Soon to be moving to a new region, I took the opportunity to thoroughly review my internal network. It had been designed during my studies and modified afterwards. This architecture had reached its limits, and the overlap between VLANs prevented any major modification.

Having outsourced my website, and having decided to do without my Cloud server and the other application servers that I no longer use, I was able to shut down my ESX, as well as the NAS used for the ESX's NFS storage (heavy and resource-efficient VMs).

Having no more servers exposed to the outside, the reverse proxy services (which I provided with HAProxy) became useless, as did the entire VLAN dedicated to servers reachable from the outside.

So I installed a new firewall (I still won't divulge the name) and started reinstalling the services that were running on the old firewall: NAT, filtering policies, IDS and IPS, Squid, and VPN.

After some testing, I was able to switch over from the old firewall to the new one, which gave me a few headaches but overall went well.

All the filtering rules, as well as the IPS rules, have been rewritten from scratch, so I am starting again from a clean base. The DMZ (catch-all) VLAN and the external-servers VLAN have been replaced by a new VLAN that I use for my home automation, and by a separate, isolated, and protected VLAN for working from home.

To make working from home simpler, I also created a new SSID on my WiFi access points so that professional computers and telephones can connect to this new dedicated network, in addition to the option of connecting by cable. It goes without saying that, as with my other WiFi networks, I use a varied set of protections, depending on what my access points support.

At the same time, having recovered the NAS from the ESX, one of the projects for the coming weeks, between two boxes to be packed for the move, will be to install a more efficient and better-maintained NAS system, so as to end up with an up-to-date NAS.

The old firewall will go on sale (and hopefully be sold before I move), and the ESX will be reinstalled with the latest version of VMware ESX to serve as my lab if needed. It will therefore be mostly powered off, but with the possibility of being restarted.

As you have seen, I say a lot about what I do without giving too much detail, in order to preserve the security of my IS. Giving advanced information, such as the model of my firewall or which IPS is used, would be equivalent to handing the keys to the kingdom to a potential attacker, who could then use them. I do not pretend to have a network that is interesting to attackers, but in the world of computer security the precautionary principle prevails, and you always have to find the right balance between too much information and not enough.

If you’ve made it this far, thank you for reading, and I’ll see you very soon 🙂