Overview
This guide provides step-by-step instructions to secure a small business network with:
- A single LAN
- Ubiquiti UniFi Ultra as the gateway
- No port forwarding or open inbound ports
Threat vectors addressed include phishing, lateral movement, internal misconfiguration, and remote exploitation.
1. Edge Router & Firewall: Lock Down the Gateway
UniFi Ultra Firewall Rules
- Deny all inbound WAN traffic by default
- Allow only established/related connections (return traffic for sessions the LAN opened)
- Explicitly drop all other WAN IN traffic, with logging enabled on the drop rule so scanning attempts reach the log collector from section 5
Recommended Rules (WAN IN):
Rule 1: Accept ESTABLISHED,RELATED → WAN IN
Rule 2: Drop All → WAN IN
WAN LOCAL (UI & service protection):
Rule 1: Accept ESTABLISHED,RELATED → WAN LOCAL
Rule 2: Drop All → WAN LOCAL
Do not add DNS or DHCP allow rules on WAN LOCAL. The gateway's resolver and DHCP server are LAN-facing services and belong to the LAN LOCAL ruleset; opening UDP 53 on the WAN turns the gateway into an open resolver. If the WAN address itself comes from the ISP by DHCP, the gateway handles that client traffic on its own and needs no WAN LOCAL allow rule for it.
Additional Router Hardening:
- Disable UPnP (it lets any LAN device open inbound ports and silently defeats Rule 2)
- Disable IPv6 if the business does not use it; if it does, apply the same default-deny WAN IN and WAN LOCAL rules in the IPv6 ruleset, since IPv6 hosts have globally routable addresses and get none of the incidental protection NAT gives IPv4
- Disable UniFi Cloud Access (or restrict it to admin IPs)
- Restrict GUI management access to VLAN 10 (trusted)
2. LAN Segmentation (Minimal VLAN Strategy)
VLAN | Purpose | Devices |
---|---|---|
10 | Trusted LAN | Admin PCs, Servers |
20 | IoT / Untrusted | Smart TVs, IP Cams, Printers |
30 | Guest or BYOD | Visitors, Staff Personal Devices |
VLAN Rules:
- Block inter-VLAN traffic by default
- Allow VLAN 10 → VLAN 20/30 only where needed (e.g. admin PCs reaching a printer or a camera's web UI), with the return traffic covered by an ESTABLISHED,RELATED rule
- VLAN 20/30 must not initiate connections to VLAN 10; put the VLAN 20/30 → VLAN 10 drop rule ahead of any allow rule so a later "allow" cannot override it
- VLAN 30 (guest) only needs DHCP, DNS and the internet; it should reach neither VLAN 20 nor the gateway's management UI
3. Endpoint Hardening
Workstations:
- OS auto-updates
- EDR/AV (e.g. Defender with ASR rules enabled, or CrowdStrike)
- No RDP unless it is limited to VLAN 10 sources by the host firewall, uses Network Level Authentication, and is never reachable from the WAN
- Daily users run as non-admin accounts; a separate local admin account is used only for elevation
Servers:
- Local firewall enabled
- Block all inbound traffic except from trusted LAN (VLAN 10) addresses, and narrow management ports further to the specific admin hosts
- Scheduled, off-site backups (see section 6)
- Disable unused remote protocols (e.g. WinRM, RDP); where WinRM is genuinely needed, allow it only from the admin hosts
4. DNS & Outbound Filtering
DNS-Level Defence:
Use one of:
Features:
- Malware & phishing domain blocking
- DNS logging and analytics
Hand out the filtering resolver via DHCP on every VLAN and block direct client DNS (TCP/UDP 53) to any other destination, otherwise a device with a hard-coded resolver bypasses the filter entirely.
Outbound Rules (LAN → WAN):
- Block:
  - TCP 445 (SMB)
  - TCP 3389 (RDP)
  - FTP (TCP 21), Telnet (TCP 23)
- Log the outbound drop rule: an internal host attempting SMB or RDP to the internet is a compromise indicator (credential-stealing SMB lures, RDP-based lateral movement), not just noise
- Optional: allow-list-only outbound for VLAN 20 (IoT), permitting only the vendors' update/cloud endpoints and NTP
5. Authentication & Monitoring
- Enable MFA on all admin accounts (UniFi, servers, cloud consoles and the backup system)
- Enable UniFi Threat Management (IDS/IPS, Balanced mode); run it in detect-only mode first, review what it flags, then switch to blocking once false positives are understood
- Send gateway, firewall and IDS logs to Syslog or an external collector, so an attacker who compromises the gateway cannot erase the evidence
- Disable unused users, rotate passwords periodically, and remove any local admin accounts created for one-off tasks
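A weekly review of the logs described above is only useful if someone actually reads them. The script below is an added example (not UniFi tooling and not part of the original guide): it summarises what the logged WAN IN drop rule and the LAN → WAN block rule from section 4 are catching. The log lines are constructed in the netfilter LOG format UniFi gateways emit for rules with logging on (SRC=, DST=, PROTO=, SPT=, DPT= fields, RFC 5737 addresses); the `[WAN_IN-D-2000]` and `[LAN_OUT-D-3000]` rule tags are an assumed naming convention, so set the two `*_TAG` variables to whatever your gateway writes.

```shell
#!/usr/bin/env bash
# Editor-added example: summarise dropped connections from gateway syslog.
# The rule tags are an assumed convention; adjust them to match your gateway.
set -eu

WAN_IN_DROP_TAG='[WAN_IN-D-2000]'
LAN_OUT_DROP_TAG='[LAN_OUT-D-3000]'
BLOCKED_EGRESS='445 3389 21 23'   # the section 4 LAN -> WAN blocks

# Constructed sample in netfilter LOG format; 203.0.113.5 is "our" WAN address.
SAMPLE_LOG='Jan 10 03:12:07 gw kernel: [WAN_IN-D-2000]IN=eth4 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=51234 DPT=445 SYN
Jan 10 03:12:09 gw kernel: [WAN_IN-D-2000]IN=eth4 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=51235 DPT=3389 SYN
Jan 10 03:12:11 gw kernel: [WAN_IN-D-2000]IN=eth4 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=51236 DPT=445 SYN
Jan 10 03:14:40 gw kernel: [WAN_IN-D-2000]IN=eth4 OUT= SRC=192.0.2.77 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=40001 DPT=445 SYN
Jan 10 03:14:41 gw kernel: [WAN_IN-D-2000]IN=eth4 OUT= SRC=192.0.2.77 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=40002 DPT=22 SYN
Jan 10 03:20:02 gw kernel: [WAN_IN-D-2000]IN=eth4 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=60100 DPT=23 SYN
Jan 10 03:21:15 gw dnsmasq[812]: query[A] update.example.net from 10.0.20.15
Jan 10 03:21:16 gw kernel: [LAN_OUT-D-3000]IN=br20 OUT=eth4 SRC=10.0.20.15 DST=198.51.100.50 LEN=60 PROTO=TCP SPT=49152 DPT=445 SYN
Jan 10 03:21:20 gw kernel: [LAN_OUT-D-3000]IN=br20 OUT=eth4 SRC=10.0.20.15 DST=198.51.100.50 LEN=60 PROTO=TCP SPT=49153 DPT=445 SYN
Jan 10 03:25:00 gw kernel: [LAN_OUT-D-3000]IN=br10 OUT=eth4 SRC=10.0.10.4 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=52000 DPT=3389 SYN'

# Lines carrying a given rule tag; no match is an empty result, not an error.
tagged() { grep -F -- "$1" || true; }

# Value of KEY= on each line, e.g. "field DPT" prints the destination ports.
field() {
  awk -v key="$1=" '{ for (i = 1; i <= NF; i++) if (index($i, key) == 1) print substr($i, length(key) + 1) }'
}

# Top N destination ports probed from the internet and dropped: "count port".
top_dports() { # usage: top_dports "$log" N
  printf '%s\n' "$1" | tagged "$WAN_IN_DROP_TAG" | field DPT | sort | uniq -c | sort -rn |
    awk -v n="$2" 'NR <= n { print $1, $2 }'
}

# Top N sources hitting the WAN drop rule (block-list candidates): "count ip".
top_sources() { # usage: top_sources "$log" N
  printf '%s\n' "$1" | tagged "$WAN_IN_DROP_TAG" | field SRC | sort | uniq -c | sort -rn |
    awk -v n="$2" 'NR <= n { print $1, $2 }'
}

# Internal hosts whose outbound SMB/RDP/FTP/Telnet attempts were dropped:
# "count src port". Every entry here is an investigation item.
egress_violations() { # usage: egress_violations "$log"
  printf '%s\n' "$1" | tagged "$LAN_OUT_DROP_TAG" |
    awk -v ports="$BLOCKED_EGRESS" '
      BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) blocked[p[i]] = 1 }
      {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
          if (index($i, "SRC=") == 1) src = substr($i, 5)
          if (index($i, "DPT=") == 1) dpt = substr($i, 5)
        }
        if (dpt in blocked) print src, dpt
      }' | sort | uniq -c | awk '{ print $1, $2, $3 }'
}

# Weekly review report over a syslog file (defaults to the constructed sample).
report() { # usage: report [SYSLOG_FILE]
  local log
  if [ -n "${1:-}" ]; then log=$(cat "$1"); else log=$SAMPLE_LOG; fi
  echo "== WAN IN drops by port ==";            top_dports "$log" 5
  echo "== WAN IN drops by source ==";          top_sources "$log" 5
  echo "== LAN hosts hitting egress blocks =="; egress_violations "$log"
}

report "${1:-}"
```

On the sample, the egress section shows an IoT device (10.0.20.15) repeatedly trying SMB to the internet and an admin workstation trying RDP out; under the section 4 rules both are dropped, but the IoT host is the one to pull off the network and inspect. Point `report` at the file your syslog collector writes to get the same summary for real traffic.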
6. Backup & Recovery
- Immutable, versioned backups (on a NAS with snapshots, PBS (Proxmox Backup Server), or cloud object storage with object lock), so that an attacker holding admin credentials cannot delete or overwrite the backup history
- Back up:
  - Router config
  - Servers & domain controller
  - Business data
- Test restores quarterly: restore to a scratch location and compare file checksums against the live data, rather than only confirming that the backup job reported success
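The quarterly restore test in concrete form, as an added example that is not the guide's or any vendor's tool: it snapshots a directory, restores the snapshot into a scratch location and compares per-file checksums against the live tree. Plain `tar` stands in for the NAS/PBS/cloud backup job, and the sample data set is constructed; the immutability the section asks for has to come from the backup target (snapshots, object lock), as the read-only permission set here only prevents accidental overwrite.

```shell
#!/usr/bin/env bash
# Editor-added example: snapshot, restore to scratch, compare checksums.
# tar stands in for the real backup job; data below is constructed.
set -eu

# Write a timestamped, read-only archive of SRC_DIR into DEST_DIR; prints its path.
backup_snapshot() { # usage: backup_snapshot SRC_DIR DEST_DIR
  local out="$2/snapshot-$(date +%Y%m%dT%H%M%S)-$$.tar"
  tar -C "$1" -cf "$out" .
  chmod 0444 "$out"
  printf '%s\n' "$out"
}

# "checksum path" for every regular file under DIR, sorted so two trees diff cleanly.
manifest() { # usage: manifest DIR
  ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      printf '%s %s\n' "$(cksum < "$f" | awk '{ print $1 }')" "$f"
    done )
}

# Restore ARCHIVE into a scratch dir and compare it with LIVE_DIR.
# Returns 0 when identical; otherwise prints the differing entries and returns 1.
restore_verify() { # usage: restore_verify ARCHIVE LIVE_DIR
  local scratch rc=0
  scratch=$(mktemp -d)
  tar -C "$scratch" -xf "$1"
  manifest "$2"       > "$scratch.live"
  manifest "$scratch" > "$scratch.restored"
  diff "$scratch.live" "$scratch.restored" || rc=1
  rm -rf "$scratch" "$scratch.live" "$scratch.restored"
  return "$rc"
}

# Demonstration on constructed data: a clean restore must pass, and after a
# file is altered behind the snapshot (what ransomware or a bad deploy does)
# the comparison must fail. Prints "restore-ok tamper-detected" when both hold.
demo_restore_test() {
  local live backups archive result
  live=$(mktemp -d); backups=$(mktemp -d)
  mkdir -p "$live/config"
  printf 'invoice,amount\n1001,250.00\n' > "$live/ledger.csv"
  printf '{"site":"default"}\n'          > "$live/config/unifi-backup.json"
  archive=$(backup_snapshot "$live" "$backups")
  if restore_verify "$archive" "$live" >/dev/null; then result="restore-ok"; else result="restore-FAILED"; fi
  printf 'ENCRYPTED\n' > "$live/ledger.csv"
  if restore_verify "$archive" "$live" >/dev/null; then result="$result tamper-MISSED"; else result="$result tamper-detected"; fi
  rm -rf "$live" "$backups"
  printf '%s\n' "$result"
}

demo_restore_test
```

For the real quarterly test, call `restore_verify` with the most recent archive of each backed-up set (router config export, server data, business shares) and file the output with the audit checklist; a non-zero exit, or a diff listing, is a failed test even if the backup job itself reported success.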
7. Remote Access (Optional)
If required:
- Use Tailscale or WireGuard
- Do not expose RDP, the UniFi GUI, the NAS, or printers to the internet; reach them only through the VPN
- Require device approval and 2FA for VPN accounts, and restrict each peer (WireGuard AllowedIPs, Tailscale ACLs) to the hosts it actually needs rather than the whole LAN
8. Security Audit Checklist
Item | Frequency | Status |
---|---|---|
OS & firmware patched | Weekly | ☐ |
Open ports scan (nmap, run from outside the WAN) | Monthly | ☐ |
IDS/IPS alerts reviewed | Weekly | ☐ |
Endpoint AV/EDR status | Weekly | ☐ |
Backups tested | Quarterly | ☐ |
VLAN rules audited | Quarterly | ☐ |
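The monthly port scan and the rule audits above are where the section 1 WAN rules, the section 2 VLAN isolation and the section 4 outbound blocks get verified rather than assumed. The script below is an added example (not part of the guide and not UniFi tooling) that parses nmap's grepable output for open ports, scans the WAN address when `AUDIT_WAN_IP` is set, and tries TCP connects from the inside to check that the blocks hold. It assumes `nmap` and `bash` (for `/dev/tcp`) on the auditing host; 203.0.113.5 (the WAN address), 192.0.2.10 (an external test host you control) and the 10.0.x.0/24 VLAN subnets are placeholders from the documentation ranges, and the sample nmap output is constructed.

```shell
#!/usr/bin/env bash
# Editor-added example: exposure audit for the section 8 checklist.
# Addresses are documentation-range placeholders; sample output is constructed.
set -eu

# Parse nmap grepable output (-oG) and print "host port/proto" for open ports only.
# Filtered ports are what a correct WAN IN drop rule produces, so they are not listed.
open_ports() { # reads -oG output on stdin
  awk '/^Host:/ && /Ports: / {
    host = $2
    ports = substr($0, index($0, "Ports: ") + 7)
    sub(/[ \t]+Ignored State:.*/, "", ports)
    n = split(ports, p, ", ")
    for (j = 1; j <= n; j++) {
      split(p[j], f, "/")          # port/state/proto/owner/service/...
      if (f[2] == "open") print host, f[1] "/" f[3]
    }
  }'
}

# Scan the WAN address from OUTSIDE the network (phone hotspot or a VPS);
# from inside, hairpin NAT would give a misleading answer. -Pn because ICMP is dropped.
scan_wan() { # usage: scan_wan WAN_IP
  local raw
  raw=$(nmap -Pn -oG - "$1")      # set -e aborts here if nmap itself fails
  printf '%s\n' "$raw" | open_ports
}

# Try TCP connects from the current host. "blocked" covers both a firewall drop
# (timeout) and a reset, so use a target that really listens on the port.
tcp_reach() { # usage: tcp_reach TARGET PORT...
  local target=$1 port; shift
  for port in "$@"; do
    if timeout 3 bash -c "exec 3<>/dev/tcp/$target/$port" 2>/dev/null; then
      printf '%s %s OPEN\n' "$target" "$port"
    else
      printf '%s %s blocked\n' "$target" "$port"
    fi
  done
}

# Constructed -oG output: a gateway that leaked HTTPS and its 8443 management
# port to the WAN, exactly the finding the section 1 rules should prevent.
SAMPLE_GNMAP=$(
  printf '%s\n' '# Nmap 7.94 scan initiated (constructed sample, not a real scan)'
  printf 'Host: 203.0.113.5 ()\tStatus: Up\n'
  printf 'Host: 203.0.113.5 ()\tPorts: 22/filtered/tcp//ssh///, 443/open/tcp//https///, 8443/open/tcp//pcsync-https///\tIgnored State: filtered (997)\n'
)
sample_open_ports() { printf '%s\n' "$SAMPLE_GNMAP" | open_ports; }

if [ -n "${AUDIT_WAN_IP:-}" ]; then
  # Real run, from outside the network: AUDIT_WAN_IP=203.0.113.5 ./audit.sh
  found=$(scan_wan "$AUDIT_WAN_IP")
  if [ -z "$found" ]; then
    echo "WAN $AUDIT_WAN_IP: nothing open"
  else
    printf '%s\n' "WAN $AUDIT_WAN_IP: OPEN PORTS FOUND" "$found"; exit 1
  fi
else
  echo "Parser check on constructed sample:"; sample_open_ports
fi
# From a VLAN 20 host, every line of these should read "blocked":
#   tcp_reach 192.0.2.10 445 3389 21 23   # section 4 egress blocks (target must listen)
#   tcp_reach 10.0.10.1 22 443 8443       # section 2: VLAN 20 -> VLAN 10 / gateway UI
```

Record the scan output with the checklist each month; an empty result from `scan_wan` is the pass condition, and any `OPEN` line from `tcp_reach` run on the IoT or guest VLAN means a rule has drifted or been overridden by a later allow.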
Tip: For central visibility, consider using a self-hosted Grafana + Loki + Promtail or Graylog stack to aggregate firewall, system, and DNS logs.