Firewall for Network Security... Do you use it? Host or Network?
https://www.rallypoint.com/answers/firewall-for-network-security-do-you-use-it-host-or-network
Posted by SGT Private RallyPoint Member, Wed, 12 Aug 2015 19:47:58 -0400

Response by LTC Stephen F., Aug 12, 2015, 7:51 PM
https://www.rallypoint.com/answers/firewall-for-network-security-do-you-use-it-host-or-network?n=885388&urlhash=885388
I am currently using two firewalls, but it is for my home network, @SGT Private RallyPoint Member.

Response by LCDR Rabbah Rona Matlow, Aug 12, 2015, 8:01 PM
https://www.rallypoint.com/answers/firewall-for-network-security-do-you-use-it-host-or-network?n=885415&urlhash=885415
Router and software firewall both...

Response by Cpl Private RallyPoint Member, Aug 12, 2015, 8:17 PM
https://www.rallypoint.com/answers/firewall-for-network-security-do-you-use-it-host-or-network?n=885455&urlhash=885455
There are several regulations, edicts, or industry practices that require firewalls between certain types of servers. For the client I develop for at the company I work for, there are firewalls between the front end, middleware and database servers.
Not to mention there are firewalls separating each client and on the core switch coming into our data center. For PCI compliance we don't even store credit card information. We've outsourced it to a company that specializes in processing and storing credit card data.

Response by Sgt Ken Prescott, Aug 12, 2015, 9:09 PM
https://www.rallypoint.com/answers/firewall-for-network-security-do-you-use-it-host-or-network?n=885585&urlhash=885585
NMCI told me that my network settings are "too paranoid" to work with their laptops. F*** 'em if they can't take a joke!

Response by SSgt Alex Robinson, Aug 12, 2015, 9:32 PM
https://www.rallypoint.com/answers/firewall-for-network-security-do-you-use-it-host-or-network?n=885651&urlhash=885651
I have a hardware firewall and would never think of not having one.

Response by SPC David S., Aug 13, 2015, 12:45 AM
https://www.rallypoint.com/answers/firewall-for-network-security-do-you-use-it-host-or-network?n=885938&urlhash=885938
SonicWall device between LAN/WAN. As well, scheduled audits on PCs - anything iffy, it gets reimaged. Home as well.

Response by SSG Private RallyPoint Member, Aug 13, 2015, 7:24 AM
https://www.rallypoint.com/answers/firewall-for-network-security-do-you-use-it-host-or-network?n=886258&urlhash=886258
Having at least one centrally located firewall is a sound practice.
A common architecture would be your entry point, then your IDS, your firewall, then your DMZ cluster, etc.
We all know that no one system, device, or technique is going to safeguard your system. A Defense in Depth approach (layered security) is the most sound and practical approach to safeguarding IT systems.

Response by PO1 John Miller, Aug 13, 2015, 7:53 AM
https://www.rallypoint.com/answers/firewall-for-network-security-do-you-use-it-host-or-network?n=886306&urlhash=886306
At my last command we had a network-based software firewall, a NIPS, and HIPS clients installed on all hosts.

Response by PO3 Steven Sherrill, Aug 13, 2015, 8:45 AM
https://www.rallypoint.com/answers/firewall-for-network-security-do-you-use-it-host-or-network?n=886402&urlhash=886402
My company handles sensitive personal information on a daily basis. We have to be locked down, in addition to meeting federal regulatory standards for our industry.

Response by SSG John Erny, Aug 13, 2015, 1:10 PM
https://www.rallypoint.com/answers/firewall-for-network-security-do-you-use-it-host-or-network?n=887080&urlhash=887080
We use SonicWall products that have served us very well; the only drawback is that Dell (hell) now owns them.

Response by PO1 Sojourner "Chancy" Phillips, Aug 17, 2015, 11:36 PM
https://www.rallypoint.com/answers/firewall-for-network-security-do-you-use-it-host-or-network?n=897795&urlhash=897795
Here is the bigger question... is your firewall configured for "deny-all except for"?

Response by GySgt Carl Rumbolo, Aug 18, 2015, 9:50 AM
https://www.rallypoint.com/answers/firewall-for-network-security-do-you-use-it-host-or-network?n=898509&urlhash=898509
My home configuration consists of the following:

Ubiquiti Networks EdgeRouter Pro-8 as internet-facing router / firewall
Cisco SG-300-10 LAN switch for my servers and NAS storage devices
Cisco SG-300-10 LAN switch for home LAN
Ubiquiti Networks ToughSwitch Pro-5 PoE switch for wireless LAN
Netgear 8-port switch for management LAN
3 NAS storage devices
2 Windows servers
1 Linux server

The wireless network consists of 3 Ubiquiti UAP-Pro APs. Internet service is a Time Warner Ultimate and a Windstream DSL configured in fail-over mode; most traffic goes through the TW link, except in an outage, when it is routed through the DSL (6 Mbps) with QoS set on the EdgeRouter to prioritize traffic. I also route the guest wireless access through the DSL and throttle that as necessary.

Not a typical home setup, but I work full-time from home and need redundant access. The storage may seem excessive, but my other hobby is digital photography, and I shoot in RAW mode, so the data builds up. (And yes, I do off-site backups.)

Response by GySgt Carl Rumbolo, Aug 18, 2015, 9:56 AM
https://www.rallypoint.com/answers/firewall-for-network-security-do-you-use-it-host-or-network?n=898534&urlhash=898534
The real question is not if someone uses a firewall - the question is what version and how it is configured.
A SOHO firewall router with known unpatched vulnerabilities, or one that is poorly configured, is just as bad if not worse than no firewall at all (probably worse, since the user has a false sense of security).

Also, firewalls are not the be-all, end-all of security. Solid best practices, good passwords frequently changed, as well as intrusion detection and deep packet inspection are all parts of a good security implementation.

Some things to think about (there are a lot more):

Are you enforcing end-point security for desktop clients with robust authentication schemes?
Do you practice AAA - Authentication, Authorization and Accounting?
Are you using role-based security - locking down administrative privilege and access?
Secure backups of data?
End user training around best practices?
Application security - do you know what the traffic flow pattern is for all your applications?
Audit policies, penetration testing?

Response by GySgt Carl Rumbolo, Jan 4, 2016, 11:34 PM
https://www.rallypoint.com/answers/firewall-for-network-security-do-you-use-it-host-or-network?n=1215498&urlhash=1215498
For my personal home network I use a Ubiquiti EdgeRouter Pro as a border gateway. Most of my internal network is Ubiquiti product. I have 2 (soon to be 3) EdgeRouter PoE units in homes of family for point-to-point VPN, giving them access to a NAS with 11 TB of family archives (photos, documents, some video).

Response by GySgt Carl Rumbolo, Apr 17, 2020, 12:45 PM
https://www.rallypoint.com/answers/firewall-for-network-security-do-you-use-it-host-or-network?n=5786435&urlhash=5786435
It has been a while since I visited this thread - reading over the responses, there are a variety of solutions and ideas.
However, it is important to remember that firewalls are only one portion of a secure network design.
Firewalls can provide protection against some forms of unauthorized access to network and computing resources, but they are in no way a complete security solution.

There are numerous attack vectors that need to be considered, some of which can be mitigated by IDS and/or IPS; others require application-level protections, and there is also malware detection and removal - including inbound and outbound email scanning.

Single-point firewall solutions offer limited defenses; however, most well-configured (and regularly patched) SOHO 'routers' will provide the basic protections for a typical home environment. Note, however, that none of the typical consumer (and few 'prosumer') routers provide much, if any, protection against DoS attacks. A simple DoS attack will often crash a SOHO router, and if that router is also the wireless access point (as many are), the entire network crashes.

Professionally, I do not recommend, nor would I allow to be deployed, any solution that is based on a single-point firewall - it should be a layered DMZ configuration. Similarly, wireless access points should be separate from a firewall-router.

It should be noted that typical SOHO router / wireless access point devices do not have either the memory or the processing power to handle routing, DHCP, DNS relay, wireless management and security, particularly once you get above 10 or 15 client devices. Even leaving out the design needs to ensure quality signal, a single central wireless access point is not a good design.

DNS and DHCP are also things that should be considered. A good secure DHCP plan should set aside a relatively small pool for unregistered devices, and a larger 'reserved' pool for known clients - the known clients are given DHCP reserved addresses.
Certain devices should have fixed static addresses - network devices, for example, printers, etc. If possible, I recommend 802.1X authentication for clients connecting to switch ports (unmanaged switches are not particularly recommended here).

I generally do not recommend using the ISP-provided DNS - a public DNS like Google (8.8.8.8 / 8.8.4.4) is a better choice - you can easily set your DHCP to provide those. Similarly, if you are running any sort of home VPN, getting a DynDNS service (or similar product) and using your OWN registered domain is a good best practice.

Regards!
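Two points in the thread above describe the same policy shape: the Cpl's firewalls between the front end, middleware and database tiers, and PO1 Phillips's question about a "deny-all except for" configuration, meaning nothing passes unless a rule explicitly permits it. The Python below is an added illustration, not code from this thread or from any product named in it. The tier subnets, ports, the sample connection attempts and the rendered nftables chain are all constructed for the example; it evaluates each attempt against a short allow list whose fallback is drop, and prints the equivalent nftables forward chain.

```python
"""Default-deny ("deny-all except for") policy model for a three-tier network.

Added illustration, not code from the RallyPoint thread. Subnets, ports and
the sample connection attempts below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One explicit allow: src_net -> dst_net on proto/dst_port."""
    src_net: str
    dst_net: str
    proto: str
    dst_port: int
    comment: str = ""


@dataclass(frozen=True)
class Conn:
    """A connection attempt to evaluate (new flow, not an established reply)."""
    src: str
    dst: str
    proto: str
    dst_port: int


# Constructed tiered layout echoing the front end / middleware / database split.
INTERNET = "0.0.0.0/0"
FRONTEND = "10.1.0.0/24"
MIDDLEWARE = "10.2.0.0/24"
DATABASE = "10.3.0.0/24"

# The only things permitted; everything not listed here is dropped.
ALLOW_LIST = [
    Rule(INTERNET, FRONTEND, "tcp", 443, "public HTTPS to front end"),
    Rule(FRONTEND, MIDDLEWARE, "tcp", 8080, "front end to app tier"),
    Rule(MIDDLEWARE, DATABASE, "tcp", 5432, "app tier to PostgreSQL"),
]


def matches(rule: Rule, conn: Conn) -> bool:
    """True when proto, port, source subnet and destination subnet all match."""
    return (rule.proto == conn.proto
            and rule.dst_port == conn.dst_port
            and ip_address(conn.src) in ip_network(rule.src_net)
            and ip_address(conn.dst) in ip_network(rule.dst_net))


def evaluate(conn: Conn, rules=ALLOW_LIST):
    """First-match evaluation: ('accept', rule) for an explicit allow,
    otherwise ('drop', None) because the chain policy is drop."""
    for rule in rules:
        if matches(rule, conn):
            return "accept", rule
    return "drop", None


def render_nftables(rules=ALLOW_LIST, table="inet filter", chain="forward"):
    """Render the allow list as an nftables forward chain with policy drop.
    Replies to accepted flows are let through by the conntrack state rule."""
    lines = [
        f"table {table} {{",
        f"    chain {chain} {{",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
    ]
    for r in rules:
        lines.append(f"        ip saddr {r.src_net} ip daddr {r.dst_net} "
                     f"{r.proto} dport {r.dst_port} accept comment \"{r.comment}\"")
    lines += ["    }", "}"]
    return "\n".join(lines)


# Constructed connection attempts: two legitimate tier hops and three that
# bypass a tier or use a service nobody allowed.
SAMPLE_CONNS = [
    Conn("203.0.113.5", "10.1.0.10", "tcp", 443),   # browser to front end
    Conn("203.0.113.5", "10.3.0.10", "tcp", 5432),  # internet straight to DB
    Conn("10.1.0.10", "10.3.0.10", "tcp", 5432),    # front end skipping app tier
    Conn("10.2.0.10", "10.3.0.10", "tcp", 5432),    # app tier to DB
    Conn("10.2.0.10", "10.3.0.10", "tcp", 22),      # SSH to DB: not on the list
]


def decisions(conns=SAMPLE_CONNS):
    """Verdict per sample connection, in order."""
    return [evaluate(c)[0] for c in conns]


if __name__ == "__main__":
    for c, verdict in zip(SAMPLE_CONNS, decisions()):
        print(f"{c.src} -> {c.dst}:{c.dst_port}/{c.proto}: {verdict}")
    print(render_nftables())
```

The point the model makes explicit is that the "except for" list is the whole policy: the front end cannot reach the database directly, and SSH to the database tier is dropped even from the app tier, because no rule says otherwise. The rendered chain is a starting point for a real ruleset (loadable with `nft -f`), and the `ct state established,related accept` line is what lets return traffic for permitted flows through once the default policy is drop.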