
Phil’s Diary - [Blog @ http://www.philsdiary.net/]
I’ve made some changes to my network at home in an effort to improve security. Before the changes I was using a Belkin wireless firewall and router, which provided some limited firewalling and security. Unfortunately, because I have a Linux handheld that doesn’t like WPA, its wireless mode was WEP. Still, both give some security… unlike one of my neighbours, who has a wireless router with no encryption, and providing DHCP too.
Anyway, the upgrade consists of the Belkin staying as my first line of defence, mainly because it has an ADSL modem built in. It also continues to provide WEP wireless access. Sitting behind that is now a Sonicwall firewall appliance, which provides control between my LAN and the internet. It also has a separate DMZ zone where my web and mail server sit. Splitting into zones gives finer control over access.
At this point, if someone were to find out my WEP key, or force their way past the Belkin, they’d only have access to my internet connection outbound, and the same web, ssh and email inbound that the rest of the internet already has. Likewise, if they can get onto the mail/web server, they’ve another firewall to get past. The Sonicwall would stop the rest.
Also on the LAN is a second wireless access point router. This provides a WPA wireless route into the LAN, again with basic firewalling. The WPA should give a little more protection, though I’m in two minds about moving this access point to the DMZ as well.
I’ve also set the Sonicwall to block the WPA wireless access point from accessing anything (LAN, WAN and DMZ) overnight, as a little more of a deterrent.
All in all, the Sonicwall gives me much more control over my firewalling, and a nice split between the LAN, which isn’t accessible from the internet, and the DMZ, which is. And the two wireless zones give me the option of having WEP available without exposing the crown jewels while I do.
Not that you couldn’t do all this with a Linux box or two, some network cards and a copy of Smoothwall (something I was going to do, and may still, but for now it’s on the back burner), but this was a bit easier and the boxes are a little smaller.
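The zone policy described above, written out as a small default-deny rule matrix with the overnight cut-off for the WPA access point. This is an added example, not Phil’s Sonicwall configuration; the TCP ports for "web, ssh, email", the DMZ’s own outbound rule and the 00:00–06:00 quiet window are assumptions, since the post gives none of them.

```python
from datetime import time

# Zones from the post. The WPA access point sits on the LAN side but is
# modelled as its own zone so the overnight rule can single it out.
LAN, DMZ, WAN, WLAN_WPA = "LAN", "DMZ", "WAN", "WLAN_WPA"

# Explicit allow rules: (source zone, destination zone, TCP ports or None for any).
# Anything not listed is dropped, so WAN->LAN and DMZ->LAN fall through to deny.
# Port numbers are assumptions: the post only says web, ssh and email are reachable.
ALLOW = [
    (LAN, WAN, None),
    (LAN, DMZ, None),
    (WLAN_WPA, WAN, None),
    (WLAN_WPA, DMZ, None),
    (WLAN_WPA, LAN, None),
    (WAN, DMZ, {22, 25, 80}),      # the same access the rest of the internet has
    (DMZ, WAN, {25, 53}),          # assumed: outbound mail delivery and DNS lookups
]

# Overnight window in which the WPA access point is cut off from every zone.
# The post says only "overnight"; these hours are a constructed assumption.
QUIET_START, QUIET_END = time(0, 0), time(6, 0)


def in_quiet_hours(now: time) -> bool:
    """True when the time-based block on the WPA access point is in force."""
    return QUIET_START <= now < QUIET_END


def permitted(src: str, dst: str, port: int, now: time) -> bool:
    """Decide whether a new TCP connection from src zone to dst zone on port is allowed."""
    # The schedule rule wins over any allow entry for the WPA access point.
    if src == WLAN_WPA and in_quiet_hours(now):
        return False
    for rule_src, rule_dst, ports in ALLOW:
        if rule_src == src and rule_dst == dst and (ports is None or port in ports):
            return True
    return False  # default deny


if __name__ == "__main__":
    noon, three_am = time(12, 0), time(3, 0)
    print("WAN->DMZ:80 at noon:", permitted(WAN, DMZ, 80, noon))
    print("DMZ->LAN:22 at noon:", permitted(DMZ, LAN, 22, noon))
    print("WLAN_WPA->WAN:443 at 03:00:", permitted(WLAN_WPA, WAN, 443, three_am))
```

A host compromised in the DMZ gets the same treatment as any internet host trying to reach the LAN: no matching allow entry, so the connection is dropped.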
Posted by Phil on January 25, 2007 09:16 PM | Categories: Technology
Hi Phil,
I like how you are creating a layered/zoned defense. It's sort of how I have the Seto Shack set up, with three routers and two firewalls (Netgear and Linksys). That way, should the bad guys get into one of the zones, they are still blocked from getting into the others. Although no system is perfect, this is as good as I could implement.
As to using a linux box as a firewall, I used to do that using CoyoteLinux Personal Firewall. It worked fine but for me, it seemed to be overkill. By that I mean I was using up a bunch of space on my work desk that could be used for other uses. Even mini/micro-PC cases take up more space than most firewall appliances. So, eventually, I shut down the old firewall and switched.
By the way, after I logged into Typekey, I got an MT error message saying:
An error occurred
/tmp at /var/www/philsdiary/cgi-bin/mt/plugins/SCode/lib/SCode.pm line 100.
http://www.philsdiary.net/cgi-bin/mt/mt-comments.cgi?entry_id=4519
I have no idea what happened.
Aloha - Dan
Posted by: DanS at January 25, 2007 10:14 PM