Network Security Basics

Fundamentals of protecting your infrastructure from threats.

4 min read

The Zero Trust Mindset

Network security starts with a fundamental shift in thinking: assume the network is hostile. The old perimeter-based model -- "trust everything inside, block everything outside" -- no longer works when employees work remotely, cloud services blur network boundaries, and threats move laterally. Zero Trust means verify every connection, every time, regardless of where it originates.

In a home lab, this translates to segmenting your network, enforcing authentication on every service, and logging everything. These habits scale directly to enterprise environments.

Firewalls: Your First Line of Defense

OPNsense and pfSense are the two leading open-source firewall distributions. Both run on x86 hardware and provide enterprise-class routing, NAT, VPN, and firewall capabilities at no cost.

Key concepts every lab operator should understand:

Start by setting up your firewall with a default deny rule at the bottom, then add allow rules methodically. Watch the traffic logs to see what's actually hitting your rules -- this is where you learn what your network really does.

VLANs and Network Segmentation

Virtual LANs are the cheapest and most effective network segmentation tool available. By separating devices into logical networks, you limit lateral movement if a device gets compromised.

Practical VLAN strategy for a home lab:

Inter-VLAN routing should go through your firewall so you can apply rules to every cross-VLAN connection. This gives you visibility and control over all traffic flows.

VPNs for Secure Remote Access

When you need to access your lab or internal services from outside your network, a VPN is essential. Two approaches that work well:

WireGuard is the modern choice -- fast, simple to configure, and cryptographically clean. Setting up a WireGuard server on your OPNsense or Linux box gives you encrypted tunnel access with minimal overhead. The peer configuration is just a few lines in a config file.

OpenVPN remains the battle-tested option with wider client support and more configuration flexibility. It's heavier than WireGuard but has decades of real-world deployment history behind it.

Always pair VPN access with multi-factor authentication. A compromised VPN credential with no MFA is like leaving your front door wide open.

DNS Filtering and Pi-hole

DNS-level ad blocking and threat prevention is one of the highest-impact, lowest-effort security improvements you can make. Pi-hole runs as a DNS sinkhole on any Linux machine or Raspberry Pi and blocks ads and trackers by refusing to resolve known bad domains.

Beyond ad blocking, Pi-hole's gravity list includes thousands of known malware and phishing domains. When your devices try to connect to a C2 server or phishing site that's on the blocklist, the request never leaves your network.

Set up Pi-hole as your lab's primary DNS server and configure DHCP to hand out its address. Then watch the query logs -- you'll be surprised how many devices are phoning home to tracking services by default.

Network Monitoring and IDS

You can't secure what you can't see. Network monitoring gives you visibility into traffic patterns, anomalies, and potential threats.

Zeek (formerly Bro) is a powerful network analysis framework that generates detailed logs of every connection, DNS query, HTTP transaction, and TLS handshake on your network. It's not a signature-based IDS -- it's a behavioral analysis engine that tells you what's actually happening.

Suricata provides signature-based intrusion detection alongside traffic analysis. It can detect known attack patterns, malware signatures, and protocol anomalies.

For visualization, Elastic Stack (ELK) or Grafana + Loki can ingest Zeek and Suricata logs and present them in dashboards. Even a basic setup with grep and awk on Zeek logs reveals more about your network than most enterprise monitoring tools.

Security Best Practices

  1. Change all default credentials on every device
  2. Keep firmware and software updated -- automate this where possible
  3. Disable unused services and open ports
  4. Use SSH keys instead of passwords for remote access
  5. Implement network segmentation with VLANs
  6. Enable logging on all critical devices and centralize it
  7. Test your security with vulnerability scans (Nessus Essentials is free)
  8. Document your network topology and security rules