SECURITY: Complete Valvaris Overkill Config Q4 2020

Last updated
Nov 13, 2020
About
Personal, primary device
Desktop OS
Windows 10
Login security
    • Password (Aa-Zz, 0-9, Symbols)
Primary sign-in
Local account
Primary user
Standard user - Limited permissions
Security updates
Default - allow security updates
Windows UAC
Maximum - always notify
Real-time protection
Checkpoint Sandblast Agent Advanced (Cloud - Infinity Portal)
Software firewall
Provided by a third-party security vendor. Refer to 'Real-time protection' for details.
Custom RTP, Firewall and OS settings
Policy Provided by Infinity Portal Checkpoint
Malware testing
No malware samples
Periodic security scanners
Weekly Scan - Sandblast Agent Advanced (Checkpoint)
Browsers, Search and Addons
Ublock-Origin Advanced Mode - 1Password - Checkpoint Sandblast Agent for Browser
Maintenance and Cleaning
Windows Build-In Storage Cleander and DISM Gui
Personal Files & Photos backup
Veeam Agent for Windows Free and Veeam Agent for Linux Free
Personal backup routine
Manual (maintained by self)
Device recovery & backup
USB Desaster Recovery Stick from Veeam with Driver Repository
Device backup routine
Manual (maintained by self)
PC activity
  1. Browsing the web. 
  2. Emails. 
  3. Shopping. 
  4. Banking. 
  5. Downloading software. 
  6. Working from home. 
  7. Remote assistance. 
  8. PC and cloud gaming. 
  9. Streaming. 
Computer specs
Self-Build Desktop PC
CPU: Intel 8700K (No OC)
GPU: Nvidia RTX 2070 Super
RAM: 16GB DDR4 3200Mhz
SSD: 1TB Nvme
PSU: 850W
Personal changelog
Infrastructure change = Complete Network
Security Product change = Checkpoint
Underlying Communication change = Domain Controller - DNS Service Provider

valvaris

Level 5
Verified
Jul 26, 2015
215
Hello MalwareTips-Community,

finally I think I found my Config. that changes my whole Network thanks to a few Open-Source Projects and allot of time on my hand coz of COVID-19.

What has changed?
My goal was to recreate a Business Type Network with best practice in mind. That means that allot off things here are for "Advanced Users" that understand the fundamentals of IT-Administration.

Why is that?
I want to be fair! - and - Want to keep this as short as I can! - So to explain it all it will take hours to write it all down. ;)

How is the concept?
1. ISP function change with Cable Modem Box to Bridge-Mode (Zero Intelligence pure Switch with no NAT)
2. Network Side Security - it all starts from there! (Network Segmentation, Harsh Rules in the Firewall, Secure DNS Communication for all Devices)
3. Communication - Domain Controller (Samba for Raspberry Pi 3) - PBX (3CX for HomeUse License - Free)
4. Computer Security - Windows Configuration thru Policy and Tools - Business Grade Anti-Virus with only needed features (Deep-Learning - Signature - Behavior - Ransomware Protection - URL-Filter - Emulation/Sandboxing - Anti-Phishing Active Module)
5. Backup thru Veeam Agent for Windows and Co.
6. User separation (Admin is Admin and User is the User with almost no Privilege's)

At this Point I would drop down with the Details but as mentioned above I am too lazy for it. I just keep it simple:

My ISP Provided me with a Cable-Modem that was Bridge-Mode compatible like that no Ports coming IN or going OUT are not subject to change. (Example Port 443 remains port 443)

Now a Dilemma comes in to play now you need Network Layered Protection - Of to a Hardware Appliance Firewall - In my case a Open-Hardware Box with Pfsense Community Edition installed. Since I have allot of Devices on my Network I need to segment my Devices. (WAN (Internet) - LAN (HomeNet.) - TV/IoT - Servers (DC/PBX)) This I have done thru IP Segmentation and Rule Definition without VLAN.

