DMZs and stuff

Following on a previous query, I am considering allowing incoming calls
from t'Internet to a proxy server.
Now this calls for a DMZ to segregate the system running the proxy server
from the 'green' internal network.
My security experience is old school corporate:
Firewall/Router (incoming/outgoing calls allowed)
DMZ with server(s) handling incoming calls
Firewall/Router (incoming calls from DMZ ONLY!)
Green (outgoing calls depending on role).
This calls for a minimum of two Firewall/Routers to allow physical
separation between t'Internet, DMZ, and Green.
Googling so far in the context of the Virgin Super Hub 2 has suggested that
(a) DMZ and stuff is not that good in SH2
(b) the solution is to run it in modem mode and buy a better router.
However the 'better router' seems to support DMZ, NAS storage and wired/
wireless LAN all in the same box.
Now I wouldn't mind a kick ass wireless router with USB NAS storage and
networked USB printer support but I am not at all sure about having that
all lumped in with the DMZ and also directly exposed to t'Internet.
Am I being too cautious, or does the physical separation strategy still
hold good?
As a slight aside, I have various older cable/ADSL routers which are fine
for routing but don't support Gigabit Ethernet or the latest and fastest
wireless protocols. Are there still third party firmware builds which can
turn older routers into decent firewalls? This could save me buying two
new devices.
Cheers
Dave R
Reply to
David.WE.Roberts
Loading thread data ...
Who knows? Only bad guys, I suspect. But I'm with you. I've heard too many stories of routers themselves being hacked.
This presentation from DEFCON is just one example
formatting link

When I do the same I'm going for two routers, of different makes.
--

Henry Law            Manchester, England
Reply to
Henry Law
You could:
Use the superhub in router mode, telling it that everything in is the DMZ. Then attach a second router to one of the downstream ethernet ports. That router is then treating the DMZ as untrustworthy 'internet'.
Or
Use the superhub in modem mode and get another router that supports VLANs. VLAN one of the ports to be DMZ, the others to be internal. You do trust the router, but it's enforced at the switch level rather than the router level. Many commercial routers do this - internally only one ethernet interface, but then a VLAN tagged switch to separate LAN from WAN ports.
'DMZ' is a slightly unhelpful concept here - ideally you'd want one VLAN per level of (un)trustworthiness.
I'd go with OpenWRT:
formatting link
Though it tends not to work as well on ADSL models than cable ones. OpenWRT is also good at exposing features like VLANs that are implemented in the hardware but not normally exposed to the router UI.
Theo
Reply to
Theo Markettos
Thanks.
I'm not that sure about VLANS - I would prefer to have both logical and physical separation of the trusted and untrusted LANS.
To me, DMZ is the correct term - a zone the outside (red) and the inside (green) can both see into but red cannot see green (hidden behind a barrier).
I could use the SuperHub in 'router' mode with wireless turned off and just hang another NAT router off one of the LAN ports; I could then (as I think you are suggesting) just open some incoming ports so any device on the 'DMZ' LAN can accept incoming calls. [But how would that work? An incoming call can only go to one IP address unless there is some serious decision making based on the origin and protocol of the incoming call. Or a 'hunting group' asking if anyone wants to take the call.] With the DMZ configuration of the Virgin SuperHub 2 (AFAICS) you can only nominate one IP address as the DMZ, and all incoming calls are directed to that IP.
My main concern is that the SuperHub 2 in DMZ mode shows all the ports as closed, not stealthed. There is a general lack of confidence in the SH2 firmware so I could be tempted by a more robust firewall/router.
All this is reminding me how much I have forgotten about IP routing and firewalls.
Cheers
Dave R
Reply to
David.WE.Roberts

ElectronDepot website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.