New Network Architecture

The current state of a long-running 5712 project to lock things down in the face of ever-degrading Internet security is depicted below. I meant to do this a long time ago, but it was too easy and inexpensive to keep using the readily-available COTS tools. And it’s hard. That’s why it took so long, and it is also one reason top-tier network and system security people command big dollars in the high-tech job market. The ongoing Solarwinds fiasco finally drove home the need for me to get this done.

Time to fill in some blanks

The long, broken line sweeping around the right side and top portion of the pic is the path anything other than Wifi takes in and out of our network. Incoming traffic to the public-facing web site is first passed through the DSL modem’s firewall. Then an enterprise-class NIDS (k) continuously analyzes all traffic on the Wifi-Centurylink DMZ portion of the network in real time for malicious content, while a true stateful firewall running on my personal workstation (f) routes everything in and out of the wired network, which sits on a different subnet.

The Synology NAS now sits powered down as a cold-storage backup location. If the vendor installs updates, they have root on the box. That just doesn’t work in my environment any more after Solarwinds. I’ll take my chances with open source. The web site and everything else system-wise now hosts from the 2nd gen Ryzen (f) at the core, including the database, security cams, proxy, firewall and routing. The only data it will hold is the security cam video in the final stage of this project, coming soon once I save enough cash to spend a couple grand building a new workstation and buy some 10GbE parts for a high-speed edge between the data repositories.

Here’s what it looked like in the last iteration a couple years ago. This is what happens when a Systems Engineer retires too soon. 😉
