Networking-Forums.com

Professional Discussions => Security => Topic started by: lukekenny on June 03, 2020, 09:45:05 AM

Title: Is a firewall required to secure a subnet?
Post by: lukekenny on June 03, 2020, 09:45:05 AM
First post  :)

I am looking for some general advice on security for a subnet.

(https://i.imgur.com/4xMuK74.png)

This network is a Caravan / Camping park.  In the past, the Archer D9 was used to cordon off the Office LAN from the rest of the network using a NAT.  The owner has come along and set up a VoIP server on 192.168.1.3, which is fine, but the multiple phones in the office don't like the NAT.

So I'm doing the best with what I have.  I disabled the NAT on the Archer D9, which also forces its firewall to become unavailable.  I configured a static route on the USG (Unifi Security Gateway) to route traffic from 192.168.0.0/24 out to the Internet.  I then added some firewall rules on the USG to block traffic from 192.168.1.0/24 to 192.168.0.0/24, with an exception for the VoIP server. Works well.  And seemingly achieves what we were trying to do.

But I'm worried that someone, Joe Public, could come along and connect to the public wifi, and do some nefarious IP spoofing or masquerading, gaining access to the Office LAN.  Perhaps they could set their host's default gateway to 192.168.1.4 and off they go.  I'm not sure.

So the question is, will a device configured to operate purely as a router, with no NAT and no firewall, only accept packets on its WAN port that have been routed by its default gateway?  Or is a firewall traditionally required in these circumstances?
Title: Re: Is a firewall required to secure a subnet?
Post by: Otanx on June 03, 2020, 10:50:00 AM
The first question I have is why put the VoIP server in 192.168.1.0/24 instead of 192.168.0.0/24 with the rest of the office stuff?

So a router routes, and it will accept any packets from anywhere, not just from its gateway. Any host on 192.168.1.0/24 can send it traffic if they know to do so. How would they know? If it is all hardwired they may not be able to just see it. They could do scans, and try things, but that is pretty determined for a random person sitting at your location. However, security through obscurity isn't really great, so you should have a firewall to block stuff.

You could try flipping the design, and put the public behind the Archer, and turn NAT back on. Then set a rule on the Archer that the public space can't talk to the office space. Then connect the office stuff to the USG.

-Otanx
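A small model of what Otanx is describing, added here as an example (it is not code from any of the posters). It puts both routers from the diagram on 192.168.1.0/24 as the posts describe, gives the USG the two rules from the first post, and leaves the Archer with no filter because its firewall went away with NAT. The USG's own LAN address (192.168.1.1), the sample hosts, and the plain stateless first-match ACL semantics are assumptions made for the illustration.

```python
"""Toy model of the thread's topology: the USG (with lukekenny's rules) and the
Archer D9 (routing only, firewall unavailable with NAT off) both sit on
192.168.1.0/24, and 192.168.0.0/24 hangs off the Archer.

Added example, not code from the thread.  Assumed: the USG LAN address
(192.168.1.1 is a placeholder), stateless ACL semantics (ordered rules, first
match wins, implicit allow), and the constructed hosts used in the scenarios."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

OFFICE = ip_network("192.168.0.0/24")   # office LAN, behind the Archer
PUBLIC = ip_network("192.168.1.0/24")   # USG LAN: public Wi-Fi, VoIP server, Archer WAN
ANY = ip_network("0.0.0.0/0")
VOIP_SERVER = ip_address("192.168.1.3")
ARCHER_WAN = ip_address("192.168.1.4")
USG_LAN = ip_address("192.168.1.1")     # assumed; not given in the thread


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def packet(src: str, dst: str) -> Packet:
    return Packet(ip_address(src), ip_address(dst))


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network


@dataclass
class Router:
    name: str
    routes: list         # (prefix, egress): egress is a LAN name or a next-hop address
    rules: list = field(default_factory=list)

    def lookup(self, dst: IPv4Address):
        """Longest-prefix match over the routing table."""
        _, egress = max(((p, e) for p, e in self.routes if dst in p),
                        key=lambda pe: pe[0].prefixlen)
        return egress

    def decide(self, pkt: Packet) -> str:
        """Stateless ACL: first matching rule wins, otherwise allow."""
        for r in self.rules:
            if pkt.src in r.src and pkt.dst in r.dst:
                return r.action
        return "allow"

    def forward(self, pkt: Packet):
        """Where the router sends pkt: a LAN name, a next-hop address, or "dropped".
        The sender's configured gateway is not an input: a router forwards
        whatever reaches it unless a rule on that router denies it."""
        if self.decide(pkt) == "deny":
            return "dropped"
        return self.lookup(pkt.dst)


USG = Router("USG",
             routes=[(OFFICE, ARCHER_WAN), (PUBLIC, "public"), (ANY, "internet")],
             rules=[Rule("allow", ip_network(f"{VOIP_SERVER}/32"), OFFICE),  # VoIP exception
                    Rule("deny", PUBLIC, OFFICE)])                             # block public -> office
ARCHER = Router("Archer D9",
                routes=[(OFFICE, "office"), (ANY, USG_LAN)],
                rules=[])   # NAT disabled, so its firewall is unavailable (first post)

# Both routers are reachable from any host on the public segment.
ROUTERS = {USG_LAN: USG, ARCHER_WAN: ARCHER}


def trace(pkt: Packet, first_hop: IPv4Address) -> list:
    """Follow pkt from a host that hands it to first_hop.  Returns the routers
    traversed, ending with a LAN name, "internet", "dropped" or "loop"."""
    hops, egress = [], first_hop
    while isinstance(egress, IPv4Address):
        if len(hops) >= len(ROUTERS):        # guard against routing loops
            return hops + ["loop"]
        router = ROUTERS[egress]
        hops.append(router.name)
        egress = router.forward(pkt)
    return hops + [egress]


def reachable_via(pkt: Packet) -> list:
    """The sender's default gateway is only one of the first hops it can pick.
    Returns every router on the segment that delivers pkt to its destination."""
    return [str(hop) for hop in ROUTERS
            if trace(pkt, hop)[-1] not in ("dropped", "loop")]


if __name__ == "__main__":
    joe = packet("192.168.1.50", "192.168.0.10")   # public Wi-Fi user -> office PC
    print(trace(joe, USG_LAN))      # ['USG', 'dropped']: the USG rule works
    print(trace(joe, ARCHER_WAN))   # ['Archer D9', 'office']: via 192.168.1.4 it never hits the rule
    print(reachable_via(joe))       # ['192.168.1.4']
    print(trace(packet("192.168.1.3", "192.168.0.10"), USG_LAN))  # source-keyed exception
```

Run it and the two traces for the same packet tell the story: handed to the USG, the public Wi-Fi packet is dropped; handed straight to 192.168.1.4 it lands on the office LAN, because the Archer forwards anything it receives and the USG's rules never see that path. reachable_via lists every first hop a host on the segment could pick, which is the check to run whenever more than one router shares a segment. The last trace shows the spoofing worry from the first post in this stateless model: an exception keyed only on the VoIP server's source address passes any packet that carries that address in its header.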
Title: Re: Is a firewall required to secure a subnet?
Post by: deanwebb on June 03, 2020, 02:28:12 PM
I like Otanx's ideas.

I like the one about putting the voice server on the 192.168.0.0 network the best. Least amount of messing things around that way.
Title: Re: Is a firewall required to secure a subnet?
Post by: icecream-guy on June 04, 2020, 02:54:34 PM
Corporate and "guest" should never meet; both should have their own infrastructure for security's sake.