Example:
192.168.0.96/28
192.168.100.96/28
192.168.200.96/28

The Firewall setup is a Default Deny on all Interfaces like that there have to be rules for communication. But since all the Networks are known by the Firewall it will route across all Networks by default that need to change and is easily done by Firewall Rules.

Example:
TV/IoT - only can go to the Internet with Ports 80 - 443
DNS and NTP is managed by the Firewall - DNS Traffic gets Forwarded to "NextDNS"
------
Servers - can go to LAN with Ports 88 (Kerberos) - 53 DNS (Domain Controller) - LDAP (389/636 in Future) and so on... This one has a few more Rules coz of the PBX
-----
LAN - Can go to Servers with Ports 88 (Kerberos) - 53 DNS (Domain Controller) - and so on...
HTTP - HTTPS Traffic towards WAN...

Of course there are NAT Rules as well but that has the primary function for the PBX and for a few Games on LAN!

How does your DNS look like traffic wise?! There are two DNS Servers why that?
Good question... :D -> Since all Networks have there own DHCP Settings I can manipulate what settings get Pushed to a Client per Network Segment!
LAN gets the Domain Controller
TV gets the Firewall
Servers get the Domain Controller
Just to mention you got to love DNS Zones and Reverse Lookup Zones ;)

In general all traffic must pass to the Firewall to get forwarded to NextDNS.
LAN -> DC on ServerNet -> Firewall -> NextDNS
Now experienced Admins will jump in and say that is not "best practice" since Pfsense and Co. can forward request to a Domain Controller if needed. (And that is true!) But since I did not use VLAN to disrupt routing between the networks I wanted to prevent conflicts like that all works just fine. :D

Now to the easy part Computer Security:
Since the Normal User Account has "NO" Install Privilege's and can not run Applications as Admin. the threat scope got a little slimmer just a little. So off to do some Windows 10 tuning...
W10Privacy does allot of the Hard work for you and there are allot of Settings to manage. (Bloatware from a Default Windows 10 install) - (Telemetry) - (Background Process) and allots more...
As a Firewall I use Netlimiter since it shows everything that wants to connect somewhere with IP and Ports makes it easy to manage Firewall Rules on the Windows and Pfsense Box.
Of course the Windows Installation is Domain Joined and has Policy's enforced.
CheckPoint Sandblast Agent Advanced (Engine is partial Kaspersky)
Since I have a Nvidia GPU I use NVCleanInstall to keep the junk out!
RSAT Tools installed to manage Samba AD, GPO and DNS
Total Process count: 76-100

All connections to manage the Servers or Firewall directly are done so with SSH Keys (ONLY) - Authentication on Webinterfaces is handled by the Domain Controller Kerberos. (Sync Pfsense and Sync PBX)

Backup is done Weekly with Veeam - since my important stuff is on my HiDrive on a GDPR compliant Provider!

I would love to go more in to detail but dang this will take forever! :D

If there are any questions Ill help out as much as I can. ^^

Best regards
Val.
 
Last edited:

LDogg

Level 33
Verified
May 4, 2018
2,196
While all of this is amazing, seen many businesses use this aspect for their own model. Don't you think it's a bit too much and over the top when you come out of the business user to being a home user? I think this has been over simplified, home users as you probably know are less susceptible to hacker attacks, network penetration etc. I would have had a changed opinion if you has concepts for Phishing, emails and Ransomware (which you have, I won't highlight further). Just my own opinion as someone whose worked in the IT Industry in many fields for 10 years with a further 5 before then as a hobby.

However above aside, love it. But maybe not entirely needed.

~LDogg
 

valvaris

Level 5
Verified
Jul 26, 2015
215
While all of this is amazing, seen many businesses use this aspect for their own model. Don't you think it's a bit too much and over the top when you come out of the business user to being a home user? I think this has been over simplified, home users as you probably know are less susceptible to hacker attacks, network penetration etc. I would have had a changed opinion if you has concepts for Phishing, emails and Ransomware (which you have, I won't highlight further). Just my own opinion as someone whose worked in the IT Industry in many fields for 10 years with a further 5 before then as a hobby.

