need to change the device attached to that port. Under MAC Filter, paste in the MAC address that you copied from the Clients page and then hit Add. Then scroll down to the bottom and hit Apply. You'll see your switch change to Provisioning, and after it's done the only device that will be able to connect via that port is that specific camera.
Now technically someone could grab the MAC address of the camera and then use that MAC address to spoof the MAC address of their own device, which would then allow them to have access to other devices on my network via layer 2. But honestly this solution is plenty secure for me, and unless you're storing government secrets on your network it's probably good enough for you too. As always, I encourage you to test things for yourself, but as you can see in this example, connecting my laptop to the restricted port doesn't even give me an IP address, so not only can I not access the internet, but I also can't access any other devices on the network.
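As an added example (not from the video, not UniFi firmware), here is a small model of the per-port MAC filter just configured, with the two extra signals a defender can watch for: a restricted port's link dropping (the camera coming off the wall) and one MAC address showing up on more than one port. Port numbers and MAC addresses are constructed. It also shows the limit the video admits to: a frame carrying the camera's own MAC is accepted on port 1 whatever device sent it, so the filter needs those alerts, not just the drop.

```python
"""Added example (not from the video): per-port MAC filtering with defender alerts."""
from __future__ import annotations

from collections import defaultdict


class PortSecuritySwitch:
    def __init__(self) -> None:
        self.allowed: dict[int, set[str]] = {}                # port -> permitted MACs
        self.seen_on: dict[str, set[int]] = defaultdict(set)  # MAC -> ports it was seen on
        self.alerts: list[str] = []

    def restrict_port(self, port: int, *macs: str) -> None:
        """Equivalent of the MAC Filter box in the switch port profile."""
        self.allowed[port] = {m.lower() for m in macs}

    def ingress(self, port: int, src_mac: str) -> bool:
        """Return True if a frame from src_mac arriving on port is accepted."""
        src_mac = src_mac.lower()
        permitted = self.allowed.get(port)
        if permitted is not None and src_mac not in permitted:
            # This is what happens to a laptop's DHCP discover on the camera's cable:
            # nothing is forwarded, so it never gets an address.
            self.alerts.append(f"port {port}: dropped frame from unauthorized MAC {src_mac}")
            return False
        self.seen_on[src_mac].add(port)
        if len(self.seen_on[src_mac]) > 1:
            # The same MAC on two ports is the classic sign of a cloned address.
            ports = sorted(self.seen_on[src_mac])
            self.alerts.append(f"{src_mac} seen on ports {ports}: possible MAC spoofing")
        return True

    def link_event(self, port: int, up: bool) -> None:
        """Restricted ports belong to fixed devices; a link drop deserves a look."""
        if port in self.allowed and not up:
            self.alerts.append(f"port {port}: link down on a restricted port, check the device")


CAMERA_MAC = "aa:bb:cc:dd:ee:01"   # constructed
LAPTOP_MAC = "11:22:33:44:55:66"   # constructed


def demo() -> PortSecuritySwitch:
    """Walk through the scenario from the text and return the switch with its alerts."""
    sw = PortSecuritySwitch()
    sw.restrict_port(1, CAMERA_MAC)
    sw.ingress(1, CAMERA_MAC)        # the camera itself: accepted, no alert
    sw.link_event(1, up=False)       # camera unplugged: alert 1
    sw.ingress(1, LAPTOP_MAC)        # laptop on the camera's cable: dropped, alert 2
    sw.ingress(1, CAMERA_MAC)        # a cloned camera MAC on port 1 is indistinguishable
    sw.ingress(7, CAMERA_MAC)        # same MAC on a second jack: alert 3
    return sw


if __name__ == "__main__":
    for line in demo().alerts:
        print(line)
```

Running it prints three alerts in order: the link drop, the dropped laptop frame, and the MAC seen on ports [1, 7]. On a real managed switch the first two correspond to a port-down event and a port security violation counter, which are worth forwarding to whatever you use for alerting.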
I also mentioned in my last video that I wanted my daughter's PC to use the content-filtered network. So what I'll do is find her computer on the client list and take note of which port on the switch it's connected to, then click through to that switch and, under Ports, hit the pencil icon to edit the overrides, and then select the Family network as the available profile. This will force any traffic attached to that specific port onto the content-filtered network. This is also how you would put an entire unmanaged switch onto a specific VLAN: just make sure that the uplink port that you're using is assigned to the correct VLAN in the override section, and then all of the ports on the unmanaged switch will also be on that VLAN.

If you have unused Ethernet ports in public places, it is best practice to leave those ports completely physically disconnected from the switch. This is a process called air gapping, and it probably applies to very few homes, but on the off chance that a business is watching this guide: please don't leave public Ethernet jacks attached and connected to your main VLAN. They are by far the easiest point of entry for any attacker with physical access to your building, and honestly it's just as bad or worse than leaving the room with all of your client records unlocked.
Even though firewall rules and port security are the most important tools for securing your network, there are a few other features available in the Dream Machine Pro that can provide additional layers of security, specifically IPS and IDS. IDS stands for intrusion detection system, while IPS stands for intrusion prevention system, and they both have the same main concept but different final outcomes. IDS and IPS work in the same general way as antivirus software on your computer, which is oddly similar to your body's own immune system. Basically, when a new virus is discovered, security researchers try to pinpoint a part of that virus that's sufficiently unique to identify without also falsely identifying non-virus files. They call this part of the file the virus's signature. These signatures get added to an ever-growing and constantly updated database that your antivirus program can reference as it's examining each file on your computer. If part of the file matches a signature in the database, it will be flagged, quarantined or just outright deleted, depending on the preferences that you set. IDS and IPS work in the same way in that they reference a large database of signatures related to malicious network traffic. If you have intrusion detection enabled, any matches will generate an alert that you'll have to deal with yourself, while intrusion prevention will block that traffic automatically. The likelihood of false positives, and the impact on your network if legitimate traffic is blocked, will determine whether IDS or IPS is right for you.
It's also worth noting that inspecting each packet for malicious traffic is pretty CPU intensive, and while the Dream Machine Pro claims to have three and a half gigabits per second of throughput with IPS enabled, this metric is tested using very similar traffic types and packets, and it's reasonable to expect that real-world throughput may be less. I have actually been able to successfully cap out my Dream Machine Pro's CPU at 100% utilization by downloading multiple very large torrent files at the same time. This increase in CPU utilization is likely due to the nature of torrent files, where the data is being pulled from hundreds or sometimes even thousands of unique sources very quickly. Under non-torrent-based heavy transfers the CPU utilization never even gets close to 100%, so I imagine that's got something to do with it. To that end, you can actually select categories in the IPS menu to refer to a specific subset of signatures for malicious traffic, so if you want to use peer-to-peer software on your network and you're concerned that your traffic will be blocked by IPS, or that your network speeds will be significantly slowed, you can actually just disable that whole subset of malicious signatures.
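To make the IDS-versus-IPS distinction and the category switch concrete, here is an added example (not from the video, and not Suricata or UniFi rule content): a toy signature database matched against constructed packet payloads. In "ids" mode a hit only records an alert; in "ips" mode the packet is dropped as well; disabling a category, as described for peer-to-peer traffic, removes its signatures from the set that gets evaluated. The signature IDs, categories, patterns, addresses and payloads are all constructed for this example.

```python
"""Added example (not from the video): signature matching, IDS vs IPS, category toggles."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Signature:
    sid: int
    category: str
    description: str
    pattern: bytes          # regex applied to the packet payload


# Constructed toy rule set; real feeds contain tens of thousands of these.
SIGNATURES = [
    Signature(9000001, "p2p", "BitTorrent handshake", rb"\x13BitTorrent protocol"),
    Signature(9000002, "scanner", "demo scanner user agent", rb"User-Agent: DemoScanner/"),
    Signature(9000003, "malware", "demo beacon header", rb"X-Demo-Beacon: [0-9a-f]{8}"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Inspector:
    mode: str = "ids"                                   # "ids": alert only; "ips": alert and drop
    disabled_categories: set[str] = field(default_factory=set)
    alerts: list[tuple[int, str, str]] = field(default_factory=list)

    def active_signatures(self) -> list[Signature]:
        # A disabled category never costs CPU and never blocks anything.
        return [s for s in SIGNATURES if s.category not in self.disabled_categories]

    def inspect(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded, False if it was blocked."""
        for sig in self.active_signatures():
            if re.search(sig.pattern, pkt.payload):
                self.alerts.append((sig.sid, sig.category, pkt.src))
                if self.mode == "ips":
                    return False
        return True


# Constructed traffic sample: an ordinary web request, a torrent handshake,
# a probe with the constructed scanner user agent, and a constructed beacon.
TRAFFIC = [
    Packet("192.168.1.50", "198.51.100.7", 443,
           b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Packet("192.168.1.50", "198.51.100.8", 6881,
           b"\x13BitTorrent protocol" + b"\x00" * 8),
    Packet("203.0.113.9", "192.168.1.20", 80,
           b"GET /admin HTTP/1.1\r\nUser-Agent: DemoScanner/1.0\r\n\r\n"),
    Packet("192.168.1.77", "203.0.113.10", 80,
           b"POST /c HTTP/1.1\r\nX-Demo-Beacon: deadbeef\r\n\r\n"),
]


def run(mode: str, disabled: set[str] | None = None) -> tuple[int, list[tuple[int, str, str]]]:
    """Inspect the sample traffic; return (packets forwarded, alerts raised)."""
    insp = Inspector(mode=mode, disabled_categories=set(disabled or ()))
    forwarded = sum(1 for pkt in TRAFFIC if insp.inspect(pkt))
    return forwarded, insp.alerts


if __name__ == "__main__":
    for label, mode, disabled in [("IDS", "ids", None), ("IPS", "ips", None),
                                  ("IPS, p2p off", "ips", {"p2p"})]:
        fwd, alerts = run(mode, disabled)
        print(f"{label}: forwarded {fwd}/{len(TRAFFIC)}, alerts {[a[1] for a in alerts]}")
```

The same three alerts are raised in every mode; only the forwarding decision changes. That is the trade-off the text describes: IDS costs you attention, IPS costs you the risk that a sloppy signature blocks legitimate traffic, and per-category disabling is the knob for the cases where that risk is not worth it.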
UniFi hasn't been particularly transparent about where they're pulling their signature database from, whether they're maintaining it on their own, or how often it's being updated, but most people who know more than me seem to think that it's largely based on a product called Suricata, which is a popular open source IPS and IDS solution. I also can't find any information as to whether the signature files are being automatically pushed to the UDM or whether they're being pushed with each new firmware upgrade, but I definitely hope they're going to offer the option to upgrade signature files without completely updating the firmware of your device, because signature updates should be happening significantly more often than device updates, and you should be able to do them without the fear of breaking changes.
All right, so that covers the security of the devices that we willingly attach to our network, but one of the largest vulnerabilities of any network comes when we override the implicit deny rule for incoming traffic. As I said in part two of this series, basically all networks are set up so that internal traffic can leave and returning traffic, called established and related, is allowed, but external traffic shouldn't be allowed to initiate a connection with anything on your network. However, if you're running a service on your home network like a media server, camera system or a home automation hub, you may want to be able to access that service from outside your network, and the way that you do this is by forwarding requests made to your external IP address to an internal IP that runs that service. If you imagine your firewall as a giant building with hundreds of office doors called ports, knocking on most of them will get no answer, but occasionally when you knock on a door it will open and you'll be led down a hallway to another door, which belongs to a specific device on your network.

In the UniFi controller you can see all of your forwarded ports under Advanced Features, Advanced Gateway Settings and then Port Forwarding. They also show up in your firewall rules as ghosted text that cannot be edited. If you have ports forwarded that you don't remember doing, you may have UPnP enabled, which is a service that allows devices on your network to request that a port be opened. There is almost no reason to have UPnP enabled on your network, so you should definitely disable that in the Advanced Features menu, and then take a hard look at which devices you actually want to have exposed to the internet. The more devices on your network that are exposed in this way, the greater your risk. In cyber security we refer to this as your attack surface, and the best practice is to minimize attack surface as much as possible.
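The implicit deny rule, the established/related exception, a port forward and a UPnP request are easy to see side by side in code, so here is an added example (not from the video, not UniFi's firewall implementation) that models them as a small stateful NAT firewall. Outbound connections record state so replies can return; unsolicited inbound packets are denied unless a forward maps that public port to an inside host; with UPnP on, any inside device can add such a forward by itself. The public IP is from the TEST-NET documentation range and all hosts and ports are constructed.

```python
"""Added example (not from the video): implicit deny, established/related, forwards, UPnP."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class StatefulFirewall:
    public_ip: str
    upnp_enabled: bool = False
    # (proto, public port) -> (internal ip, internal port): the "open doors"
    forwards: dict[tuple[str, int], tuple[str, int]] = field(default_factory=dict)
    # (proto, remote ip, remote port, public port) -> (internal ip, internal port)
    state: dict[tuple[str, str, int, int], tuple[str, int]] = field(default_factory=dict)

    def add_forward(self, proto: str, public_port: int, internal_ip: str, internal_port: int) -> None:
        self.forwards[(proto, public_port)] = (internal_ip, internal_port)

    def upnp_request(self, internal_ip: str, proto: str, port: int) -> bool:
        """A LAN device asking the router to open a port; honoured only if UPnP is on."""
        if not self.upnp_enabled:
            return False
        self.add_forward(proto, port, internal_ip, port)
        return True

    def outbound(self, flow: Flow) -> str:
        """Inside host opens a connection: allowed, and remembered so the reply can return.
        This toy NAT keeps the inside source port as the public port."""
        self.state[(flow.proto, flow.dst, flow.dport, flow.sport)] = (flow.src, flow.sport)
        return "allow"

    def inbound(self, flow: Flow) -> tuple[str, str | None]:
        """Packet from the internet to public_ip: (verdict, internal destination or None)."""
        key = (flow.proto, flow.src, flow.sport, flow.dport)
        if key in self.state:
            ip, port = self.state[key]
            return ("allow (established/related)", f"{ip}:{port}")
        if (flow.proto, flow.dport) in self.forwards:
            ip, port = self.forwards[(flow.proto, flow.dport)]
            return ("allow (port forward)", f"{ip}:{port}")
        return ("deny (implicit)", None)

    def attack_surface(self) -> list[str]:
        """Every inside service an unsolicited packet from outside can reach."""
        return sorted(f"{proto}/{pport} -> {ip}:{iport}"
                      for (proto, pport), (ip, iport) in self.forwards.items())


if __name__ == "__main__":
    fw = StatefulFirewall(public_ip="203.0.113.5")                      # constructed
    fw.outbound(Flow("tcp", "192.168.1.50", 51000, "198.51.100.7", 443))  # desktop browses out
    print(fw.inbound(Flow("tcp", "198.51.100.7", 443, "203.0.113.5", 51000)))   # reply: allowed
    print(fw.inbound(Flow("tcp", "198.51.100.9", 40000, "203.0.113.5", 8080)))  # cold knock: denied
    fw.add_forward("tcp", 8080, "192.168.1.20", 80)                     # expose a media server
    print(fw.inbound(Flow("tcp", "198.51.100.9", 40000, "203.0.113.5", 8080)))  # now allowed
    print("UPnP honoured:", fw.upnp_request("192.168.1.77", "tcp", 6881))       # False: UPnP off
    print("attack surface:", fw.attack_surface())
```

With UPnP left at its default of off, the only way an inside host gets a door opened is the explicit `add_forward`, so `attack_surface()` is exactly the list you chose; flip `upnp_enabled` to True and any device on the LAN can extend that list without you knowing, which is the situation the text describes when you find forwards you don't remember creating.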
Think about a castle. A castle wall doesn't have hundreds of exterior doors; it has one main door that's highly fortified. Basically, instead of needing to ensure that each machine and service on your network is secure, which is often impossible with devices like security cameras and NVRs, you put all of your services behind a single door and then you fortify that one door as much as possible. If you're running a lot of services for a lot of people, then you might need to set up something like a reverse proxy, but for most people with only a few services and a few different people who want to be able to connect to them, the best and most secure solution is to use a virtual private network, or VPN.

VPN in this context is not like the ones that you see advertised on YouTube all the time. A VPN is a secure tunnel between one device and another. In the case of NordVPN or TunnelBear, you have a secure tunnel between your computer and a device at a remote location called a VPN concentrator. This type of VPN allows you to securely send your internet traffic to this remote location through an encrypted tunnel, and then your traffic leaves that remote location exactly as if your computer was located inside of that site. This is useful if you're trying to hide your traffic because you're doing something illegal, or if you want to access content that's not normally available in your region. The VPN that we're going to set up works in the same way but for a totally different purpose: any time that we're outside of our home network, we'll use a VPN tunnel to connect back to the Dream Machine Pro, and then after that all of our traffic will appear to be originating from inside of our local network, which allows us to access all of our local services just like we can when we're home, but without the risk of exposing those services to the internet.
To set up a VPN in the UniFi 6.0 controller, click on Settings and then Advanced Features, and scroll down to where it says RADIUS Server. RADIUS stands for Remote Authentication Dial-In User Service, even though dialing in really isn't a thing anymore. In this default profile you'll want to define a user for each person who's going to log into your VPN, in this case me and my wife. Each user has their own password to protect their specific account, and the VPN itself has a password to prevent unauthorized access. As you can imagine, best practice is for each of these passwords to be strong and unique; don't use the same password for your VPN as you do for your users.

Next, head back over to the Networks section and add a new network. Give it a descriptive name, and then under VPN settings you'll select Remote User. The only protocol that's supported by the UniFi VPN is L2TP, so you can't change that. Then under Pre-Shared Key you're going to enter a secure password that your users will need to know in order to connect to your VPN. Enter the gateway and subnet that you want your VPN clients to connect to, and then remember to adjust your local IP addresses firewall rule to include this new subnet. For Name Server you can just leave it on Auto, and then make sure your default RADIUS profile is selected.

To use this VPN on your remote device, you'll add a VPN configuration using L2TP. Then for Server you'll put in the external IP address of your Dream Machine Pro, or use a dynamic DNS service like Duck DNS. For Account you'll put in the username that you defined in your RADIUS profile, and then the password for that user. The Secret is the main password for the VPN that you defined when you set up your new network. If your device supports split tunneling, you can configure it so only individual programs and services will use the VPN, but for the most part you should just select Send All Traffic for the most trouble-free configuration.
A VPN solution isn't perfect, and some services aren't going to operate properly without exposing them to the internet. Push notifications, for example, are a service that typically requires port forwarding, and it's difficult to change those settings to set up push to work within a local network. As always, after you put a solution in place you should test it to make sure it functions as you expect it to. You can see, for instance, that when I try to connect to my Blue Iris camera server on the cellular network I get the response "No connection to the server", but after connecting to my VPN the server connects almost instantly, allowing me to remotely view my cameras without needing to expose them to the internet, because the VPN makes it appear as if the traffic is local.

Am I telling you that you absolutely shouldn't do any port forwarding? No, but for each service you're considering exposing, you should ask yourself these four questions. Number one: how sure can I be that the developers of this service were both competent and security conscious enough to minimize vulnerabilities? Number two: how often is this service being upgraded to provide security patches for the ever-evolving cyber security race? Number three: what data or privacy is at stake if the service is compromised? And number four: how likely is it that other devices in the house could be attacked as a result of this forwarded service being compromised?
In the future I may make a video about reverse proxies and more robust VPN solutions than the built-in UniFi VPN, but for now this series has been long enough. So thank you so much to my awesome patrons over at Patreon for continuing to support this channel. If you're interested in supporting this channel, please check out the links down in the description. If you enjoyed this video, please hit that thumbs up button and consider subscribing, and as always, thanks for watching The Hookup.