
I have a managed network with 40 users, 4 managed switches, VLANs, double WAN, several access points. A ProLiant HPE server is providing network services and even exposing a couple of websites to the open internet behind a reverse proxy (Nginx). All client PCs on the network are running Linux or Mac. I have a static public IP. Altogether I would say a small-business-size network.

I do not have a firewall installed and I wonder if I need one. To date I got away with implementing security on each of the VMs exposed to the internet: locking down SSH (public keys and no passwords), some rules on UFW. I do not have high internal threats. So far, I have survived the wild internet.

I am not keen to install a firewall which would take away my router functions, because I am used to it and because it offers nice tools to manage the network over the cloud (similar to Ubiquiti). I am considering installing a firewall between the router and the first switches in transparent mode, so as to avoid affecting the network management tools available on the router (Ruijie EG105G-V2).


My question is: Do I really need a firewall, and would it give me any benefit if installed in transparent mode between the router and the switch leaving the DHCP/Vlans and port forwarding management to the router? Finally, which Firewall?

I know there may be much more information needed to give me a direction, however your comments will be appreciated.

2 Answers


This question will attract opinion based answers.

I will therefore try to answer this without an opinion so you can form one of your own.

There are 2 types of firewalls.

  • Software firewalls that live on a computer.
  • Hardware firewalls that filter traffic.

For both firewalls, traffic is inspected based on their destination and port, and often a firewall is configured to block all, except certain ports.

With software firewalls, there is also the option to select a program. If that program is running then a port is allowed, but if the program is not running, that port is blocked.

With hardware, the packet itself can be inspected and be blocked regardless of what port it wants to access.

That said, when you place a router in your network, incoming ports are blocked by default and require a NAT rule in the router to open the ports again. This is also a kind of a firewall.

It is possible with a router to use a DMZ (DeMilitarized Zone) which forwards all traffic to an IP address, effectively allowing all ports. If DMZ is used to a PC, not a router that has its own NAT, then it is highly recommended to use a firewall too.

If you don't use DMZ, then a firewall is often not necessary for traffic coming from the WAN.

That said, another form of attack can come from the LAN, and in that case a server should have its firewall set up.

For example a hacker could drive their car in close range of your building, attack the WiFi and gain access. From there, they could hack the server if it does not have a firewall.

So the best practice is: Use a router without DMZ to a server or PC and activate a software firewall on all servers. Only if your network needs top security, should you step up the usage of more or better firewalls.

  • Thank you for your answer. Very clear and informative.
    – FeliceM
    Commented Jul 13, 2023 at 7:06
  • To further elaborate: An internet-facing firewall (whether it is separate hardware OR a software firewall inside the router) sits, logically speaking, between the internet and the routing functionality of the router. So it doesn't affect your internal network at all, except (obviously) for traffic to/from the internet. Inside the LAN you can have per-device firewalls (usually software) to protect them from internal threats. If you have multiple subnets you can also firewall on the router between those to prevent traffic between them. (E.g. to isolate guest and work subnets.)
    – Tonny
    Commented Jul 13, 2023 at 7:38
  • Continued.... A good security concept has "defense in depth": multiple layers of defense. If one gets bypassed through malice, accident, negligence or mistake there is a 2nd (or 3rd) line of defense to put another hurdle in an attacker's way. If an attacker gets past the internet-facing gateway or manages to get on the guest WiFi he still needs to get past the inter-VLAN router/firewall, and if he manages that there is the firewall on the server itself to deal with.
    – Tonny
    Commented Jul 13, 2023 at 7:48
  • @Tonny, thanks. My WiFi is encrypted with a strong WPA2 password. After reading your post, I'm curious about the potential benefits of implementing firewall rules in an inter-VLAN setup. I apologize if this post seems more suitable for a forum than for this context, but I haven't been able to find a forum with the same level of expertise as you all possess.
    – FeliceM
    Commented Jul 13, 2023 at 8:34
  • @FeliceM WPA2 can be cracked easily even with a strong encryption if the hacker is skilled enough.
    – LPChip
    Commented Jul 13, 2023 at 9:11

Yes, you need a firewall, because people are scanning for vulnerabilities across all IPv4 and IPv6 addresses nearly daily, especially IPv4, as there are only 4 billion of them.

I have been monitoring my incoming connections, and collecting a list of IPs that have scanned my IP.

In only 2-3 years I have collected 1.3 million unique IP addresses, and this is not counting repeat offenders.

Once hackers determine a port is open they will try and figure out what software is running on that port and they will try to exploit it.

For example:

My apache/web server receives dozens of probing attacks, and a lesser number of attempted exploits every day.

My mail server is subject to repeat offenders trying to guess my usernames and passwords. Dozens to hundreds of occurrences a day, and my website isn't even popular. Virtually no one besides bots and myself sees my website. The ratio is approx. 99.8% bots, 0.1% me, and 0.1% random people who stumble onto my site.

If my humble, obscure IP attracts this much attention you can imagine how much attention a real company's IP attracts.

Install an encrypted VPN so you can still lock down your external facing IP, and get access to internal resources.

Then you need to monitor your VPN logs so no one exploits your VPN.

In Linux you could install fail2ban.

  • Thanks. Out there it's a jungle!
    – FeliceM
    Commented Jul 27, 2023 at 12:53
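The monitoring this answer describes, counting unique scanning IPs versus repeat offenders in sshd failures and picking ban candidates with fail2ban-style maxretry/findtime thresholds, as an added example that is not code from the answer or from fail2ban. The log lines are constructed, the `journalctl -o short-iso` line format and the thresholds are assumptions, and the addresses come from RFC 5737 TEST-NET ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real logs) in `journalctl -o short-iso` style, an assumption for
# this example; source addresses are RFC 5737 TEST-NET ranges.
SAMPLE_LOG = """\
2023-07-13T07:00:01+0000 srv sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
2023-07-13T07:00:03+0000 srv sshd[2101]: Failed password for root from 203.0.113.5 port 51236 ssh2
2023-07-13T07:00:04+0000 srv sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
2023-07-13T07:00:06+0000 srv sshd[2105]: Failed password for invalid user test from 203.0.113.5 port 51244 ssh2
2023-07-13T07:00:07+0000 srv sshd[2107]: Failed password for root from 203.0.113.5 port 51250 ssh2
2023-07-13T07:01:10+0000 srv sshd[2110]: Failed password for invalid user oracle from 198.51.100.7 port 40100 ssh2
2023-07-13T08:30:00+0000 srv sshd[2200]: Invalid user git from 198.51.100.7 port 40200
2023-07-13T08:31:00+0000 srv sshd[2201]: Accepted publickey for felice from 192.0.2.10 port 50000 ssh2
2023-07-13T08:32:00+0000 srv sshd[2202]: Invalid user postgres from 203.0.113.99 port 33000
"""
# Matches both "Failed password for ..." and "Invalid user ..." sshd failure lines.
FAILED_RE = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?:Failed password for|Invalid user) .*?"
                       r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

def parse_failures(text):
    """Return (timestamp, source_ip) for every sshd authentication failure; successes are ignored."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S%z"), m.group("ip")))
    return events

def scanner_inventory(events):
    """Number of unique scanning IPs and the repeat offenders (more than one failure), as the answer counts them."""
    counts = defaultdict(int)
    for _, ip in events:
        counts[ip] += 1
    return len(counts), sorted(ip for ip, n in counts.items() if n > 1)

def ban_candidates(events, maxretry=5, findtime=600):
    """IPs with >= maxretry failures inside any window of findtime seconds (the thresholds fail2ban uses)."""
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    banned = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        # Sliding window: failures i-(maxretry-1) .. i are maxretry failures; ban if they fit in findtime.
        if any(stamps[i] - stamps[i - maxretry + 1] <= timedelta(seconds=findtime)
               for i in range(maxretry - 1, len(stamps))):
            banned.append(ip)
    return sorted(banned)
```

With the defaults only 203.0.113.5 (five failures in six seconds) is a ban candidate; 198.51.100.7 is a repeat offender but its two attempts are 89 minutes apart, so it is only caught by a much longer findtime.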

