    Is there a benefit to nested firewall/NAT? (defense in depth?)

    Firewalling
    • rmorris49

      For several years, I've used a Linux server as a NAT/firewall box. Originally, it was an energy hog. Over the years, it's been upgraded a couple of times and is currently a more than capable C2D Dell OptiPlex box. When I learned of pfSense, I bought a small appliance with it pre-installed to see how I liked it. I set it up inside my LAN to make sure I could get it functional at first, and it wasn't long before I moved it to the front of the line.
      e.g.
      Internet <--> ISP cable modem <--> pfSense box <--> Linux NAT/firewall box.

      I kind of felt a little better knowing I had 2 firewalls, though on occasion I open up a port for external access back into the LAN (all the way through to access one of my internal machines; thus, I had to put in a NAT/firewall rule allowing it at the pfSense box and at the Linux box).

      Lately, I've been contemplating setting up the VPN access, but going through some documentation, I would have given my 'calling home' laptop an IP address on the subnet of the pfSense box which in my case, wouldn't have been fully functional. At that point, I'd have access through the first firewall, but not into the 2nd layer where my actual machines were located (behind the Linux box).

      So, I wanted to ask the experts: which is more secure?
      Just get rid of the Linux box so I can VPN straight into the IP range of the pfSense box and have access to the systems that would be moved out of the 2nd internal firewall?
      or
      Keep a 2nd internal box and give up the idea of VPN into the internal firewall and only use a couple common protocols (e.g. SSH)?

      Is a 3rd option viable? Turn the Linux box into a pfSense box and setup external VPN access to 1st layer WAN, and have the LAN of that external box have a device-to-device VPN to the internal pfSense box and keep all the stuff inside the 2nd pfSense? (or, is this possible? redundant/useless time to configure, etc?)

      • JKnott

        I have a pfSense firewall and also run firewall software on my computers, for an extra layer of security.  However, while I used to run a VPN, I find I can do all I need with just SSH and SSL/TLS.  On IPv4, I have to use port forwarding to the appropriate computer, but on IPv6, I go right to the destination.  PfSense is configured to allow specific ports to specific addresses.  So, if you were to try SSH, for example, just getting through the firewall wouldn't get you anywhere, as you'd still have to get through the firewall on the only computer you'd be allowed to reach.  Also, the 2 firewalls are different, so what works to break through one, might not work for the other.  My computers run iptables on Linux.

        Proper security is always defense in depth.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • rmorris49

          Thanks for the response. It firms up what I felt in my gut: dual layer firewall = better. Defense in depth is a mantra for a reason, right?

          However, this portion confuses me: "On IPv4, I have to use port forwarding to the appropriate computer, but on IPv6, I go right to the destination.  PfSense is configured to allow specific ports to specific addresses."

          I am able to configure my Linux box with iptables to allow specific ports to specific addresses (and use the same or different ports on the internal hosts, much like pfSense can do).

          For example, if I have 2 firewalls, I have to SSH to a port on pfSense that accepts SSH connections, then forward that internally to the Linux box using either the same or a different port. Once I hit that one, I can SSH internally to the Linux boxes through local access. The reason for my confusion is I don't see how that's any different than what you described above. e.g. I can go right to the destination as well, if I configure it to do so.

          • P3R

            I agree that two firewalls of different type will add a fraction of additional security, based on the idea that a bug in one is unlikely to be in the other. However I think that "…only use a couple common protocols..." rather than a VPN will probably add more insecurity than what's gained from the dual firewall setup.

            • Every service open to the outside in a firewall is an attack vector and multiple open services are more insecure than a single service (VPN).

            • The more complicated configuration with multiple open services and multiple firewalls with different administration increase the risk for administrative errors.

            • Once configured, a VPN is an easy to use do-it-all access path to the network in question which decreases the risk for user mistakes and stupid ideas caused by the fact that the access to the home network is more complicated and/or may have usage limitations.

            Defense in depth isn't just having serial perimeter firewalls. Defense in depth is about deploying security at every level possible. Like having a sane network design, not using any outdated and/or insecure clients, configuring all nodes as securely as possible, doing proper log management, keeping yourself updated on the security landscape, constantly educating the users and many many more things.

            With an updated firewall of good reputation (like pfSense) that's being well administered, I'd say that the risk for someone to break through it is a long way down on the list of threats to your network.

            • JKnott

              However, this portion confuses me: "On IPv4, I have to use port forwarding to the appropriate computer, but on IPv6, I go right to the destination.  PfSense is configured to allow specific ports to specific addresses."

              What confuses you?  IPv4 has to go through NAT and requires port forwarding to reach the appropriate computer.  With IPv6, the firewall is configured to allow the packets through to the specified address.  In either case, the destination computer's firewall is configured to allow the specific protocol.

              • rmorris49
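The IPv4-versus-IPv6 distinction JKnott describes, written out as pf rules of the kind pfSense generates. This is an added illustration, not configuration posted in the thread; the WAN interface em0, the SSH host addresses 192.168.1.10 and 2001:db8:1::10, and the ports are assumptions.

```pf
# Added example (not from the thread): "allow a specific port to a specific
# address" on IPv4 needs NAT plus a filter rule; on IPv6 it is one filter rule.
# Assumptions: em0 is WAN; the SSH host is 192.168.1.10 on the LAN and
# 2001:db8:1::10 on IPv6 (documentation prefix).

# Default deny on WAN. pf is last-match-wins, so this goes first and the
# "quick" pass rules below take precedence for exactly the traffic listed.
block in log on em0

# --- IPv4: the LAN is behind NAT, so the public address must be rewritten.
# Step 1: rdr translates WAN port 2222 to the internal host's port 22.
rdr on em0 inet proto tcp from any to (em0) port 2222 -> 192.168.1.10 port 22
# Step 2: filter rules are evaluated AFTER translation, so the pass rule
# matches the internal address and port, not the public ones.
pass in quick on em0 inet proto tcp from any to 192.168.1.10 port 22 \
    flags S/SA keep state

# --- IPv6: no NAT; the host has a globally routable address. One rule admits
# exactly one protocol to exactly one address. Every other address on the
# /64 stays behind the default deny above.
pass in quick on em0 inet6 proto tcp from any to 2001:db8:1::10 port 22 \
    flags S/SA keep state

# In both cases the destination host's own firewall (iptables in JKnott's
# setup) must still accept tcp/22, which is the second layer he refers to.
```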

                P3R: Just for clarity, only 1 port (not SSH) is opened to outside, but that is the price to pay if we want to be able to access a server remotely. Just having the port open only gains them a single vector with which to begin an attack. When I travel for extended time, I also occasionally open up an additional port (SSH) for a different service. This is in the event something happens I can remote back in and fix something for my wife. Although it's less secure to then have a 2nd port open vs. the 1st that's usually always open, it makes my life easier than trying to explain/write instructions/create permissions for my wife to grant my remote access. e.g. if I could do that, I'd just explain to her how to fix the issues. :)

                I guess the purpose of my initial question was I thought it might be beneficial to have VPN access instead of that occasional SSH access - as I am nearly 100% positive I would want or need to leave my other port still open 24/7. (I should add the 1st port is application username/password protected as well for access), so it's not like it's a huge open door. It's a small, partially locked door. From what you and JKnott indicate, I think I was more secure in my previous position (layered 2 types of firewalls, plus all the hosts protections). Thus, I did take the time last night to reconfigure back to my original setup.

                While much more technically savvy than the regular user, I also freely admit I do not have (or want to take?) the time away from family to (as often as one should) keep up on the latest and greatest attack vectors, how to mitigate them, or even comb through logs thoroughly enough. e.g. I'm just 1 guy and this is for a simple home network; I can do a lot, but I can't (or don't have the time) to do it all. Hence, my coming here to post a discussion about the topic.

                @JKnott:

                However, this portion confuses me: "On IPv4, I have to use port forwarding to the appropriate computer, but on IPv6, I go right to the destination.  PfSense is configured to allow specific ports to specific addresses."

                What confuses you?  IPv4 has to go through NAT and requires port forwarding to reach the appropriate computer.  With IPv6, the firewall is configured to allow the packets through to the specified address.  In either case, the destination computer's firewall is configured to allow the specific protocol.

                The difference between IPv6 & IPv4. This is just a lack of my knowledge of the differences. So from my understanding of what you've stated, IPv6 effectively handles the NAT/routing back to the computer you want it to go to, whereas with IPv4, it has a little more leg work to handle the NAT routing.

                Either way, thanks to both of you for the discussion, thought provoking questions and statements. I think I know the direction I'll continue to go/follow to (try to) keep my stuff more secure.

                • JKnott

                  The difference between IPv6 & IPv4. This is just a lack of my knowledge of the differences. So from my understanding of what you've stated, IPv6 effectively handles the NAT/routing back to the computer you want it to go to, whereas with IPv4, it has a little more leg work to handle the NAT routing.

                  No NAT with IPv6.  NAT is a hack to get around the IPv4 address shortage.  However, it also breaks a few things, including being able to directly access a computer behind the firewall.  Since I have 18.2 billion, billion IPv6 addresses available¹, there's no shortage that requires NAT.

                  1. At the moment, I "only" have a /64 prefix, but shortly I'll be able to get a /56, which is about 4.7 billion, trillion addresses (4.7 x 10^21).

                  • johnpoz (LAYER 8 Global Moderator)

                    "which is about 4.7 billion, trillion addresses (4.7 x 10^21).  "

                    The number of addresses available in IPv6 really doesn't mean all that much - other than making it really impossible to do a scan of all IPs in a network looking for hosts… Since the number of hosts on a /64 is not going to be anywhere close to the number of IPs... So you really don't know where in the haystack the hosts (needle) might be.  And the haystack is just too freaking big to sift through looking for that needle.

                    What is more important in IPv6 is the prefix: the number of networks the prefix allows you to have. With a /64 you can have 1 network, with a /56 you can have 256 different network segments, with a /48 you can have 65k, etc.

                    While yes, the numbers are HUGE for the number of individual IPs - not really good for anything... You're never ever ever going to get even anywhere close to using the number of IPs available in a /64 on the same segment..

                    To the multiple vectors comment with only 1 port - depends, do you have that 1 port open to multiple hosts?  If so then it's multiple attack points.. You have to keep each host's ssh server updated, configured, etc.  The more hosts, the more likely to make a mistake and not update 1 or bad config, etc.

                    I would vpn into the network, and then through the vpn ssh to your different hosts.  This way you have the security of the vpn on top of all of the ssh servers as a blanket if you will.. So even if you make a mistake on the sshd side, you still have it locked down to only vpn clients being able to access the ssh anyway.. Not every possible tom dick and harry bot on the internet hitting your sshd, etc.  Even if someone manages to get into the vpn - they would then have to get through the sshd security.  Public key I would hope, etc.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 23.01 | Lab VMs CE 2.6, 2.7

                    • Harvy66
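The "VPN as a blanket over sshd" layout johnpoz recommends, as an added pf ruleset in the style pfSense generates (not configuration posted in the thread). The interface names em0 and ovpns1, the tunnel network 10.8.0.0/24, the LAN 192.168.1.0/24 and the OpenVPN port udp/1194 are assumptions.

```pf
# Added example (not from the thread): SSH is reachable only through the VPN,
# so sshd on the LAN hosts is never exposed to the Internet directly.
# Assumptions: em0 = WAN, ovpns1 = OpenVPN server interface, tunnel network
# 10.8.0.0/24, LAN 192.168.1.0/24, OpenVPN listening on udp/1194.

# Default deny on WAN. tcp/22 has neither an rdr nor a pass rule here, so a
# misconfigured sshd on a LAN host is still unreachable from outside: the
# VPN layer covers the mistake, which is johnpoz's point.
block in log on em0

# The only service exposed on WAN is the VPN itself: one inbound vector to
# keep patched and monitored instead of one per SSH host.
pass in quick on em0 inet proto udp from any to (em0) port 1194 keep state

# Traffic arriving on the tunnel interface is already authenticated by the
# VPN. Restrict it anyway: only the tunnel network may reach SSH on the LAN,
# so stray or spoofed sources on the tun interface are dropped and logged.
block in log on ovpns1
pass in quick on ovpns1 inet proto tcp from 10.8.0.0/24 \
    to 192.168.1.0/24 port 22 flags S/SA keep state

# sshd on each LAN host remains the second layer (public-key auth, as johnpoz
# hopes); an attacker who did get onto the VPN still has to get past it.
```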

                      Adding depth to security can be a good thing, but it also adds complexity and surface area, which are bad things. There is no rule of thumb, but I would be careful about having multiple layers of the same thing, like a firewall, assuming they're responsible for the same thing. If you have a firewall on the trunk, and each department has their own firewall, that's one thing. But if you effectively have two firewalls chained together and effectively configured the same, that's just one more area to make a mistake.

                      • johnpoz (LAYER 8 Global Moderator)

                        Also, complexity adds overhead; overhead leads to shortcuts and workarounds and mistakes..

                        You make users jump through too many hoops to access the resources, they will just find ways to work around the "extra" security because of the work it causes.

                        Screw accessing the vpn on my laptop from home to access my work… I have to log in here, I then have to put in the pin on my sec card, then I have to use the OTP password.. Then it times out in a minute, etc..

                        Screw that - will just download all the work onto my thumbdrive and take it home and read it on my home computer, etc.  Or I will just upload it to dropbox, or I will just run teamviewer on the machine and just teamviewer in from home to my work machine..

                        Security is good - but when you make it PITA to get work done - the user will blow all your layers of security away with stupid luser tricks ;)
