
How secure is this?

Status
Not open for further replies.

cyberspace

Technical User
Aug 19, 2005
968
GB
We have recently got a new broadband connection so that the office laptops can use this line for internet and leave the leased line for the phones and for VPN traffic.

The leased line has a Symantec Enterprise Firewall sitting behind the router for the leased line.

However, the equipment I have been given is a Netgear ADSL router (DG834 I believe) and a 3Com Enterprise level 5012 router.

The Eth0 interface of the 3Com has an IP address on the internal LAN scheme and this will be the new default gateway address issued by DHCP after testing. The Eth1 interface is running on 10.0.0.2 /30 which connects to the Netgear (10.0.0.1 /30). RIP2 is running.

The Netgear has NAT and SPI security features and can also be set up for port forwarding etc.

I'm wondering if there should be a proper firewall device on this link? Or will there be sufficient security from the 2 routers?

My thoughts are that there should be a firewall but I would be keen to hear about it.

PS - This is a small office, the load on the Netgear won't be an issue.

TIA

'When all else fails.......read the manual'
 
Does your Symantec firewall have an additional port for WAN failover? If so, I would "bridge" the Netgear to the WAN failover port so that it gets the public IP address and you're doing only single NATting at the firewall, then create some traffic policies to direct your VPN and phone traffic over interface X and your laptops over interface Y. You should also be able to set up failover should one of the external networks fail, for redundancy.

What you're doing now is double NATting (once from the Netgear and then a second time from the 3COM), which is really not serving any purpose and is adding non-standard complexity. Not quite sure about the 3COM, never used anything but their NIC(s) and switches, but most SOHO level routers like Netgear, Linksys, etc. have basic SPI (stateful packet inspection) level firewall protection, which isn't saying much these days.
 
Thanks for the response.

The Symantec used to have an additional port card but it was removed. It's funny you should mention that because I was thinking the same yesterday.

The double natting is currently being done because the 3Com 5012 does not have ADSL connectivity, ideally that would be the sole device in the equation but it isn't.

Personally I would have thought a Draytek Vigor ADSL security router would have been a better purchase as this would have taken care of it as it has some very good security features. It would be best not to have a third device I think.

You've given me something to think about though, so thanks. Any further suggestions would also be appreciated.

'When all else fails.......read the manual'
 
As a matter of interest....

If I was to get a proper ADSL Firewall router, would I not just be able to remove the 3Com from the equation altogether?

Essentially all it's doing is basic routing and it also has a few static routes on there too, but that's nothing that a Vigor couldn't handle easily, and this would also remove the double NATting....

Advice appreciated

'When all else fails.......read the manual'
 
You could get rid of the 3COM right now if you wanted... again the Netgear alone is probably doing basic SPI level firewalling. I would definitely check into getting that card back into your Symantec and if required, any additional licensing needed for WAN load balancing/failover and use it.

You need something that does deep level packet inspection and at least intrusion prevention. I never have touched a Symantec firewall before, but I would imagine it has at least these features if not a few more.
 
The Symantec is fairly old so I'm not sure how advanced the features are. It seems to be mostly rule based. Getting licenses for it has proved to be somewhat of a nightmare to be honest - no resellers would come back to me!

I've done a bit more digging and I've found that the 3Com 512 has a built-in firewall, which I am currently configuring. It seems to have several packet inspection features and I'm manually configuring advanced ACLs. I'm utilising a "default deny" policy.

Do you feel that this would be sufficient? The Netgear has a stealth mode feature which means it won't respond to pings (and I presume therefore IP/port scanners) from the net.

'When all else fails.......read the manual'
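As an added illustration (not from any poster in this thread), here is a minimal Python model of what "SPI plus a default-deny ACL" amounts to: sessions opened from the LAN are allowed and tracked, their replies pass on state rather than on an inbound rule, and everything unsolicited, including the echo requests stealth mode drops and a probe to a forwarded port, falls through to deny. The 10.0.0.2 link address is from the thread; the other addresses and the LAN range are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed office LAN; the 3Com's Eth1 link address 10.0.0.2 is from the thread.
LAN = ip_network("192.168.1.0/24")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    sport: int = 0  # 0 for ICMP, which has no ports
    dport: int = 0

class StatefulDefaultDeny:
    """Toy SPI firewall: one explicit outbound rule, a state table for
    replies, and an implicit deny for everything else."""

    def __init__(self) -> None:
        self.state: set[tuple] = set()

    def filter(self, pkt: Packet) -> str:
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        # A reply matches the reversed 5-tuple of a tracked flow, so it is
        # permitted by state rather than by any inbound rule.
        if (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport) in self.state:
            return "allow-established"
        # Rule 1: LAN hosts may open TCP/UDP sessions to the outside.
        if src in LAN and dst not in LAN and pkt.proto in ("tcp", "udp"):
            self.state.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
            return "allow"
        # No other rule exists: unsolicited inbound traffic, including ICMP echo
        # ("stealth mode") and probes to ports, is denied by default.
        return "deny"

def run_demo() -> list[str]:
    """Feed constructed packets through one firewall instance, in order."""
    fw = StatefulDefaultDeny()
    flows = [
        Packet("192.168.1.10", "203.0.113.5", "tcp", 51000, 443),  # laptop -> web
        Packet("203.0.113.5", "192.168.1.10", "tcp", 443, 51000),  # its reply
        Packet("198.51.100.7", "10.0.0.2", "icmp"),                # ping from outside
        Packet("198.51.100.7", "10.0.0.2", "tcp", 40000, 22),      # unsolicited SSH
        Packet("203.0.113.5", "192.168.1.10", "tcp", 443, 51001),  # reply to no flow
    ]
    return [fw.filter(p) for p in flows]

if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```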
 
Except for NICs and switches, I don't know much else about the 3COM product. Looks like they have an ADSL card for that router, if you want to ditch the Netgear... I know 3COM had a try a few years back in the firewall market but they phased that out of their product line. I wouldn't put too much investment into the 3COM. I would look at a current firewall solution that will give you access to both WAN connections along with some advanced security threat management. You mentioned that this was a small office; Sonicwall makes a great appliance in its TZ180 series. You can get this with or without built-in wireless, and if you get the total security bundle/unlimited user model, this gives you the enhanced OS, access to both WAN ports for load balancing/failover, IPS, anti-spyware, anti-virus (at the firewall), and basic content filtering. You renew the subscription every year, which renews all of the features along with renewing the support/warranty on the box. I'm sure Watchguard and Nokia have something comparable; Cisco if you want to spend a lot more money.
 