Building a network for smaller businesses - Part 1: Hardware
Read Peter’s thesis on how to build, test, and secure networks with CrowdSec for small businesses so they can achieve a more affordable firewall and router combination.
This series of articles are written by Péter András Rakolcza, a student at Budapest University of Technology and Economics, for his BSc diploma thesis. Peter is a trainee in threat hunting and a full-time BSc Computer Engineer who took interest in CrowdSec’s community-based, open-source approach to cybersecurity.
This is the first thesis paper on CrowdSec published on our website, with many more to come. If you are interested in producing a project around CrowdSec, do not hesitate to contact us at email@example.com.
In our accelerated world, security is more important than ever. Whether you are a multi-million-dollar company or a small business serving local clients, you must protect the company’s employees and its valuable data.
“The year 2021 was a busy year for cybersecurity experts and IT professionals as businesses worldwide faced a barrage of cyberattacks. In fact, the last year has been a record-breaking year for cyberattacks.” – states a cybersecurity blog.
Cyberattacks are not just threats but could potentially cause revenue loss. This issue will be more and more serious as working from home becomes a standard. In my thesis, I would like to build, test, and present a much more affordable firewall, and router combination for smaller businesses than existing solutions on the market. In addition, I will propose future improvements to further upgrade this complete package and make it more user-friendly for nontechnical persons. My thesis contains useful information for network professionals and security experts who plan to design complex, cost-effective, secure, but usable networks for smaller businesses.
Developing such a complex device is not an easy job to do. It all starts with the hardware. After I had chosen an off-the-shelf computer for this build, I had to think about the internal structure of my home network. This required me to make modifications to my personal network to test all its features securely and privately. The lab environment came with some difficulties, and it added some complexity, but the advantages outweigh the disadvantages.
First, I would like to explain the thought process when I chose this specific system. When I did my research, I wanted something which is considered old for everyday use, but a complete package (like an office PC from a reputable vendor). I purposefully opted out mini-PCs and HTPCs, because they generally are hard to upgrade and hard to add PCIe devices which were inevitable for this project.
Mid-tower office PCs seemed a good compromise between upgradeability and size while having decently modern hardware. Therefore, I bought a Dell MT PC (Figure 12.) second-hand for around 10.000 HUF.
- Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz
- 1 x 4GB DDR3 Synchronous 1600 MHz
- Seagate BarraCuda 250GB 8MB 7200rpm SATA3
- Cisco Broadcom 5709 N12075 4-Port 1GbE Ethernet PCI-e Network Adapter
In my opinion, this computer is more than capable of handling gigabit traffic with line speed but leaving enough resources on the table for future expansion. Down the line, the bottleneck will be probably the CPU as it has only 2 cores, and 4 threads for processing packets. Regarding memory, 4GB of RAM should be plenty, mainly compared to MikroTik or Ubiquiti firewalls in this price range. Internal cold storage does not make a huge difference, because the OS only stores configuration and log files there. Despite having a 4 port ethernet card, I am only using one of the ports as software switching could be really taxing on the system. I am using the dedicated ethernet port for the WAN connection and the PCIe device for the internal LAN.
The chassis is a mid-tower design which means it has room for future PCIe cards or upgrades. Furthermore, none of the components are soldered, so changing the CPU or adding more should not be an issue. This flexibility comes with one drawback: size. This PC’s footprint is significantly larger than a mini-PC or consumer router.
My entire home network is complex by default. I have completely redesigned our home network from the ground up. I installed CAT5e cables in every room and created a centralized location for all the rack-mounted networking equipment in the attic. I configured everything from the router, modem, VLANs, and APs and created different SSIDs for IoT devices. I also added multiple servers for self-hosting services like Plex, Bitwarden, Blue Iris, and Nextcloud to back up our most important files to the cloud using Backblaze B2. Furthermore, I added a load of IoT devices to the household to monitor and control many aspects of our home.
For this reason, I had to plan where I want to add the lab network. I added a network diagram for easier understanding (see below).
My network consists of 3 VLANs with different purposes:
- VLAN 1: primary VLAN where all the trusted devices are, this VLAN can access all other VLANs and the internet – 192.168.1.0/24
- VLAN 2: IoT VLAN where all the IoT accessories are located, this VLAN can only access the internet – 192.168.2.0/24
- VLAN 69: Guest VLAN where all the guests’ smartphones and laptops can connect to, this VLAN can only access the internet and nothing else – 192.168.69.0/24
I have decided to add the firewall to VLAN 1 with a static IP address (192.168.1.115) for more convenient access and configuration. This is the firewall’s WAN address. I dedicated a /24 subnet for the test environment, so I am using the 192.168.100.0/24 network in the local network. Hence, the firewall’s LAN address is 192.168.100.1. This configuration made everything comfortable to use and configure while keeping everything out of reach for everybody else. The network structure could be the school example for a double NAT, yet it is not for production use.
I am using a Dell PowerEdge R610 server as a hypervisor (Proxmox) to run virtual machines. One of the server’s interfaces is connected directly to the firewall’s LAN port. However, this is not a realistic situation, in a real-world setup, both would be connected to a shared switch. I added a management interface to the hypervisor to get around the firewall when accessing the web interface for effortless configuration. The VMs are representing PCs or servers hosting basic services. Lastly, I installed Kali Linux on one of my PC located on VLAN 1 to perform attacks from “outside”.
Stay tuned for part 2!