
Tier 2 — Executive Fortress

Your home network deserves real protection.

Digital Shield protects your online data. Executive Fortress goes further — protecting the physical home network where your work laptop, security cameras, smart TV, and personal devices share the same unprotected subnet. We deploy enterprise-grade hardware at your property and manage it for you. Real protection, not just software.

Before: Flat Network
ISP Router
  • Work Laptop
  • Personal Phone
  • Smart TV
  • IP Cameras
  • Smart Home
  • NAS Drive
All devices visible to each other. One breach reaches everything.

After: SPG Executive Fortress
Ubiquiti UDM-SE: VLAN Controller
Firewalla Gold Pro: Threat Intelligence
  • VLAN 10 PRIMARY: Laptop • Phone
  • VLAN 20 IoT: TV • Cameras • Smart Home
  • VLAN 30 GUEST: Internet only • Isolated
  • VLAN 40 WORK: VPN • Corp Devices
Breach in IoT cannot reach PRIMARY. Attack surface collapsed.

The Problem

What a flat network actually means.

The average home network is a single flat subnet. Every device — your work MacBook, your Ring cameras, your kid's tablet, your smart fridge, your NAS with client files — can communicate with every other device. Freely. Without restriction.

A flat network means a compromised Ring camera has a direct path to your work laptop. A malicious guest device can scan and reach your NAS. A hacked smart TV can pivot to your financial data. This isn't theoretical. It happens.

83% of home networks audited by SPG had zero network segmentation
12+ average internet-connected devices in a professional household
1 compromised IoT device is all it takes to reach a flat network
Common attack vectors we eliminate
  • IoT Lateral Movement: Compromised smart device pivots to reach personal or work data
  • DNS Interception: Unencrypted DNS exposes every site visited to ISP and attackers
  • MFA Bypass: Software-based 2FA is vulnerable to SIM swap and phishing attacks
  • Open Guest Network: Visitor devices placed on same network as sensitive personal data
  • Unmonitored Traffic: No visibility into outbound connections from any device on the network
  • Default Firmware: Consumer routers running years-old firmware with known vulnerabilities

Hardware Deployment

The equipment manifest.

Every Executive Fortress engagement includes the following hardware, pre-configured by SPG and deployed at your location. You own every piece outright. Nothing is leased. Nothing is shared.

01
Core Gateway & VLAN Controller
Ubiquiti Dream Machine Special Edition

The UDM-SE is the command center of your hardened network. It handles enterprise-grade routing, firewall rules, intrusion prevention, and VLAN segmentation — the same technology used in corporate data centers, deployed in your home rack or utility closet. SPG pre-configures all VLAN policies, firewall rules, and traffic shaping before installation day.

Throughput: 10G / 3.5 Gbps with IPS active
Device Support: 100+ UniFi devices / 1,000+ clients
Security: Deep packet inspection, IPS/IDS, threat feed updates
Management: SPG-managed via Ubiquiti Site Manager
Ownership: Client-owned. Retail value ~$500.
02
Security Intelligence & Behavioral Analytics
Firewalla Gold Pro

The Firewalla Gold Pro adds a layer of active security intelligence that sits alongside the UDM-SE. It performs deep packet inspection on all network traffic, identifies behavioral anomalies (a device suddenly scanning your network at 3am), blocks malicious domains in real-time, encrypts all DNS traffic, and runs a built-in WireGuard VPN server so you can connect securely from anywhere in the world. SPG monitors your Firewalla dashboard continuously via the Firewalla MSP portal.

Throughput: 10 Gbps line rate
Inspection: Deep packet inspection, behavioral analytics
Blocking: Geo-IP filtering, malicious domain blocking, ad blocking
VPN: WireGuard & OpenVPN server built-in, no monthly fee
DNS: DNS-over-HTTPS, Unbound local resolver, DoH enforcement
Ownership: Client-owned. Retail value ~$389.
03
Hardware Multi-Factor Authentication
YubiKey 5C NFC ×2 (Primary + Backup)

Software-based two-factor authentication (SMS codes, authenticator apps) can be bypassed through SIM-swap attacks and sophisticated phishing. YubiKeys use hardware cryptography — the private key never leaves the device, making phishing mathematically impossible. SPG enrolls your YubiKeys across all critical accounts: email, password manager, financial accounts, and work SSO. Two keys are included: one for daily use, one stored securely as backup.

Protocol: FIDO2/WebAuthn, U2F, Smart Card, OTP
Connectivity: USB-C + NFC (works on desktop and mobile)
Phishing: Cryptographically phishing-proof by design
Enrollment: SPG enrolls all critical accounts on installation day
Ownership: Client-owned. Retail value ~$110/pair.
04
Wireless Infrastructure
UniFi U6 Lite Access Points ×2

Whole-home WiFi 6 coverage, VLAN-aware, managed entirely by SPG. Each access point broadcasts your four VLAN-segmented networks simultaneously — so your personal devices connect to the PRIMARY network, guest devices connect to GUEST, and IoT devices land on IoT — all automatically, all isolated from each other. SPG handles firmware updates, channel optimization, and monitoring through Ubiquiti Site Manager.

Standard: WiFi 6 (802.11ax), dual-band
VLAN Support: Full multi-SSID / VLAN tagging
Coverage: 2 APs standard (up to ~2,500 sq ft)
Management: SPG-managed via Ubiquiti Site Manager
Ownership: Client-owned. Retail value ~$200/pair.
Total Hardware Value Deployed
~$1,200
Included in Executive Fortress setup. Client-owned outright.

Network Architecture

What we actually build.

The Executive Fortress deployment creates four completely isolated network segments from a single internet connection. Devices on one segment cannot initiate communication with devices on another — by design, at the hardware level.

VLAN 10 — PRIMARY
Your Trusted Devices

Your personal laptop, work machine, iPhone, and iPad. Highest trust level. Full internet access. Can communicate internally only with other PRIMARY devices. No visibility to IoT, Guest, or Work segments.

MacBook • Windows Laptop • iPhone • iPad • Primary Mac desktop
VLAN 20 — IoT
Smart Home Devices

Every smart device in your home. Internet access only. Zero visibility to PRIMARY or WORK. A compromised Roomba, Ring camera, or Amazon Echo cannot reach anything that matters. Firewalla monitors all outbound traffic from this segment for behavioral anomalies.

Smart TV • Ring / Arlo cameras • Amazon Echo • Google Nest • Smart lights • Thermostat • Roomba
VLAN 30 — GUEST
Visitor Access

When guests connect to your WiFi, they land here. Internet access only — no visibility to any of your personal devices, drives, or data. New device quarantine rules can trigger automatic alerts to SPG when an unknown device appears on this segment.

Visitor phones • Contractor devices • Temporary access • Unknown / untrusted devices
VLAN 40 — WORK
Business & VPN Traffic

Employer-managed devices, VPN connections, and business-sensitive traffic. Policy-based routing sends all work traffic through your WireGuard VPN automatically. Isolated from personal devices — your employer's IT cannot see your personal network, and your personal devices cannot see your work data.

Corporate laptop • VPN-routed traffic • Business tools • Client management software
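
The isolation policy described for the four segments can be checked mechanically against a gateway's ordered rule list. The following is an added example, not SPG's or Ubiquiti's configuration; the /24 subnets, the rule tuples and the function names are assumptions made for illustration.

```python
"""Audit an ordered firewall ruleset against the four-segment isolation policy.
Subnets and rules are constructed for illustration, not taken from a real device."""
from ipaddress import ip_address, ip_network
from itertools import permutations

# Assumed addressing: one /24 per VLAN ID named on the page.
SEGMENTS = {
    "PRIMARY": ip_network("10.0.10.0/24"),
    "IOT":     ip_network("10.0.20.0/24"),
    "GUEST":   ip_network("10.0.30.0/24"),
    "WORK":    ip_network("10.0.40.0/24"),
}

def segment_of(addr):
    """Map an IP to its segment name, or 'INTERNET' if outside every VLAN."""
    ip = ip_address(addr)
    return next((n for n, net in SEGMENTS.items() if ip in net), "INTERNET")

def evaluate(rules, src, dst, state="new"):
    """First-match evaluation of a flow; unmatched traffic is dropped."""
    s, d = segment_of(src), segment_of(dst)
    if s == d and s != "INTERNET":
        return "accept"  # same-VLAN traffic is switched, never routed
    for action, r_src, r_dst, r_state in rules:
        if r_src in (s, "any") and r_dst in (d, "any") and r_state in (state, "any"):
            return action
    return "drop"

def audit(rules):
    """Return every (src, dst) segment pair where a NEW connection is accepted."""
    leaks = []
    for s, d in permutations(SEGMENTS, 2):
        src, dst = SEGMENTS[s][10], SEGMENTS[d][10]  # representative hosts
        if evaluate(rules, str(src), str(dst)) == "accept":
            leaks.append((s, d))
    return leaks

# Constructed ruleset matching the policy text: replies allowed,
# internet egress allowed, every other new connection dropped.
GOOD_RULES = [
    ("accept", "any", "any", "established"),
    ("accept", "any", "INTERNET", "new"),
    ("drop",   "any", "any", "new"),
]
# Same ruleset with a leftover convenience rule sitting above the drop.
BAD_RULES = [GOOD_RULES[0], ("accept", "IOT", "PRIMARY", "new")] + GOOD_RULES[1:]

if __name__ == "__main__":
    print("good ruleset leaks:", audit(GOOD_RULES))
    print("bad ruleset leaks: ", audit(BAD_RULES))
```

An empty result from `audit` means no segment can open a connection into another; any pair it returns names a rule ordering that breaks the isolation the design promises.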
Additional hardening delivered on day one
  • DNS-over-HTTPS Enforcement: All DNS queries encrypted. ISP cannot log your browsing. Unbound local resolver for privacy.
  • WireGuard VPN Server: Connect securely from hotel WiFi, airports, or abroad. No monthly VPN subscription required.
  • Geo-IP Filtering: Inbound connection attempts from high-risk countries blocked at the router level.
  • New Device Quarantine: Unknown devices hitting the network trigger automatic alerts to SPG for review.
  • Malicious Domain Blocking: Real-time threat feed blocks known malware, phishing, and C2 domains across all devices.
  • Ad & Tracker Elimination: Network-level ad and tracker blocking. Works on every device including smart TVs and phones.

Deployment

From intake to operational in one week.

Executive Fortress deployments follow a structured four-phase process. We handle all configuration before arriving at your location — installation day is clean and efficient.

Phase 01
ASSESS
Day 1–2

We complete your intake, review your property layout and ISP configuration, and design your VLAN architecture. Hardware is ordered for your deployment.

Network diagram review
ISP modem compatibility check
Hardware selection & order
VLAN policy design
Phase 02
CONFIGURE
Day 3–5

All hardware is pre-configured at SPG before installation day. Your VLAN policies, firewall rules, DNS settings, VPN, and YubiKey enrollments are tested and ready before we arrive.

UDM-SE VLAN policy config
Firewalla Gold Pro setup
WireGuard VPN configuration
YubiKey pre-enrollment
Phase 03
DEPLOY
Day 6–7

On-site installation at your property. We replace your existing router, install and position APs, verify all four VLANs, enroll your devices, complete YubiKey account setup, and walk you through operations. Typically 4–6 hours.

Physical hardware installation
AP placement & coverage test
Device migration to VLANs
YubiKey account enrollment
Client walkthrough & handoff
Phase 04
MONITOR
Ongoing / Monthly

SPG monitors your network 24/7 through the Firewalla MSP portal and Ubiquiti Site Manager. Alerts are triaged by SPG — you hear from us when something requires your attention, not for every routine event.

Continuous threat monitoring
Alert triage & response
Monthly health report
Firmware update management
Quarterly security review

Pricing

Straightforward. Nothing hidden.

Hardware is client-owned outright. Monthly retainer covers SPG monitoring, threat response, reporting, and management. No surprises.

Executive Fortress Standard
$4,500
One-time setup + $350 / month
Includes hardware
  • Ubiquiti Dream Machine SE
  • Firewalla Gold Pro
  • YubiKey 5C NFC ×2
  • UniFi U6 Lite AP ×2
  • All cabling & materials
Includes installation
  • On-site deployment (Washington County)
  • 4-VLAN network segmentation
  • Full device migration & enrollment
  • YubiKey account setup
  • Client walkthrough & documentation
Monthly retainer ($350/mo) includes
  • 24/7 Firewalla MSP monitoring
  • Threat alert triage (4-hr SLA)
  • Monthly network health report
  • Firmware update management
  • Quarterly security review call
Larger Properties
Executive Fortress Extended
$6,500
One-time setup + $350 / month

Everything in Standard, plus expanded coverage for larger properties, additional access points, and extended on-site time for complex installs.

Additional inclusions
  • 2 additional UniFi U6 Lite APs (4 total)
  • Extended on-site deployment (up to 8 hrs)
  • Whole-home WiFi coverage survey
  • Additional device VLAN mapping
Multi-Property & Estate

Each additional property is scoped and quoted separately. Multi-property clients may qualify for Tier 3 — Estate Legacy pricing. Contact for a free consultation.


Hardware is purchased by SPG on behalf of the client and included in the setup fee. Client takes full ownership on installation day. SPG retains zero ownership of deployed hardware. All engagements include NDA and LPOA (data removal scope). Service agreement required prior to deployment.

Questions

Common questions about Executive Fortress.

Do I need to replace my existing router?
Yes. The Ubiquiti Dream Machine SE replaces your current router and takes over routing duties. Your ISP modem remains in bridge mode, passing the connection through to the UDM-SE. This is a required part of the deployment — for most features, the UDM-SE cannot function properly in a double-NAT (router behind router) configuration.
How disruptive is the installation?
Typically 4–6 hours for Standard, up to 8 hours for Extended. Your internet will be down for approximately 30–90 minutes during the router swap. We schedule installations at your convenience and complete the process in a single visit. After installation, all your devices work exactly as before — just on the correct VLAN.
What happens if I cancel the monthly retainer?
You own all the hardware outright, and it continues to function as configured. You'll lose SPG monitoring, threat alert triage, report delivery, and managed firmware updates — but your VLAN segmentation, firewall rules, and security configuration remain in place. The hardware doesn't stop working; the managed oversight does.
Do you offer deployments outside of Washington County?
Currently, Executive Fortress on-site deployments are available within Washington County and Cedar City, Utah. We are evaluating expanded coverage areas. If you're outside this range, contact us — we can discuss options including a pre-configured ship-and-assist deployment for the right client profile.
How does SPG access my network for monitoring?
SPG monitors your network through Ubiquiti's Site Manager cloud platform and Firewalla's MSP portal. Both use encrypted cloud connections — we do not have direct access to devices on your network, only to network-level telemetry (traffic flows, alerts, device counts, bandwidth). No content of your traffic is ever accessed or stored by SPG.

Ready to harden your perimeter?

A flat network is a liability.
Executive Fortress is the answer.

The assessment is free, confidential, and without obligation. We'll review your current network setup, identify exposure points, and tell you exactly what we'd do about it.