[geeks] Firewall *needed* behind home (NAT) router

Ido Dubrawsky idubraws at dubrawsky.org
Tue Feb 8 15:36:08 CST 2005


On Tue, Feb 08, 2005 at 01:44:27PM -0600, geeks-request at sunhelp.org wrote:
> 
> While I plan to re-wire my network (and get rid of one 10base-2 coax line to
> the second floor), and upgrade my wireless APs to 802.11g, I wonder if it is
> worth adding a SunScreen firewall to my network. The only place the firewall
> makes sense is behind my router, and since nothing can get in (in theory),
> what is the point of the firewall?
> 
First off I wouldn't go with SunScreen.  Yes, it's free and yes it's Solaris 
based but I would go with something that has better performance and is easier 
to configure.  IPFilter comes to mind.
> 
> On Mon, 7 Feb 2005 23:08:35 -0700 (MST)
> Dan Duncan <dand at pcisys.net> wrote:
> 
> > I have a second firewall protecting my wired LAN from my wireless LAN
> > because I just don't trust wireless.
> Seconded. In addition I run IPsec on the wireless LAN and the firewall
> does the IPsec de/encapsulation...

And I thought I was the only one who was that paranoid :-)

Just my .02 on the matter.  It never hurts to put a firewall behind the NAT
router.  I keep everything behind the firewall except for my DNS/WWW/SMTP/SSH
servers...and they use a different authentication method to get in to them
(SSH 2.0 accepting ONLY public/private key authentication) than the systems 
behind the firewall.  The wireless AP sits on a DMZ of its own and must use
an IPSec VPN to the firewall to access the internal network.  Finally, I have 
setup one of the ports on the DMZ switch for SPAN which allows my SNORT box to
watch all traffic coming in and out of the network.  Essentially it looks like
this:

                                   ------------
                                   |DSL Modem |
                                   ------------
                                        |
                                        |
     NAT Addresses                 ------------
--------------------------         |Cisco 2621|
       DMZ                         ------------
                                        |
                                        |
                                   ------------
                                   |Cisco 2908|
                                   ------------
                                        |
                                        |
       DMZ                        ---------------         -------
--------------------------        |Cisco PIX 515|---------|AP350|
     Internal Network             ---------------         -------
                                        |
                                        |
                                   ------------
                                   |Cisco 2924|
                                   ------------

It's worked great for the past two and a half years.  I firmly believe in a 
firewall behind a NAT router.

Ido
-- 
===============================================================================
Ido Dubrawsky, CISSP           		E-mail:          ido at dubrawsky.org
Network Security Architect			   idubraws at siliconsec.com
dubrawsky.org
500 Hermleigh Rd
Silver Spring, MD. 20902
(301) 651-5441 (cell)
===============================================================================
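The layered policy described in the post above (default deny behind the NAT router, SSH-only management of the firewall, a wireless segment that may reach nothing but the firewall's IPsec endpoint), written as an IPFilter ruleset since IPFilter is what the reply recommends. This is an added example, not configuration from the original message; the interface names (hme0/hme1/hme2) and the address ranges are assumptions.

```conf
# ipf.conf  (constructed example; interface names and addresses are assumptions)
# hme0 = outside leg toward the NAT router and public-server DMZ (192.168.0.0/24)
# hme1 = internal network (10.0.0.0/24); the firewall is 10.0.0.1
# hme2 = wireless AP DMZ (172.16.0.0/24); the firewall is 172.16.0.1

# Default policy: drop and log anything no later rule explicitly passes.
block in log all
block out log all

# Loopback is always allowed.
pass in quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing: packets claiming an internal or wireless source address
# must never arrive on the outside interface.
block in log quick on hme0 from 10.0.0.0/24 to any
block in log quick on hme0 from 172.16.0.0/24 to any

# Firewall management: SSH to the firewall itself from the internal side only.
# Every other service on the firewall is unreachable from the internal leg.
pass in quick on hme1 proto tcp from 10.0.0.0/24 to 10.0.0.1 port = 22 flags S keep state
block in log quick on hme1 from any to 10.0.0.1

# Internal hosts may initiate connections outward; replies return via state.
pass in quick on hme1 proto tcp from 10.0.0.0/24 to any flags S keep state
pass in quick on hme1 proto udp from 10.0.0.0/24 to any keep state
pass in quick on hme1 proto icmp from 10.0.0.0/24 to any keep state
pass out quick on hme0 proto tcp from 10.0.0.0/24 to any flags S keep state
pass out quick on hme0 proto udp from 10.0.0.0/24 to any keep state
pass out quick on hme0 proto icmp from 10.0.0.0/24 to any keep state

# Wireless DMZ: the AP segment may talk only to the firewall's IPsec endpoint
# (IKE on UDP/500 and ESP). Direct attempts at the internal network or the
# outside fall through to the default block and are logged.
pass in quick on hme2 proto udp from 172.16.0.0/24 to 172.16.0.1 port = 500 keep state
pass in quick on hme2 proto esp from 172.16.0.0/24 to 172.16.0.1
pass out quick on hme2 proto udp from 172.16.0.1 port = 500 to 172.16.0.0/24 keep state
pass out quick on hme2 proto esp from 172.16.0.1 to 172.16.0.0/24
```

Load with `ipf -Fa -f /etc/ipf.conf` and watch `ipmon` for the logged blocks; the log lines from the default rules are what the SPAN-fed Snort box in the post would otherwise be the only source of.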
