
Home Network Security

Good Day,

I want to open up ports to my home network to run internal services, but I would like to put a filter in place so that only certain TCP/IP addresses or domains can use them.

My router is a new ASUS and allows limited IP filtering, but I would like something better.

Does anyone know of a free/cheap solution to this? I run Linux and Windows systems and also a small VM server.

Julian Haines

Dr. Klahn, Principal Software Engineer, commented:

> so that only certain TCP-IP or Domains can use

Limit the IP addresses that will be accepted -- that's certainly possible and not difficult. Limit the domains that will be accepted -- that's nearly impossible, because it's not easy to go backward from an IP address (which is all you have on an incoming connection) to a domain name; some IP addresses at hosting companies have several hundred domains sitting on them.

A cheap way to do this is to buy a used WRT54G off fleabay, install DD-WRT on it, then set up port forwarding on the WRT54G as desired. Put the cable modem in bridge mode and install the WRT54G between the network modem and the LAN.

noci, Software Engineer, commented:

The TCP/IP (or rather IP) network only works with IP addresses; domain names are completely irrelevant.
Domain names are a bolted-on solution to help humans cope better with accessing servers. (We are better at using name tags for everything than at numbering them, possibly with the exception of Kurt Gödel.)
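To make the "limit the IP addresses" part of the advice above concrete, here is an added example that is not from any of the commenters: a source-address allowlist for forwarded ports, evaluated in Python and rendered as an nftables ruleset. The networks and ports are constructed placeholders (documentation ranges), not values from the thread; note that only the source IP is consulted, because the domain a client came from is not available on an inbound connection.

```python
import ipaddress
from typing import Iterable

# Constructed policy (assumption, not from the thread): which remote
# networks may reach which forwarded ports on the home LAN.
ALLOWED_SOURCES = {
    "203.0.113.0/24",   # e.g. an office network (TEST-NET-3 documentation range)
    "198.51.100.7/32",  # e.g. a friend's static address (TEST-NET-2)
}
FORWARDED_PORTS = {22, 443}


def is_allowed(src_ip: str, dst_port: int,
               allowed: Iterable[str] = ALLOWED_SOURCES,
               ports: Iterable[int] = FORWARDED_PORTS) -> bool:
    """Decision a source-IP filter in front of the port forwards would make.
    Only the address is consulted: an inbound TCP connection carries no
    domain name, so names cannot be part of the rule (reverse DNS is not
    authoritative and one address may host hundreds of names)."""
    ip = ipaddress.ip_address(src_ip)
    if dst_port not in set(ports):
        return False
    # `in` returns False for a family mismatch (IPv6 client vs IPv4 network)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in allowed)


def nft_ruleset(allowed: Iterable[str], ports: Iterable[int]) -> str:
    """Render the same policy as an nftables ruleset for the forward hook,
    loadable with `nft -f`. Default policy is drop, so anything not on the
    allowlist never reaches the forwarded services."""
    nets = ", ".join(sorted(allowed, key=lambda n: ipaddress.ip_network(n, strict=False)))
    plist = ", ".join(str(p) for p in sorted(ports))
    return "\n".join([
        "table inet homefilter {",
        "  set allowed_src { type ipv4_addr; flags interval;",
        f"    elements = {{ {nets} }} }}",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f"    ip saddr @allowed_src tcp dport {{ {plist} }} ct state new accept",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    print(nft_ruleset(ALLOWED_SOURCES, FORWARDED_PORTS))
```

The generated ruleset belongs on a Linux box sitting between the modem and the LAN (the role the WRT54G plays in the advice above); replies to established flows are accepted so the allowed clients' return traffic is not dropped.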

So filtering on names would be prohibitive (and too easy to defeat anyway) for many connections, e.g. from shared hosting services to outside services.

From the previous advice: the WRT54G can only do 100Mbps, so if your internet connection is faster you need something different. Look on the DD-WRT / LEDE website for a router compatible with your connection.

bbao, IT Consultant, commented:

> domain names are completely irrelevant.

Agree with noci, though I guess it might be something like a typo by the author.

Nowadays, outgoing domain filtering is very common for home routers, but here the requirement is actually for incoming domain filtering, which is very rare for home routers and even for enterprise routers, because it needs reverse DNS lookups and sometimes the result might be inaccurate.

In reality, the most common incoming domain filtering is for email services, such as SMTP reverse lookup and SPF.

Your way of forwarding to internal services may work well, but it does expose a number of ports to the Internet, hence any host on the Internet can run a port scanner, discover the ports and even identify the services behind them. It could be a security risk if you do have valuable assets (e.g. banking documents) and sensitive private info (e.g. personal video footage) behind the services. The more ports opened to the Internet, the more chances at risk.

A common practice is to reduce the attack surface to the minimum level. Enabling a VPN is one of the best practices, as it only exposes one or a few ports to the Internet and it also enforces peer-to-peer encryption, so no one on the Internet can see your traffic content.

Of course, you do need a VPN-server-enabled router for this. IPSec VPN is recommended.

Hope it helps,
