
๐Ÿ›ก๏ธ Small Business Network Hardening Guide (UniFi Ultra, One LAN, No Open Ports)

Overview

This guide provides step-by-step instructions to secure a small business network with:

  • A single site and LAN (segmented into a few VLANs in section 2)
  • Ubiquiti UniFi Ultra as the gateway
  • No port forwarding or open inbound ports

Threat vectors addressed include phishing (and the outbound connections it depends on), lateral movement between devices and VLANs, internal misconfiguration, and remote exploitation of services exposed to the Internet.

🔧 1. Edge Router & Firewall: Lock Down the Gateway

✅ UniFi Ultra Firewall Rules

  • Deny by default all inbound WAN traffic
  • Allow only established/related connections (replies to sessions opened from inside)
  • Explicitly drop all other WAN IN traffic, with logging enabled on the drop rule so hits reach syslog (section 5)

Recommended Rules (WAN IN, traffic from the Internet to LAN hosts; evaluated top to bottom, first match wins):

Rule 1: Accept ESTABLISHED,RELATED → WAN IN
Rule 2: Drop All → WAN IN

WAN LOCAL (traffic from the Internet to the gateway itself: management UI, DNS resolver, VPN listener):

Rule 1: Accept ESTABLISHED,RELATED → WAN LOCAL
Rule 2: Drop All → WAN LOCAL

Do not open DNS or DHCP on WAN LOCAL: the gateway serves those to the LAN only, and its own WAN DHCP client and upstream DNS lookups work without an inbound rule. The single permitted exception is one UDP port if you later run WireGuard on the gateway (section 7); Tailscale needs none.

Additional Router Hardening:

  • ❌ Disable UPnP (otherwise any LAN device can punch its own port forward through the rules above)
  • ❌ Disable IPv6 on WAN unless you also create the equivalent IPv6 WAN IN / WAN LOCAL drop rules; the IPv4 rules do not cover it
  • ✅ Disable UniFi Remote (Cloud) Access; administer the controller from VLAN 10, or over the VPN in section 7 if off-site admin is unavoidable
  • ✅ Restrict GUI management access to VLAN 10 (trusted) with a LAN LOCAL rule that drops VLAN 20/30 → gateway on the management ports

🧱 2. LAN Segmentation (Minimal VLAN Strategy)

VLAN   Purpose           Devices
10     Trusted LAN       Admin PCs, Servers
20     IoT / Untrusted   Smart TVs, IP Cams, Printers
30     Guest or BYOD     Visitors, Staff Personal Devices

VLAN Rules (UniFi routes between VLANs by default, so each of these needs an explicit LAN IN rule; order matters because the first match wins):

  • 🚫 Block inter-VLAN by default: drop VLAN 20/30 → any RFC 1918 destination, placed below an "accept established/related" rule so replies still get through
  • ✅ Allow VLAN 10 → VLAN 20/30 (if needed, e.g. admin PCs printing to VLAN 20); the replies return via the established/related rule
  • ❌ VLAN 20/30 should not access VLAN 10, nor the gateway's management UI (that one is a LAN LOCAL rule, section 1)
  • For VLAN 30, also enable client isolation on the Wi-Fi network so guest devices cannot reach each other

๐Ÿง‘โ€๐Ÿ’ป 3. Endpoint Hardening

Workstations:

  • โœ… OS auto-updates
  • โœ… EDR/AV (e.g. Defender with ASR or CrowdStrike)
  • โŒ No RDP unless secured internally
  • ๐Ÿ‘ค Daily users: non-admin accounts

Servers:

  • ๐Ÿ”ฅ Local firewall enabled
  • ๐Ÿงฑ Block all except trusted LAN IPs
  • ๐Ÿ”„ Scheduled, off-site backups
  • โŒ Disable unused remote protocols (e.g. WinRM, RDP)

🔒 4. DNS & Outbound Filtering

DNS-Level Defence:

Use one of:

Features:

  • 🚫 Malware & phishing domain block
  • 📊 DNS logging and analytics

Point every VLAN's DHCP DNS option at the filtering resolver and block direct DNS (TCP/UDP 53) from LAN → WAN to any other address; otherwise devices with hard-coded resolvers simply bypass the filter.

Outbound Rules (LAN → WAN):

  • ❌ Block:
      • TCP 445 (SMB): a phishing document that points at an attacker's share makes Windows send an NTLM authentication to the Internet; this rule stops that leak
      • TCP 3389 (RDP)
      • FTP (TCP 21), Telnet (TCP 23)
  • 🔍 Optional: whitelist-only outbound for VLAN 20 (cameras and TVs rarely need more than DNS, NTP and their vendor's cloud)

๐Ÿ” 5. Authentication & Monitoring

  • ๐Ÿ” Enable MFA on all admin accounts
  • ๐Ÿ“‰ Enable UniFi Threat Management (IDS/IPS: Balanced mode)
  • ๐Ÿ“œ Log to Syslog or external collector
  • ๐Ÿ‘ฅ Disable unused users, rotate passwords periodically
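Once the section 4 block rules log to the collector, the hits on them are the most useful detection signal this network produces: a workstation trying to reach TCP 445 on the Internet is the classic phishing/NTLM-leak pattern, and Telnet from the IoT VLAN is a camera doing something it should not. The following is an added example, not code from the original page or from Ubiquiti. It assumes the gateway ships iptables-style LOG lines over syslog; the rule prefix format "[LAN_OUT-2001-D]" (chain, rule index, D = drop / A = accept) and every log line in SAMPLE_LOG are constructed for this example, so check the prefix your gateway emits and adjust PREFIX_RE if it differs.

```python
"""Triage of outbound-drop log lines from the gateway (sections 4 and 5, added example)."""
import re
from collections import defaultdict

# Ports the section 4 rules drop, with what a hit usually means.
BLOCKED_PORTS = {
    445: "SMB to the Internet: possible NTLM hash leak from a phishing lure",
    3389: "RDP to the Internet: misconfigured client or scanning/malware",
    21: "FTP to the Internet: legacy cleartext transfer",
    23: "Telnet to the Internet: legacy cleartext login (typical IoT behaviour)",
}

# Assumed prefix layout: [CHAIN-RULEINDEX-ACTION]; adjust to what your gateway logs.
PREFIX_RE = re.compile(r"\[(?P<chain>[A-Z_]+)-(?P<rule>\d+)-(?P<action>[ADR])\]")
KV_RE = re.compile(r"\b([A-Z]+)=(\S+)")

# Constructed sample: two SMB attempts from a workstation, one Telnet attempt from
# a camera, one RDP attempt from a guest device, an accepted HTTPS flow and a
# non-firewall line that the parser must ignore.
SAMPLE_LOG = """\
Jun  3 09:12:01 gateway kernel: [LAN_OUT-2001-D]IN=br10 OUT=eth4 SRC=10.0.10.23 DST=203.0.113.50 PROTO=TCP SPT=51234 DPT=445 SYN
Jun  3 09:12:03 gateway kernel: [LAN_OUT-2001-D]IN=br10 OUT=eth4 SRC=10.0.10.23 DST=203.0.113.50 PROTO=TCP SPT=51235 DPT=445 SYN
Jun  3 09:15:44 gateway kernel: [LAN_OUT-2001-D]IN=br20 OUT=eth4 SRC=10.0.20.7 DST=198.51.100.8 PROTO=TCP SPT=40001 DPT=23 SYN
Jun  3 09:16:10 gateway kernel: [LAN_OUT-2000-A]IN=br10 OUT=eth4 SRC=10.0.10.23 DST=203.0.113.9 PROTO=TCP SPT=51300 DPT=443 SYN
Jun  3 09:17:02 gateway dhcpd: DHCPACK on 10.0.30.4 to aa:bb:cc:dd:ee:ff via br30
Jun  3 09:20:00 gateway kernel: [LAN_OUT-2001-D]IN=br30 OUT=eth4 SRC=10.0.30.4 DST=192.0.2.77 PROTO=TCP SPT=52000 DPT=3389 SYN
"""


def parse_drop(line):
    """Return (src, dst, proto, dport) for a dropped LAN_OUT line, else None."""
    m = PREFIX_RE.search(line)
    if not m or m.group("action") != "D" or m.group("chain") != "LAN_OUT":
        return None
    kv = dict(KV_RE.findall(line[m.end():]))
    try:
        return kv["SRC"], kv["DST"], kv["PROTO"], int(kv["DPT"])
    except KeyError:
        return None   # ICMP and other lines without a destination port


def summarize(log_text):
    """Per-source summary of drops on the blocked ports: hit count, ports, destinations."""
    per_src = defaultdict(lambda: {"count": 0, "ports": set(), "dsts": set()})
    for line in log_text.splitlines():
        hit = parse_drop(line)
        if hit is None:
            continue
        src, dst, proto, dport = hit
        if proto != "TCP" or dport not in BLOCKED_PORTS:
            continue
        entry = per_src[src]
        entry["count"] += 1
        entry["ports"].add(dport)
        entry["dsts"].add(dst)
    return dict(per_src)


def triage(log_text):
    """(src, port, hits, explanation) tuples; SMB findings first, then by hit count."""
    findings = []
    for src, entry in summarize(log_text).items():
        for port in sorted(entry["ports"]):
            findings.append((src, port, entry["count"], BLOCKED_PORTS[port]))
    findings.sort(key=lambda f: (f[1] != 445, -f[2], f[0]))
    return findings


if __name__ == "__main__":
    for src, port, count, why in triage(SAMPLE_LOG):
        print(f"{src:15} dport {port:<5} hits {count:<3} {why}")
```

Run it over a day's collector export as part of the weekly "IDS/IPS alerts reviewed" item in section 8; a VLAN 10 source with SMB hits gets looked at the same day, since the attachment that caused it has already been opened.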

🔄 6. Backup & Recovery

  • 🧊 Immutable, versioned backups (on a NAS, Proxmox Backup Server (PBS), or cloud storage with versioning and object lock enabled), so a compromised admin account cannot delete them
  • 📁 Backup:
      • Router config
      • Servers & domain controller
      • Business data
  • 🧪 Test restores quarterly

🚫 7. Remote Access (Optional)

If required:

  • ✅ Use Tailscale or WireGuard. Tailscale runs outbound-only and keeps the "no open ports" property; WireGuard on the gateway needs one inbound UDP port allowed on WAN LOCAL, which should be the only WAN LOCAL exception in section 1
  • ❌ Do not expose RDP, UniFi GUI, NAS, or printers
  • 🔐 Device approval and 2FA for VPN accounts

🧪 8. Security Audit Checklist

Item                         Frequency   Status
OS & firmware patched        Weekly      ☐
Open ports scan (nmap)       Monthly     ☐
IDS/IPS alerts reviewed      Weekly      ☐
Endpoint AV/EDR status       Weekly      ☐
Backups tested               Quarterly   ☐
VLAN rules audited           Quarterly   ☐

Run the port scan from outside the network (a VPS or a phone hotspot) against the WAN address; a scan from inside says nothing about what the Internet sees.

Tip: For central visibility, consider using a self-hosted Grafana + Loki + Promtail or Graylog stack to aggregate firewall, system, and DNS logs.
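For the monthly "Open ports scan (nmap)" item, the following is an added example, not from the original page or from the nmap project. Run nmap from outside against the WAN address with greppable output and pipe it in; the script exits non-zero if anything reports open (or open|filtered for UDP) that is not in EXPECTED. The WAN address 203.0.113.10, the WireGuard port 51820 (WireGuard's default, relevant only if section 7 is in use) and the sample scan output are constructed.

```python
"""External open-port audit for the section 8 checklist (added example).

Typical invocation from a host outside the network:

    nmap -Pn -sS -sU -p T:1-65535,U:51820 -oG - 203.0.113.10 | python3 audit_ports.py
"""
import re
import sys

# Assumed: the only deliberate listener is WireGuard on UDP/51820 (section 7).
# Leave this set empty if you use Tailscale or have no remote access at all.
EXPECTED = {("udp", 51820)}

# One entry in the "Ports:" field of -oG output looks like 443/open/tcp//https///
PORT_RE = re.compile(r"(\d+)/(open\|filtered|open|closed|filtered|unfiltered)/(tcp|udp)/")

# Constructed -oG output: an unexpected HTTPS listener (e.g. a forgotten NAS port
# forward), a filtered port, and the WireGuard port that UDP scans cannot confirm.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated as: nmap -Pn -sS -sU -p T:1-65535,U:51820 -oG - 203.0.113.10
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///, 8443/filtered/tcp//https-alt///, 51820/open|filtered/udp//wireguard///\tIgnored State: filtered (65532)
# Nmap done -- 1 IP address (1 host up) scanned
"""


def parse_greppable(text):
    """Yield (host, proto, port, state) for every port entry in nmap -oG output."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for port, state, proto in PORT_RE.findall(ports_field):
            yield host, proto, int(port), state


def unexpected_open(text, expected=EXPECTED):
    """Sorted (host, proto, port, state) entries that look open and are not expected."""
    found = set()
    for host, proto, port, state in parse_greppable(text):
        if state.startswith("open") and (proto, port) not in expected:
            found.add((host, proto, port, state))
    return sorted(found)


if __name__ == "__main__":
    scan = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SCAN
    findings = unexpected_open(scan)
    for host, proto, port, state in findings:
        print(f"UNEXPECTED {host} {proto}/{port} {state}")
    sys.exit(1 if findings else 0)
```

Keep EXPECTED in step with section 7: if remote access is Tailscale or nothing, it stays empty and any open port at all fails the check, which is the property the title of this guide promises.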
