network setup for security

Rifter

I'm setting up a Linux server/firewall to learn about Linux networking. Would it be more secure to set up the network with my wireless router on the outside or the inside? For example, I have a cable modem, a router and a gigabit switch. Would it make more sense to do

1. Modem -> Router -> Server/firewall -> Switch -> network

2. Modem-> server/firewall -> Router -> Switch -> network

The router will be used for wireless only; the server will handle DHCP/DNS/NAT for wired connections.

I ask because it seems easy to hack into a wireless network, so I thought having it on the outside connection would be better, so that I can have heavier security/rules on the firewall for the outside NIC port, as opposed to having someone hack into it and already be on the inside.
 

kornphlake

You'll want to use the Linux box as a firewall before your router; the Linux box will become your DHCP server/router and the hardware router will only be used as a switch and wireless access point.

It would be possible to put the router behind the Linux box on its own subnet if you wanted network segregation, but you'd be double NATing, which is often not a good idea.

The guides for setting up a Linux firewall often seem complete, but I've found that all of them are missing one or two vital pieces of information; usually bridging your Ethernet adapters is the part that isn't well documented. Good luck. I got my firewall set up by luck, I think; I'm still not sure what exactly I did to get it going (too many changes before testing). It took me about a month to figure it out.

Rifter

Yeah, I guess you are right about having it on the inside; I can just set it up to only hand out IPs to my MAC addresses, so it would be secure.
 

kornphlake

Yeah, I guess you are right about having it on the inside; I can just set it up to only hand out IPs to my MAC addresses, so it would be secure.

You can use MAC filtering, but a better security measure would be to use wireless security of some sort rather than leaving your access point wide open. Turn off SSID and use MAC filtering to slow people down a little; use WPA encryption to make accessing your network too difficult to be worthwhile.

If you want to have a wide open wireless access point, that's fine; you can put your firewall behind the router and run a segregated network. Just be aware that you will be double NATing and you may have issues with port forwarding, if that is a concern.
 

Rifter

You can use MAC filtering, but a better security measure would be to use wireless security of some sort rather than leaving your access point wide open. Turn off SSID and use MAC filtering to slow people down a little; use WPA encryption to make accessing your network too difficult to be worthwhile.

If you want to have a wide open wireless access point, that's fine; you can put your firewall behind the router and run a segregated network. Just be aware that you will be double NATing and you may have issues with port forwarding, if that is a concern.

It's not wide open; it's not broadcasting and it's running WEP for security.

However, a few days ago I had a buddy over with a laptop, and he had some program that monitored wireless traffic. After 10 minutes of me playing online with my PS3 (connected via wireless) he had figured out my router's name and could try to connect; without the WEP key, though, he could not. I would think that in time you could also decode the encryption of the security, though.

Since it seems like wireless is a bigger security risk, I thought keeping it on the outside might be better. But it seems having it on the inside will be better for network configuration.
 

her209

You'd want #1. Here's why:

- The router will have a smaller attack surface, but use WPA/WPA2 with the wireless.
- You'll be opening and closing ports on the server/firewall. Why give hackers an opportunity to break into your box, should you forget to close a port after opening it, or by exploiting some software vulnerability in the server?

My $0.02.
 

Rifter

I would like to use WPA, I really would. However, I also use wireless for my Nintendo DS as well as my PS3, and the DS only supports WEP, no WPA support.
 

her209

I would like to use WPA, I really would. However, I also use wireless for my Nintendo DS as well as my PS3, and the DS only supports WEP, no WPA support.

#1 would still work best for you, because if someone were to connect to your AP, they could not get at the hosts behind the router/firewall box.
 

Rifter

Yeah, that's what I'm thinking too; I'm going to go that way and see how it works out.
 

Jeff7181

It seems to me that if you can't properly secure your wireless access point/router, you need to treat it just like the Internet or any other insecure network. Meaning, set it up in a DMZ and require clients on this network to authenticate with your server/firewall before accessing resources on your LAN. If you're setting up a firewall, set up a VPN too.

This also means client security will be more important for your wireless clients.
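As an added illustration (not code from any poster in this thread) of the layout her209 and Jeff7181 describe, here is a minimal iptables ruleset for the Linux box in option #1: the interface facing the wireless router is treated as untrusted, the wired switch side may use the box's DHCP/DNS, and the only service exposed toward the wireless side is a VPN endpoint through which wireless clients must authenticate. Interface names, the LAN subnet and the OpenVPN port are assumptions.

```sh
#!/bin/sh
# Assumed interfaces: eth0 faces the wireless router / modem side (untrusted),
# eth1 faces the wired gigabit switch (trusted LAN). Subnet and port are constructed.
WAN_IF="eth0"
LAN_IF="eth1"
LAN_NET="192.168.1.0/24"
VPN_PORT="1194"   # OpenVPN default; wireless clients must come in through the VPN

# Emit the ruleset as one iptables command per line so it can be reviewed before applying.
fw_rules() {
  cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Wired LAN may reach the DHCP and DNS services the box provides
iptables -A INPUT -i $LAN_IF -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $LAN_IF -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $LAN_IF -p tcp --dport 53 -j ACCEPT
# From the wireless/outside side only the VPN endpoint is reachable; everything else hits the DROP policy
iptables -A INPUT -i $WAN_IF -p udp --dport $VPN_PORT -j ACCEPT
# Wired LAN may go out; nothing is forwarded in from outside unless it is a reply to a LAN flow
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Apply the reviewed ruleset (needs root); comment lines are dropped first.
apply_rules() {
  fw_rules | grep -v '^#' | sh -e
}

# Count how many rules accept traffic arriving on a given interface, for a quick sanity check
# that the untrusted side exposes far less than the trusted side.
count_rules_for() {
  fw_rules | grep -v '^#' | grep -c -- "-i $1"
}
```

Run `fw_rules` first to inspect the output, then `apply_rules` as root; `count_rules_for eth0` should report a single accepting rule (the VPN port) against four for `eth1`.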