Richard Gunstone - Blog



Home firewall optimisation for WFH (Misc)

As I am currently a home worker due to Covid-19, I’ve become increasingly interested in how I can create a rock-solid networking environment for my corporate ICT equipment – free from interference, network contention, and similar. The idea of everything co-existing on a relatively flat network provided by a fairly cheap ISP broadband router quickly lost its appeal, and I started to think about how I could create a more enterprise-class network.

I've achieved this using fairly standard kit:

Now that my broadband appears to be stable (it’s been stable since lunchtime using the Draytek 130 I talked about in my previous blog post – very pleased to say the least), my time working in my Juniper firewall’s configuration pages reminded me that I wanted to write up how I’ve approached configuring my home firewall, in case it is of use to others, and also to reflect on some broader home network desirables.

In a typical home there are lots of device types, and from my point of view they can be lumped together into broad types.

In common with other firewalls, Junipers can isolate individual ports, creating security zones. This is easily achievable from the Juniper configuration wizard. On top of that, the inter-zone communication policy can also be defined, both between the zones defined for an internal network and for the Internet (WAN) zone.

In the above scheme, my approach has been to fan out as many IoT ports as possible, to divide the other groups into ports for each type (PERS and CORP), and then to switch downstream of those ports. No two ports on the Juniper can communicate with one another; the only communication paths supported are between each defined zone and the WAN.

IoT devices are connected on a one-to-one basis into the corresponding IoT port. The rationale here is that, as a general observation, IoT devices have significantly weaker security regimes, and in the event of compromise or malfunction each one is siloed away from the others. Additionally, I segment VoIP telephony onto its own port to avoid contention/performance issues.

Segmentation obviously has benefits in preventing traffic from reaching other parts of the network, which can help contain malicious code or threat actors. A flat network provides all the incentive needed for an actor to move laterally across a wide range of devices. A further benefit of segmentation is enhanced performance. Rather than heap all the home network traffic onto a consumer-grade broadband router, including broadcast traffic spilling across all devices, it’s possible to distribute load across a variety of devices, reduce broadcast traffic, and improve performance overall.

The final benefit of segmenting ports at the firewall in this way is the opportunity to create traffic management policies to cap data rates and potentially introduce a level of Quality of Service (QoS). It is fairly easy to rate-cap ports on enterprise firewalls, and this provides a useful way of controlling contention for the broadband connection itself.
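The per-port zones, zone-to-WAN-only policy and rate cap described above, as an added illustrative Junos SRX configuration fragment (not the author's own configuration). Interface numbers, zone names and the 5 Mbps cap are assumed placeholders, and the firewall is assumed to be the DHCP server for each inside zone.

```junos
## Added example, not from the original post. One security zone per physical port
## (placeholder interface names); ge-0/0/0 faces the broadband router.
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone corp interfaces ge-0/0/1.0
set security zones security-zone pers interfaces ge-0/0/2.0
set security zones security-zone voip interfaces ge-0/0/3.0
set security zones security-zone iot1 interfaces ge-0/0/4.0
set security zones security-zone iot2 interfaces ge-0/0/5.0

## Assumed: the SRX hands out addresses, so each inside zone must accept DHCP
## towards the firewall itself (host-inbound-traffic is separate from policy).
set security zones security-zone corp host-inbound-traffic system-services dhcp
set security zones security-zone pers host-inbound-traffic system-services dhcp
set security zones security-zone voip host-inbound-traffic system-services dhcp
set security zones security-zone iot1 host-inbound-traffic system-services dhcp
set security zones security-zone iot2 host-inbound-traffic system-services dhcp

## The only permitted paths are zone -> WAN. No from-zone X to-zone Y policy
## exists between inside zones, so iot1 <-> iot2 and pers <-> corp never match.
set security policies from-zone corp to-zone untrust policy corp-out match source-address any destination-address any application any
set security policies from-zone corp to-zone untrust policy corp-out then permit
set security policies from-zone pers to-zone untrust policy pers-out match source-address any destination-address any application any
set security policies from-zone pers to-zone untrust policy pers-out then permit
set security policies from-zone voip to-zone untrust policy voip-out match source-address any destination-address any application any
set security policies from-zone voip to-zone untrust policy voip-out then permit
set security policies from-zone iot1 to-zone untrust policy iot1-out match source-address any destination-address any application any
set security policies from-zone iot1 to-zone untrust policy iot1-out then permit
set security policies from-zone iot2 to-zone untrust policy iot2-out match source-address any destination-address any application any
set security policies from-zone iot2 to-zone untrust policy iot2-out then permit

## Everything not explicitly permitted above (including untrust -> any inside
## zone and all inside-to-inside traffic) is dropped.
set security policies default-policy deny-all

## Rate cap for one IoT port: a 5 Mbps policer (assumed figure) applied to
## traffic entering the firewall from that port, limiting its share of the
## broadband uplink.
set firewall policer iot-cap if-exceeding bandwidth-limit 5m
set firewall policer iot-cap if-exceeding burst-size-limit 625k
set firewall policer iot-cap then discard
set interfaces ge-0/0/4 unit 0 family inet policer input iot-cap
```

Interface addressing, the DHCP server pools and the source NAT rule-set that lets inside zones reach the WAN are omitted for brevity; without the NAT rule-set the permit policies alone will not give Internet access.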

Other benefits are the ability to segment DMZ services from the outside world, port mirroring for IDS, and redirecting DNS requests to a security-filtering DNS server, to name a few.

I’ll try to write some more in the future about specific Junos configuration settings.

The take-home messages from this and my previous blog post are along the following lines:

The downside is that all of the above involves a not-insignificant amount of technical knowledge and interest.

November 25, 2020