Enhancing Network Security with Ubiquiti and UniFI OS
In today’s world, network security is essential for protecting sensitive information and maintaining uninterrupted operations. The founder of Ubiquiti, Robert Para, previously worked for Apple, ensuring FCC compliance for the company’s Wi-Fi electromagnetic emissions. Para’s aim was to bridge infrastructure gaps in emerging markets that needed dependable internet access. Ubiquiti has since expanded its range of products, including switches, routers, access points, and security cameras. In this blog, I will share my experience of deploying my home network infrastructure, utilizing the power of Ubiquiti’s UniFi Dream Machine Pro, U6 Access Points, and UniFI's design center to improve security and efficiency.
Architecture
The UniFi Design Center offers a user-friendly platform for planning and deploying networks, allowing for meticulous control and optimization. By utilizing this tool, network architects can receive visual feedback when stacking Ubiquiti’s product suite within a facility using accurate floor plans.
Hardware
Part 1
In the original setup, my home network relied on the ASUS RT-AC86U as the sole router and access point. While this router performed adequately initially, I soon encountered issues with Asuswrt-Merlin firmware incompatibility when attempting to implement a more complex network topology. The limitations of the firmware hindered the smooth integration of additional devices and services, ultimately leading to a significant reduction in network uptime. To address these challenges and achieve better reliability and performance, I recognized the need to upgrade the hardware and explore more advanced router options that could accommodate my evolving network requirements.
Next, I tried building a custom router solution. I initially wanted to utilize a powerful open-source solution using an MSI A6200 laptop running pfSense. To ensure top-notch performance, I planned to address the USB 2.0 480MBs bottleneck by adding a 2-port USB 3.0 Express34 expansion card and incorporating two USB 3.0 to RJ45 adapters. For seamless connectivity and excellent Wi-Fi coverage, I included a Ubiquiti USW Flex mini POE switch and a Ubiquiti U6 Mesh access point.
As I delved into the project, I encountered some unexpected challenges with the MSI A6200 laptop. The Express34 slot proved to be unreliable, hindering the overall performance I had envisioned. Additionally, the laptop generated considerable heat, with little room for ventilation, and as the project progressed, I couldn’t help but yearn for a single pane of glass solution, where all the network components could work harmoniously under a centralized system. This would not only simplify management but also offer better scalability and efficiency.
Part 2
Network Hardware List:
Ubiquiti UniFI Dream Machine Pro,1 U6 Mesh w/POE injector,
2 U6 Extenders
I searched for a new solution to upgrade my home network and found the perfect option: the Ubiquiti UniFI Dream Machine Pro. This powerful hardware is the core of my new setup, providing excellent performance and security. For seamless Wi-Fi coverage, I also used the Ubiquiti U6 Mesh WiFi access point from my previous router project, which I placed in the center of the house for optimal coverage. For hardwired endpoints that require Gigabit speeds, I utilized CAT6a cables to ensure lightning-fast connections to support up to 10GBp/s if needed. To improve the signal strength in hard-to-reach areas, I added two Ubiquiti U6 Extenders as downlinks to the central access point, which improved signal reliability.
Engineering
DNSSEC
To strengthen the security and performance of my home network, I added two DNS servers: 9.9.9.9 and 142.112.112.112. These DNS servers are highly regarded for their reliability and dedication to protecting users like us in the vast world of the internet. The first DNS server, 9.9.9.9, is operated by Quad9, an exceptional organization committed to enhancing privacy and preventing malware threats. Quad9 uses threat intelligence data from multiple cybersecurity companies to keep users safe by blocking access to malicious domains. The second DNS server, 142.112.112.112, acts as a backup to Quad9’s primary DNS server 9.9.9.9, providing redundancy and additional support to users seeking secure and reliable DNS resolution.
Network Segmentation: VLANs
The implementation of VLANs (Virtual Local Area Networks) offers logical segmentation, effectively isolating different network components. This network is comprised of six VLANs, each with its own specific purpose, including security cameras, IoT devices, garage devices, guests, a SenseCAP Helium hotspot, and main users. This separation mitigates the risk of lateral movement and unauthorized access.
