TCP/UDP port security and locking down my network

    #16
    Originally posted by Pete:
    Here, relating to tweaking / modding Windows 10 to make it lighter, I ended up removing almost 100 MS links built into the software. That said, the cloud connectivity would keep coming back, sort of being built into the OS.

    Personally here I can, but do not, get into detailed monitoring, as I know it is there with whatever ISP I use. I see this mostly using T-Mobile. It is more transparent with CC.


    These days the only solution is to use a VPN service or, relating to browsing the internet, to use Tor.

    As mentioned earlier I only whitelisted 3 international update sites that HS was using for updates.
    Yeah, Win10 was a nightmare. I ended up finding an etc/hosts file that null-routed a bunch of Microsoft telemetry. It cleaned things up quite a bit, as I use that server for my Blue Iris box and don't need it making outbound connections. Here is the URL where I found the null hosts file.

    https://encrypt-the-planet.com/windo...spy-host-file/



      #17
      Thank you Charles.

      Here using W10 mostly in virtual mode. Wife is getting used to using Ubuntu on the laptops and may switch her desktop to embedded W7 or Ubuntu with a W7 VB if she wants it.

      Using one cleansed W10 test client / multitouch screen with Kinect and Alexa plugin which is mostly in off mode these days.

      Base HSTouch clients are running on XPe (up to 20 these days, and I never have issues with these); one is running on W7E and one on W10 as above. Playing with W8E and I do not really like it. I do not utilize Android / iOS here for HSTouch (I do have clients to play with). Testing wireless tabletops, which work, but I prefer to connect them via Gb / PoE these days.

      I would today prefer to run HSTouch on Linux based hardware but that is still far away (guesstimate).

      While adapting to using the cloud, I prefer today to keep my automation in house with no dependencies on the cloud (that is me).
      - Pete

      Auto mator
      Homeseer 3 Pro - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e 64 bit Intel Haswell CPU 16Gb
      Homeseer Zee2 (Lite) - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e - CherryTrail x5-Z8350 BeeLink 4Gb BT3 Pro
      HS4 Lite - Ubuntu 22.04 / Lenovo Tiny M900 / 32Gb Ram

      HS4 Pro - V4.1.18.1 - Ubuntu 22.04 / Lenovo Tiny M900 / 32Gb Ram
      HSTouch on Intel tabletop tablets (Jogglers) - Asus AIO - Windows 11

      X10, UPB, Zigbee, ZWave and Wifi MQTT automation-Tasmota-Espurna. OmniPro 2, Russound zoned audio, Alexa, Cheaper RFID, W800 and Home Assistant



        #18

        Well, I use a pfSense firewall to protect my network from the outside. I locally serve NTP, RADIUS, DHCP (IPv4/IPv6), VLANs, ACLs, VPN, and DNS from my firewall. I have also implemented active IDS and pfBlocker (on Pete's recommendation) on the firewall to further protect myself from inbound attacks and unauthorized outbound communications. I also host DDNS sync from my firewall to the outside.
        My home network consists of 4 VLANs:
        1. Infrastructure (ACL restricts access to only what is required for operation, with management from my primary PC only and minimal Internet access (updates and licensing); consists of my firewall, managed switch, servers, NAS, and AP),
        2. Internal (personal devices),
        3. Guest (ACL allows Internet access and printing to my printer on port 9100 only),
        4. IoT (local only, blocking peer-to-peer connections where possible; ACL blocks everything except where required from the infrastructure and internal VLANs).
        My wifi is locked down pretty well. I host separate wifis for internal, guest and infrastructure devices. My internal wifi is locked down using WPA2 Enterprise encryption with the RADIUS service hosted on my pfSense firewall. My first network is locked down with a WPA2 pre-shared key and runs during normal hours. My infrastructure wifi is locked down with a WPA2 pre-shared key.
        I was NATing and port forwarding to my specific services for a while. Currently, I am using a VPN service hosted on my pfSense firewall. I want to further simplify my connectivity and see if I can configure a reverse proxy to force SSL encryption on anything I make available from my network to the outside world and to force mutual authentication of my remote connecting device. This would make anything I NAT acceptable only to a device I have loaded a certificate onto.
        The other feature I am really interested in is DirectAccess VPN. It is a proprietary VPN service for Windows 10 / Server Essentials 2016. It is the most seamless remote access system I have seen in some time.


        Last edited by Kerat; April 18, 2017, 01:42 PM.

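The four-VLAN layout and per-VLAN ACL intent in the post above, written down as a default-deny, first-match rule table that can be checked against sample flows before anything is typed into pfSense. This is an added example, not code from the post or from pfSense: the subnets, the firewall address, the printer and the management PC are assumed for illustration, pfSense's own rule syntax is not modelled, and only the initiating direction of each flow is evaluated (return traffic is left to the stateful firewall).

```python
"""First-match inter-VLAN policy check (added example; addressing is assumed)."""
from collections import namedtuple
import ipaddress

Flow = namedtuple("Flow", "src dst proto dport")

# Assumed addressing: one /24 per VLAN.
VLANS = {
    "infra":    ipaddress.ip_network("10.0.10.0/24"),  # firewall, switch, servers, NAS, AP
    "internal": ipaddress.ip_network("10.0.20.0/24"),  # personal devices
    "guest":    ipaddress.ip_network("10.0.30.0/24"),
    "iot":      ipaddress.ip_network("10.0.40.0/24"),
}
FIREWALL = ipaddress.ip_address("10.0.10.1")   # assumed: the local DNS/NTP/DHCP source
PRINTER  = ipaddress.ip_address("10.0.20.50")  # assumed: the one printer guests may use
MGMT_PC  = ipaddress.ip_address("10.0.20.10")  # assumed: the one PC allowed to manage infra

def zone(ip):
    """VLAN name for an address, or 'internet' for anything outside the four VLANs."""
    for name, net in VLANS.items():
        if ip in net:
            return name
    return "internet"

# Rule = (action, src_zone, src_host, dst_zone, dst_host, proto, dport); None is a wildcard.
# Evaluated top-down, first match wins, and the table ends in an explicit default deny.
RULES = [
    # Nothing unsolicited from outside: remote access comes in over the VPN, not port forwards.
    ("deny",  "internet", None,    None,       None,     None,  None),
    # Every VLAN may use the firewall's own resolver and time source.
    ("allow", None,       None,    "infra",    FIREWALL, "udp", 53),
    ("allow", None,       None,    "infra",    FIREWALL, "udp", 123),
    # Infrastructure: may reach IoT and fetch updates/licensing over HTTPS; nothing else outbound.
    ("allow", "infra",    None,    "iot",      None,     None,  None),
    ("allow", "infra",    None,    "internet", None,     "tcp", 443),
    ("deny",  "infra",    None,    None,       None,     None,  None),
    # Guest: Internet plus raw printing (9100/tcp) to the one printer.
    ("allow", "guest",    None,    "internal", PRINTER,  "tcp", 9100),
    ("allow", "guest",    None,    "internet", None,     None,  None),
    ("deny",  "guest",    None,    None,       None,     None,  None),
    # IoT: local only and may not initiate anything, including to its own peers.
    ("deny",  "iot",      None,    None,       None,     None,  None),
    # Internal: manages infra from the primary PC only; otherwise IoT, peers and the Internet.
    ("allow", "internal", MGMT_PC, "infra",    None,     "tcp", None),
    ("allow", "internal", None,    "iot",      None,     None,  None),
    ("allow", "internal", None,    "internal", None,     None,  None),
    ("allow", "internal", None,    "internet", None,     None,  None),
    # Default deny.
    ("deny",  None,       None,    None,       None,     None,  None),
]

def _match(pattern, value):
    return pattern is None or pattern == value

def evaluate(flow):
    """Return (action, index of the first matching rule)."""
    for i, (action, sz, sh, dz, dh, proto, port) in enumerate(RULES):
        if (_match(sz, zone(flow.src)) and _match(sh, flow.src)
                and _match(dz, zone(flow.dst)) and _match(dh, flow.dst)
                and _match(proto, flow.proto) and _match(port, flow.dport)):
            return action, i
    raise RuntimeError("unreachable: the table ends with a default deny")

def check(src, dst, proto, dport):
    """'allow' or 'deny' for a flow given as strings."""
    return evaluate(Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, dport))[0]

if __name__ == "__main__":
    # Constructed flows exercising each VLAN's intent; 203.0.113.0/24 stands in for the Internet.
    for f in [("10.0.30.5", "10.0.20.50", "tcp", 9100), ("10.0.30.5", "10.0.20.50", "tcp", 80),
              ("10.0.40.7", "203.0.113.9", "tcp", 443), ("10.0.40.7", "10.0.40.8", "tcp", 80),
              ("10.0.20.11", "10.0.10.2", "tcp", 22), ("10.0.20.10", "10.0.10.2", "tcp", 22),
              ("203.0.113.9", "10.0.10.1", "udp", 53)]:
        print(f, "->", check(*f))
```

The point of keeping the table in this form is that rule order is the policy: the per-zone deny lines must sit after that zone's allows but before any broader allow, and the one check that catches an ordering mistake is running the constructed flows after every change.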


          #19
          @Kerat,

          What are you using for the in house NTP stuff?

          Here I switched from an old Trimble (that was meant for use in a tank) in the early 2000's to a Sure GPS with PPS and a serial connection over to the pfSense box.

          There is a work endeavor involved in my use of the GPS for time sync. Personally I didn't like the accuracy of the routers / switches on the enterprise network at United Airlines, such that I switched the time sync to an old Trimble GPS. The DNS folks liked the mechanism and then put the DNS servers on the same time syncing. I used an old antenna cable that went to the basement of HQ, and climbed on the roof and put the GPS antenna on the elevator hut in the main building there. I had been working on a flight vectoring application update that used GPSs / time syncing at major global airline hubs. I was totally impressed with the GPS (used for Catia flight vectoring software), which had its own room at an airport and looked much like a 1955 Cadillac with much chrome to it (well, and thousands of dollars at the time).
          Last edited by Pete; April 19, 2017, 08:36 AM.
          - Pete




            #20
            Originally posted by Pete:
            @Kerat,

            What are you using for the in house NTP stuff?

            Here I switched from an old Trimble (that was meant for use in a tank) in the early 2000's to a Sure GPS with PPS and a serial connection over to the pfSense box.



            That sounds very precise. I am nowhere near that accurate. I was wondering what I could do with the serial interface setting in the package UI. Currently, I run the NTP time package on pfSense. I reference 3 NIST NTP servers (Maryland, Boulder CO, and Oregon).
            I always host my own NTP service at home and at work. It all started when I first started in healthcare IT in FL. I worked in a rinky-dink small hospital in the middle of nowhere. I had users who would complain about the time on their desktop taskbars and wall clocks not being in sync. This caused problems for them when they would try to chart times and note times for events: it was off computer to computer and application to application, sometimes by more than 15 minutes. It was the first time I had ever seen the variance be that far off.
            Additionally, this added to my headaches when capturing log information, or performing diagnostics and access and activity tracking.
            I ended up standing up an NTP service on one of my monitoring servers, pointed it to NIST's public NTP servers, and configured our primary firewall, switches, domain controllers, APs, AP controller, NAS, member servers and client PCs to request time from my local NTP server instead. This made a big impact on the end users and their reliance on the systems for their charting. Additionally, I found it invaluable when performing activity logging, diagnostic work, managing AAA, and making automated changes to ACLs.
            Now all my network equipment and systems point to my local NTP server.





              #21
              I was wondering what I could do with the serial interface setting in the package UI. Currently, I run the NTP time package on PFSense. I reference 3 NIST NTP servers (Maryland, Boulder CO, and Oregon).

              Yes, here I used WWV in Fort Collins, CO to sync up my radios in the 1960's. Only then I had to wait until the tubes were warm. Very antiquated, and it all had to do with accurate time on the radios (transmitting and receiving).

              Fast forward to the 1990's: I started to tinker with GPSs. Read about time accuracy relating to using a GPS. I had a hand-held device but always used it, so I purchased surplus Trimble GPS devices that were used in tanks. These were totally sealed with just an antenna port and two RS-232 interfaces for two GPSs (more accurate at the time).

              Just DIY'd a home GPS / NTP server. I did put a large GPS antenna (boat style) on my roof at the time.

              Then for work in the early 2000's I didn't like what I saw relating to using the internet for our global enterprise network. I was working on another project relating to Catia (sp?) flight vectoring software (Unix) which used GPS for time and vector accuracy. I was in awe relating to the GPS, which looked like a 1955 Cadillac with a lot of chrome, and it had its own room at the airports. (BTW, I also got involved in satellite air-to-air tracking and air-to-ground tracking stuff - testing some stuff.)

              Concurrent to said endeavor I built an NTP server in the server room at HQ at the time, using old microwave antenna cable coming from the roof of a 3-story building down to the server room, which was some 40 feet below ground level. I used an inline amplifier and the old Trimble GPSs. Worked great. I personally climbed on top of the elevator shaft on top of the building and installed the DIY'd (another boat-style GPS) antenna in the middle of winter on a very cold day. Here all I wanted was to see a good signal, and I did with the amplifier in place.

              I was already using an NTP / GPS server at home and just moved it to the pfSense firewall serial port using a cat5e / serial balun from the attic to the basement.

              I wrote about it on Cocoontech a couple of years ago here ==>

              Anyone using PFSense as a firewall?



              Best to use a GPS with a serial port and grab the PPS signal on the same serial wires for more accuracy. It is small, and today Sure sells an updated GPS board. Testing it today in the basement instead of the attic, with the little GPS antenna near a window, and it works great!

              The Sure GPS has built in Bluetooth (which I shut off), USB and serial ports on it. USB is for power and connectivity to the board.

              Read about modifying the Sure Electronics GPS board here:

              Timekeeping with the Sure GPS evaluation board

              It is just one wire you have to solder in to place.




              I do look at internet NTP servers but do not utilize them with PFSense.

              When I click on the Google link, it is accurate to which window in the house the GPS antenna is at.


              I also utilize one of these NTP servers (with another SMS card in it) - 2 of these (4 SMS cards) - used for my personal geotracking.

              Nexus Hawk

              Last edited by Pete; May 16, 2017, 10:07 AM.
              - Pete


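The client-side half of what Kerat (post #20, a local NTP server that every device trusts) and Pete (post #21, a GPS/PPS-disciplined stratum-1 source) describe above, as an added example that is not code from either post, from pfSense or from the ntpd package: it builds a constructed 48-byte NTP v4 server reply of the kind a GPS-disciplined stratum-1 server sends (reference ID "GPS"), parses it the way a client does, applies the RFC 5905 sanity checks a client should make before trusting a reply, and carries the four-timestamp offset and round-trip-delay formulas through. All timestamps are invented and nothing is sent on the network.

```python
"""NTP (RFC 5905) reply parsing, sanity checks and clock-offset math (added example)."""
import struct

NTP_DELTA = 2208988800          # seconds from 1900-01-01 (NTP era 0) to the Unix epoch
_PACKET = "!BBBbiI4s8I"         # LI/VN/mode, stratum, poll, precision, root delay, root
                                # dispersion, refid, then ref/orig/recv/xmit as (sec, frac) pairs
MODE_SERVER = 4

def to_ntp(unix_time):
    """Unix float seconds -> 32-bit seconds plus 32-bit fraction, both since 1900."""
    whole = int(unix_time)
    frac = int(round((unix_time - whole) * 2**32)) & 0xFFFFFFFF
    return whole + NTP_DELTA, frac

def from_ntp(sec, frac):
    return sec - NTP_DELTA + frac / 2**32

def build_server_reply(stratum, refid, t1, t2, t3, leap=0, version=4):
    """Constructed reply: client's T1 echoed as 'originate', T2 'receive', T3 'transmit'."""
    first = (leap << 6) | (version << 3) | MODE_SERVER
    return struct.pack(_PACKET, first, stratum, 6, -20, 0, 0, refid.ljust(4, b"\0"),
                       *to_ntp(t3), *to_ntp(t1), *to_ntp(t2), *to_ntp(t3))

def parse_reply(data):
    if len(data) < 48:
        raise ValueError("short NTP packet")
    (first, stratum, poll, precision, rdelay, rdisp, refid,
     _rs, _rf, t1s, t1f, t2s, t2f, t3s, t3f) = struct.unpack(_PACKET, data[:48])
    # Stratum 0/1 carry a 4-character ASCII code (b"GPS\0", b"PPS\0", kiss codes like b"RATE");
    # higher strata carry the IPv4 address of the server they are synced to.
    if stratum <= 1:
        refid_text = refid.rstrip(b"\0").decode("ascii", "replace")
    else:
        refid_text = ".".join(str(b) for b in refid)
    return {
        "leap": first >> 6, "version": (first >> 3) & 7, "mode": first & 7,
        "stratum": stratum, "poll": poll, "precision": precision, "refid": refid_text,
        "root_delay": rdelay / 2**16, "root_dispersion": rdisp / 2**16,
        "t1": from_ntp(t1s, t1f), "t2": from_ntp(t2s, t2f), "t3": from_ntp(t3s, t3f),
    }

def reject_reason(reply, sent_t1):
    """Checks a client applies before using a reply; None means the reply is usable."""
    if reply["mode"] != MODE_SERVER:
        return "not a server reply"
    if reply["leap"] == 3:
        return "server clock not synchronized"
    if reply["stratum"] == 0:
        return "kiss-o'-death / unspecified"
    if reply["stratum"] > 15:
        return "invalid stratum"
    # The originate field must echo the T1 we sent; a mismatch is a stale or spoofed reply.
    # Tolerance covers float rounding through the 32-bit fraction, not genuine skew.
    if abs(reply["t1"] - sent_t1) > 1e-5:
        return "originate timestamp mismatch (stale or spoofed reply)"
    return None

def clock_offset(t1, t2, t3, t4):
    """RFC 5905: offset of the server clock relative to ours, and round-trip delay."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay

if __name__ == "__main__":
    # Invented timestamps with binary-exact fractions so the arithmetic is exact.
    T1, T2, T3, T4 = 1700000000.0, 1700000000.25, 1700000000.375, 1700000000.5
    reply = parse_reply(build_server_reply(1, b"GPS", T1, T2, T3))
    print(reply["stratum"], reply["refid"], reject_reason(reply, T1))
    print(clock_offset(reply["t1"], reply["t2"], reply["t3"], T4))   # (0.0625, 0.375)
```

Two things worth noting against the posts: a stratum-1 reply carries its clock source in the reference ID, so a client can see that Pete's pfSense box is disciplined by "GPS" rather than by another server, and the originate-timestamp check is the cheap defence against an off-path attacker blindly injecting replies toward a client that is listening on UDP 123.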