However above aside, love it. But maybe not entirely needed.

~LDogg
Like you mentioned - "Not needed" - That is why its overkill! :D - For me this is great just love it and we both can shake our hands been in the IT field for over 15 years ;) - But that aside - This keeps me fit and the in terms of Tech. we always strive to learn more - That is why the Pfsense box will leave my Network for a test of a SMB Line Firewall also from Checkpoint. To see how it handles things and if it is interesting to report about it.

Just love this community so many different views - Keep it up @all!

Sincerely
Val.
 

LDogg

Level 33
Verified
May 4, 2018
2,196
Like you mentioned - "Not needed" - That is why its overkill! :D - For me this is great just love it and we both can shake our hands been in the IT field for over 15 years ;) - But that aside - This keeps me fit and the in terms of Tech. we always strive to learn more - That is why the Pfsense box will leave my Network for a test of a SMB Line Firewall also from Checkpoint. To see how it handles things and if it is interesting to report about it.

Just love this community so many different views - Keep it up @all!

Sincerely
Val.
Love the concept though. I think an advisory note for people not to copy what you have done because they inevitably get stuck and an average home user would destroy their computer in frustration. LOL

~LDogg
 

valvaris

Level 5
Verified
Jul 26, 2015
215
Love the concept though. I think an advisory note for people not to copy what you have done because they inevitably get stuck and an average home user would destroy their computer in frustration. LOL

~LDogg
Updated 1st Post to show that this is intended for "Advanced Users" - I mentioned that before but now its highlighted! ;)

Best regards
Val.
 

LDogg

Level 33
Verified
May 4, 2018
2,196
Updated 1st Post to show that this is intended for "Advanced Users" - I mentioned that before but now its highlighted! ;)

Best regards
Val.
Some people may skip through that mind ;), and be like "oh yeah a good config lemme choose it, oh damn my computer is like a snail now, I BLAME YOU" you know that type of thing. It's like WWE videos that show "don't do this type of thing of home".

~LDogg
 

LDogg

Level 33
Verified
May 4, 2018
2,196
I am sad now - My Config. is somehow a DANGER!!! - Forwarded a msg to MalwareTips Admin/Mods for clarification.
It would be "Danger" because of the way the setup up has been. I think maybe for you especially, a title change would be needed because I think the basis of the clarification as I said, would be people copying this setup regardless of any warning on the thread itself.

~LDogg
 

valvaris

Level 5
Verified
Jul 26, 2015
215
It would be "Danger" because of the way the setup up has been. I think maybe for you especially, a title change would be needed because I think the basis of the clarification as I said, would be people copying this setup regardless of any warning on the thread itself.

~LDogg
That is not the case! - It is in DANGER out of another reason - I will post a Update soon that explains the Szenario!
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,360
I am sad now - My Config. is somehow a DANGER!!! - Forwarded a msg to MalwareTips Admin/Mods for clarification.
No virtualized tool such VirtualBox or VMWare...
POSQTtmL_o.jpg


I tried to read all the posts and maybe missed something? :unsure:

Aha, now I see the update! That's better @valvaris , but I understand @harlan4096 as he judged and added the Danger tag from the first information that also is seen in the screenshot.
 

valvaris

Level 5
Verified
Jul 26, 2015
215
No criticism from my part and understand the: "Judgement completely!"

Thanks to all the Mod. Team here as MalwareTips to keep an eye on things and attention to detail. After a few clarifying words from @harlan4096 and as @upnorth mentioned - I was too enthusiastic on the Malware Samples part.

I did try out a Eicar Test Virus to see when and how the AV will kick in but that is not the case with True "Armed Malware" this is not tested on my productive machine!

To keep things short I changed that part and thanks to you for being super fast @harlan4096 for clarifying, having a open ear and @Jack for forwarding the case to the proper channels.

Keep up the great work all of you Admins / Mods you make MalwareTips "Complete" :D

Sincerely
Val.
 
Top