We all know that over the last 12 months the U.K. has moved from an office-based working approach to a working-from-home model. This has meant a shift in approach to day-to-day business life. However, something that has slipped through the gap is security, and more importantly what security looks like on a home or “untrusted” network.
I am aware that many people will instantly say “we use a VPN”. To that I say this is a great step, but it only deals with part of the overall security risk of having your users working from home on a third-party WiFi network, typically the combination router/modem/access point supplied by their ISP. Much of this kit will be out of date, insecure and ultimately “fine” for the day-to-day home user, but not suitable for your business.
I am more aware of this problem than most, and over the last 12 months I have been asked the same question numerous times: “What should we be doing to secure our users at home?”. For the most part I had the technical answer, which is to install an enterprise firewall, a dedicated wireless network and a wired network. The stumbling block I always hit was how a business manages these devices, and the honest answer was that I was not sure I had the solution. As an IT professional I had a stupidly complex home network featuring a server, wireless access points, multiple managed switches and enough complexity that when there was an issue my wife would simply wait for me to fix it rather than knowing what to turn on or off. So about 4 months ago I began a process to simplify this set-up and work out what the best business-grade solution is, one I would happily spend my own money on.
After a few months of back and forth looking at Mesh WiFi systems (I will get on to why this is important for me), home firewalls from security vendors and cloud-managed switches, I came across three candidate solutions: the Cisco Meraki Z3, the Ubiquiti Dream Machine and the Sophos XG86. All of these devices should have been able to solve the problem of securing my home working environment while ensuring that my family can safely use the network at the same time without too many issues.
I decided to go for the Ubiquiti Dream Machine for two reasons. First, there are no ongoing licence costs: unlike the other two devices, which both require a licence to access most of their features, once the Dream Machine is purchased you own it. This extends the longevity of the solution and of my investment in it. The second reason was the ease of expansion.
Modern Homes and Mesh WiFi
Now, this leads into my Mesh WiFi issue. Living in a modern-build house, steel has been used to reinforce the structure, which means WiFi suffers when you step between the two sides of the house. This has always been an issue for me, so any new solution had to support multiple access points in order to have WiFi on both sides of the steel. This was achievable with Ubiquiti by deploying a UAP-AC-LITE as part of a mesh set-up.
Looking at the product itself, some key points come to mind: the Dream Machine is a 4-port managed switch, an enterprise-grade 4×4 MU-MIMO 802.11ac Wave 2 access point supporting WiFi up to 1167Mbps, and a network protection device including a firewall, intrusion protection and attack mitigation. All of this is managed either locally or via the Ubiquiti cloud management platform (which is free), which can manage multiple devices from a single pane of glass. If you want to read more about the specification of the Dream Machine you can do so here (https://eu.store.ui.com/collections/unifi-network-routing-switching/products/unifi-dream-machine), and for more information on the access point see https://eu.store.ui.com/collections/unifi-network-access-points/products/unifi-ac-lite
When the unit arrived it was ultimately easy to set up and left me with a very basic working configuration in less than 15 minutes. Once this was done I spent an hour tweaking the set-up to get it “work ready”, before spending the rest of the afternoon moving devices onto the SSIDs I had set up for either work or personal use depending on the device. This is important, as items like my Sky Q box need to be treated differently from the more intensive set-up I was deploying for my business devices.
The Techy Bit
If you don’t want to know the ins and outs of the solution feel free to jump over this paragraph.
My home broadband is provided by Sky and comes into a very standard router (which cannot be removed, as a third-party router is not supported by Sky). The final solution for me was therefore to disable the wireless on the Sky router, turn off IPv6 DHCP and reduce the IPv4 DHCP scope to a single address, which is issued to the Dream Machine over a 1Gbps connection. This connection leaves the Sky router and connects to the WAN port of the Dream Machine. During set-up the unit creates its own internal NAT, so all client traffic is routed out to the Sky unit from the Dream Machine’s single WAN address. That allows me to publish two address pools from the Dream Machine, a /24 each for home devices and work devices, presented on two SSIDs that sit on separate VLANs, cannot see each other and never cross. For the second AP, due to the layout of my house, I cheated and used a PowerLine unit rated at 1Gbps to connect port 1 on the managed switch in the back of the Dream Machine to upstairs via the house electrics. At the far end I simply placed the PoE injector that came with the UAP-AC-LITE and wired it in; once the unit had an IP address I was able to adopt it within the Dream Machine’s built-in management system and deploy the same wireless networks. In testing across the house the blanket coverage is now 800Mbps regardless of location, and the hand-off is seamless when you move around the building.
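To make the “separate VLANs that never cross” requirement concrete, here is an added example (not the author’s configuration and not Ubiquiti’s rule engine) that models a first-match LAN-in rule set for the two /24 pools and checks sample flows. The VLAN numbers, address ranges and gateway addresses are constructed assumptions; the point is that new connections between the home and work networks are dropped while both still reach their own gateway and the internet.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the design described above (assumed values):
# two /24 pools on separate VLANs, one per SSID.
HOME_NET = ipaddress.ip_network("192.168.10.0/24")   # VLAN 10, personal SSID
WORK_NET = ipaddress.ip_network("192.168.20.0/24")   # VLAN 20, work SSID
GATEWAYS = {HOME_NET: ipaddress.ip_address("192.168.10.1"),
            WORK_NET: ipaddress.ip_address("192.168.20.1")}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    established: bool = False   # reply packet of a connection src already opened


def _vlan_of(addr):
    return next((n for n in (HOME_NET, WORK_NET) if addr in n), None)


def evaluate(flow: Flow) -> str:
    """First-match evaluation of a LAN-in style rule set. Returns 'allow' or 'drop'."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    src_vlan = _vlan_of(src)
    rules = [
        # 1. stateful: replies to connections already opened are allowed
        (flow.established, "allow"),
        # 2. same VLAN: switched locally, never reaches the router's firewall
        (src_vlan is not None and src_vlan == _vlan_of(dst), "allow"),
        # 3. a host may reach the gateway of its own VLAN (DHCP, DNS)
        (src_vlan is not None and dst == GATEWAYS[src_vlan], "allow"),
        # 4. any other private -> private traffic crosses VLANs: drop it
        (any(src in n for n in RFC1918) and any(dst in n for n in RFC1918), "drop"),
        # 5. everything else is private -> internet via the NAT: allow
        (True, "allow"),
    ]
    for matched, verdict in rules:
        if matched:
            return verdict
    return "drop"  # defensive default-deny; rule 5 makes this unreachable


def cross_vlan_leaks(home_hosts, work_hosts):
    """(src, dst) pairs allowed to open a NEW connection across the two VLANs.
    An empty list means the isolation the design promises actually holds."""
    return [(s, d)
            for h in home_hosts for w in work_hosts
            for s, d in ((h, w), (w, h))
            if evaluate(Flow(s, d)) == "allow"]
```

Re-running `cross_vlan_leaks` after every rule change is the quickest way to catch an accidental “allow all” inserted above the cross-VLAN drop.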
For a high-level design you can see the below layout of my network.
When all is said and done, this solution is robust, fast and ultimately secure, and it takes my existing VPN connection to the next level in security. This is important because, while VPN traffic is secure, anything else happening on your home network may not be: it might be your teenage child downloading content on their laptop from questionable sites, a home smart device with a known compromise, or simply an unprotected device belonging to your neighbour (who has happened to get onto your WiFi). All of these risks exist, and a set-up like the one I have just deployed removes this risk, as it not only provides great intelligence on what is happening on my network but clearly separates the devices which are critical to my working day and which deal with intellectual property, customer data and business data every day.
The ultimate bonus of deploying a solution like this for myself is that I can say I know it works and is scalable for businesses of all sizes. Whether it is to protect your CEO or key workers, or to ensure that as your business spends 2021 working from home you have proper protection, it can all be deployed and managed remotely with little disruption to the end user. The aesthetics of the devices mean it doesn’t look hideous, and it easily outperforms any Mesh WiFi system a home user may be looking at to resolve the dreaded Zoom dropouts.
If you want to talk to me about how you can deploy home security for your remote working staff then please call 01235 433900 or you can reach out to me via DM or at firstname.lastname@example.org.