Network management and monitoring

Greetings :)

I am looking for help to manage and monitor home network. My current network specification is :

Number of ethernet wall sockets : 16

Network device list :
  • Telco modem : Huawei Fiber modem
  • Switch : 16 port POE switch, with LAG and LACP functions
  • Wireless Access Points : 3 on 2 floors
  • Uninterruptible Power Supply connected to the NAS only
  • NAS device, docker capable, running Surveillance Station at the moment
  • Personal computer connected via ethernet to the network
  • 4 IP Surveillance cameras wired to the switch
  • 10+ mobile devices connected wirelessly
It is needed to manage user access and allow or suspend users. Also needed is a general basic monitoring ability so that I know of hardware or software faults or issues to solve for a functional network. Also one surveillance camera used to show on Surveillance Station but now it does not. It does not even show on Hikvision SADP tool on Windows !!

With regard to network security, there is no security appliance or network-wide security software as of now. So a security appliance or software is also needed. At least a network-wide firewall if feasible.
 
So you have no router or firewall in your network setup? Or is the Huawei modem also a router/firewall?

First: why do you want to do this? What are you trying to achieve (or prevent)?
Next: what is your user base like? Just you, a family, I don't trust my house mates and definitely not their friends?
Physical security: is the hardware generally lying about to be fiddled with, or is it locked away?
Wired security: are you looking for physical port security, such as using 802.1X?
Wireless security: do you use WPA2/3 Enterprise based on per user authentication?
Are your devices setup to send syslog to a server (e.g. Log Server on DSM)?

The sort of thing you are asking for is similar to what businesses want, but they have a bigger deployment and user base... and deeper pockets (I'm guessing).

Nothing by way of a solution, off the top of my head. Think about disabling unused switch ports and locking down those you do use (LAN isn't my area) by some needs (MAC, 802.1X...). Use a firewall that supports VLANs/physical interface isolation so that it is used to mediate connectivity between different device types/uses.

Using WPA2/3 Enterprise authentication for wireless devices will mean you can block one user while allowing others: it's not a shared password.
 
Huawei modem also a router/firewall
Yes Huawei device provides both modem and router functions.
Next: what is your user base like? Just you, a family, I don't trust my house mates and definitely not their friends?
Family members. Count is maximum 10 users. Any special DSM accounts, say a user for camera admin if needed, are not included.
why do you want to do this?
To control network access, for both local and internet.
Physical security: is the hardware generally lying about to be fiddled with, or is it locked away?
NAS device is in a secure (locked) cabinet along with the switch and the UPS. Modem is adjacent outside the cabinet. What is the needed physical security level for such in-house and family use setup ?
Are your devices setup to send syslog to a server (e.g. Log Server on DSM)?
Looking to implement SNMP audit logging.
 
  • Telco modem : Huawei Fiber modem
  • Switch : 16 port POE switch, with LAG and LACP functions
  • Wireless Access Points : 3 on 2 floors
too generic a description to expect recommendations on management and monitoring of your network

so, generic answer:
  • you can’t expect to take ownership of the ISP device - the device is managed by the ISP
  • you need your own router, then you need the ISP router switched to bridge mode (when the ISP allows it)
  • then you will get your own network w/o unwanted 3rd party assistance
 
you can’t expect to take ownership of the ISP device - the device is managed by the ISP
I do not expect nor want taking ownership of the telco device, the modem and router, I want to manage and monitor devices that are LAN-wise. All devices that are installed after the ISP modem router are my target.
 
It's a bit of a "how long is a piece of string" question. Only you know what your exposed risk is in your home. But why not have the fibre modem/router/firewall in the locked cabinet as well? It sounds that this will have a physical port onto the switch and is probably more likely to be accessible than the cameras.

Is the PC in a secured area? If it is wired ethernet then probably it should be. Same for other wired devices.

Have you considered using VLANs on the switch and having a separate NAS interface for a camera VLAN, and the other interface for the general home LAN? I'm guessing the surveillance system is pretty important so should be isolated or harder to access.

Though it's possible to spoof MAC addresses you could use MAC filtering to limit those devices that are allowed on your wireless network. Then add WPA3 Enterprise linked to RADIUS Server, with either DSM local accounts, LDAP Server, or Directory Server. You should be able to see who is connecting (if your wireless system logs/reports this).
 
Is the PC in a secured area? If it is wired ethernet then probably it should be. Same for other wired devices.
Pardon my style but, maybe I elevated the dialogue more than what I need! What is needed here is management and monitoring in a home setting and not an institutional or enterprise setting.

Have you considered using VLANs on the switch and having a separate NAS interface for a camera VLAN, and the other interface for the general home LAN? I'm guessing the surveillance system is pretty important so should be isolated or harder to access.
I thought of this when I was planning my home network. So I have chosen a switch that supports VLANs. Now I need to grasp knowledge needed to implement network segregation and VLANs. Your help is much appreciated..

Though it's possible to spoof MAC addresses you could use MAC filtering to limit those devices that are allowed on your wireless network. Then add WPA3 Enterprise linked to RADIUS Server, with either DSM local accounts, LDAP Server, or Directory Server. You should be able to see who is connecting (if your wireless system logs/reports this).
I have done MAC filtering long time ago, before this new LAN, so MAC filtering now shall not be that hard. But RADIUS server setup and LDAP/Directory/Domain server setup is a new challenge. Shall I begin by, say, Domain server setup and buy or use a registered domain name since I have a few already ?
 
I do not expect nor want taking ownership of the telco device, the modem and router, I want to manage and monitor devices that are LAN-wise. All devices that are installed after the ISP modem router are my target.
You can’t slice the ONU (fiber, FTTx) and LAN part of the router when a 3rd party (ISP) is able to take ownership over your LAN settings.
Then you have a heavy security hole in your infrastructure. Any management of the LAN outside the router won’t help you sleep better. This is the mandatory part of any useful and secure networking discussion.
 
Setting up the switch with a separate VLAN for the surveillance system should be fairly easy, just follow the switch's user guide. Then configure the NAS's second LAN interface to be on this VLAN ID. I haven't looked into it but you could probably use the DSM DHCP Server for this VLAN.

As for WPA2/3 Enterprise the minimum you need is a RADIUS server. The DSM RADIUS Server will suffice and it supports authentication using one of: DSM local users; LDAP server (e.g. LDAP Server); a directory server (e.g. Synology Directory Server). Once using WPA2/3 Enterprise authentication your devices use username/password rather than the same shared password. You can use the RADIUS Server block list to stop users authenticating using RADIUS (i.e. they could still access services and devices that don't use RADIUS).

Monitoring all this depends on what your devices support by way of logging and management interfaces (e.g. APIs). Check out what apps and web interfaces your wired/wireless servers provide (they should detail things like current active clients/devices). You may find that there are time-based and access profiles for controlling different users (devices).

I would still use my own Internet router/firewall instead of the ISP supplied device. That's what I do and have the ISP's router in bridge/modem mode. This way I control my Internet security policy. This is the point being made by @jeyare.
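The "see who is connecting" monitoring described in the replies above (per-user authentication via RADIUS, block-listed users, MAC filtering that can be spoofed) can be checked from syslog once the APs or RADIUS server forward their events to a log server. The following is an added example, not code from any poster here or from Synology: the log line format is constructed for illustration, since the real RADIUS Server and AP syslog formats vary, so the regex is the part you would adapt.

```python
"""Summarise WPA-Enterprise auth events from syslog. Added example for this
thread; the log format below is CONSTRUCTED, real AP/RADIUS formats differ."""
import re
from collections import Counter, defaultdict

# Constructed sample of what APs/RADIUS might forward to a Log Server.
SAMPLE_LOG = """\
Mar 03 19:01:02 ap-floor1 radius: Access-Accept user=alice mac=aa:bb:cc:00:00:01
Mar 03 19:01:09 ap-floor1 radius: Access-Accept user=alice mac=aa:bb:cc:00:00:02
Mar 03 19:02:15 ap-floor2 radius: Access-Reject user=bob mac=aa:bb:cc:00:00:03 reason=blocked
Mar 03 19:02:20 ap-floor2 radius: Access-Reject user=bob mac=aa:bb:cc:00:00:03 reason=blocked
Mar 03 19:02:26 ap-floor2 radius: Access-Reject user=bob mac=aa:bb:cc:00:00:03 reason=blocked
Mar 03 19:05:00 ap-attic radius: Access-Accept user=carol mac=aa:bb:cc:00:00:01
"""

# Regex for the constructed format: timestamp, host, result, user, MAC, optional reason.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) radius: "
    r"(?P<result>Access-Accept|Access-Reject) user=(?P<user>\S+) "
    r"mac=(?P<mac>[0-9a-f:]{17})(?: reason=(?P<reason>\S+))?$"
)

def parse(log_text):
    """Yield one dict per line that matches the constructed format; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def summarise(log_text, reject_threshold=3):
    """Return which MACs each user authenticated from, users hitting the reject
    threshold (e.g. a block-listed account still trying), and MACs that
    authenticated under more than one username (shared or spoofed device)."""
    devices = defaultdict(set)    # user -> MACs accepted for that user
    rejects = Counter()           # user -> count of Access-Reject events
    mac_users = defaultdict(set)  # mac -> usernames it authenticated as
    for ev in parse(log_text):
        if ev["result"] == "Access-Accept":
            devices[ev["user"]].add(ev["mac"])
            mac_users[ev["mac"]].add(ev["user"])
        else:
            rejects[ev["user"]] += 1
    return {
        "devices": {u: sorted(m) for u, m in devices.items()},
        "repeated_rejects": {u: n for u, n in rejects.items() if n >= reject_threshold},
        "shared_macs": {m: sorted(u) for m, u in mac_users.items() if len(u) > 1},
    }
```

Running `summarise(SAMPLE_LOG)` on the constructed sample lists two devices for alice, flags bob's three rejects, and shows that the MAC ending in `:01` authenticated as both alice and carol, which is the kind of discrepancy MAC filtering alone would not reveal.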
 