Web Proxy Filtering and Caching / Re: Transparent HTTPS Proxy. Pros and cons
« on: November 15, 2023, 06:53:13 pm »
First off, it is always a good idea to segment your network into several VLANs / LANs or WLANs.
I decided to segregate them based on what they should be allowed to do. Currently, I have these zones:
- LAN for my internal Clients and servers
- IoT for my devices that I do not fully trust (because they could "phone home" and pierce my firewall)
- DMZ for any VMs or device that are in my network but belong to others (like a backup server)
- Guest (kinda self-explanatory)
- MGMT for device management (switches, APs, firewall, NAS)
All of them have a 1:1 mapping between VLANs and corresponding WLANs. Since the "zones" are defined by what they can do, why should this be different in ethernet and WLAN networks?
I also use 802.1x to protect my physical ports. "LAN -> IoT" and "MGMT -> all" traffic is allowed, anything else is forbidden (apart from specific holes).
My Guest network has internet access - I use simple WLAN password protection, but that could be changed to time-based tickets with my Unifi APs by using the Guest portal on my Unifi Controller (which is a VM on Proxmox). Also, the Guest network has full unhindered internet access (i.e. no transparent HTTPS proxy). If I were to mistrust my Guests, I could use a VPN provider and route all of the Guest network traffic over that provider. If anybody misuses this, the traffic does not originate from my "official" IPs.
I have no children, so I do not need a transparent proxy for my LAN and I do not use any fancy protection stuff like zenarmor, whitelists - but I could do that.
BTW: obviously, transparent proxies would probably not work for IoT devices, either.
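As an added illustration (not part of the post above, and not the poster's configuration), the zone policy described there - default deny, "LAN -> IoT" and "MGMT -> all" allowed, Guest with internet only, everything else an explicit hole - written as a pf ruleset, since OPNsense drives pf under its GUI. The interface names, VLAN numbers, the WAN interface `igb0` and the commented-out DNS "hole" are assumptions chosen for the example; only the rules the post states are implemented.

```pf
# Illustrative pf.conf for the five zones in the post. Interface names,
# VLAN IDs and the WAN interface are assumed, not taken from the poster.
ext_if   = "igb0"      # WAN (assumed name)
lan_if   = "vlan10"    # LAN:   internal clients and servers
iot_if   = "vlan20"    # IoT:   devices that are not fully trusted
dmz_if   = "vlan30"    # DMZ:   VMs/devices that belong to others
guest_if = "vlan40"    # Guest
mgmt_if  = "vlan50"    # MGMT:  switches, APs, firewall, NAS

# "Internet only" is expressed as "anything that is not a private range",
# so a zone with this rule can never reach another VLAN by accident.
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
set block-policy drop
# Floating states (pf default): a state created by an inbound pass rule
# on one VLAN also passes the same connection out on the other VLAN and
# lets the replies back in, so no per-zone "pass out" rules are needed.
set state-policy floating

# Outbound NAT for every internal zone behind a single WAN address.
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)

# Default deny on every interface; each rule below is an explicit hole.
block log all

# MGMT -> all (other zones and the internet)
pass in quick on $mgmt_if inet from $mgmt_if:network to any keep state

# LAN -> IoT, and LAN -> internet (but not to DMZ, Guest or MGMT)
pass in quick on $lan_if inet from $lan_if:network to $iot_if:network keep state
pass in quick on $lan_if inet from $lan_if:network to !<private> keep state

# Guest -> internet only; no proxy in the path, no reach into any VLAN
pass in quick on $guest_if inet from $guest_if:network to !<private> keep state

# IoT and DMZ have no "pass in" rule at all: they can only answer
# connections opened from LAN or MGMT. The "specific holes" the post
# mentions would be single rules here, e.g. (assumed example, disabled):
# pass in quick on $iot_if inet proto udp from $iot_if:network \
#     to $lan_if:network port 53 keep state
```

The check worth doing after loading such a ruleset is from the untrusted side: a host on the IoT or Guest VLAN must fail to open anything towards the LAN or MGMT ranges, while a LAN host can still reach IoT devices and their replies flow back through the state table. Without `!<private>` the Guest rule would silently grant access to every other VLAN as well.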