Following on from the infrastructure post, which sets out most of the physical side, this will cover some of the software that powers the network. In general, most of these are not required, but running them gives a lot more control.
I will cover the services in general and may expand on them at a later date.
Most routers have some level of protection nowadays; even Windows has a firewall built in. The biggest problem in my opinion is getting the settings right. For example, a consumer router has to balance convenience with security, which rarely go hand in hand.
In my case, the Ubiquiti Unifi Controller has basic rules which are configurable, from port forwarding to inter-VLAN settings.
DNS converts a friendly name to an IP address, which is then used to locate the resource, such as a server. This gives a lot of visibility and power, given that more or less everything uses domain names. More details on what Pi-hole does can be found here.
A competitor I looked into and discounted was AdGuard, but it does not support groups.
The benefits of Pi-hole, which apply to the whole network, include:
I have posted more detail on Pi-hole here.
The ability to tie devices to users and manage their access is like having a password manager for your logins. This means that regardless of what the device is, the network will know who it is and provide the required access. If the device changes, provide it with the same credentials and all the access is already defined.
Ubiquiti doesn’t have anything near the level of detail and control for Network Access Control (NAC) that I would like, but it does provide the basics, including a built-in RADIUS server. This allows things like a computer to apply relevant profiles depending on who logs into it, whether it’s a guest, a child or someone else.
Viewing data in a meaningful way across the IT estate gives a holistic view of what is going on. For example, how do you know an intruder hasn’t tapped your electricity supply if you don’t know what your normal usage is? This is still a newer area I have started looking into, and one key barrier is integration. Fortunately, Ubiquiti Unifi has APIs that can feed data into Grafana. This helped diagnose a connectivity issue where a device was roaming between access points more than usual, causing connectivity and latency issues.
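The roaming problem above is a good candidate for a simple rule over association data: count how many times a client changes access point within a short window and flag anything above a threshold. The following is an added example of that check, not code from this post or from Ubiquiti. It runs over a constructed list of (timestamp, client MAC, AP name) events, which is a simplified stand-in for whatever the Unifi API or Grafana datasource actually returns; the window and threshold are assumed values to tune for your own network.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the shape of a simplified client-association
# log: (timestamp, client MAC, access point name). Not real Unifi output.
SAMPLE_EVENTS = [
    ("2021-03-01T09:00:00", "aa:bb:cc:dd:ee:01", "ap-lounge"),
    ("2021-03-01T09:03:00", "aa:bb:cc:dd:ee:01", "ap-kitchen"),
    ("2021-03-01T09:05:00", "aa:bb:cc:dd:ee:01", "ap-lounge"),
    ("2021-03-01T09:08:00", "aa:bb:cc:dd:ee:01", "ap-kitchen"),
    ("2021-03-01T09:09:00", "aa:bb:cc:dd:ee:01", "ap-lounge"),
    ("2021-03-01T09:00:00", "aa:bb:cc:dd:ee:02", "ap-office"),
    ("2021-03-01T12:00:00", "aa:bb:cc:dd:ee:02", "ap-lounge"),
    ("2021-03-01T09:02:00", "aa:bb:cc:dd:ee:03", "ap-office"),
    # Re-association to the same AP is not a roam and must not be counted.
    ("2021-03-01T09:02:30", "aa:bb:cc:dd:ee:03", "ap-office"),
]


def parse_events(events):
    """Group events per client and sort each client's history by time."""
    per_client = defaultdict(list)
    for ts, mac, ap in events:
        per_client[mac].append((datetime.fromisoformat(ts), ap))
    for mac in per_client:
        per_client[mac].sort()
    return per_client


def roam_transitions(history):
    """Timestamps at which the client associated to a different AP than before."""
    transitions = []
    prev_ap = None
    for ts, ap in history:
        if prev_ap is not None and ap != prev_ap:
            transitions.append(ts)
        prev_ap = ap
    return transitions


def max_roams_in_window(transitions, window):
    """Largest number of transitions that fall inside any span of length `window`.

    Sliding window over the sorted transition timestamps: advance `start`
    whenever the span from start to end exceeds the window.
    """
    best = 0
    start = 0
    for end in range(len(transitions)):
        while transitions[end] - transitions[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_excessive_roaming(events, window=timedelta(minutes=10), threshold=3):
    """Return {mac: peak_roams} for clients whose roam count in any window reaches threshold."""
    flagged = {}
    for mac, history in parse_events(events).items():
        peak = max_roams_in_window(roam_transitions(history), window)
        if peak >= threshold:
            flagged[mac] = peak
    return flagged


if __name__ == "__main__":
    for mac, peak in flag_excessive_roaming(SAMPLE_EVENTS).items():
        print(f"{mac}: {peak} AP changes within 10 minutes")
```

Only the first client is flagged: it bounces between two access points four times in six minutes, while the second client moves once in three hours and the third only re-associates to the same AP. A flag like this is a prompt to look at signal overlap or a minimum-RSSI setting rather than a fault in itself.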
Automating monitoring so that alerts fire when certain events occur or thresholds are crossed is important. Done right, you will only be interrupted when your attention is needed, and monitoring lets you see and trace what has not gone the way it should.
The first example of this is when your Internet goes down. If I was not at home (ah, pre-2020) then I could tell, before I left the office, whether I could take work home or not.
The second example is checking whether automated backups have run or not.
For the second example a “dead man's switch” is required: if it has not received a check-in within a given time, it sends an alert. I’m using Dead Man’s Snitch and Pushmon.
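To make the dead man's switch idea concrete, here is an added example of the monitor side, written for this post and not the API or behaviour of Dead Man's Snitch or Pushmon. Each job is registered with an expected check-in interval and a grace period; the job calls `checkin` when it finishes successfully, and the monitor reports any job whose last check-in (or registration, if it has never checked in) plus interval plus grace is already in the past. The `Snitch` and `Monitor` names and the constructed timeline are assumptions for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Snitch:
    """One monitored job (hypothetical structure, not a real service's model)."""
    name: str
    interval: timedelta          # how often the job is expected to check in
    grace: timedelta             # extra time allowed before alerting
    created_at: datetime         # used as the anchor until the first check-in
    last_checkin: Optional[datetime] = None


@dataclass
class Monitor:
    """Dead man's switch: alerts on jobs that stop checking in."""
    snitches: Dict[str, Snitch] = field(default_factory=dict)

    def register(self, name, interval, grace, now):
        self.snitches[name] = Snitch(name, interval, grace, created_at=now)

    def checkin(self, name, now):
        """Called by the job itself, e.g. as the last step of a successful backup."""
        if name not in self.snitches:
            raise KeyError(f"unknown snitch: {name}")
        self.snitches[name].last_checkin = now

    def overdue(self, now) -> List[str]:
        """Names of jobs whose deadline (anchor + interval + grace) has passed.

        A job that has never checked in is anchored at registration time, so a
        backup that never ran at all is still caught.
        """
        late = []
        for s in self.snitches.values():
            anchor = s.last_checkin or s.created_at
            deadline = anchor + s.interval + s.grace
            if now > deadline:
                late.append(s.name)
        return sorted(late)


def simulate():
    """Constructed timeline: the nightly backup checks in once, then goes silent."""
    t0 = datetime(2021, 3, 1, 2, 0)
    m = Monitor()
    m.register("nightly-backup", timedelta(days=1), timedelta(hours=2), now=t0)
    m.register("weekly-offsite", timedelta(days=7), timedelta(hours=12), now=t0)
    m.checkin("nightly-backup", now=t0 + timedelta(hours=1))
    # 25h after the check-in: still inside the 24h interval + 2h grace.
    ok = m.overdue(t0 + timedelta(hours=26))
    # 27h after the check-in: the nightly job missed its window; weekly is not yet due.
    late = m.overdue(t0 + timedelta(hours=28))
    return ok, late


if __name__ == "__main__":
    ok, late = simulate()
    print("overdue at +26h:", ok)      # []
    print("overdue at +28h:", late)    # ['nightly-backup']
```

The important design point is that the job only ever reports success; silence, for whatever reason (the machine is off, the script crashed, the network was down), is what triggers the alert, which is exactly the failure mode a normal "send an email on error" approach misses.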
A few improvements I would love to add include:
Jotting all the above down, it seems like a lot. Maintaining all the services should be on my list of to-dos to make sure I get the value out of everything. I hope this gives some insights and sets up some future content for this site as well.