Wednesday, December 18, 2013

HOWTO : Build a Fortress for Your Home/SOHO Network

**** Content is updated for SmoothSec 3.4-1 on January 30, 2014 ****

Hardware

(A) Unified Threat Management System (UTM)
Minix Mini HD PC (J&W) :
CPU - Intel ATOM D2550 (dual-core, 4 threads with Hyper-Threading)
Chipset - Intel NM10
GPU - Intel GMA 3600 Series
RAM - 2 x 2GB DDR3-1066 SO-DIMM (4GB total)
Hard Drive - 1 x 2.5-inch Hard Drive (80GB or above)
Networking - Dual Broadcom 57788 Gigabit Ethernet

(B) Intrusion Detection/Prevention System (IDS/IPS)
Minix Mini HD PC (J&W) :
CPU - Intel ATOM D2550 (dual-core, 4 threads with Hyper-Threading)
Chipset - Intel NM10
GPU - Intel GMA 3600 Series
RAM - 2 x 4GB DDR3-1066 SO-DIMM (8GB total)
Hard Drive - 1 x 2.5-inch Hard Drive (120GB or above)
Networking - Dual Broadcom 57788 Gigabit Ethernet
USB Networking - PCi USB 3.0 Gigabit LAN Adapter UE-1000T-G3 or Level One USB Gigabit Ethernet USB-0401

* A switch is also required for this setup if you have more than one computer.

I prefer the following setup:

Internet - SmoothSec (Suricata) - Router (Untangle UTM) - Switch (any switch) - Computers

Software

(A) Untangle 10.0 (64-bit) as UTM
Make sure you install the Lite Package, which is free of charge. If you want to purchase their services, such as Standard, you can install the Standard Package instead. For home/SOHO use, the Lite Package is enough.

After the basic installation, you need to create an account at untangle.com in order to install the Lite Package (or the Standard Package).

(B) SmoothSec 3.4-1 (64-bit) as IDS/IPS with Suricata
Before setting up your SmoothSec, you need to upgrade the SmoothSec scripts to 3.6, following the instructions at the link just provided.

To set up IDS/IPS with Suricata, you can follow this section. Make sure you select “suricata” as AF_ENGINE in the configure file. Meanwhile, you should follow this section to set up.

For rules handling, you can refer to this link.

To fully understand the setup, you can read this article. Even though it is written for 3.6 (not yet released at the moment), the concept is the same.
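For the inline placement shown in the topology above (Internet - SmoothSec - Router), Suricata's AF_PACKET IPS mode bridges two interfaces by copying accepted packets from one to the other. The fragment below is an added example of the relevant suricata.yaml section, not the file SmoothSec generates; the interface names eth0/eth1, the cluster ids and the thread counts are assumptions.

```yaml
# suricata.yaml (fragment) - AF_PACKET inline bridge, started with: suricata --af-packet
# Assumed layout: eth0 faces the Internet, eth1 faces the Untangle router.
af-packet:
  - interface: eth0
    threads: 1                  # must match the thread count on the peer interface
    cluster-id: 98              # any id, but unique per interface
    cluster-type: cluster_flow  # keep all packets of a flow on the same thread
    defrag: no                  # do not let the kernel reassemble fragments inline
    use-mmap: yes               # memory-mapped ring buffer for capture
    copy-mode: ips              # forward accepted packets; "drop" rules block traffic
    copy-iface: eth1            # where accepted packets are written
  - interface: eth1
    threads: 1
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    copy-mode: ips
    copy-iface: eth0            # return path, so traffic passes in both directions
```

With copy-mode set to tap instead of ips, the same pair forwards every packet and "drop" rules only generate alerts, which is a safer way to test a new ruleset before enforcing it.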

Conclusion

Thanks to the high performance of Suricata's AF_PACKET mode, the Broadcom 57788 Gigabit Ethernet and the Intel ATOM D2550 CPU, the network can play 1440p YouTube video without problems. Setting the QoS to Medium in Untangle 10.0 is recommended.

Meanwhile, the Minix Mini HD PC costs around US$120 (barebone, without RAM and hard drive), so the hardware cost of setting up a fortress for your home/SOHO network is not too high. The running cost of this setup is very low, as the software is free of charge. The footprint of the Minix Mini HD PC is very small, smaller than a standard ITX computer case.

If you do not know how to manage SmoothSec (Suricata), you can install Untangle only.