Is a firewall required to secure a subnet?

Started by lukekenny, June 03, 2020, 09:45:05 AM


lukekenny

First post  :)

I am looking for some general advice on security for a subnet.

This network is a Caravan / Camping park.  In the past, the Archer D9 was used to cordon off the Office LAN from the rest of the network using a NAT.  The owner has come along and set up a VoIP server on 192.168.1.3, which is fine, but the multiple phones in the office don't like the NAT.

So I'm doing the best with what I have.  I disabled the NAT on the Archer D9, which also forces its firewall to become unavailable.  I configured a static route on the USG (Unifi Security Gateway) to route traffic from 192.168.0.0/24 out to the Internet.  I then added some firewall rules on the USG to block traffic from 192.168.1.0/24 to 192.168.0.0/24, with an exception for the VoIP server. Works well.  And seemingly achieves what we were trying to do.

But I'm worried that someone, Joe Public, could come along and connect to the public wifi, and do some nefarious IP spoofing or masquerading, gaining access to the Office LAN.  Perhaps they could set their host's default gateway to 192.168.1.4 and off they go.  I'm not sure.

So the question is, will a device configured to operate purely as a router, with no NAT and no firewall, only accept packets on its WAN port that have been routed by its default gateway?  Or is a firewall traditionally required in these circumstances?

Otanx

The first question I have is why put the VoIP server in 192.168.1.0/24 instead of 192.168.0.0/24 with the rest of the office stuff?

So a router routes, and it will accept any packets from anywhere, not just its gateway. Any host on 192.168.1.0/24 can send it traffic if they know to do so. How would they know? If it is all hardwired they may not be able to just see it. They could do scans, and try things, but that is pretty determined for a random person sitting at your location. However, security through obscurity isn't really great, so you should have a firewall to block stuff.

You could try flipping the design, and put the public behind the Archer, and turn NAT back on. Then set a rule on the Archer that the public space can't talk to the office space. Then connect the office stuff to the USG.

-Otanx
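To make Otanx's point concrete (a router forwards on the destination address only; the sender's idea of a "default gateway" never enters the decision) and to cover lukekenny's spoofing worry, here is an added toy simulation of a router's forwarding decision. It is not code from anyone in this thread or from the USG; the interface names, the rule format and every host address other than the VoIP server's 192.168.1.3 are made up for the example. It runs the same packet through a plain router, through the src/dst rules described in the thread, and finally with a reverse-path (anti-spoofing) check added.

```python
import ipaddress
from dataclasses import dataclass

# Subnets from the thread; the VoIP server address is the one given there.
OFFICE = ipaddress.ip_network("192.168.0.0/24")
PUBLIC = ipaddress.ip_network("192.168.1.0/24")
VOIP_SERVER = ipaddress.ip_network("192.168.1.3/32")

# Routing table of the router sitting between the two subnets
# (constructed; interface names are hypothetical).
ROUTES = [
    (OFFICE, "lan-office"),
    (PUBLIC, "lan-public"),
    (ipaddress.ip_network("0.0.0.0/0"), "wan"),
]


def route_lookup(addr):
    """Longest-prefix match on one address: which interface it lives behind.
    Only the address is consulted; who sent the packet or which gateway the
    sender configured plays no role at all."""
    best = None
    for net, iface in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


@dataclass
class Rule:
    action: str  # "accept" or "drop"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


# Stateless ACL mirroring the USG rules described by lukekenny:
# block public -> office, with an exception for the VoIP server.
# First match wins, so the exception must come before the block.
ACL = [
    Rule("accept", VOIP_SERVER, OFFICE),
    Rule("drop", PUBLIC, OFFICE),
]


def filter_packet(src, dst, acl):
    """First-match evaluation; no match means accept, i.e. a router with no
    firewall forwards everything it has a route for."""
    for rule in acl:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "accept"


def forward(src_ip, dst_ip, in_iface, acl=(), rpf=False):
    """Return the egress interface for a packet, or a 'dropped:<why>' marker.

    rpf=True enables a reverse-path check: if the source address would be
    routed out a different interface than the one the packet arrived on, the
    source is spoofed (or the routing is asymmetric) and the packet is dropped.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if rpf and route_lookup(src) != in_iface:
        return "dropped:rpf"
    if filter_packet(src, dst, acl) == "drop":
        return "dropped:acl"
    return route_lookup(dst)


if __name__ == "__main__":
    # A public-wifi host aiming at an office host, three ways:
    print(forward("192.168.1.50", "192.168.0.10", "lan-public"))        # plain router: lan-office
    print(forward("192.168.1.50", "192.168.0.10", "lan-public", ACL))   # with rules: dropped:acl
    print(forward("192.168.1.3", "192.168.0.10", "lan-public", ACL))    # VoIP exception: lan-office
    # Same public host forging an office source address:
    print(forward("192.168.0.5", "192.168.0.10", "lan-public", ACL))            # slips past src/dst ACL
    print(forward("192.168.0.5", "192.168.0.10", "lan-public", ACL, rpf=True))  # dropped:rpf
```

The first call is the direct answer to the question in the first post: with NAT and the firewall off, the Archer forwards the public host's packet into the office subnet because it has a route for the destination, and nothing else is checked. The last two calls show why a src/dst rule on its own is not the whole story: a forged office source address does not match the "from 192.168.1.0/24" rule, and only a check that ties the source address to the arrival interface (reverse-path filtering, or a rule of the form "drop anything arriving on the public interface whose source is not in 192.168.1.0/24") closes that gap.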

deanwebb

I like Otanx's ideas.

I like the one about putting the voice server on the 192.168.0.0 network the best. Least amount of messing things around that way.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

icecream-guy

Corporate and "guest" should never meet; both should have their own infrastructure for security's sake.
:professorcat:

My Moral Fibers have been cut.