The Main Users VLAN (VLAN 10) is for our primary devices to ensure their privacy and separation from other network segments. IoT devices such as smart TVs and Zigbee devices are isolated in the IoT devices VLAN (VLAN 20) to reduce the security risks posed by sporadically supported firmware. My SenseCAP Helium hotspot is located at VLAN 30, while the Vivint Smart Home Security Access Point, which hosts the smart panel and perimeter cameras, is at VLAN 40. Additionally, the Garage VLAN (VLAN 50) is for static devices in the garage, including the door opener. Lastly, the Guest Network VLAN (VLAN 60) is for visitors to our home, creating a separate network environment to ensure their privacy and restrict access to our primary network.
Threat Mitigation: Firewall Rules & Port Security
Firewall rules serve as an additional layer of defense, enforcing security policies within the network. This setup includes rules for client isolation, VLAN isolation, and geo-filtering, effectively blocking suspicious traffic, limiting lateral movement, and preventing unauthorized access.
Click here to check out my VLAN and client isolation concept.
Since the UniFi Dream Machine Pro has an 8-port switch, disabling unused ports brings several significant benefits. For one, it can enhance network security by eliminating potential attack vectors. Unutilized ports may be exploited by unauthorized individuals or devices trying to gain access to the network. By disabling these ports, you can create a more secure environment, minimizing the chances of rogue devices connecting to the network and potential security breaches.
Another benefit of disabling unused ports is that it can improve network performance and efficiency. Having unnecessary active ports may lead to broadcast storms, which occur when excessive broadcast traffic floods a network, causing congestion and degrading overall performance. However, disabling any unused ports, can mitigate broadcast storms and optimize network resources for active connections, resulting in improved data transmission and reduced latency.
Network Administration: Automation & Monitoring
Proactive network administration is crucial for maintaining a secure and efficient network. Automated backups ensure that critical network configurations and settings are regularly saved, allowing for a swift recovery in case of a system failure or security incident. Automated firmware updates ensure that devices are equipped with the latest security patches, reducing vulnerabilities.
With UniFi OS, monitoring and managing assets is a piece of cake. The client dashboard provides a comprehensive overview of all network devices and their current status, allowing administrators to detect potential security threats, monitor network performance, and effectively manage network assets.
UniFi OS also comes with a solid security insights dashboard. This dashboard provides a comprehensive overview of all the network traffic occurring, from the protocols being used to the specific applications accessing the network.
Bonus: Secure Remote Access
While setting up my network, I found the UniFi iOS mobile app to be incredibly convenient. It allowed me to configure a significant portion of my network while moving around my home freely. I was able to access and adjust settings on the go, ensuring that all access points were functioning seamlessly and providing optimal Wi-Fi coverage throughout my house. With the app, I could monitor real-time performance and make any necessary adjustments effortlessly, whether I was in the living room, kitchen, or even outside in the backyard.
Note: While utilizing the UniFi iOS mobile app for remote access to the Ubiquiti console is incredibly convenient, it’s essential to be aware of potential vulnerabilities that can arise from remote access. When enabling remote access to the console, there is a heightened risk of unauthorized access if proper security measures are not in place. It’s crucial to implement strong passwords, enable two-factor authentication, and regularly update the app and device firmware to mitigate these vulnerabilities. Additionally, connecting to the console over public or unsecured networks can expose sensitive information to potential eavesdropping or man-in-the-middle attacks.
With the UniFi WiFiman app and its Teleport feature, I can easily access all of my UniFi devices, monitor, and optimize my network without any hassle. Teleport allows me to securely connect to my home network from anywhere in the world through a zero-configuration VPN used to encrypt remote console connections.
To summarize, my experience of upgrading my home network’s security and performance using Ubiquiti and UniFi OS has been truly transformative. By carefully selecting and deploying Ubiquiti’s innovative hardware, I now have a secure and reliable network infrastructure. Thanks to the UniFi Design Center and VLAN configurations, I have meticulous control over my Wi-Fi coverage and can maintain a logical network segmentation. Furthermore, implementing DNS servers at 9.9.9.9 and 142.112.112.112 has enhanced my network’s security, while firewall rules and port security measures have further minimized potential threats. Lastly, I can proactively manage my network with automated backups and firmware updates, ensuring a resilient environment.
