Answer the question
In order to leave comments, you need to log in
How to protect your home network from hacking?
Question for the paranoid.
I have a friend with a desire to protect his PC and home network from hacking and theft of critical data.
Since the computer is at home, he uses the Internet on it, he does not play games. I offered him a number of measures:
1) a hypervisor on the main machine, two virtual machines on it - for working with critical data and for Internet users. It is also possible a third control virtual machine (monitoring, checking, etc.)
2) at the input from the provider, two serial routers of different models (with a packet filter or if there is enough statefull fw)
3) for the hypervisor, allow only updates, for a virtual machine with critical data - a white list, for a virtual machine with internetics - anything (well, of course, established for entry).
4) with one of the virtual machines or the hypervisor, we check the md5 crown for the firmware and configs of both routers, compare with the standard.
5) We also check the hashes of the hypervisor binaries.
What else would you recommend?
Answer the question
In order to leave comments, you need to log in
Ideally - a working machine, and a small home server with a hypervisor.
The most basic principle that is underestimated is not to work with full rights.
On critical machines, we set up a limited account, install the necessary software, set up a software restriction policy, nothing more - all ports are closed except those explicitly allowed, the machine is behind NAT. If round-the-clock work with this data is not required, we turn off the virtual machine when not needed. Access via RDP/VNC from a working machine with limited rights. It's secure, it's impenetrable. If the Internet is not needed when working with critical data, we generally prohibit access to the Internet.
at the input from the provider, two serial routers of different modelsWhat for? Enough of the same Mikrotik, the main thing is that it is controlled by you, and not by the provider.
You can't protect yourself from burglary. You can only reduce the risks. Security can be upgraded endlessly, down to an isolated island with machine gunners around the perimeter and weapons of mass destruction. Security costs should not exceed the value of the protected.
We need to figure out what we protect and what is the budget. Maybe it would be easier not to have protected data at all and / or not to use anything more complicated than a microwave oven? Or will a separate computer without an Internet connection and a network with an encrypted file system work?
You just offer some kind of severe case of paranoia :)
A separate hardware computer without access to tyrnet. Only RDP from a neighboring wheelbarrow with control over IP (only one account can enter from only one IP). An over-paranoid version (the level of the First Department of USSR factories) - a computer, without wires at all in network cards - work only at the local console, data transfer on flash drives.
critical crypto data?) maybe a hardware wallet is simpler, if for work)
1) a hypervisor on the main machine, it has two virtual machines - for working with critical data and for Internet users. Perhaps also a third control virtual machine (monitoring, verification, etc.)
As an OS, read about https://ru.wikipedia.org/wiki/Qubes_OS here https://www.qubes-os.org/ they write that there is a security-oriented desktop operating system that is designed to provide security through isolation. Virtualization is based on Xen. And for the network, try pfsense according to the "router on a stick" scheme with vlans and other things like antivirus and ids / ips.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question