Behind the Firewall: Your Home Network with Fortinet

By Michael Perna | November 04, 2013

_Behind the Firewall is an ongoing series that explores the stories of individuals and organizations in their use of firewall technology. Recently, a user on Twitter reached out to us and told us about his home networking story._

Darin Cowan was a security consultant for nearly 20 years before taking a job as the manager of corporate security at a Canadian financial institution. Darin's experience in the industry has enabled him to build an impressive home network that doubles as a lab for testing and for his continued consulting work. The set-up grew largely out of his need to live by his own motto:

"A computer is like a chainsaw: Highly useful if well maintained and handled by an operator that has taken the time to learn its proper use, or, if not maintained or taken for granted, it can be immensely dangerous."- Darin Cowan

"It is always nice to tell a client to 'Do as I do,'" said Darin, who agreed to be interviewed by Fortinet for this story. "One piece of advice I give to all of my small business owners: first and foremost, secure your customer and client data. Many small businesses are seen as easy targets for those with villainous intentions."

Aside from protecting his and his clients' data, Darin needs to protect his home network from his friends. As Darin recounts, "My guests, friends, and associates are all tech-savvy. Many of them are also security people. When they are here, I need to provide them access while still protecting my assets from their issues (i.e. I can't always trust 'comedians' not to run hacking tools). Preventing a tech-savvy 'comedian' from running amok on your network is a necessary precaution."

On a functional level, Darin finds great convenience in securely accessing his network remotely, and recommends this to everyone. Speed matters here, as does a decent quality of service for the VoIP phones he and his wife use.

Darin tells us about his network:

I had tried a number of configurations of standard consumer-grade devices. You can see some of them in the network diagram. However, I was not happy with the performance or the trustworthiness of consumer-grade firewalls. I wanted more control. I originally looked at Cisco, since they sell some low-end firewalls in the price range I wanted, but their licensing leaves a lot to be desired: 10 IP addresses in the basic licence, and then a considerable sum for each batch of 10 after that. As you can see from my diagram, that would add up very quickly. As it turns out, my employer uses Fortinet and we were upgrading. As the security manager, I sat in on the briefing for the upgrade and decided that I had to have one of these. After some discussion with a former co-worker, I decided on the FortiWiFi-60D. I ordered it online, had it in a few days, and got everything running in only a few hours. I use full UTM. The antivirus allows me to save money by not having to licence the service annually, so that actually offsets some of the cost. I get to experiment with IPS and IDS. I use the Web Filter - this is especially great when people come over with their kids and their kids' computers/iWhatevers.

Network-wise, I have IPv4 on WAN1, and IPv6 on WAN2, allowing me to experiment nicely in both of those domains. I have full IPSec VPN into my network from anywhere on the Internet, using FortiToken Mobile for authentication. I also set up SSL VPN (also with FortiToken Mobile) in the event that I don't have my own devices and still want to secure a connection.

I currently have five devices on endpoint control with FortiClient, although I expect I will ramp that up and use up my remaining five licences and probably have to get more. Just like at work, I have to roll some of this stuff out in stages in order not to upset other users (i.e. my wife).

As you can see in the diagram, I have a lot of WiFi. My plan is to actually get rid of some of the D-Link gear and run up a FortiAP, probably a FortiAP-223B, but that is awaiting budget. I don't need that so much as I want to really understand it, and frankly, it's got to work better than these consumer-grade WiFi routers that I'm using as access points.

WiFi in my house is slightly problematic. I have neighbours on both sides whose WiFi traditionally interferes with mine - hence the arrangement of channels with an "East" and a "West" WiFi configuration. My house seems to have brutal RF attenuation inside - not just in WiFi... I'm a ham radio operator, and I see attenuation there too. As a result, I have granted myself excellent WiFi coverage in the house and yard at the expense of a lot of access points. Interestingly, changing my SSID on the one network to "Surveillance" put an immediate end to the local bozo that was poking at my network and generating interesting log entries. Seems that name change must have rattled him a bit.

Presently, the topology of my network makes all the "inside" WiFi and wired devices into a single, homogeneous network, with a separate guest network (Surveillance) that hosts guests and a DMZ with a Minecraft server. If I deploy a FortiAP, I'll change that topology a bit since I'm 95% sure that I can't make the WiFi network look like part of the wired network in the same smooth way as I can cheat with a D-Link. This would be a good thing because the way I'm doing it right now is not as secure as it should be.
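Darin's actual configuration is not shown in the interview. The FortiOS CLI fragment below is an added illustration, written for this article and not taken from his unit, of the three-zone layout he describes: a trusted inside network, the guest SSID, and a DMZ holding the Minecraft server. The interface names `internal`, `guest` and `dmz`, every address, and the `default` UTM profile names are assumptions; `wan1` and the Minecraft server come from his description. The syntax follows FortiOS 5.x and should be checked against the release actually running on the FortiWiFi-60D.

```text
# Added example, not Darin's configuration. Assumed interface names:
#   internal = trusted wired + inside WiFi
#   guest    = the "Surveillance" SSID
#   dmz      = segment holding the Minecraft server
# Addresses are from documentation ranges; the 'default' profiles are assumed
# to exist. FortiOS denies any traffic that matches no policy, so every
# interface pair not listed here (guest->dmz, dmz->internal, ...) is blocked.

config firewall policy
    # Trusted inside network -> Internet, full UTM as the interview describes
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set profile-protocol-options "default"
        set nat enable
        set logtraffic all
    next

    # Guest SSID -> Internet only. Web filter and IPS still apply so the
    # visiting kids' devices are filtered and a guest running tools shows
    # up in the IPS log.
    edit 2
        set srcintf "guest"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set webfilter-profile "default"
        set ips-sensor "default"
        set profile-protocol-options "default"
        set nat enable
        set logtraffic all
    next

    # Explicit deny for guest -> inside. The implicit deny would drop this
    # anyway; an explicit policy with logging makes the attempts visible.
    edit 3
        set srcintf "guest"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Publish only the Minecraft port (TCP 25565, the game's default) from the
# Internet into the DMZ host. No dmz -> internal policy exists, so a
# compromised server cannot reach inside hosts.
config firewall service custom
    edit "Minecraft"
        set tcp-portrange 25565
    next
end

config firewall vip
    edit "minecraft-vip"
        set extintf "wan1"
        set extip 203.0.113.10            # assumed public address on wan1
        set mappedip "192.168.50.10"      # assumed DMZ server address
        set portforward enable
        set extport 25565
        set mappedport 25565
    next
end

config firewall policy
    edit 10
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "minecraft-vip"
        set action accept
        set schedule "always"
        set service "Minecraft"
        set utm-status enable
        set ips-sensor "default"
        set profile-protocol-options "default"
        set logtraffic all
    next
end
```

The point of the layout is that the firewall, not the access point, decides what reaches the inside hosts. Bridging a consumer WiFi router straight onto the wired LAN, the "cheat" Darin mentions, puts every wireless client on the trusted side of these policies; giving the WiFi its own interface (as a FortiAP would) means adding an explicit policy between that interface and `internal`, which is the change he says would make the network "as secure as it should be".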

Darin's network is a shining example of what is possible with Fortinet. In his final words on home networking, Darin stressed the importance of keeping your machines up-to-date and running anti-malware software.

Maintaining one's tools is a very important task.

He also stressed the importance of educating yourself on basic network security and taking the additional step of implementing some kind of firewall.

Learn how to properly use those tools.

"Everyone with a computing device has to understand that security is their own responsibility - at home, at work, wherever."

