Small Office Setup with PFSence and Snort
-
Hello everybody. Would you please comment/critique on the following setup for a small business from a PFsence new user?
The business is loosely divided to two parts: Office and Lab, both are served by a single DSL connection, both want Internet.
Office computers contain sensitive information; there is a server and workstations, and a network printer. All office computers are wired through a gigabit smart switch.
Lab network, on the other hand, is unsafe; engineers bring various computers that may have vulnerable software, open up team viewer connections, etc. All lab computers connect with WiFi.
Here are the plans for the network setup:
The DSL modem will be connected to the PFSense WAN interface. PFSense will be responsible for PPPoE authentication with the ISP.
The PFSense will run on a box with Intel i350-T4 adapter that has four physical ports. The rest of the system has not been decided yet, probably something i3-4130 or Xeon E3-1225 based, I can give it generous memory, if needed (for Snort).
The obvious choice is to put the Office and Lab on two separate PFSense LAN interfaces, each serving its own subnet. The Office LAN interface will connect to the gigabit smart switch. The Lab LAN interface will connect to a cheap WiFi router. The WiFi router will have NAT and DHCP turned off.
DHCP and NAT on both LAN subnets will be taken care of by the PFSense.
Now we get to the Snort part. I plan to run two Snorts–one on each LAN interface. That way the Snorts will pick up whatever packets have made from the Internet through the firewall, plus they could alert to computers on the LANs starting to send out something suspicious.
Fist question: would running Snort on the WAN interface, in addition to the LANs, be beneficial for protecting PFSense itself from Internet attacks, or PFSense does not need any extra protection when sitting on the perimeter?
Now the curveball: both Office and Lab clients want to be able to use the network printer. The Lab people only need to use the printer occasionally and do not care about speed. The office people print a lot. Where would you recommend connecting the printer?
With printer connected to the Office LAN the Office people would benefit from the most direct interface to the printer. But then the ‘unsafe’ Lab people would have the entry point to the Office subnet.
With printer connected to the Lab LAN, I am not sure how much of the slowdown the Office people would experience with print jobs traversing the PFSense and then the cheap WiFi router.
The third option is to put the printer on third PFSense LAN interface. In this case, do I want another Snort running on this separate interface?
What do you think about my setup? I appreciate your comments and suggestions.
-
I believe running Snort on just the two LAN interfaces should be sufficient so long as you don't have any open inbound ports (that is, you don't run any public-facing services like a web or mail server on one of the LANs). If everything coming into the WAN is simply reply traffic to previous outbound NAT requests, then pfSense is pretty well hardened on the WAN side.
As for the printer, unless we are talking about some super-duper expensive monster, why not just buy another printer for the less-secure Lab? If you can't do that, you can try putting the printer on its own subnet and interface.
Bill
-
I would suggest that unless you need ECC memory (which you shouldn't in a router imho) you should probably get a haswell i5 or xeon equivalent as it has features like turbo boost, rdrand, vt-d and tsx-ni which the i3 doesn't. You may not use these now, but you may use them in the future.
Please note that not all i5s have these features, so choose carefully (i5-4570 and i5-4570t have them, i5-4440 does not)
-
Actually there is a secondary mail server and secondary DNS server running, plus a network camera. With this, you think I should put a Snort on the WAN interface as well then?
Thanks for your help, fellows. I appreciate it.
-
@G.D.:
Actually there is a secondary mail server and secondary DNS server running, plus a network camera. With this, you think I should put a Snort on the WAN interface as well then?
Thanks for your help, fellows. I appreciate it.
Well, you could, but I would be more inclined to run Snort on the interface where those other servers are located (LAN, or better idea, a DMZ subnet). You could be selective about the enabled rules then.
Bill
-
What is the limit of hosts to be connected through pfsense or maximum bandwidth handling …......
