
/tech/ - Technology



File: 9d45e90ecab6bf9⋯.png (172.68 KB, 1280x820, 64:41, DMZ_network_diagram_2_fire….png)

 No.914720

Yes, I know this is ridiculous, overkill and borderline insane, but so am I and my paranoia won't let me sleep at night if I don't build something like this. I will also let you know I am no network guy, so if you hear something ridiculous there is that.

The situation:

>I have 7 devices at home: 3 wireless shits and wireless ones. I also have two routers and a ONT.

>I fear at least 5 of those devices could be compromised now (doubtful) or in the future (probable), including one of the routers, which is a shitty ISP-provided one full of backdoors

>Long story short, two of those devices are operated exclusively by me, the rest are operated by my family as well.

>My trusted devices are plugged onto my trusted router, and the others are connected to the other.

>When I am using my devices, I plug my trusted router onto the ONT, and then unplug the untrusted router. The trusted router and the untrusted router have never been in the same network.

<I suspect some hypothetical hyper potent strain of cyberAIDS the untrusted devices could be capable of attacking and compromising the sadly untimely updated trusted router, regardless of VLAN setups, strong passwords, etc.

<I also suspect some of the websites my family could be visiting (think fishy Facebook advanced clickbait trash) could attempt to scan my local network for possible holes to inject the digital gonorrhea in my beloved machines

<What I want to do is to completely isolate the untrusted devices (even between them, so they can't conspire against me) on a physical level via some sort of hardware firewall/router/layer 3 switch that is capable of routing their connections through Tor or some VPN

<This magic box should be connected to a trusted router for WAN access, and reject any and all direct connections to itself or the trusted router except if coming from a special administration network interface/port

What I am attempting to do isn't very hard. Networks like pic related or bastion hosts are very standard and similar to what I want to do. The real problem is implementation. Basically, I require some sort of computer capable of:

>Low energy consumption (probably some ARM shit) because electricity be expensive here yo

>Having two or more Ethernet ports, preferably Gigabit Ethernet, because otherwise isolation will be pure placebo

>Be capable of running a modern distro in it (thought about NixOS because I will probably end up adding more subnetworks with similar needs and being able to deploy changes to all devices at once will be a fucking godsend)

>Be able to VLAN tag packets because my ONT is a bitch

>Preferably cheap. I can blow up some hundreds in this setup but I am sure it can be achieved with way less so I would rather not

>Obviously this excludes (((CISCO))) shit

Any hardware or software suggestions, or tips I should take into account in my most retarded yet summer venture?

Also, stupid overengineered setups general.

 No.914722

>>914720

>I have 7 devices at home: 3 wireless shits and wireless ones.

What?


 No.914731

>>914722

Yeah, I accidentally the sentence there. I meant "3 wireless shits and 4 wired ones".


 No.914749

That doesn't sound overengineered to me. Looks like you'd like stuff like soekris (expensive) or pcengines. Install OpenBSD on it. I'm not sure how easily available it is outside Europe and what the alternatives are.


 No.914773

install gentoo


 No.914783

>>914749

When I mentioned the setup to a network engineer friend of mine, he told me I was insane. Certainly not a conventional home network setup, but oh well.

I have heard of PC Engines. Pretty cool machines overall, but it seems they don't go down from 100 euros. I probably won't find anything else in that price range that isn't complicated as all fuck to install something in it and has 3 (!!!) RJ45 connectors and is basically a fully featured PC, but I was still hoping for something cheaper, like an Orange Pi R1 (maybe too cheap) or a Pine A64 with a USB network adapter; wouldn't be half as cool and powerful as an APU 2c2. Do you happen to know any trustworthy website in which I can order one of those? 2C2 seem to cost around 130 euros (and who knows how much does it cost shipping to my third world European country), but then there is this place where they sell the 2C2 for 100 euros, but then they also sell a 3C2 which doesn't even exist on PC Engines' website.

https://www.landashop.com/cmp-apu-3c2.html


 No.914803

>>914783

The 3c2 is an actual model, it's just not listed on the official website for some reason.

https://www.pcengines.ch/apu3c2.htm

Also, according to https://www.pcengines.ch/newshop.php?c=2 , 2c2 are shipping in a week, and that distributor is charging pretty much the amount it costs to them. It's the other distributors that charge almost half as much as it costs them. relly maeks u think


 No.914864

>>914783

>When I mentioned the setup to a network engineer friend of mine, he told me I was insane

He sounds like a filthy casual.

The PC Engines units look interesting, but you need to seriously question if you're going to be using it long enough to offset $100 or whatever of electricity, which is a lot. My fileserver is an ancient Core 2 system with a lot of spinning platters, and I've estimated it only eats $10/month of electricity, which makes replacing it not really worth it.

I'd recommend finding an old low-end desktop and using that to start, then upgrade to some dedicated hardware after you're satisfied with how it turns out. If electricity is really that expensive, or you don't have access to free hardware, consider the rock64 (https://www.pine64.org/?page_id=7147), since it has gigabit + 100Mb/s, and should do the trick.

My advice is to use pfsense, since it makes it easy to get started, and is just freebsd underneath, so you can do more advanced things as you need.


 No.914881

You should be using vlans.

Wireless on one, wired on another, server on both.

Let the upstream devices deal with firewalling and segmentation.

From there, the server can act as a secure mediator of wlan and lan, as well as host whatever the fuck you want.


 No.914938

>>914881

VLANs aren't really pointful here, because if you can't trust the device on the other end, you have to stick them on a dedicated tagged port, which means either you have to have a switch that supports VLANs, which is more expensive than a bunch of random $5 NICs, or you need dedicated NICs on the firewall/router, at which point you might as well just use isolated LANs, skip the virtual.


 No.914943

File: 9a1e6566abf3d63⋯.png (32.1 KB, 800x600, 4:3, vlan.png)

>>914938

>VLAN

>Expensive

>Special hardware

2006 called to tell you you're a faggot.

DDWRT, OpenWRT, and Tomato support VLANs.

Consumer switches don't give a shit about VLAN tagged frames.

Linux and BSD can do software vlan tagging, and everyone under the sun supports vlan tagged frames, even relshit.

Because you're not doing any layer 3 routing, nearly anything can handle a network that size.

You only tag the frames on whatever port your server occupies, which you already trust, everything else gets untagged traffic.

As for security, just block infrastructure access from whatever vlans you don't want.

If you want a service on your botnet vlan, spin it up in a vm and setup a firewall on the infrastructure and server to lock it down.

vlans are step #1 in securing a lan.


 No.914959

I once lived in a dorm for a few months. The shitty administrator there kept fucking up the wifi, so I ran a network cable from the modem to one of my laptops. But I also wanted to use my other laptop and I didn't have another network cable with me. So I made a hotspot on my android phone and connected both laptops to it. Then I SSHed into the one which was connected to internet and made a socks proxy (-D <port>), and then socksified my system with tsocks.

For some reason I still stick with this system even when I have a proper working wireless router. I guess I'm too lazy to remove all the shit I set up for it to all go through the SSH connection. Whenever I take my computer elsewhere, I replace the internal IP of the internet-connected laptop with its external IP and everything still works (it functions like a VPN then). It would work great with tor I think.


 No.914961

>>914943

>because if you can't trust the device on the other end, you have to stick them on a dedicated tagged port,

lrn2read. What's to stop the botnet in blue to decide to tag themselves into green's VLAN? VS for no real extra expense, stick a $5 broadcom NIC into the server, and you have a router.

>Because you're not doing any layer 3 routing, nearly anything can handle a network that size.

2 problems with that statement. First, if you're not doing layer 3, the VLANs aren't going to be able to communicate. Second, nearly everything can do a gigabit of routing. You can do ~4Gb/s per thread on any decent hardware from this decade.

>vlans are step #1 in securing a lan.

Lol. Step 1 is starting from the bottom and understanding what you're doing, not jumping straight to some cargo-cult security of "VLANs will fix everything". Start with the basics, like setting up a meaningful firewall, organizing your network and getting control of DHCP, and locking down your server. VLANs come much later.

There's plenty of purposes for VLANs, but for security, a config error doesn't accidentally bridge 2 separate ethernet cables, but it will knock out your VLANs, so for the beginner, buy a $5 NIC and skip the pitfalls.

t. my job title is senior systems administrator


 No.915032

File: e38cc95d3cd668a⋯.png (Spoiler Image, 273.14 KB, 946x657, 946:657, e38cc95d3cd668ac2bd1fbee96….png)

File: 40a0f1a39dc83a0⋯.jpg (Spoiler Image, 21.69 KB, 474x473, 474:473, a079ed27eb7ea9e1ccb3591d14….jpg)

File: db39f32d5bf72df⋯.png (Spoiler Image, 247 KB, 346x427, 346:427, dr kekyll.png)

>>914961

>What's to stop the botnet in blue to decide to tag themselves into green's VLAN?

<First, if you're not doing layer 3, the VLANs aren't going to be able to communicate.

>t. my job title is senior systems administrator

>t. I can't even read what I write

>t. my dad works at nintendo

Go buy a $5 NIC and skip the pitfalls.

so for the beginner, buy a $5 NIC and skip the pitfalls.


 No.915040

>>914961

>t. my job title is senior systems administrator

if that's true then you need to relearn some networking dude.

Layer 2 can still talk between each other, you just need a router to do so.

> What's to stop the botnet in blue to decide to tag themselves into green's VLAN?

I don't even get this, do you setup VLANS where all ports are tagged with all VLANs?

An elcheapo computer running 2 NICs plus a L2 switch will do what you want WITH more control.


 No.915070

>>915040

Routers are Layer 3 by definition. Fuck, there are Layer 3 switches and most network guys will tell you that's just a fancy name for a stripped down router.


 No.915088

>>915070

What does this have to do with the core network concept that anything on the same VLAN can communicate with each other without a piece of Layer 3 hardware?

>>915040 was saying:

>talk between each other

Educate us on the difference between 192.168.1.33/24 and 393.129.2.69, then apply that same concept to VLANs.

I'll save you some time and post the answer:

A transmission crossing networks requires an intermediary, like a server connected to both networks, or a route between the networks.

Data can't cross a VLAN unless there's an intermediary in the form of a server connected to both networks, or a route between the networks.


 No.915095

>>915040

>Layer 2 can still talk between each other, you just need a router to do so.

Thus defeating the entire point of having the VLANs in the first place. Put the server between the networks, and you have the exact same logical layout, but is much simpler for a beginner, which is what I've been saying from the beginning.

>>915032

>>What's to stop the botnet in blue to decide to tag themselves into green's VLAN?

><First, if you're not doing layer 3, the VLANs aren't going to be able to communicate.

Think before you post. First, re-read your post. You did nothing to isolate the secure side of the network from the insecure, and I'm not sure what tagging a single port to a single computer is supposed to accomplish. Second, while yes you can just bridge the VLANs, you just joined the broadcast domains and all the computers now have the same subnet, which makes ARP hijacking possible, and means there's no easy way to differentiate between the secure and insecure sides in your NAT and firewall configs. So you're going to want to route between the subnets.

>>915040

>I don't even get this, do you setup VLANS where all ports are tagged with all VLANs?

I think I read the other guy's tagging plans backwards, but, if your plan is to use an old router as a switch that can do VLANs, most only passively support it IIRC, so frame tagging has to be done in software, and that's going to drop your throughput to a crawl. If your plan is to rely on random devices supporting VLANs, I'm just going to sit here and laugh at you. Also, you're relying on a random shitty consumer router being secure, which is pretty silly.


 No.915099

>>915095

So for OP's situation, I'd suggest the following:

Split the secure and insecure sides of the network and have each on a separate port on the server.

If your internet is DSL, you can have it come into the secure side and set the modem/router combo into bridged mode and pass the PPP traffic to the server and run pppd there.

If not, you just have the ISP supplied modem on a third port of your server.

Now all you need to do is to set the server as the gateway for both subnets, set up NAT and a firewall on the server, and lock it down.

You can get all this started with an old desktop and a couple of cheap NICs. Power consumption will be a bit high, but that's offset by the low capital cost (would be $10 in my country's monopoly money). From there, once you're satisfied with how it works, find yourself a nice cheap low powered miniITX board and a couple SSDs and you should be able to do this in < 20W
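The layout described in No.915099 (one NIC per segment, the server as gateway for both subnets, NAT and a firewall on the server), sketched as an nftables ruleset rendered by a shell script. This is an added example, not code from any poster in the thread; the interface names `eth0`/`eth1`/`eth2`, the table name `gw`, and the DNS, DHCP and SSH services on the box are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): gateway firewall for two isolated LANs.
# Assumed names: eth0 = WAN (ISP modem), eth1 = trusted LAN, eth2 = untrusted LAN.

valid_ifname() {
    # Accept only conservative interface names (max 15 chars on Linux) so
    # nothing unexpected can be spliced into the ruleset.
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

render_ruleset() {
    wan=$1 trusted=$2 untrusted=$3
    for i in "$wan" "$trusted" "$untrusted"; do
        valid_ifname "$i" || { echo "bad interface name: $i" >&2; return 1; }
    done
    cat <<EOF
flush ruleset
table inet gw {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        # Assumption: the box serves DNS and DHCP to both LANs.
        iifname { "$trusted", "$untrusted" } udp dport { 53, 67 } accept
        iifname { "$trusted", "$untrusted" } tcp dport 53 accept
        # Administration (SSH) is reachable from the trusted LAN only.
        iifname "$trusted" tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Each LAN may open connections to the internet. No rule names a
        # LAN as output interface, so trusted <-> untrusted and WAN -> LAN
        # traffic falls through to the drop policy.
        iifname { "$trusted", "$untrusted" } oifname "$wan" accept
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$wan" masquerade
    }
}
EOF
}

case "${1:-}" in
    --apply)   # needs root: syntax-check, load, then enable routing
        rules=$(render_ruleset "${2:-eth0}" "${3:-eth1}" "${4:-eth2}") || exit 1
        printf '%s\n' "$rules" | nft -c -f - || exit 1
        printf '%s\n' "$rules" | nft -f -
        sysctl -w net.ipv4.ip_forward=1
        ;;
    *)         # default: only print the ruleset for review
        render_ruleset eth0 eth1 eth2
        ;;
esac
```

Only IPv4 forwarding is switched on here, so IPv6 is not routed between any of the segments.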


 No.915113

File: 3dd8c5f71634c43⋯.jpg (69.75 KB, 553x559, 553:559, 3dd8c5f71634c43d23677fdf2d….jpg)

File: db39f32d5bf72df⋯.png (247 KB, 346x427, 346:427, dr kekyll.png)

File: 626e2be916431a2⋯.jpg (648.1 KB, 675x900, 3:4, 1462064515253.jpg)

>>915095

>so frame tagging has to be done in software, and that's going to drop your throughput to a crawl.

Nope

>You did nothing to isolate the secure side of the network from the insecure

<data can magically traverse vlans that have no route to each other, where hosts have no way of accessing tagged traffic

>tagging a single port to a single computer is supposed to accomplish

<you have to tag all frames on wire to use vlans

<you can't use anything other than hosts on vlan designated ports

<vlans can't span multiple ports

>I think I read the other guy's tagging plans backwards, but,

THANKS FOR LETTING US KNOW YOU DIDN'T NEED TO POST AGAIN

>Also, you're relying on a random shitty consumer router being secure, which is pretty silly.

<Open source software isn't secure even when locked down and thoroughly tested for 10+ years in production on known hardware

<Business Class

>Hive is a multi-platform CIA malware suite that can be specifically utilized against states. “The project provides customizable implants for Windows, Solaris, MikroTik (used in internet routers) and Linux platforms and a Listening Post (LP)/Command and Control (C2) infrastructure to communicate with these implants.”

>>915099

>listening to pajeet

>believing pajeet

Keep posting, I need someone to keep making a fool of themselves so I can post more laughing sluts.

The infrastructure portion of my network example can be implemented for < $50 with no loss of network performance using commodity hardware, or if you want, old data center surplus.

>>>/g/

>>>/4chan/

>>>/india/

>>>/designated/


 No.915119

>>915113

>Nope

Care to back that with something that doesn't smell like your down syndrome ass? Most consumer switching hardware can barely handle a gigabit of throughput, and now you're saying that a router-on-a-stick arrangement + passing half the frames to the processor for tagging is going to have no performance impact? Try the fuck again.

>you have to tag all frames on wire to use vlans

Yeah you fucking do, unless you plan on either trusting the untrusted devices to do their own vlans (or even support vlans for that matter), so you're stuck tagging everything in one of the 2 nets to the appropriate VLAN.

>inb4 hurr just leave the insecure devices untagged so they can access all the switchports and are indistinguishable from traffic that hasn't yet been tagged.

This is supposed to be a secure network setup, not a kafkaesque autism simulator. What I said was not that it's impossible to do this with VLANs, but that it's needlessly complicated to do so, and here you are proving me right.

>>I think I read the other guy's tagging plans backwards, but,

>THANKS FOR LETTING US KNOW YOU DIDN'T NEED TO POST AGAIN

>Look mom, he admitted making a minor mistake, therefore everything I said is right!

I almost had to take your post seriously, but then I saw that you recycled a reaction image. Better luck next time kiddo.

><Open source software isn't secure even when locked down and thoroughly tested for 10+ years in production on known hardware

>DDWrt can totally paper over hardware security flaws/backdoors in random chinese routers

>And if you think otherwise, you must be a cisco shill

What the fuck. The Party is displeased with your work Zhang, next time don't be so obvious to the western devils. You get plastic rice in your ration today.

Also, I find this doubly ironic, since you promote surplus business grade hardware a few lines down in your post. At least attempt some consistency you cock gargling moron.

And last but not least:

>OP mentions having expensive euro electricity

>datacenter surplus

Go find an imageboard that's in whatever 3rd world bark-speak your brain operates in, and come back when you're literate in english. Or just not at all preferably.


 No.915382

File: 4139c7b75d9273e⋯.jpg (132.16 KB, 1000x667, 1000:667, poo.jpg)

>>915119

>Most consumer switching hardware can barely handle a gigabit of throughput

What century are you from? You can max out gigE on 4 year old netgear or dlink unmanaged switches.

5 year old asus and linksys routers can do the tagging just fine with plenty of room to do actual routing.

Your shit talking software tagging reeks of "industry" retards attempting to shut down software raid.

>and now you're saying that a router-on-a-stick arrangement + passing half the frames to the processor for tagging is going to have no performance impact?

Correct.

Just a few lines later:

>Yeah you fucking do tag all frames on wire to use vlans

More self contradiction.

No you don't.

Search: VLAN access port

Search: VLAN trunk port

You only tag trunks.

You put a switch on your access port, or add in more access ports.

Furthermore, if you do what >>915040 suggested, you don't have to tag anything on wire.

>tagging traffic on untrusted ports

>tagging traffic on non-infrastructure ports

>so you're stuck

VLANs make it so you don't have to be stuck.

>DDWrt can totally paper over hardware security flaws/backdoors in random chinese routers

<libreboot that strips intel me can't paper over hardware security flaws/backdoors in random chinese computers

Give a list of non-chinese, uncompromised vendors you pajeet "sysadmin"

>datacenter surplus

<power efficient hardware doesn't exist in a datacenter

You can even do this on a low end laptop with an express card slot.

Have a picture of your mom so I can get some more laughs.


 No.915436

File: 8f7e724c5bed465⋯.png (158.9 KB, 816x1056, 17:22, APU pajeetnet.png)

Why not do it like pic related?


 No.915443

>>915382

Ok, since you clearly don't understand how VLANs/switching/routing/english works, here's a breakdown of what you're proposing: (assumption is that this is all consumer hardware)

A frame comes in on the access port from one of the isolated segments, and is destined for the router (this is probably 90% of traffic)

It needs a VLAN tag added so it can go out the trunk to the router, so it makes one trip through the switch to go to the management plane, gets a tag added

It then goes through the switch again to go from the management plane to the trunk port and is sent to the router

So it has to make twice as many trips through the switching hardware.

Additionally, if the internet connection comes into the switch in question, it has to make 2 more trips through the switch to get the VLAN tag removed

>You can max out gigE on 4 year old netgear or dlink unmanaged switches.

Yes, that's what a gigabit of throughput means. The problems start when you have 2 or more streams trying to use that gigabit of throughput, you're not going to get a gigabit on each port. Hell, mid-range commercial switches will only have ~5Gb/s of throughput for a 12 port gigabit switch. Or less if you're enough of a sucker to buy HP

So once you get the amplification effect of having to pass frames to the management plane and/or making a round trip out to the router, you start to eat up the throughput rather quickly.

><libreboot that strips intel me can't paper over hardware security flaws/backdoors in random chinese computers

You have options, like using discrete NICs, removing the ME, using an AMD CPU that predates the PSP, or the raspberry pi, since broadcom can't into following the GPL.

Explain what you're going to do about the vendor-provided stage 1 bootloader that can talk to the NICs on your consumer router.

><power efficient hardware doesn't exist in a datacenter

>t. have never bought datacenter surplus.

It's efficient, yes, but it also has a very long service life, so what you're buying surplus was considered power efficient in 2010. It's also large scale, so while you can get systems with a good perf/watt, the power consumption is still high. So it's efficient if you need all that performance, not so much if your performance needs can be met with a 5 year old embedded celery.



