Standard User Michael_Chare
(fountain of knowledge) Mon 08-Oct-18 22:42:06
Network security devices
 
Are there any security devices that you can put between your router and the rest of your network that don't leave you with double NAT?

Michael Chare
Standard User camieabz
(sensei) Tue 09-Oct-18 16:48:36
Re: Network security devices
[re: Michael_Chare]
 
A hardware firewall perhaps?

Failing that, there's always some old school security - https://ibb.co/k0Gfyp

grin
Standard User tdw42
(regular) Tue 09-Oct-18 17:19:53
Re: Network security devices
[re: Michael_Chare]
 
It is possible to do transparent layer2 (ethernet) firewalling/packet analysis, etc., but it is uncommon. More usually the device would operate at layer3 (IP) and rather than it doing NAT you would add a static route on your router to direct return traffic to the new "clean" network.

For example, if the WAN router had a LAN address of 192.168.1.1/255.255.255.0 you could set the security device input connection to 192.168.1.250/255.255.255.0, default gateway 192.168.1.1 and output connection to 192.168.2.1/255.255.255.0, then add a static route on the WAN router of 192.168.2.0/24 via 192.168.1.250 - all of your clients would have 192.168.2.x addresses and the single NAT is still carried out on the WAN router.

Note that some of the ISP supplied routers have crippled user interfaces so you can't do this, and if they have inbuilt wireless that traffic wouldn't be handled by the device.
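
The routed layout described in the post above, as an added example that is not part of the original thread: it checks the addressing plan and shows, by longest-prefix match, where the WAN router sends return traffic with and without the static route. The addresses are the ones from the post; the function names and the client address 192.168.2.37 are assumptions made for illustration.

```python
import ipaddress

# Addresses taken from the post above; the function and variable names are
# illustrative assumptions, not part of any router's API.
ROUTER_LAN = ipaddress.ip_interface("192.168.1.1/24")
DEVICE_OUTSIDE = ipaddress.ip_interface("192.168.1.250/24")
DEVICE_INSIDE = ipaddress.ip_interface("192.168.2.1/24")


def check_plan(router_lan, dev_out, dev_in):
    """Return a list of problems with the addressing plan (empty if sound)."""
    problems = []
    if dev_out.network != router_lan.network:
        problems.append("device outside interface is not on the router LAN")
    if dev_out.ip == router_lan.ip:
        problems.append("device outside address collides with the router")
    if dev_in.network.overlaps(router_lan.network):
        problems.append("clean network overlaps the router LAN")
    return problems


def router_table(router_lan, static_routes=()):
    """Router's table: connected LAN, default route to the ISP, static routes."""
    table = [(router_lan.network, "direct (LAN port)"),
             (ipaddress.ip_network("0.0.0.0/0"), "WAN (ISP)")]
    table += [(ipaddress.ip_network(net), f"via {gw}") for net, gw in static_routes]
    return table


def next_hop(table, destination):
    """Longest-prefix match, as a router does for each forwarded packet."""
    dst = ipaddress.ip_address(destination)
    matches = [(net, hop) for net, hop in table if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def required_static_route(dev_out, dev_in):
    """The route the WAN router needs so replies reach the clean network."""
    return (str(dev_in.network), str(dev_out.ip))


if __name__ == "__main__":
    client = "192.168.2.37"  # constructed example client on the clean network
    print("plan problems:", check_plan(ROUTER_LAN, DEVICE_OUTSIDE, DEVICE_INSIDE))
    print("no static route :", next_hop(router_table(ROUTER_LAN), client))
    route = required_static_route(DEVICE_OUTSIDE, DEVICE_INSIDE)
    print("with static route:", next_hop(router_table(ROUTER_LAN, [route]), client))
```

Without the static route the router's only match for 192.168.2.x is its default route, so replies are sent back out of the WAN port instead of to the security device.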


Standard User Michael_Chare
(fountain of knowledge) Tue 09-Oct-18 22:24:39
Re: Network security devices
[re: tdw42]
 
Thank you for the reply. Unfortunately the Gigaclear router, which I have to use, does not support static routes.

What I would like is a box that inspects and checks the packets that I send to and receive from the Internet. The box would be updated with the details of new threats much like antivirus software on a PC.

Michael Chare
Standard User caffn8me
(eat-sleep-adslguide) Tue 09-Oct-18 23:13:33
Re: Network security devices
[re: Michael_Chare]
 
You could look for a WatchGuard firewall secondhand and use that in 'drop in mode' which uses the same IP address and range on internal and external interfaces and gives full firewall features. Drop in mode is designed to do exactly what you want.

What speed connection are you on? I ask about the speed because if you want higher than about 500Mbps you'd probably need a model with a fan (to be affordable) and that could be an issue for you.

Up to 540Mbps you could use a secondhand XTM 26 (no fan). They can be found on eBay for about £30-40. The XTM 33 (no fan) is similar (about £40-60) and runs out of steam at 850Mbps. A T50 (no fan) would set you back a lot more secondhand but does cope with full Gigabit throughput.

If a fan is no issue, an old XTM 5 series model would cope or the XTM 330.

Avoid anything called Edge or Core, and anything called Xsomething that isn't XTM.

You can look at comparisons of specs at https://www.watchguard.com/wgrd-products/appliances-...

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs
Standard User Rolandrat
(committed) Wed 10-Oct-18 08:05:14
Re: Network security devices
[re: Michael_Chare]
 
Untangle or pfSense in bridge mode should do what you want; there are many free or home license versions of UTMs available.
You would need the hardware to install them on; Amazon sell many multi-network mini PC type boxes, and some even have pfSense already installed.

I note you have Gigaclear; if that's the full fat 1Gb connection, the choice of hardware will be important, as with all the features turned on that 1Gb could end up at a tenth of that after all the inspection has been done. Check out their forums for advice.
I use Untangle, which costs $50 a year for a home license, as I found it easier to understand.

Edited by Rolandrat (Wed 10-Oct-18 08:27:47)

Standard User Michael_Chare
(fountain of knowledge) Wed 10-Oct-18 09:53:45
Re: Network security devices
[re: caffn8me]
 
Thank you very much for a very useful and interesting post. So it is possible to buy something that would do what I am looking for.

Michael Chare
Standard User caffn8me
(eat-sleep-adslguide) Wed 10-Oct-18 10:59:23
Re: Network security devices
[re: Michael_Chare]
 
In reply to a post by Michael_Chare:
Thank you very much for a very useful and interesting post. So it is possible to buy something that would do what I am looking for.
Indeed it is. Other enterprise firewalls may offer the same functionality too but I'm most familiar with WatchGuard.

WatchGuard's drop-in mode is not the same as bridge mode, you can see what the differences are here

One word of caution: after placing the firewall between the router and the LAN you will need to reboot the router to clear its ARP cache, otherwise computers on the LAN won't see the internet.

Sarah

Standard User Michael_Chare
(fountain of knowledge) Wed 10-Oct-18 15:28:18
Re: Network security devices
[re: caffn8me]
 
How useful would a WatchGuard device be if one does not also subscribe to the security suite software? The software is quite expensive just for home use!

Michael Chare
Standard User caffn8me
(eat-sleep-adslguide) Wed 10-Oct-18 18:29:34
Re: Network security devices
[re: Michael_Chare]
 
It will come with fully functional firewall software - this never expires. You only need a subscription to be able to update it to the latest firmware or add subscription only features such as virus scanning.

Sarah
