I have been working on securing up my home network as tightly as possible for a while now, and would like some outside opinions on it. First off I will say that I have been working around having two types of PC connect to the network, secure and insecure. Secure would be anything I can and do control 100%, have AV and Windows Updates etc. all current. Insecure will be anything I am not certain about, for example a PC I am repairing for a client. The secure part of the network needs file sharing, tlenet access, and remote desktop capabilities in addition to internet. The insecure PCs will only require internet access.
I will start with the hardware I am running. I have a PC setup as a Smoothwall for routing and NAT. That is connected to a Cisco 2924 switch for VLANs and VLAN trunking capabilities. I also have a Cisco 1721 router using sub-interfaces to route between the VLANs as needed and to allow fine control through ACLs. I also have a Linksys WAP54G to allow wireless access. DHCP and DNS are provided by my Windows 2003 SBS machine.
I used the switch and router to create a secure and insecure VLAN. I also have an ACL that allows only internet bound traffic to cross over from the insecure VLAN. So basically if I am on an insecure PC I can connect to the internet no problem. I try to RDC to a secure PC or ping a secure PC, and it is denied, blocked at layer 3 by the router before ever leaving the VLAN.
Currently I have my WAP on the secure VLAN and use WPA-PSK and MAC filtering. My original intention was to use this as a part of the insecure VLAN, but I changed my mind as I wanted to be able to connect my laptop to the domain so I would work away from my desk when I feel like it. I changed all of the defaults on the WAP, and don't broadcast the SSID. Currently this is my biggest question as far as security goes.
On the secure VLAN I use the Windows 2003 server capabilites to set access and such to files and shared resources. Only users with valid accounts are able to access any shared resources. No simple file sharing or guest accounts, everything is done with NTFS permissions. All accounts are locked down with passwords.
On the insecure VLAN I am using a Linux based PDC server for DHCP and DNS. I also have some shares setup for more permanent PCs in that VLAN to store some files. Mostly just for machine I am messing around with and need to have some files easy at hand and don't want to download all the time. Most of the PCs connecting to this part of the network won't be joining that domain or anything, they will be independent PCs.
The few things I can do to make things more secure off the top of my head are adding port security on the switch so that nobody can switch around cables and get on different VLANs. I suppose I could also go and put the WiFi on the insecure VLAN as it is a bit of a vulnerability. I could also upgarade to a Cisco Aironet WAP, and RADIUS authentication, but think would be expensive. Any other things that come to mind I would love to hear any opinions.
Thanks in advance, and sorry for the long post.