Looking for advice on securing business class fiber optic

Lil'John

Senior member
Dec 28, 2013
288
31
91
Title basically states it but for more details:

Current setup is Comcast with the following:
  • ARRIS CM820 cable modem (no wireless)
  • Linksys E3000 running Tomato firmware (connects to cable modem, game machine, Ooma and switch)
  • D-Link DGS-1024D switch (connects to Linksys above)
  • File/Media server (not valuable except the amount of time I'd have to spend re-ripping my DVDs)
  • Many machines and IP cameras (connects to switch)
With Tomato above, I've locked the wireless to the MAC address level... new house is so remote (15 minutes outside of a 2,300 person town), my current wireless concern is not valid.

I'm not looking for NSA or HIPAA secure but given the lack of any filtering on the business class fiber optic, I want to button it up. In essence, I want my network to be more of a pain than the neighbors so script kiddies keep moving on. I do a bit of software consulting so leaving it free isn't a choice.

Should I replace the Tomato router? If so, with what?

pfSense has popped up. My high level understanding is pfSense is a software firewall... I can buy their hardware or provide my own. Should I consider a dedicated firewall box such as a ZyXEL ZyWALL US50?

What about the "concept" of a honey pot machine on the network? Still viable/in use? It has been MANY years since I have heard the term.

I've got plenty of hardware to set up security machine(s) as needed. I've got a NUC or three.

I've got a network/server closet with a 25U rack available so I'd love something to be rack mountable or small enough to fit on a rack shelf.

I won't say I don't have a budget but computer stuff is my hobby so I'm willing to spend a few hundred for learning/securing my network.
 

Rifter

Lifer
Oct 9, 1999
11,522
751
126
I'd just run pfSense or another firewall OS of your choice on dedicated hardware and call it a day.
 

Ertaz

Senior member
Jul 26, 2004
599
25
81
It depends on how deep you want to go down the rabbit hole. I run a Zotac CI323 with pfSense on it. It works great. I wish it had Intel NICs, but you can't have it all for $130. It takes some getting used to, but it's great to learn on. I would put it in parallel to your home network and pay for a second IP if you have to. I did a lot of tinkering with mine to get it to the well-oiled machine that it is. NTOPNG is pretty great. It's like a poor man's netflow dissector. For some fun reading on your options there's always http://reddit.com/r/pfsense

If you want a less roll-your-own option with some support, for a little more scratch you can run the Ubiquiti EdgeRouter https://www.ubnt.com/edgemax/edgerouter/ , it's rackmountable and pretty well received by the community as a whole.
 

Lil'John

Senior member
Dec 28, 2013
288
31
91
I have no problem building/tinkering it myself. While network stuff isn't my favorite thing to do, learning/playing with it is entertainment.

From a hardware standpoint, I've got three Intel NUCs waiting for a purpose:
  1. NUC6i7KYK - Skull Canyon, probably way overkill
  2. NUC6i3SYH - Just a standard i3-6100U... was considering putting it into use as media player
  3. NUC5PGYH - Similar to your Zotac
I do have a 1U rack system with an i5-4570S in it being used as a file/media server.

For a firewall setup, is it work getting a dual NIC setup? One for incoming traffic and one for onto WAN traffic? I might be able to get an Intel X550-T2 for a reasonable price.

Also, from a network setup, would it be worth pulling all the camera stuff onto a separate 'WAN' that is maybe a little less secure? I'd like to be able to do some "light" monitoring of the cameras while out of house.
 

Ertaz

Senior member
Jul 26, 2004
599
25
81
Well it's not much work getting dual NICs going. You want to check the HCL for pfSense. As a poor person, I don't have any 10gig hardware just yet. You can put your cameras in a DMZ of sorts, or put them in the internal network zone and OpenVPN back to your firewall to access them. Really up to you. Lots of good reading here as well: https://www.servethehome.com/category/networking/

My recommendation for you is to put your wants on a sheet of paper then design the network around that.
 