Mark Loveless, aka Simple Nomad, is a researcher and hacker. He frequently speaks at security conferences around the globe, gets quoted in the press, and has a somewhat odd perspective on security in general.

The Home Network Overhaul

A part of the home network.

The draft of this blog post started in 2020, well before the Ubiquiti breach made the news, so it looks like I have to rewrite it with that in mind. You see, I had made the decision to go almost completely over to Ubiquiti’s UniFi for my home network makeover months ago. Even after this breach I am still satisfied, and I would have moved forward with UniFi anyway. But since it’s top of mind, I’ll cover why the breach didn’t make me freak out.

When I read the notice I got in January about the breach, I thought about what was possibly exposed, and password hashes seemed to be the worst of it. I already had 2FA on the two accounts I’d set up, but I did change their passwords, then disabled and re-enabled 2FA just in case those cryptographic seeds were exposed. After I downloaded a fresh set of reset codes, I felt fine. I had already turned off access from the Internet for remote login access, so I felt things were basically fine. The rest of the settings were local, so I felt reasonably safe. A reminder - I’ve worked at companies before that have had security releases and updates, including a few that really locked down the details, and Ubiquiti’s notice completely smelled like a carefully worded legalese statement that barely covered the facts without lying. In other words, I assumed the worst, ignored their assurances, and continued on. I do this with every breach from every vendor I deal with. The Krebs article revealed this - the breach appeared to be a compromised LastPass account, not a devastating zero day bug in UniFi gear. Truthfully, it kind of smells like a disgruntled ex-employee more than anything.

Back to the Overhaul

I had spent years doing the same thing - a piece of equipment on the home network would fail, and I would simply run to Fry’s and find the first and often cheapest piece of equipment that would solve the immediate issue. Later on I would need to do some “hacker research type thing” for work, and this new device may or may not support what I was trying to configure network-wise. Half the time I’d swap network equipment around to meet whatever need, then the whole thing would start over later on, probably because I was buying whatever was in stock and it was usually cheap.

Coupled with disconnecting cable TV to move to streaming services, the move away from landlines, the increasing list of IoT devices, and all the mismatched gear of dubious functionality, the network was struggling.

So I sat down to figure out what I wanted, such as all new gear, bang for my buck, and enterprise-like features. I made a list:

- Flexible wireless. I could set up a mesh-style network, but I could also set up individual and separate wireless networks as needed for odd cases.

- VLAN support. I had a bit of this, but it was limited as not every piece of networking gear that I owned supported it.

- Central management. A way to efficiently run the network. This would also need to be the way I could quickly reconfigure things on the fly as needed to perform some security experiment.

- Expandability. The ability to handle future expansions, such as networkable smart devices, smart doorbell, and so on.

- One time purchase. No monthly subscriptions.

- On prem only. No cloud requirements.

Separately I wanted a home surveillance system, with these requirements:

- PoE cameras. I’d prefer no Wi-Fi cameras, and PoE (Power over Ethernet) seemed like a logical choice. I also figured if they were hardlined, they’d support high resolution.

- Local video storage. On prem storage of video data at high resolution, none of this cloud-based stuff.

- Remote access monitoring. I wanted to be able to remotely monitor access if desired, preferably via an app so it could be handled via phone.

One of the few choices that met all of the above requirements while staying under one vendor was UniFi, and after reading reviews and watching video tutorials on YouTube, it looked like the best bang for the buck.

The one gap was a replacement for my border NetGear switch: UniFi lacked the type of support I needed for public-facing servers with static IPs. It will be replaced at some point, but other than that I was set.

Phase I - Cabling

I was not looking forward to this, but I made the decision to buy decent Cat 6 Ethernet cabling and replace all of the existing cable I had installed over the years. Between old Ethernet, various cable TV runs, landline runs, and general miscellaneous wires that pre-dated our ownership of the house, there was plenty of old cabling in the attic that created a confusing rat’s nest of wires. So I removed about half a mile’s worth of old and unused cables from both inside and even outside the house. 750 feet of new Ethernet (including runs for the cameras) was installed, and I made sure the old network was up and running on the new wiring before dismantling anything.

Phase II - Hardware

I got the UniFi Dream Machine Pro, several UniFi switches, a couple of wireless access points, and started to work. Setting up the hardware wasn’t bad at all. I did need to create a cloud-based account and I immediately turned on 2FA, but I disabled Internet-based account access to the UDM Pro as soon as I was able to.

Phase III - Cameras

The various cameras were acquired and installed. That sentence makes it seem so simple, although if I wanted to mount a camera exactly where I wanted, I had to get quite creative with reinforcing a soffit or building something to mount a camera to. Also, running the Ethernet cable out to the soffit from inside the attic was frustratingly hard, as there was very little room for maneuvering in the attic near its edges. But once those cameras were installed, they were a breeze to set up.

Since the UDM Pro supported UniFi Protect, I had purchased a 14 TB hard drive for capturing video, and installed it into the UDM Pro without much difficulty.

Phase IV - Advanced Configuration and Final Touches

As you might imagine, those three previous phases took place over a couple of months and certainly overlapped, but once everything was in place, the grand configuring could begin. Like the previous phases this started as I went along, but took off in earnest when everything was up and running.

The main thing was the VLANs. There was the main network, but the cameras, the shitty IoT solar equipment, and miscellaneous other IoT got their own VLANs. A “test” VLAN was set up for doing odd security testing, although frankly that doesn’t get used a lot as I often test against live gear.

To accommodate odd wireless IoT gear, I could create a specific SSID just for that device, get it communicating, hide the SSID, and assign that SSID to a specific VLAN.
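The segmentation described above, as an added example that is not the post's own configuration: a small Python model of a default-deny inter-VLAN policy using the VLAN names the post mentions. The allowed flows and the rule that only "main" initiates sessions are assumptions; the point it shows is that a device on the camera, IoT or test VLAN cannot open a session toward the main network, while replies to sessions started from main still pass.

```python
# Added example, not the post's configuration: a model of a stateful
# default-deny inter-VLAN policy. VLAN names follow the post; which
# flows are permitted is an assumption made for illustration.
from dataclasses import dataclass

VLANS = {"main", "cameras", "solar", "iot", "test"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    established: bool = False  # True for reply traffic of an existing session


# Only these (src, dst) pairs may open a NEW session across VLANs.
# Assumption: management and video viewing originate from "main" only.
ALLOW_NEW = {
    ("main", "cameras"),  # view and manage the cameras
    ("main", "iot"),      # drive the miscellaneous IoT gear
    ("main", "solar"),    # talk to the solar equipment
    ("main", "test"),     # reach targets in the test segment
}


def is_allowed(flow: Flow) -> bool:
    """Decide a single flow the way a stateful inter-VLAN firewall would."""
    if flow.src not in VLANS or flow.dst not in VLANS:
        raise ValueError(f"unknown VLAN in {flow}")
    if flow.src == flow.dst:
        return True  # same VLAN is switched, never filtered here
    if flow.established:
        # Replies are only valid for sessions that were allowed to start,
        # i.e. the reverse direction must be a permitted new session.
        return (flow.dst, flow.src) in ALLOW_NEW
    return (flow.src, flow.dst) in ALLOW_NEW


def blocked(flows):
    """Return the flows a proposed design would drop, for review."""
    return [f for f in flows if not is_allowed(f)]
```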

With the 5 static IP addresses and the AT&T ISP setup, I kept that AT&T router just for the fact that it has two wireless networks, and I use those for work as it allows complete separation of the work laptop from the internal home network.

I should have mentioned I installed a “new” battery backup for the main components. It was actually over a year old but still in the box, and during this install process the old one died.

I had installed a new rack, and added a fan to help keep it cool, which it does. I even bought a large number of patch cables and everything is color coded - cameras are purple, things on the public side of the network like the static IP devices have white cables, and the rest of the internal network is basic black.

Issues

The main issues that have come up have been simple fixes. A firmware update to one of the switches failed, requiring it to be removed and re-added to the network. A squirrel chewed through the cable to a camera in the attic (squirrel chased out, nest removed, squirrel access hole was repaired/closed up) and it had to be repaired. The UniFi Doorbell required an upgrade to the doorbell circuit transformer to work properly.

The main security issue was a quick check for low-hanging fruit, which revealed several packages installed on the UDM Pro that were old and had security issues, and most of these are now fixed after reporting them.

Winning

Often as a researcher you have to configure systems to simulate networks, or two subsystems in different containers trying to talk in some odd way, and you’re trying to explore the security elements of this setup. Just duplicating the needed environment can be challenging, and sometimes not having complete access to the overall environment causes issues. As a remote employee, getting remote access to the home office “test lab” can be challenging, or even impossible. At an all-remote company like my current employer that scenario is cloud-based, so a lot easier, but there are no ways to test security scenarios where you try to duplicate different “remote employee environments”. This new network overhaul solves that.

Most importantly, I can set up rather invasive and even lethal scenarios, and not endanger the rest of my network assets. This is especially dangerous when I have public-facing servers under near constant attack.

Next Steps

Eventually I’d like to replace my “border” NetGear switch with something that integrates with the UniFi gear. For right now it has to support my IDS in addition to handling static IPs. Right now I don’t have a piece of equipment in mind, but I am looking.

My AT&T business account with the static IPs is getting upgraded to fiber, as they finally decided to support business fiber accounts in residential neighborhoods. On DSL I am paying for 50 down and 10 up (actual is higher), but the move to fiber will be 100 down and 50 up. It is taking a while to get this done, but I feel another blog post coming on just for that, so stay tuned.

I am considering moving away from my IDS setup, and am looking for something a bit more modern - something that will add EDR features to servers and workstations instead of traditional antivirus and network-based IDS. Again, separate blog post when that happens.

I hope this helps if you’re considering a network upgrade - this works for me and hopefully will help you.
