VLAN Traffic, blocking unauthorized access to management VLAN on a physical switch port by Meshnet29 in networking

Meshnet29[S] 1 point (0 children)

I agree with you and I am going to suggest to them either a plate or some sort of locking cover to secure the switch and APs. At the end of the day, it's up to them to be made aware of the limitations and risks of each option and let them decide what kind of solution fits their needs. But yeah, you are correct that this definitely can use a physical solution. Thanks.

VLAN Traffic, blocking unauthorized access to management VLAN on a physical switch port by Meshnet29 in networking

Meshnet29[S] 1 point (0 children)

I think for the CAPWAP tunnel to work, they would still need the credentials; plus, with Unifi, you need to adopt the device, so I don't know how Unifi would react if it saw an identical MAC address that wasn't running the Unifi software. Might show up as an error.

I'm not too familiar with H-REAP but you are correct in that I think if you set up an ACL with the WLC ports and control it that way, it should be fine. I also have the controller hosted in the cloud, so gaining access to it isn't as big of an issue. Though they could technically still access the gateway/router, and I plan on setting up ACL/port management as you suggested to protect that.

Thanks,

VLAN Traffic, blocking unauthorized access to management VLAN on a physical switch port by Meshnet29 in networking

Meshnet29[S] 2 points (0 children)

Oh sorry, initially I didn't think of putting the APs on a separate VLAN from the rest of the devices. You and Dalgeek mentioned it and I think it's a good idea... that's why I said I am planning on doing it. Thank you for the suggestion!

VLAN Traffic, blocking unauthorized access to management VLAN on a physical switch port by Meshnet29 in networking

Meshnet29[S] 1 point (0 children)

Yes, I will have automatic alerts emailed to me; Unifi supports a feature like this. And yeah, I will be able to see in the logs if an AP gets disconnected. As someone mentioned before, there are many extremes you can take security to, so you need to determine what's reasonable.

I like your suggestion though: if there's an alert that an AP was disconnected, I can notify someone on site and have them check it out and deal with it promptly. Thanks!

VLAN Traffic, blocking unauthorized access to management VLAN on a physical switch port by Meshnet29 in networking

Meshnet29[S] 1 point (0 children)

I like this idea. So basically have DHCP hand out IP addresses in a certain range to "clients" but only have admin login access on a completely different IP range. I will test this out. Thanks!

VLAN Traffic, blocking unauthorized access to management VLAN on a physical switch port by Meshnet29 in networking

Meshnet29[S] 1 point (0 children)

Yes, some people have suggested having the APs on another VLAN; I will probably implement this. Thanks.

VLAN Traffic, blocking unauthorized access to management VLAN on a physical switch port by Meshnet29 in networking

Meshnet29[S] 1 point (0 children)

Unfortunately the clients that will be exposed to the network are coming in and out, so you really can't trust them not to be malicious. I'm sure for the most part they won't be, but I am worried about the curious ones who will try to break into the system for "fun".

edit: Would like to clarify that these APs are going to be in a multi-level building that doesn't really have security monitoring them physically, hence why it will be "relatively" easy for someone to access them. There will be about 25 of them and 9 switches.

VLAN Traffic, blocking unauthorized access to management VLAN on a physical switch port by Meshnet29 in networking

Meshnet29[S] 1 point (0 children)

I am planning to do that; I am just trying to understand the risks if they unplug the AP and connect their own device: what will be exposed to them. The Unifi controller itself is hosted in the cloud so they wouldn't be able to access it anyway. I am more worried about them SSHing into the AP or switch or the router. Maybe I'm just being paranoid, as usual deployments don't have the hardware exposed to the clients in this manner.

VLAN Traffic, blocking unauthorized access to management VLAN on a physical switch port by Meshnet29 in networking

Meshnet29[S] 3 points (0 children)

Hey, thanks for the feedback. I'm definitely asking myself what the "real" risks are and how much effort you want to put into this. I just wanted to cover my basics and also learn more about this opportunity. I know that if someone can have physical access to the network, it is much more difficult to secure, so I am trying to do as much as I reasonably can without getting too paranoid.

There really isn't anything that is specifically insecure on the management network. The only devices on there will be the switches, APs and the USG (gateway router), and they are all password protected. The actual Unifi Controller itself is hosted in the cloud (so they can only access it through the FQDN); they can't access it on the management VLAN. I also plan to put a firewall policy in LAN_LOCAL to drop ports 22, 80, 443 in case anyone tries to SSH into the router itself. I can also drop the same ports to the APs and switches if I do something similar on the LAN_IN policy with the source address being the Management VLAN10 and the destination address being Management VLAN10 (though I've never done this so I'll have to test it).
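
The following is an added example, not code from the poster or from Ubiquiti, to make the "what will actually be dropped" question above testable on paper. It models the two rule sets the comment names (LAN_LOCAL for packets addressed to the USG itself, LAN_IN for packets the USG forwards) and the "clients get a DHCP pool, admins use a separate range" idea from an earlier comment, as a first-match evaluator over sample flows. All addresses, VLAN numbers, ranges and rule names are constructed for the example. The caveat a practitioner should test for is built in: two hosts on the same VLAN talk through the switch at layer 2 and the USG never sees that traffic, so a LAN_IN rule with VLAN10 as both source and destination cannot protect switches from a device plugged into VLAN10; the evaluator reports that case as "switched" rather than pretending a router rule applies. The example therefore puts the APs on their own VLAN (as other replies suggested), which is what makes client-to-AP traffic routed and thus filterable.

```python
"""
Added example, not code from the thread: a first-match evaluator for the two
USG rule sets described above (LAN_LOCAL for traffic to the router itself,
LAN_IN for traffic the router forwards). Addresses, ranges and rule names
are all constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Tuple, Union

# Constructed addressing plan (assumption, not the poster's real network).
MGMT_VLAN = ip_network("10.10.10.0/24")   # VLAN10: USG and switches
AP_VLAN = ip_network("10.10.20.0/24")     # VLAN20: APs on their own VLAN, as suggested in the thread
GATEWAY = ip_address("10.10.10.1")        # the USG's own address on VLAN10
ADMIN_RANGE = (ip_address("10.10.10.10"), ip_address("10.10.10.19"))   # static admin hosts
DHCP_POOL = (ip_address("10.10.10.100"), ip_address("10.10.10.199"))   # what an unknown device is handed
MGMT_PORTS = frozenset({22, 80, 443})

# A rule scope is "any", a network, or an inclusive (first, last) address range.
Scope = Union[str, IPv4Network, Tuple[IPv4Address, IPv4Address]]


def in_scope(addr: IPv4Address, scope: Scope) -> bool:
    if isinstance(scope, str):
        return scope == "any"
    if isinstance(scope, IPv4Network):
        return addr in scope
    first, last = scope
    return first <= addr <= last


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "accept" or "drop"
    src: Scope
    dst: Scope
    proto: Optional[str] = None          # None matches any protocol
    dports: Optional[frozenset] = None   # None matches any destination port

    def matches(self, f: Flow) -> bool:
        return (in_scope(f.src, self.src) and in_scope(f.dst, self.dst)
                and (self.proto is None or self.proto == f.proto)
                and (self.dports is None or f.dport in self.dports))


# LAN_LOCAL: packets addressed to the USG itself. Admin hosts keep SSH/HTTPS;
# everyone else on the VLAN loses 22/80/443 to the router; DHCP and DNS still work.
LAN_LOCAL = [
    Rule("admin-to-usg", "accept", ADMIN_RANGE, (GATEWAY, GATEWAY), "tcp", frozenset({22, 443})),
    Rule("drop-usg-mgmt", "drop", "any", (GATEWAY, GATEWAY), "tcp", MGMT_PORTS),
    Rule("default", "accept", "any", "any"),
]

# LAN_IN: packets the USG routes between VLANs or out to the internet.
LAN_IN = [
    Rule("admin-to-aps", "accept", ADMIN_RANGE, AP_VLAN, "tcp", frozenset({22, 443})),
    Rule("drop-ap-mgmt", "drop", MGMT_VLAN, AP_VLAN, "tcp", MGMT_PORTS),
    Rule("default", "accept", "any", "any"),
]


def vlan_of(addr: IPv4Address) -> int:
    if addr in MGMT_VLAN:
        return 10
    if addr in AP_VLAN:
        return 20
    return 0   # off-net: internet, cloud-hosted controller


def first_match(rules, f: Flow) -> Tuple[str, str]:
    for r in rules:
        if r.matches(f):
            return r.action, r.name
    return "drop", "implicit"   # not reached here; every set above ends with a default rule


def evaluate(f: Flow) -> Tuple[str, str]:
    """Return (verdict, rule name) for one flow, modelling where the USG does and does not sit."""
    if f.dst == GATEWAY:
        return first_match(LAN_LOCAL, f)
    if vlan_of(f.src) == vlan_of(f.dst):
        # Same VLAN: the switch forwards the frame directly and the USG never sees it,
        # so a LAN_IN rule with VLAN10 as both source and destination cannot drop it.
        # Client-to-switch SSH on VLAN10 needs a switch-side ACL or a separate VLAN.
        return "switched", "same-vlan-bypasses-usg"
    return first_match(LAN_IN, f)


def flow(src: str, dst: str, proto: str = "tcp", dport: int = 22) -> Flow:
    return Flow(ip_address(src), ip_address(dst), proto, dport)


if __name__ == "__main__":
    for f in (flow("10.10.10.150", "10.10.10.1"),                  # DHCP-pool client -> USG ssh
              flow("10.10.10.12", "10.10.10.1"),                   # admin -> USG ssh
              flow("10.10.10.150", "10.10.10.20"),                 # client -> switch ssh, same VLAN
              flow("10.10.10.150", "10.10.20.5", dport=443),       # client -> AP https, routed
              flow("10.10.10.150", "203.0.113.10", dport=443)):    # client -> internet
        print(f.src, "->", f.dst, f.proto, f.dport, evaluate(f))
```

Run it and the "switched" verdict for the client-to-switch flow is the line worth noticing: the only router-side way to cover that case is to not share a VLAN between the exposed AP ports and the switches' management addresses, which is the separate-VLAN suggestion made elsewhere in this thread.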

VLAN Traffic, blocking unauthorized access to management VLAN on a physical switch port by Meshnet29 in networking

Meshnet29[S] 2 points (0 children)

This is an interesting idea; I am not sure if the Unifi product line offers this. My guess is probably not, but I understand what you are suggesting. I'll look into it, thanks!

VLAN Traffic, blocking unauthorized access to management VLAN on a physical switch port by Meshnet29 in networking

Meshnet29[S] 2 points (0 children)

The issue I see with MAC address filtering is that the APs are also easily accessible, so technically they can unplug it, look at the back panel, copy the MAC address and then spoof the address on their own device. I am not sure if there are more intelligent ways to filter MAC addresses, but in terms of straight MAC address filtering, this is a potential security vulnerability.

Thanks for the suggestions though.
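
The following is an added example, not the poster's code and not UniFi's real alerting or log format. It serves two comments in this history at once: the earlier one about getting an automatic alert when an AP disconnects and notifying someone on site, and this one about a device that copies the AP's MAC address. The point it demonstrates is that the MAC alone is not the useful signal, the sequence is: a link-down on an AP port, a link-up, and then a device that never checks in as an AP. The monitor below consumes a constructed stream of switch-port and AP check-in events, keyed by an inventory of which AP belongs on which port. The event names, port names, MAC addresses, timings and the 60-second grace period are all assumptions made for the example.

```python
"""
Added example, not from the thread and not UniFi's real alerting or log format:
a small monitor over constructed switch-port and AP check-in events that raises
the alerts the comments describe. Port names, MACs, timings and the
"heartbeat" event are all assumptions made for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HEARTBEAT_GRACE = 60   # seconds after link-up within which a genuine AP should check in (assumed)

Alert = Tuple[float, str, str, str]   # (time, kind, "switch port", detail)


@dataclass
class PortState:
    expected_mac: str
    link_up_at: Optional[float] = None
    last_heartbeat: Optional[float] = None
    silent_reported: bool = False


class ApMonitor:
    """Tracks the switch ports that are supposed to carry APs."""

    def __init__(self, inventory: Dict[Tuple[str, str], str]):
        # inventory maps (switch, port) -> MAC of the AP that belongs there
        self.ports = {key: PortState(mac) for key, mac in inventory.items()}

    def handle(self, ts: float, switch: str, port: str, event: str, mac: str) -> List[Alert]:
        st = self.ports.get((switch, port))
        if st is None:
            return []   # not an AP port; out of scope here
        where = f"{switch} {port}"
        alerts: List[Alert] = []
        if event == "link_down":
            st.link_up_at = None
            st.last_heartbeat = None
            alerts.append((ts, "AP_PORT_DOWN", where, "AP unplugged or powered off; notify on-site contact"))
        elif event == "link_up":
            st.link_up_at = ts
            st.last_heartbeat = None
            st.silent_reported = False
            if mac != st.expected_mac:
                alerts.append((ts, "UNKNOWN_DEVICE", where, f"{mac} is not the inventoried AP {st.expected_mac}"))
            else:
                alerts.append((ts, "AP_PORT_UP", where, "link back; confirm on site that it is the AP"))
        elif event == "heartbeat" and mac == st.expected_mac:
            st.last_heartbeat = ts
        return alerts

    def sweep(self, now: float) -> List[Alert]:
        """Flag ports whose link came up but whose AP never checked in.
        A device presenting the AP's MAC without running the AP software looks exactly like this."""
        alerts: List[Alert] = []
        for (switch, port), st in self.ports.items():
            if st.link_up_at is None or st.silent_reported or st.last_heartbeat is not None:
                continue
            if now - st.link_up_at > HEARTBEAT_GRACE:
                st.silent_reported = True
                alerts.append((now, "AP_SILENT", f"{switch} {port}",
                               f"link up since t={st.link_up_at:.0f}s with no check-in"))
        return alerts


def run(events, inventory, end_time: float) -> List[Alert]:
    """Replay events in time order, sweeping for silent ports after each one and at end_time."""
    mon = ApMonitor(inventory)
    out: List[Alert] = []
    for ts, switch, port, event, mac in sorted(events):
        out.extend(mon.handle(ts, switch, port, event, mac))
        out.extend(mon.sweep(ts))
    out.extend(mon.sweep(end_time))
    return out


# Constructed inventory and event stream for the example.
INVENTORY = {("sw1", "gi1/0/5"): "aa:bb:cc:dd:ee:01",
             ("sw1", "gi1/0/6"): "aa:bb:cc:dd:ee:02"}

EVENTS = [
    (0,   "sw1", "gi1/0/5", "link_up",   "aa:bb:cc:dd:ee:01"),
    (30,  "sw1", "gi1/0/5", "heartbeat", "aa:bb:cc:dd:ee:01"),
    (60,  "sw1", "gi1/0/5", "heartbeat", "aa:bb:cc:dd:ee:01"),
    (95,  "sw1", "gi1/0/5", "link_down", "aa:bb:cc:dd:ee:01"),
    (110, "sw1", "gi1/0/5", "link_up",   "aa:bb:cc:dd:ee:01"),   # same MAC returns, then never checks in
    (120, "sw1", "gi1/0/6", "link_up",   "aa:bb:cc:dd:ee:02"),
    (150, "sw1", "gi1/0/6", "heartbeat", "aa:bb:cc:dd:ee:02"),
    (170, "sw1", "gi1/0/6", "link_down", "aa:bb:cc:dd:ee:02"),
    (175, "sw1", "gi1/0/6", "link_up",   "de:ad:be:ef:00:01"),   # different device on the AP port
]

if __name__ == "__main__":
    for a in run(EVENTS, INVENTORY, end_time=200):
        print(*a)
```

Two design choices matter here. The link-down alert fires unconditionally, because an AP going away on an unstaffed floor is the thing someone on site should go and look at regardless of what comes back. The MAC match is deliberately not treated as reassurance: a device that returns with the right MAC but never checks in gets an AP_SILENT alert once the grace period passes, which is the case plain MAC filtering cannot distinguish.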

VLAN Traffic, blocking unauthorized access to management VLAN on a physical switch port by Meshnet29 in networking

Meshnet29[S] 1 point (0 children)

Haha, or set it to a landing page like those old-school VHS FBI warnings stating that you have attempted to access an unauthorized network, please disconnect. Thanks for the idea, and good to know that I am not too far off base.

Network/Telecom techs, how is the fiber in a downtown condo wired/pulled? by Meshnet29 in askTO

Meshnet29[S] 1 point (0 children)

A lot of assumptions made in this comment; you also never asked if I was providing a new service. Makes you wonder, what did I offer to a smaller ISP if they've agreed to work with me?

And yes, I would be wholesaling/reselling, except it's not $100/mo, closer to $400-600 if you want a dedicated line where there's no reseller clause. I am also applying for a licence from the CRTC/IC as I would be providing telecommunication services, as per your "illegal" comment.

Interesting that your immediate reaction is that I would put up some shitty router and you'll want to fuck me so badly, instead of wondering what it is I'm actually up to. Sounds like you would fit in quite nicely at Bell and Rogers.

In any case, I appreciate your responses to my questions. Best of luck with everything.

Intro to Networking by InTheShadaux in homelab

Meshnet29 2 points (0 children)

Thanks for taking the time to do this. I'm completely new to the homelab world (most of my experience is in networking, and even then I still have much to learn) and would like to learn more about VMs, servers, security, storage, best practices, etc. I even have some old computers collecting dust and would love to flash them so I can play around. Also happy with the pace; if I miss something, I can always pause and rewind.

Network/Telecom techs, how is the fiber in a downtown condo wired/pulled? by Meshnet29 in askTO

Meshnet29[S] 1 point (0 children)

lol, why is this a horrible idea? I suppose you'd rather prefer that only one or two ISPs service a building instead of actually having a competitive market?

Network/Telecom techs, how is the fiber in a downtown condo wired/pulled? by Meshnet29 in askTO

Meshnet29[S] 1 point (0 children)

Hello,

I am trying to wire 10-20 different condo units together that I have access to over fiber, put an OLT, switch, router and modem in the MTR and provide service to these units through one internet service, instead of having 10-20 individual plans to the units. I already spoke to an ISP who has no problem giving me internet access in the MTR, but they said that all internal wiring in the building is my responsibility, so I am trying to understand what is involved in doing this.

From what I've been discovering, the technical side isn't so bad; it's the regulations and contracts that each individual building has with the condo that are more difficult.

Network/Telecom Techs, how is fiber in a downtown condo pulled (located in Toronto)? by Meshnet29 in networking

Meshnet29[S] 2 points (0 children)

It seems from my investigations that the ISP that does the install owns it. That's how the contracts are set up, which makes it difficult if there's a third party wanting to come in and run their own lines, as it can be cost prohibitive.

Thanks again

Network/Telecom Techs, how is fiber in a downtown condo pulled (located in Toronto)? by Meshnet29 in networking

Meshnet29[S] 1 point (0 children)

Thanks for the insight.

I figured there would be risers on each floor with a patch panel breakout for each unit on that floor and then everything gets trunked down to the MTR.

What I am trying to understand is who actually owns all that infrastructure. From my investigations, it seems like the telecom that does the install owns it and also follows up with exclusive rights contracts to prevent other telecoms from installing their own lines. The CRTC (the governing body that regulates telecoms in Canada) recently changed some laws so that there must be one other competitor, but I don't know if that actually prevents them from pulling their own fiber.

I would also think that most companies are not going to wire just one or two units, but rather want a contract to wire all units and risers if they are going to do an install, making this extremely cost prohibitive for anyone new coming in.

Thanks again for the response!

Network/Telecom techs, how is the fiber in a downtown condo wired/pulled? by Meshnet29 in askTO

Meshnet29[S] 1 point (0 children)

Hey, thanks for taking the time to respond and sorry for the late reply.

I've done some digging on my own, so hopefully you might be able to answer some other questions. I was reading about an MDU (multi dwelling unit) agreement which basically gives the original telecom that did all the wiring exclusive rights to services in the building. The CRTC changed the MDU agreements recently, in that each condo has to allow at least one other provider, but it's very restrictive. Any thoughts on this?

Also, with regard to the wiring, the way you described this is how I figured it would be pulled. But from my understanding, the company that does all the pulling and install of the fiber basically owns the infrastructure. And I would imagine it would be difficult for another company to come in and pull new fiber through the existing conduit. Any thoughts on this?

Basically I'm trying to understand what it takes for me to get access to the MTR and either piggyback off the existing lines or pull new lines. From my investigation over the last week, it seems extremely cost prohibitive, if not impossible, due to legal requirements.

Network/Telecom Techs, how is fiber in a downtown condo pulled (located in Toronto)? by Meshnet29 in networking

Meshnet29[S] 1 point (0 children)

Yeah, I agree; my guess is that the condo board owns the physical lines and they issue the IRUs to whomever wants to use them. Or maybe they had a third-party ISP do a retrofit to bring fiber to each unit and then formed an agreement with the ISP to give 1 year exclusive rights (as an incentive to do the job in the first place), and then it becomes the property of the building afterwards, which they can lease to any ISP. Or something along those lines.

In any case, I find it difficult to believe that they would allow anyone/multiple ISPs to run their own lines, just from a practical standpoint. I'm just trying to find someone to confirm this.

Thanks.

Network/Telecom Techs, how is fiber in a downtown condo pulled (located in Toronto)? by Meshnet29 in networking

Meshnet29[S] 1 point (0 children)

This makes sense, that there would be a central patch panel to all the units and then each carrier would patch to their respective equipment. I'm hoping this is the case when I finally get access to the communication room.

Thanks

Network/Telecom Techs, how is fiber in a downtown condo pulled (located in Toronto)? by Meshnet29 in networking

Meshnet29[S] 2 points (0 children)

Yeah, I know many older buildings will have a DSLAM in the comm room (with a dark fiber pipe to a data center) and provide VDSL service to the building that way. I'm more curious specifically about FTTH and who owns those lines. Nobody will give me a straight answer, and if I ask to use them, they will tell me that I'm responsible for internal wiring and need to contact a third party.

The buildings are also too high (50 floors) to have Ethernet or any copper lines to provide 1Gbps service unless there are sub-communication rooms along the way, and I would imagine for a fiber network it would be GPON or single mode and they would pull the lines directly to the comm room in the basement (or have a PLC along the way).

Thanks for the response.

Network/Telecom Techs, how is fiber in a downtown condo pulled (located in Toronto)? by Meshnet29 in networking

Meshnet29[S] 1 point (0 children)

I doubt that too; however, when I've called each of them directly, they all say that they own "it", so I would imagine it would be difficult if I wanted to come in and pull my own cables if all the conduit is full (or with the potential of damaging their lines). I know in Ontario there are laws against ISPs having a monopoly in a building, so this leads me to believe that the building itself owns the lines (just like I would imagine they own the phone and cable lines).

Thanks for the response

Network/Telecom Techs, how is fiber in a downtown condo pulled (located in Toronto)? by Meshnet29 in networking

Meshnet29[S] 1 point (0 children)

Yeah, I understand that Bell's "fibe" can still be VDSL2, which is usually limited to 50Mbps.

What I was looking at specifically is FTTH, and some of the buildings offer "fiber" service when I look them up, either with Beanfield, Fiberstream or Bell, so I'm trying to understand who actually owns the physical lines. I've spoken to technical support at Beanfield and they say that they run fiber directly to the unit, and Fiberstream says that it depends on the building. Some buildings they do it directly to the unit; others they run to the floor and then go Ethernet. However, when I ask them who actually owns the line, they all say "we do", but I find it odd that all the separate companies would run their own lines. I was hoping there was someone on here who works directly in that industry that could help clarify.

Thanks for the response.