[geeks] Firewall *needed* behind home (NAT) router

Joshua Boyd jdboyd at jdboyd.net
Tue Feb 8 09:55:52 CST 2005


On Mon, Feb 07, 2005 at 11:56:43PM +0000, Lionel Peterson wrote:

> I am re-thinking my home network, and I have a question for the list - do I
> need a firewall?
>
> My current home network consists of a Linksys home Cable/DSL
> Router/Wireless AP, and all my machines hang off this device attached
> either directly or via home switches. IP addresses for all machine
> are in the 192.168.*.* network, with Mac & WinXP machines getting
> addresses via DHCP (the servers have static IPs). I have one DMZ
> machine, but it is not directly connected to the Cable/DSL Router
> (network feed is in the upstairs den, the server is in the basement).

First, what is up with all the control characters?

Second, I found that Linksys "routers" have a major flaw in them.  If I
have my internal network configured to 192.168.0.*, and the external
network is whatever, traffic to 192.168.x.* (where x!=0) gets routed
upstream instead of dropped.  Maybe only some Linksys routers do this, I
don't know.  I, however, consider it a major issue.  I stopped using my
Linksys at home for other reasons (switched from cable to dialup
specifically), but I certainly am not going to go back now that I found
that out about that product (work is where I found it, and work has the
same model I do).

> All my machines are hiding behind NAT, and the only remote access
> I think I need is to my DMZ server - though I can see the value in
> being able to log in to my network over a VPN.
>
> While I plan to re-wire my network (and get rid of one 10base-2 coax line to
> the second floor), and upgrade my wireless APs to 802.11g, I wonder if it is
> worth adding a SunScreen firewall to my network. The only place the firewall
> makes sense is behind my router, and since nothing can get in (in theory),
> what is the point of the firewall?

Well, things only can't get in if the Linksys router can't be breached.
I wouldn't want to make that assumption personally.

But, why doesn't it make sense to put the firewall in front of the
"router"?  From the way you describe it, I expect that outside
connection of the Linksys is just regular TCP/IP over ethernet rather
than something like PPPOE.  To my understanding, the Linksys would only
be considered a router if your outside connection was PPPOE or if the
Linksys was connecting to something other than ethernet.

If I was back on Comcast cable, I would go:
Comcast---->CableBox---->Firewall---->NAT.

If I had Verizon like my parents do it would have to be
DSL--->router->firewall->nat,
where router would be some appliance that
routes between the PPPOE DSL modem and ethernet.

However, at work we also have Verizon, and the supplied Westel DSL modem
speaks plain TCP/IP over Ethernet rather than PPPOE.

Err, I think in all of those configurations, you could keep the Linksys
as NAT if you wanted to, but the first Verizon configuration would
require a second similar appliance.

> Does a firewall make sense? I don't see how a firewall adds protection
> *behind* a router providing NAT. Advice? Am I missing something?

What I would do is make each segment a different subnet (in my
apartment, 10baseT is 192.168.0.*, 100baseTX is .1.*, FDDI is .2.*, and
when I add wireless later this year it will be .3.*).  I would be highly
tempted to stick a firewall between the wireless segment and the rest to
make sure that any wireless people nearby can't do anything on my
network without breaking through something heavier duty than the
security the wireless boxes offer.  Tentatively, web browsing might be
allowed through for my wife's convenience, but anything else would
require something like an ssh tunnel or some other sort of tunnel or
VPN.  But, those are just my ideas for the future.

Also, when I eventually get back to a non-dialup connection, I intend to
stick a firewall between the NAT and the actual connection.

A year ago or two ago I thought those Linksys boxes were perfectly
adequate, but experiences since then have convinced me otherwise.

On the other hand, doing it right isn't easy the first time.  But, if
you can do it, it is likely a valuable skill on the job market.

--
Joshua D. Boyd
jdboyd at jdboyd.net
http://www.jdboyd.net/
http://www.joshuaboyd.org/
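
A ruleset for the firewall described in the message above, added here as an example and not code from the thread: it drops traffic bound for other RFC1918 ranges on the upstream side instead of forwarding it (the Linksys behaviour complained about), and lets the wireless segment reach the wired segments only over ssh while allowing web browsing out to the Internet. The use of iptables, the interface names and the subnets are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). An iptables FORWARD ruleset for a box
# sitting between the upstream link, the wired segments and the wireless
# segment. Interface names and subnets are assumed for illustration.
WAN=eth0                   # side facing the cable/DSL device
WIRED=eth1                 # wired segments (.0.*, .1.*, .2.*)
WIFI=eth3                  # wireless segment (.3.*)
WIFI_NET=192.168.3.0/24
LAN_NETS="192.168.0.0/24 192.168.1.0/24 192.168.2.0/24"
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Print the rules instead of applying them, so they can be reviewed first;
# apply (as root) with:  sh fw.sh | sh
gen_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    # Replies to connections that were already allowed, in either direction.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # (1) Traffic for private address space never leaves on the upstream
    #     interface; it is dropped here rather than routed to the ISP.
    for net in $PRIVATE_NETS; do
        echo "iptables -A FORWARD -o $WAN -d $net -j DROP"
    done
    # (2) Wireless -> wired: ssh only (tunnels and VPN-over-ssh ride on it);
    #     anything else from the wireless side to a wired segment is dropped.
    for net in $LAN_NETS; do
        echo "iptables -A FORWARD -i $WIFI -s $WIFI_NET -d $net -p tcp --dport 22 -j ACCEPT"
        echo "iptables -A FORWARD -i $WIFI -d $net -j DROP"
    done
    # Wireless -> Internet: web browsing and the DNS lookups it needs.
    echo "iptables -A FORWARD -i $WIFI -s $WIFI_NET -o $WAN -p tcp -m multiport --dports 80,443 -j ACCEPT"
    echo "iptables -A FORWARD -i $WIFI -s $WIFI_NET -o $WAN -p udp --dport 53 -j ACCEPT"
    # Wired -> Internet: unrestricted outbound.
    echo "iptables -A FORWARD -i $WIRED -o $WAN -j ACCEPT"
    # Everything else (unsolicited inbound from the WAN, other wireless
    # traffic) falls through to the DROP policy set above.
}

gen_rules
```

Because the wired-to-WAN accept comes after the private-destination drops, a wired host that tries to reach 192.168.x.* through the upstream link is also stopped.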
