Security with Bridge/DMZ before pfSense box, potential for vulnerability?
-
Spoke to the pfSense team; they told me DMZ mode from a modem/router combo to a pfSense box is a security risk.
-
Does there exist a potential vulnerability when running a modem/router combo in BRIDGE mode into a pfSense box? Is Bridge mode safe, or does it create a weak point in the network that can be exploited?
-
If DMZ and Bridge mode are not secure, is my best option to seek out a modem that has no capability other than BEING A MODEM to connect to the pfSense box?
-
-
Yes, something that is only a modem is what you should be aiming for. It passes the public IP directly to pfSense and has no further part in traffic routing. That means the modem device is not exposed to the internet since it has no public IP and cannot restrict traffic to/from pfSense.
Some sort of bridge mode is usually close to that, but the modem/router may still have an IP that's accessible depending on what the ISP does.
In DMZ mode the router sends all traffic to pfSense, but the public IP remains on the upstream router, meaning its own firmware must be maintained and secure. And in DMZ mode, since it is basically running a 1:1 NAT, it still has to pass all the traffic, so you are limited by its routing and state tables, which are usually far smaller than what can be configured in pfSense.
Steve
-
I am going to agree/disagree.
My ATT router only gives me the choice of DMZ mode for pfSense. Because I cannot stop it from having a routable address, I have not increased my attack surface by using DMZ mode.
Indeed, I would agree it's no less secure than running the upstream device in standard router mode.
But I would argue it's less secure than just having a modem that's not addressable.
What vulnerabilities exist in your modem/router? Do you have any way of finding out? And if you did, is there anything you can do about it?
Steve
-
@stephenw10 At this juncture I am looking for a simple ADSL modem, rather than a combo router device, to plug directly into pfSense, which is what is recommended.
Based on the previous comments it appears that I need to make sure it is not addressable; now, how you do that I do not understand at all. Would you please let me know what you mean?
-
Anything that is just a modem will not be addressable outside its own segment.
It might have a management interface, but it will be using a non-routable private IP address.
What sort of DSL service are you connecting to?
Steve
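As an added example that is not part of this thread, here is a small Python check a pfSense admin can run on the WAN address and gateway that pfSense reports, applying the distinction Steve draws above: a public IP landing on pfSense means a plain modem or a true bridge, while a private WAN address behind a gateway in the same private range means an upstream router still owns the public IP (DMZ / double NAT) and its firmware is part of your exposure. The sample addresses at the bottom are constructed.

```python
import ipaddress

# Carrier-grade NAT range (RFC 6598); checked explicitly because some Python
# versions report it as neither private nor global.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify_wan_address(addr: str) -> str:
    """Classify the address the pfSense WAN interface received from upstream."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and ip in CGNAT:
        return "cgnat"
    if ip.is_link_local:          # 169.254/16: no lease came from upstream
        return "link-local"
    if ip.is_loopback or ip.is_private:
        return "private"          # RFC 1918 (or IPv6 ULA)
    if ip.is_global:
        return "public"
    return "reserved"


def upstream_mode(wan_ip: str, wan_gateway: str) -> str:
    """Infer how the upstream modem/router hands traffic to pfSense."""
    kind = classify_wan_address(wan_ip)
    if kind == "public":
        # The public IP sits on pfSense itself: modem-only or true bridge.
        return "bridge-or-modem"
    if kind == "cgnat":
        # The ISP never delivers a public IP; inbound exposure is carrier-side.
        return "isp-cgnat"
    if kind == "private":
        gw = ipaddress.ip_address(wan_gateway)
        # In DMZ mode the default gateway is the upstream router's private LAN
        # address, i.e. a device with its own firmware sits in front of pfSense
        # and keeps the public IP.
        if gw.is_private:
            return "dmz-or-double-nat"
        return "private-wan-unknown-gateway"
    if kind == "link-local":
        return "no-lease"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample WAN address / gateway pairs as pfSense might show them.
    for wan, gw in [("1.2.3.4", "1.2.3.1"), ("192.168.1.64", "192.168.1.254"),
                    ("100.64.1.2", "100.64.0.1"), ("169.254.10.5", "0.0.0.0")]:
        print(f"WAN {wan} via {gw}: {upstream_mode(wan, gw)}")
```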