Overview
This post aims to provide tips for addressing network security concerns when hosting a publicly accessible web server from your home network, specifically using Unifi networking equipment. While screenshots will feature the Unifi Dream Machine Pro (UDMP), the concepts explained can be adapted to other networking gear.
Disclosure: As an Amazon Associate, I earn from qualifying purchases. This does not affect pricing for you.
Strong Passwords/Encryption Keys
Using strong passwords and encryption keys for all services, operating systems, logins, databases, etc., is crucial. A password manager (like 1password.com) simplifies generating and securely storing these complex credentials. Strong passwords matter because they limit the damage even if an attacker breaches your network. For example, if your WordPress database is protected by a strong encryption key, brute-forcing it will take an impractical amount of time, so a foothold on the network yields little of value. This principle applies to operating system root passwords, application login credentials, database encryption keys, and any resource secured with authentication. The first goal is to prevent unauthorized network access, but if that fails, strong, unique passwords and encryption keys act as a significant second line of defense.
Creating an Isolated “DMZ”-like Network
DMZ, which stands for “demilitarized zone,” is an older networking concept in which less trusted servers and resources are grouped together so that a compromise there cannot easily be pivoted into the internal network. Although less common in practice today, the term is still relevant, particularly in certifications like CompTIA Security+. This post applies the same idea by creating an isolated subnet and adding firewall rules on the router that prevent any traffic from the “DMZ” network reaching the internal networks.
Note: The screenshots are from the older Unifi settings page, accessible by disabling the new interface in Settings > System Settings.
Start by creating a new Corporate LAN in Unifi (Settings > Networks) and name it (e.g., “DMZ”). Assign a VLAN to this subnet (e.g., VLAN 777). This process might differ slightly for other networking gear, but the objective is to establish an isolated subnet.
Next, assign devices to this new network. In Unifi, this is done by configuring the port profile for the specific port connected to your web host. Other networking devices should have similar settings.
Configuring Firewall Rules
To set firewall rules, navigate to Settings > Routing & Firewall > Firewall and select LAN IN. Create a new rule with a descriptive name (e.g., Block DMZ -> IoT), ensure it is Enabled, and apply it “Before predefined rules”. Set the Action to “Drop” and choose “All” for the IPv4 Protocol. Under Advanced, select all states (New, Established, Invalid, Related) and leave the IPsec option unchanged. For the Source, choose “Network” as the “Source Type” and select your DMZ network. Similarly, for Destination, choose “Network” and select your internal network. This blocks all IPv4 traffic from your DMZ network to your internal network, regardless of its state. Keep in mind that, because Established and Related traffic is dropped too, this also blocks access to your WebHost from your internal networks, including SSH and RDP, since the WebHost’s reply packets are discarded. If you need to allow specific protocols, see the next section.
Repeat this rule creation for each internal network defined as a Corporate LAN in Unifi if you have multiple internal networks.
Allowing Specific Traffic From DMZ to Internal Network
Proceed with caution as any adjustments here can introduce security risks. Explore all other options before making these changes to prioritize the protection of your internal resources.
Adding Firewall Rules
If specific protocols need to be open between your WebHost and your internal network, create an additional rule modelled on the drop rule above. Compared with that rule, the changes are: Action = Accept, Invalid = Unchecked, Source = Address/Port Group.
For the Source, it’s recommended to specify the WebHost requiring access. Create an IPv4 Address Group with a descriptive name (e.g., WebHost) and add the static IP of the WebHost under “Address”. Your WebHost should have a static IP; configure it before proceeding if not already done.
Next, create a Port Group under Source and add the ports needing access from your internal network (e.g., SSH port 22 and RDP port 3389). Under Destination, you can either specify the networks/devices that require access or allow access from any internal network by leaving both boxes set to “Any”.
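The following model, added here as an example and not part of the original post, encodes the drop rule from “Configuring Firewall Rules” and the accept rule from this section, then evaluates sample packets top-down the way LAN IN processes them, so you can see why the accept rule must sit above the drop rule and why reply traffic is otherwise lost. The subnets, the 10.0.77.10 WebHost address and the 192.168.1.50 client are constructed sample values, and the fall-through to the predefined rules is assumed to allow inter-VLAN traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed sample addressing (assumed, not from the post); substitute your own.
DMZ = ipaddress.ip_network("10.0.77.0/24")         # the VLAN 777 "DMZ" network
INTERNAL = ipaddress.ip_network("192.168.1.0/24")  # an internal Corporate LAN
WEBHOST = ipaddress.ip_network("10.0.77.10/32")    # static IP of the web host
ALL_STATES = frozenset({"new", "established", "related", "invalid"})

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "accept" or "drop"
    src: ipaddress.IPv4Network               # Source network or address group
    dst: Optional[ipaddress.IPv4Network]     # None models Destination = "Any"
    states: FrozenSet[str]                   # the Advanced > states checkboxes
    sports: Optional[FrozenSet[int]] = None  # Source port group; None = any port

    def matches(self, src_ip, sport, dst_ip, state) -> bool:
        return (state in self.states
                and ipaddress.ip_address(src_ip) in self.src
                and (self.dst is None or ipaddress.ip_address(dst_ip) in self.dst)
                and (self.sports is None or sport in self.sports))

# "Block DMZ -> Internal": Drop, all protocols, all four states.
BLOCK_DMZ = Rule("Block DMZ -> Internal", "drop", DMZ, INTERNAL, ALL_STATES)
# Allow rule: Accept, Invalid unchecked, Source = WebHost address group plus a
# port group of 22 and 3389, Destination left at "Any".
ALLOW_MGMT = Rule("Allow WebHost 22/3389", "accept", WEBHOST, None,
                  ALL_STATES - {"invalid"}, frozenset({22, 3389}))

def evaluate(rules, src_ip, sport, dst_ip, state):
    """Walk the rules top-down and return (action, name) of the first match; no
    match falls through to the predefined rules (assumed to accept)."""
    for rule in rules:
        if rule.matches(src_ip, sport, dst_ip, state):
            return rule.action, rule.name
    return "accept", "predefined"

if __name__ == "__main__":
    client = "192.168.1.50"
    for order in ([ALLOW_MGMT, BLOCK_DMZ], [BLOCK_DMZ, ALLOW_MGMT]):
        print([r.name for r in order])
        # reply packet from the web host's SSH daemon back to a LAN client
        print("  ssh reply:", evaluate(order, "10.0.77.10", 22, client, "established"))
        # the web host itself opening a connection into the LAN
        print("  pivot    :", evaluate(order, "10.0.77.10", 44321, client, "new"))
```

With the accept rule listed first, the SSH reply passes and the WebHost-initiated connection is still dropped; with the order reversed, the drop rule swallows the reply as well. Because the accept rule keys on the WebHost’s source port and includes the New state, a connection the WebHost itself originates from source port 22 would also be admitted, which is one reason this section asks you to proceed with caution.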
Enable IPS/IDS
The Unifi Dream Machine Pro offers excellent security features, including IPS/IDS found under Settings > Threat Management (old GUI) or Settings > Security > Internet Threat Management (new GUI). IPS (Intrusion Prevention System) actively monitors traffic and blocks potentially malicious activity based on defined rules, while IDS (Intrusion Detection System) passively monitors traffic and logs/alerts suspicious activity.
Consider IPS as an essential security measure for protecting your home network while web hosting. While other hardware or software options might provide this service, Unifi’s solution is explored here.
Within the IPS/IDS settings, choosing IPS for your Protection Mode is recommended. Be aware that enabling IPS might impact your overall download speed if you’re not using a Unifi Dream Machine Pro. The device will indicate the maximum throughput with IPS enabled. The Unifi Dream Machine Pro supports up to 3.5Gbps throughput with IPS enabled.
Wrapping Up
Network security, especially when hosting a web server on your home network, is paramount. Implementing the outlined security measures, including setting up an isolated network and enabling IPS on your Unifi Dream Machine Pro (or similar Unifi Gateway device), is highly recommended.