
Resolved
0 votes
So, in general, I am a home user and want to completely secure my network, or at least make it tighter and harder to hack than a standard home network, even when a user has done something stupid or been tricked, for example into installing malware or a reverse shell that could have been executed from a PDF file or from the Microsoft Office Suite, like Word, etc.

I have recently seen this type of corporate network and think it is very secure:

(VLAN's with Private IP -> 10.0.X.X) ---> (Proxy/Different Servers) --> <--- (Internet)

It will be hard to explain as the network is kind of complex but here it goes:

The computers in such a network have shared network resources, which are file shares as well as printers, available to use, and each computer has a private local IP address, but they can't touch each other, and it's not possible, or rather hard, to even infect them. However, when a website is pinged, it only receives a DNS address back, through hopping across different internal addresses (10.0.X.X), which I presume are the different machines in the local network set up with a DNS server and NAT to access the outside world (?), but the packets themselves don't reach the internet directly from the computer which tried to ping the website. Now, when such a computer with a local IP address and no internet access at all wants to access the outside world, it goes through a Proxy/Server which caches content for all the local computers and passes it back to them. Now, when a reverse shell, or in fact any type of virus/malware which needs to call home, is executed, it cannot spread across the network or even connect back to the C&C server (Command and Control Server), as there is no internet on such computers, except via the Proxy/Server which caches web content and pushes it back to the local network.

Is it possible to set up a similar type of network with ClearOS, or is it too complex to do in a home environment and I should look for another solution?
In Gateway
Saturday, February 25 2017, 01:56 PM
Responses (2)
  • Accepted Answer

    Saturday, February 25 2017, 06:23 PM
    Resolved
    0 votes
    There may be a slightly alternative solution to VLANs; I expect there would be a performance hit and I don't know how it plays with the proxy. OpenVPN can be configured to work in a LAN. More usually this would be to secure wireless comms, but it can be used for wired comms as well. I believe you have to add "redirect-gateway local" to the configs. See the manual here. By default OpenVPN does not allow communication between clients. You would have to test it out and there is probably quite an encryption overhead. It is just a thought.

    Normally the users would have to log into OpenVPN, but this can be bypassed if you want automatic login.
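As an added example (not from this reply, and not ClearOS or OpenVPN project code), the following POSIX shell script writes an OpenVPN server configuration with the two properties the reply relies on: no `client-to-client` line, so OpenVPN itself never relays traffic between clients, and `redirect-gateway local def1` pushed to clients, so their default route goes to the VPN server even though server and clients share the same LAN segment. Certificate-only authentication (no `auth-user-pass-verify` or auth plugin) is what gives the automatic login the reply mentions. The port, the VPN pool 10.8.0.0/24, the certificate file names and the output path are assumptions; the two check functions at the end are the review a defender would run on any server.conf before deploying it.

```shell
#!/bin/sh
# Added example, not from the thread: emit an OpenVPN server config for a VPN
# running *inside* the LAN. All names, addresses and paths below are assumptions.

OUT="${OUT:-${TMPDIR:-/tmp}/lan-vpn-server.conf}"   # assumed output path

openvpn_server_conf() {
  cat <<'EOF'
# LAN-internal OpenVPN server: clients isolated, all client traffic via the server
port 1194
proto udp
dev tun
ca   ca.crt
cert server.crt
key  server.key
dh   dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
# "local": server and clients sit on the same physical subnet (the LAN).
# "def1": add two /1 routes instead of replacing the client's default route.
push "redirect-gateway local def1"
push "dhcp-option DNS 10.8.0.1"
# Deliberately NO "client-to-client": OpenVPN then does not forward traffic
# between clients internally; such packets reach the server's tun interface,
# where the host firewall can drop them (see note below the script).
keepalive 10 120
persist-key
persist-tun
# No auth-user-pass-verify / auth plugin: certificate-only authentication,
# so clients connect without a username/password prompt ("automatic login").
EOF
}

# Write the config to $OUT and print the path it was written to.
write_conf() { openvpn_server_conf > "$OUT" && printf '%s\n' "$OUT"; }

# Return 0 when the file keeps clients isolated (no client-to-client directive).
has_client_isolation() { ! grep -q '^client-to-client' "$1"; }

# Return 0 when the file pushes the LAN-style full-tunnel redirect.
has_local_redirect() { grep -q '^push "redirect-gateway local' "$1"; }
```

One caveat the reply's "by default OpenVPN does not allow communication between clients" glosses over: without `client-to-client`, a packet from one client addressed to another still arrives on the server's tun interface, and if IP forwarding is enabled the kernel will happily route it straight back out the same interface to the other client. The isolation is only enforced if the server also drops tun-to-tun forwarding, e.g. `iptables -A FORWARD -i tun0 -o tun0 -j DROP`.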
  • Accepted Answer

    Saturday, February 25 2017, 04:29 PM
    Resolved
    0 votes
    Presently that is hard to do with ClearOS unless you drop to the command line, because ClearOS, by default, will trust routes from LAN networks to other LAN networks. I suppose you could set up a bunch of HotLAN interfaces (are they firewalled against each other?? gotta ask Darryl), but then services on ClearOS will be shut down for the users unless your server is in front of this user conglomeration... Lots of command line stuff here, because this isn't the security paradigm of ClearOS.

    As for the proxy server, shared proxy servers usually mean that there are methods for surfing back along the channel, unless you secure that as well. Loads of work, but sounds interesting.

    You can shut down all access to the internet already with ClearOS using the egress firewall and then force all users to use the proxy server. So that is how you would/could do that piece.
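The egress firewall plus forced proxy in this reply's last paragraph is the piece that makes the design in the question work (clients with private addresses, no direct internet, only the caching proxy talks outside), so here it is as an added example in plain iptables. This is not ClearOS's own firewall configuration, and ClearOS's firewall manager may overwrite rules added by hand, which is the "command line stuff" the reply warns about. The interface names eth1.10 and eth1.20 (one 802.1Q sub-interface per user VLAN), the proxy port 3128 and the assumption that the caching proxy and DNS resolver run on the gateway itself are all mine, not from the thread. The script only prints the rules unless `APPLY=1` is set, so it can be reviewed first.

```shell
#!/bin/sh
# Added example, not ClearOS's firewall code: print (or apply) plain iptables
# rules for the "no direct internet, proxy only" design from the question.
# Interface names, the VLAN list and the proxy port are assumptions.

LAN_IFS="${LAN_IFS:-eth1.10 eth1.20}"   # one 802.1Q sub-interface per user VLAN
PROXY_PORT="${PROXY_PORT:-3128}"        # web proxy listening on the gateway itself

# Emit the rule set to stdout; nothing is applied here.
egress_rules() {
  cat <<EOF
# Default: the gateway forwards nothing. Clients therefore cannot reach the
# internet or another VLAN directly. The gateway's own outbound traffic (the
# proxy fetching pages, the resolver querying upstream) uses the OUTPUT chain,
# which is left at its default ACCEPT; its replies match the INPUT rule below.
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
  for vlan in $LAN_IFS; do
    cat <<EOF
# $vlan: clients may talk to the gateway only for DNS and the proxy.
iptables -A INPUT -i $vlan -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $vlan -p tcp --dport $PROXY_PORT -j ACCEPT
iptables -A INPUT -i $vlan -m limit --limit 5/min -j LOG --log-prefix "LAN-DENY $vlan: "
iptables -A INPUT -i $vlan -j DROP
# Anything a client tries to send past the gateway directly (a malware beacon
# to an outside host, a hop into another VLAN) is logged, then dropped. Those
# log lines are the detection signal: a healthy client should never produce one.
iptables -A FORWARD -i $vlan -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DENY $vlan: "
iptables -A FORWARD -i $vlan -j DROP
EOF
  done
}

# Number of iptables commands in the rule set (comment lines excluded).
rule_count() { egress_rules | grep -c '^iptables'; }

# Dry run by default; pass APPLY=1 to feed the commands to the shell.
apply_rules() {
  if [ "${APPLY:-0}" = "1" ]; then egress_rules | sh; else egress_rules; fi
}
```

Because the FORWARD policy is DROP and no rule forwards anything from a user VLAN, the inter-VLAN reachability the reply says ClearOS trusts by default is closed along with direct internet access; a client that tries to reach another VLAN or an outside address shows up as an `EGRESS-DENY` line in the kernel log, which is exactly what you want to alert on. The `-m limit` on the LOG rules keeps a beaconing host from flooding the log.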