Initial Unifi Controller/Firewall Setup for Tiered Security Model

Hardware Used

  • UniFi Dream Machine
  • UniFi 24 Port Switch
  • UniFi AP
  • Windows 10 Client
  • Windows 10 Server

Premise and Setup

The first step in creating a secure homelab (or any environment, for that matter) is to ensure proper physical and network controls between devices. Rather than relying on local device firewalls, we should create separate virtual LANs (VLANs) and subnets. We will be separating our networks to better abide by a tiered privileged access model, as described in Microsoft's privileged access model documentation.

We begin with a very simple network layout. We have a single UDM firewall connecting us to the internet. The firewall is connected to one UniFi 24-port managed switch, which is in turn connected to a UniFi wireless access point. We only have two VLANs at this point: one for the networking equipment and one for every other device connected to the network. We have not yet enabled any internal network restrictions, so devices on VLAN 20 can communicate with VLAN 1 and vice versa.

A diagram of the existing setup can be seen below. (Network Diagram – Phase 1)

Network Diagram – Phase 1

The end goal is to split up the network so that we have VLANs configured to allow or deny traffic between networks as we see fit. We will follow a simple deployment where each network is a single /24 (Class C) subnet.

– Network Management (VLAN 1/VLAN ALL) [Example: Firewalls, Access Points]
– Tier 0 Devices (VLAN 100) [Example: Domain Controllers, Certificate Authorities]
– Tier 1 Devices (VLAN 110) [Example: Web Servers, Non-Identity App Servers]
– Tier 2 Devices (VLAN 120) [Example: Company owned Workstations/Laptops]
– Personal Devices (VLAN 20) [Example: Employee Smart Phones, Laptops]
– IoT Devices (VLAN 30) [Example: Network enabled televisions, digital signage]

As you may have noticed, we do not currently have any Tier 0 devices on our network aside from the Network Management devices. It is important to note that we cannot simply deny all traffic to the Tier 0 VLAN. There are some services the Tier 0 servers need limited connectivity to provide, such as responding to DNS and DHCP requests. We also need to allow a way to access the Tier 0 subnet. For this example we will assume there is a known clean device to serve as a dedicated RDP Jump Host/Tools Server. Any work we need to perform in the Tier 0 environment should be done from this Tier 0 Tools Server. We will explain the process of allowing Remote Desktop connections to the Tier 0 Tools Server. Further security setup is highly recommended but outside the scope of this guide.

We will begin configuration by implementing a Tier 0 network and adding our first Tier 0 client. We are looking to create a setup as seen in the following diagram. (Network Diagram – Phase 2)

Network Diagram – Phase 2

Begin Configuration of Tier 0 VLAN – Unifi WLAN Controller

Please note: this guide uses the classic Unifi Controller interface

Log in to your Unifi Controller and navigate to Settings > Networks.

Select + CREATE NEW NETWORK

Use the following fields for configuration of the Tier 0 VLAN

Name: Tier 0 Devices
Purpose: Corporate
Interface: LAN
VLAN: 100
Gateway Type: Default
Gateway IP/Subnet: 10.9.100.1/24
Gateway IP: 10.9.100.1
Network Broadcast IP: 10.9.100.255
Network IP Count: 254
Network IP Range: 10.9.100.1-10.9.100.254
Network Subnet Mask: 255.255.255.0
Domain Name: Your internal domain name. I am using labgrassa.com
DHCP Mode: DHCP Server
DHCP Range: 10.9.100.21-10.9.100.254
DHCP Name Server: Auto
DHCP Lease Time: 86400 seconds
DHCP Gateway IP: Auto
DHCP UniFi Controller: (undefined)

The rest of the items can be left as default. Click Save.

Configure a Switch Port to Access Tier 0 VLAN

We should now configure a switch port to allow access to VLAN 100.

In your UniFi Controller, select Devices
Select the UniFi switch that your Tier 0 device will be connected to
Select the port to be used for the Tier 0 device and click Edit
Under Name, enter a useful name for the port
Under Switch Port Profile, select Tier 0 Devices
Click Apply

Wait for the UniFi Controller to push the new configuration automatically, then plug your Tier 0 device into the configured switch port.

For additional security you may want to enable the MAC filter on the port so that only the device with the expected MAC address is allowed to use it. Without it, anyone who gains physical access to your switch could plug a device into that port and reach the Tier 0 network. Keep in mind that a MAC filter only stops casual connection; it does not authenticate the device, since a MAC address is set by the client and can be changed.

Ensure Tier 0 Network Functionality

Power up your Tier 0 device and ensure it has a proper network configuration. Make sure it has an IP address in the 10.9.100.x range and that it is able to reach the internet. We can check this at a glance on a Windows device using ipconfig.

Example proper ipconfig output. Note the address falls under the Tier 0 subnet

Test Network Connectivity through VLANs

On a device in the General Devices VLAN [20] we can use PowerShell to check for open or listening ports. For example we could test to see if our Tier 0 Server is listening for Remote Desktop Traffic using port 3389.

We can see that we are able to communicate with the Tier 0 device, but not for long!

We can confirm that the Tier 0 server is indeed reachable from devices in the General Devices VLAN. This is not ideal. We now need to create internal firewall rules that block communication from these devices apart from a strict subset of necessary ports.

Configure Internal Firewall Rules

In your UniFi Controller, select Settings > Routing & Firewall > Firewall > LAN IN
Select + CREATE NEW RULE

Use the following fields for configuration of the Deny Tier 0 Access rule

CREATE NEW RULE
Name: Deny Tier 0 Access
Enabled: On
Rule Applied: Before predefined rules
Action: Drop
IPv4 Protocol: All
ADVANCED
Logging: Enable logging
States: Do not select any states. No selection is interpreted as any state
IPsec: Don’t match on IPsec packets
SOURCE
Source Type: Address/Port Group
IPv4 Address Group: Any
Port Group: Any
MAC Address: Intentionally leave this blank
DESTINATION
Destination Type: Network
Network: Tier 0 Devices – IPv4 Subnet

Click Save

Test Network Connectivity through VLANs

On a device in the General Devices VLAN [20] we can use PowerShell to confirm the Tier 0 device can no longer be reached.

We can see communication to the Tier 0 VLAN is blocked

We have now confirmed that the Tier 0 Device is not accessible from the General Devices VLAN.

The next step is to allow only the traffic we want, from specific sources, into the Tier 0 VLAN. We will create a new firewall rule to explicitly allow Remote Desktop Protocol access to the specific server we want to reach. Keep in mind this should be scoped to a single jump host; the entire point of the configuration is to disallow risky connection types. You can follow the next steps for whatever sort of traffic you deem necessary for network functionality.

Create Necessary Groups

In your UniFi Controller, select Settings > Routing & Firewall > Firewall > Groups

Select CREATE NEW GROUP

While it is possible to allow traffic based on the built-in RDP rule, we are going to go through the process of enabling an arbitrary TCP/UDP port so that it can be repeated for any necessary network configuration.

Use the following fields for the configuration of the OL-DC-01 group.

CREATE NEW GROUP
Name: OL-DC-01 (Enter the name of your Jump Host)
Type: Address IPv4
Address: 10.9.100.133 (Enter the IP of your Jump Host)

Click Save

Select CREATE NEW GROUP

Use the following fields for the configuration of the RDP Port group.

CREATE NEW GROUP
Name: RDP Port
Type: Port
Port: 3389

Click Save

Create Allow RDP Firewall Rule

In your UniFi Controller, select Settings > Routing & Firewall > Firewall > LAN IN
Select + CREATE NEW RULE

Use the following fields for configuration of the Allow RDP to OL-DC-01 rule

CREATE NEW RULE
Name: Allow RDP to OL-DC-01
Enabled: On
Rule Applied: Before predefined rules
Action: Accept
IPv4 Protocol: TCP and UDP
ADVANCED
Logging: Enable logging
States: Do not select any states. No selection is interpreted as any state
IPsec: Don’t match on IPsec packets
SOURCE
Source Type: Address/Port Group
IPv4 Address Group: Any
Port Group: Any
MAC Address: Intentionally leave this blank
DESTINATION
Destination Type: Address/Port Group
IPv4 Address Group: OL-DC-01
Port Group: RDP Port

Click Save

Ensure the Allow RDP to OL-DC-01 rule has a lower rule index than the Deny Tier 0 Access rule. Rules are evaluated from the lowest index first and the first match wins, so if the Deny rule is evaluated before the Allow rule, the RDP connection will still be blocked.
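The port checks in the two "Test Network Connectivity through VLANs" sections and the rule-index point above can be driven from one script. This is an added example written for this page, not code from the original guide or from Ubiquiti; it assumes the controller assigned indices 2000 and 2001 to the two rules, that a second Tier 0 host exists at 10.9.100.50 (a constructed address), and that it runs from the Windows 10 client in VLAN 20.

```powershell
# Added example, not code from the original guide: model the two LAN IN rules as a
# first-match list, derive the verdict each VLAN 20 probe should get, then compare with
# a live Test-NetConnection on the Windows 10 client. Assumed: indices 2000/2001, host 10.9.100.50.
function ConvertTo-IpInt ([string]$Ip) {
    $n = [int64]0
    foreach ($b in [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()) { $n = $n * 256 + $b }
    return $n
}

function Test-InSubnet ([string]$Ip, [string]$Cidr) {
    $net, $prefix = $Cidr -split '/'
    $mask = [int64](4294967296 - [math]::Pow(2, 32 - [int]$prefix))
    return ((ConvertTo-IpInt $Ip) -band $mask) -eq ((ConvertTo-IpInt $net) -band $mask)
}

# The two rules as the guide configures them; Index decides evaluation order.
$Rules = @(
    [pscustomobject]@{ Index = 2000; Name = 'Allow RDP to OL-DC-01'; Action = 'Accept'; Protocol = @('tcp', 'udp'); Destination = '10.9.100.133/32'; Port = 3389 }
    [pscustomobject]@{ Index = 2001; Name = 'Deny Tier 0 Access';    Action = 'Drop';   Protocol = @('all');        Destination = '10.9.100.0/24';   Port = $null }
)

function Get-Verdict ([string]$DstIp, [int]$DstPort, [string]$Protocol = 'tcp') {
    foreach ($r in ($Rules | Sort-Object Index)) {   # lowest index is read first, first match wins
        $protoOk = ($r.Protocol -contains 'all') -or ($r.Protocol -contains $Protocol)
        $portOk  = ($null -eq $r.Port) -or ($r.Port -eq $DstPort)
        if ($protoOk -and $portOk -and (Test-InSubnet $DstIp $r.Destination)) {
            return "$($r.Action) by $($r.Name)"
        }
    }
    return 'Accept by default'   # no rule matched: LAN IN passes inter-VLAN traffic by default
}

# Probes from the VLAN 20 client: RDP to the jump host, SMB to it, RDP to another Tier 0 host.
$Probes = @(
    @{ Ip = '10.9.100.133'; Port = 3389 }
    @{ Ip = '10.9.100.133'; Port = 445 }
    @{ Ip = '10.9.100.50';  Port = 3389 }
)
foreach ($p in $Probes) {
    $expected = Get-Verdict $p.Ip $p.Port
    # A dropped packet and a host that is not listening both show as TcpTestSucceeded = $false.
    $live = Test-NetConnection -ComputerName $p.Ip -Port $p.Port -WarningAction SilentlyContinue
    $observed = if ($live.TcpTestSucceeded) { 'Accept' } else { 'Drop' }
    $state = if ($expected -like "$observed*") { 'OK' } else { 'MISMATCH: check rule index/order' }
    '{0,-14} {1,5}  expected: {2,-30} observed: {3,-7} {4}' -f $p.Ip, $p.Port, $expected, $observed, $state
}

# Give the Allow rule a higher index than the Deny rule and the RDP probe now hits Deny first.
$Rules[0].Index = 2002
Get-Verdict '10.9.100.133' 3389
```

A MISMATCH on the 3389 row while the Allow rule exists is the symptom of the ordering problem described above; a MISMATCH on the 445 row means the Deny rule is not taking effect.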

Conclusion

In this guide we have configured a simple VLAN structure to create a secure Tier 0 network using a UniFi controller. We have denied traffic from our network at large to the Tier 0 VLAN, but allowed a specific address/port combination through the firewall to support a specific service. Similar rules will likely need to be made to allow things like DNS and DHCP requests, as these services should reside within a Tier 0 network. Please note that leaving RDP or other remotely exploitable services exposed to your Tier 0 network is inherently risky.

Next Steps

We will begin configuration of our first local Domain Controller and add the first computer to the domain, our Tier 0 Tools Server. We will update the UniFi configuration to ensure best security and enable features such as internal DNS through the Domain Controllers.
