A lot of us are working from home (WFH) now. There are long-established security best practices around remote access, such as the telework security guidelines published by NIST. With WFH becoming a dominant form of remote access during this special time, home network security is more important than ever. In this article we will consider three common protection goals for the devices on your network:
- Protecting your home network from your employer’s security checks which might feel intrusive in your home.
- Protecting your employer’s network from threats that might unknowingly be on your home network.
- Protecting kids from mature or age-inappropriate content.
The idea is to create as much separation between your work, home, and other devices as possible while still sharing the same internet connection.
We can only touch on each of these areas in a short article. Please send feedback to email@example.com if you would like to see more detailed articles about these or other topics. Just tell us what would help you get more value out of your Firewalla.
Network Segmentation: Multiple LANs and VLANs
Firewalla Gold has up to three ports that can be used for LAN (Local Area Network) connections. These are often bridged to create one simple, big network. In a simple case, say:
- Port 1: a laptop
- Port 2: an AP for IoT devices
- Port 3: a switch with ethernet to a couple of kids' computers
- Port 4: WAN (Internet)
This is how simple home networks are often designed: one big flat network where every device can see every other device.
Firewalla Gold supports several powerful network segmentation scenarios which give you much greater flexibility and security.
In the picture above, we could also have made each of the three Firewalla ports a separate LAN network: one for work, one for IoT devices like smart assistants, and one for personal devices like kids' iPads or laptops.
Now you can choose to limit communication between devices on each of these separate networks to one direction only (e.g. A → B but not B → A) or block access between networks completely (e.g. C below cannot see A or B).
What does this get you? Let's say you have a smart assistant or smart smoke alarms. The app that controls these devices might need to talk to these devices, but the devices have no legitimate purpose in seeing all your network traffic. This is a great opportunity to secure them on a separate network where your app can talk to them, but they can't listen in on the rest of your network.
You can define the level of access you want to allow between networks, and from each network to the Internet.
Each Firewalla LAN port can be connected to a separate switch or Wi-Fi AP so all your IoT devices can be connected to that one network.
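To show what "one direction only" means in practice, here is a small stateful model of the policy described above (added example, not Firewalla's code; the three subnets, device addresses and ports are assumed). Connections started from the work network toward the IoT network are accepted and their replies flow back, but the IoT devices cannot start anything toward the work network, and the kids' network is isolated from both while all three still reach the Internet.

```python
import ipaddress

# Constructed segment addressing (assumed, not from the article).
SEGMENTS = {
    "work": ipaddress.ip_network("192.168.10.0/24"),  # A: laptop and the controller app
    "iot": ipaddress.ip_network("192.168.20.0/24"),   # B: smart assistant, smoke alarms
    "kids": ipaddress.ip_network("192.168.30.0/24"),  # C: kids' devices
}
# Segment pairs allowed to *initiate* connections (A -> B but not B -> A).
ALLOWED_INITIATORS = {("work", "iot")}


def segment_of(ip):
    """Map an address to its segment name; anything unmatched is the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


class StatefulForwarder:
    """Conntrack-style forward policy: default drop between segments."""

    def __init__(self):
        self.conntrack = set()  # (src_ip, src_port, dst_ip, dst_port) of accepted flows

    def forward(self, src_ip, src_port, dst_ip, dst_port):
        flow = (src_ip, src_port, dst_ip, dst_port)
        reverse = (dst_ip, dst_port, src_ip, src_port)
        if flow in self.conntrack or reverse in self.conntrack:
            return "accept"  # continuation or reply of an already-accepted flow
        src, dst = segment_of(src_ip), segment_of(dst_ip)
        if dst == "internet" and src != "internet":
            verdict = "accept"  # every LAN may reach the Internet
        elif (src, dst) in ALLOWED_INITIATORS:
            verdict = "accept"  # e.g. the work app opening a session to an IoT device
        else:
            verdict = "drop"    # IoT -> work, anything touching the kids' LAN, inbound from WAN
        if verdict == "accept":
            self.conntrack.add(flow)
        return verdict
```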
Using a VPN with Policy-Based Routing (PBR), the same laptop can be used securely for both personal use and work, connecting seamlessly to the business office.
Port-based networks are very powerful, yet easy to understand and set up even for those who are relatively new to networking, so they tend to be a great way to begin building a more secure network.
Another option for Firewalla Gold and Firewalla Purple (in development) is to use VLANs (Virtual Local Area Networks). These are more complex to set up but popular with network pros. So what is the difference between a port-based LAN like above and a VLAN? A VLAN allows you to create functionally separate networks, virtually, over common physical network connections like ethernet or wifi APs. Imagine your Firewalla is in an office and you run an ethernet cable to another bedroom. In that room, you have a smart assistant to play music and get the weather, a kid's computer, and a game console. You might want to separate these devices onto different networks, but you don't want to have to run multiple ethernet cables. A VLAN lets you share the physical ethernet connection but keep the devices on separate networks, virtually.
VLANs also allow you to create more than three networks, and they work with managed switches or Wi-Fi APs that are VLAN aware. For example:
- A VLAN for trusted computers and laptops
- A VLAN for IoT devices
- A VLAN for a Voice Over IP (VOIP) telephone
- A VLAN for security cameras
- A VLAN for a separate guest WiFi
Each connection to Firewalla can carry traffic to and from any or all VLANs at the same time without any risk that the devices on one VLAN can see the other VLANs unless you allow them to. To learn more about VLANs see this article.
Smart Queue: Prioritize your Network
There is nothing worse than buffering or other technical issues during a video conference. It is frustrating to people on both ends of the call. It can ruin a presentation or waste time while people have to ask each other to repeat what they just said. We have all been there.
Yet, when multiple family members are at home there may be video games in one room and an important work conference in another. Firewalla’s Smart Queue feature can help manage the chaos. Smart Queue allows you to prioritize an app (e.g. MS Teams, Zoom, or Google Meet) as a high priority while putting video games or streaming sites at a low priority. You can even set these Smart Queue Rules to activate on a schedule (e.g. during work or school hours) and have different rules that apply during family social time when you want to enjoy those video games or video streams. You can further limit these rules to particular devices, network segments, or to all devices on your network. All of this allows you to tell Firewalla how to allocate the network resources you have, based on what is most important and when. When choosing which devices a rule affects, you can pick all devices, a network segment (VLAN), a group of devices, or ungrouped devices.
Access work via Virtual Private Network (VPN) from home
A VPN is essential in securing remote access to business assets. Many small businesses don’t have a VPN solution in place due to the complexity of setting it up and maintaining it. Firewalla’s VPN client feature, along with the VPN server feature, offers a very simple yet complete VPN solution, ideal for small businesses and people working from home.
If your company does not have a VPN server but has confidential data hosted on a local business network, those business assets are at risk from unencrypted communications from home. You can easily deploy a VPN solution by installing a Firewalla box on the business network as a VPN server, and a Firewalla box on the employee’s home network as a VPN client. Any Firewalla box can serve either as a VPN server or client. See an example below:
Firewalla supports other VPN configurations including Site-to-Site (Bidirectional) (e.g. between two branch offices).
A VPN between home and work is excellent for making a secure connection to work. But people multitask (maybe you need to make a medical appointment online in between work meetings) and the whole family shouldn’t have access to your office network. Policy-Based Routing (PBR) allows access to a specific domain, list of domains, or IPs to be automatically routed through your VPN leaving all other traffic to travel directly from your network to its destination without passing through your business’s network. Because PBR Rules can be device-specific, you can limit access to your VPN connection and work assets to just the devices that should be allowed to access them.
A Target List lets you create a list of IP addresses or domains that can be used to block, allow, or prioritize a whole group of targets within a single Rule. For example, if you had a number of rules limiting access for some Nest Protects and a Nest Thermostat, you could reduce the number of rules substantially by using a Target List instead of creating a separate rule for each domain. You can also share Target Lists with people who have similar devices.
Target Lists are powerful shortcuts that can be used and reused across Rules, Routes, and Smart Queues.
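The two ideas above, device-specific PBR and a reusable Target List, fit together as one decision: a flow goes through the work VPN only when it comes from an allowed device and its destination is on the list. Here is that decision as an added example (not Firewalla's code; the laptop address, office subnet and domain names are assumed). Everything else, including a kid's device asking for a work hostname, leaves directly via the home ISP and never touches the office network.

```python
import ipaddress

# Constructed Target List for the office (assumed values, not from the article):
# domains and IP ranges that should be reached only through the work VPN.
WORK_TARGET_LIST = {
    "domains": {"intranet.example.com", "git.example.com"},
    "networks": [ipaddress.ip_network("10.50.0.0/16")],
}
# Only these home devices may use the VPN route (device-specific PBR); assumed address.
VPN_DEVICES = {"192.168.10.5"}  # the work laptop


def matches_target_list(target_list, destination):
    """Destination may be a hostname or an IP address string.

    Hostnames match a listed domain exactly or as one of its subdomains;
    IP addresses match when they fall inside a listed network.
    """
    try:
        addr = ipaddress.ip_address(destination)
    except ValueError:
        host = destination.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in target_list["domains"])
    return any(addr in net for net in target_list["networks"])


def route_for(src_ip, destination):
    """Return 'vpn' or 'direct' for a flow from a home device to a destination."""
    if src_ip in VPN_DEVICES and matches_target_list(WORK_TARGET_LIST, destination):
        return "vpn"
    return "direct"  # leaves via the home ISP; the office network never sees it


def pbr_demo():
    """Walk through the scenarios from the article with the constructed values."""
    return [
        route_for("192.168.10.5", "intranet.example.com"),  # work laptop, work host -> vpn
        route_for("192.168.10.5", "10.50.3.4"),             # work laptop, office IP -> vpn
        route_for("192.168.10.5", "www.example.org"),       # medical appointment site -> direct
        route_for("192.168.30.3", "intranet.example.com"),  # kid's device -> direct, no VPN
    ]
```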
Firewalla allows you to have two separate ISP (Internet Service Provider) connections to your network at the same time. This will ensure a working internet connection nearly 100% of the time even if one ISP has maintenance or a service outage. This feature is called “multi-WAN”. You can set this up in one of two ways:
- Load balancing: This allows you to divide your traffic between two different ISPs. This is different from PBR in that you choose a percentage of all traffic to be sent over one internet provider and the rest goes to the other. If either connection goes down, Firewalla will automatically shift all traffic to the working connection. Load balancing distributes the bandwidth load across both ISP connections.
- Failover: In this configuration, all traffic goes to a selected ISP, but if Firewalla detects that the connection is not functioning properly, it will shift all internet traffic to the backup ISP. This might be preferable if, for example, you have an LTE modem with a limited data plan and you only want to use it when your primary internet connection is down, to avoid maxing out your data plan.
Either configuration ensures that should either Internet connection go down, your video conference or gaming continues uninterrupted. When the problem with your connection is fixed, Firewalla will restore traffic back to the default configuration like nothing ever happened.