Network security architecture help.

Phantum ([H]ard|Gawd; joined Jul 25, 2001; 1,716 messages)
So I switched the placement of my Untangle server and my pfsense box, but now when I do GRC's Shields Up test I get a fail in the category of ping reply (ICMP) but a pass or stealth on everything else. When I had the boxes in reverse order I got a complete pass...what gives?

I have an Actiontec GT704WG which is a modem/router/switch

My Actiontec modem acts as the NAT device so it goes.....

Modem: WAN (DHCP) -----> LAN (192.168.1.1) | Port 1 goes to Untangle

Untangle in transparent bridge mode: LAN (192.168.1.2) ----> LAN2 (bridge) to uplink on switch

Switch: Uplink to Untangle....port 1 to pfsense

pfsense: WAN (DHCP; 192.168.1.3) ------> LAN (192.168.10.1) The LAN connection goes into a netgear switch connecting all internal machines.

Is this the correct placement and setup? Everything connects and works and sees each other, but if I switch the placement of the pfsense & untangle boxes I get a full stealth analysis. So wtf? Any suggestions or comments?
 
Hold, so it goes:

--- Modem ------ Untangle ------ Switch ------ pfsense ------ Switch (internal) ---

Well, if the ping reply test fails when you put the pfsense box on the outside that suggests that it's set up to respond to WAN pings whereas the Untangle isn't, no?
 
Just seems like Untangle is not blocking pings, that's all. There is nothing to worry about there, and it could even be useful for troubleshooting externally.
 
Hold, so it goes:

--- Modem ------ Untangle ------ Switch ------ pfsense ------ Switch (internal) ---

Well, if the ping reply test fails when you put the pfsense box on the outside that suggests that it's set up to respond to WAN pings whereas the Untangle isn't, no?

The configuration is correct but when pfsense is on the outside I get a perfect....when Untangle is on outside it fails only the ICMP reply....

So is this configuration correct in terms of addressing and whatnot?

xtox: Just seems like Untangle is not blocking pings, that's all. There is nothing to worry about there, and it could even be useful for troubleshooting externally.

Ok so it's not a huge security hole or anything....?
 
The configuration is correct but when pfsense is on the outside I get a perfect....when Untangle is on outside it fails only the ICMP reply....

Oh right, just the other way around then? See if there's an option in Untangle to disable pings on the WAN interface?

Ok so it's not a huge security hole or anything....?

I believe it just means people can tell that your router is there, so might try portscanning you and such. AFAIK not much to worry about.
 
Is there a goal you have in this setup? IMO, double NAT'ing with a transparent bridge in between....I'd do everything I could to streamline that.

PFSense is a screaming performance champ, incredible QoS/Traffic Shaping...excellent for VoIP and online gaming 'n such.
Untangle is slow...really designed for business networks because of all its UTM features.

By having them both..you're losing the speed benefits of PFSense, if it matters to you. Actually having the ISP supplied gateway is the first bottleneck...I'd flip that to bridged mode so that your primary router (UT or PF) obtains the public IP on its WAN interface.
 
Is there a goal you have in this setup? IMO, double NAT'ing with a transparent bridge in between....I'd do everything I could to streamline that.

PFSense is a screaming performance champ, incredible QoS/Traffic Shaping...excellent for VoIP and online gaming 'n such.
Untangle is slow...really designed for business networks because of all its UTM features.

By having them both..you're losing the speed benefits of PFSense, if it matters to you. Actually having the ISP supplied gateway is the first bottleneck...I'd flip that to bridged mode so that your primary router (UT or PF) obtains the public IP on its WAN interface.

So at home you don't really gain much by having a two perimeter network? I'm not paranoid but one could say that I have a narrow minded approach to security meaning that I want the whole 9 yards. I like the idea of a network inside another so as to have two lines of defense. Is it kosher to run just the pfsense box? I want to use snort and possibly both Squid & HAVP.

EDIT: so then my next question is this....being that Untangle is running in transparent bridge mode....and taking into account the fact that bridges only operate on layers 1 & 2.....it's really not the best perimeter option? Or am I whistling Dixie?
 
Oh right, just the other way around then? See if there's an option in Untangle to disable pings on the WAN interface?

I believe it just means people can tell that your router is there, so might try portscanning you and such. AFAIK not much to worry about.

Thank you sir! After doing a little more fine-tuning on my Googling I found exactly what I was looking for.....however it didn't work! Whodda thought the "disable ping on all interfaces" option would still reply with an echo?!?!
 
Correct me if I'm wrong, but the perimeter is designed for having servers and so forth on public IP addresses. There's absolutely nothing wrong with having ICMP echo enabled, most of the skiddies anyways are just going to be nmapping large subnets, so even with ICMP blocked, they'll still see you around. If you're not running any server processes accessible to the Internet you have nothing to worry about.
 
Is there a goal you have in this setup? IMO, double NAT'ing with a transparent bridge in between....I'd do everything I could to streamline that.

PFSense is a screaming performance champ, incredible QoS/Traffic Shaping...excellent for VoIP and online gaming 'n such.
Untangle is slow...really designed for business networks because of all its UTM features.

By having them both..you're losing the speed benefits of PFSense, if it matters to you. Actually having the ISP supplied gateway is the first bottleneck...I'd flip that to bridged mode so that your primary router (UT or PF) obtains the public IP on its WAN interface.

Would 2nd this entire statement. I started out with Untangle at home. Slow and hated it. Pfsense is all I'm running now at home.

cymon said:
Correct me if I'm wrong, but the perimeter is designed for having servers and so forth on public IP addresses. There's absolutely nothing wrong with having ICMP echo enabled, most of the skiddies anyways are just going to be nmapping large subnets, so even with ICMP blocked, they'll still see you around. If you're not running any server processes accessible to the Internet you have nothing to worry about.

nmap -sV -P0 <ip address / domain>. Works every time.
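A worked illustration of that point, added here and not part of the thread (the probe code is mine and uses only Python's standard library): a host that has blocked ICMP echo still gives itself away the moment any TCP port answers, whether with a SYN/ACK (open) or an RST (closed). That is all a ping-less scan such as nmap -Pn needs. Only a device that silently drops everything, which is what Shields Up reports as "stealth", produces the same silence as an empty address. The demo runs against 127.0.0.1 with one constructed listener and one constructed closed port, so no probe leaves the machine.

```python
import socket

# Added example (not from the thread): infer that a host is up from TCP
# answers alone, which is what a ping-less scan such as nmap -Pn relies on.


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port the way a connect scan does.

    'open'     -> SYN/ACK came back (something is listening)
    'closed'   -> RST came back (nothing listening, but the host answered)
    'filtered' -> nothing came back before the timeout (silently dropped)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        # EHOSTUNREACH / ENETUNREACH and friends: no answer from the target itself
        return "filtered"
    finally:
        sock.close()


def scan(host: str, ports, timeout: float = 1.0) -> dict:
    """Probe each port and return {port: state}."""
    return {port: tcp_probe(host, port, timeout) for port in ports}


def host_is_up(results: dict) -> bool:
    """Any reply at all, RST included, proves a host is there. ICMP never enters into it."""
    return any(state in ("open", "closed") for state in results.values())


def loopback_demo() -> dict:
    """Constructed, offline demonstration on 127.0.0.1.

    One socket listens (will show 'open'); a second socket is bound only to
    learn a free port number and is then closed, so the kernel answers probes
    to it with RST ('closed'). Both answers mark the host as up even though
    no ICMP echo was ever sent.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    placeholder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    placeholder.bind(("127.0.0.1", 0))
    closed_port = placeholder.getsockname()[1]
    placeholder.close()  # nothing listens here now

    try:
        results = scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()

    return {
        "open_port": results[open_port],
        "closed_port": results[closed_port],
        "host_is_up": host_is_up(results),
    }


if __name__ == "__main__":
    print(loopback_demo())
    # Only a result set in which every port is 'filtered' looks like no host at all:
    print(host_is_up({80: "filtered", 443: "filtered"}))
```

Read against the thread: hiding the ICMP echo reply removes one signal, but a NAT router that answers any TCP probe, even with a plain RST, is still visibly there, which is why "stealth" (drop, not reject) is the result Shields Up rewards and why blocking ping alone buys very little.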
 
Thanks to everyone!!! I've been up for 28hrs and working on this particular project for about 18 of those hours....so my current setup is as follows....

Modem--->pfSense---->internal network

pfSense runs Squid....hoping to set up HAVP and/or snort. Is (AV) scanning on HTTP traffic worth it at home? I mean statistically speaking. Like I've stated previously, all these extra layers of security make me feel better about being connected, but if they're unnecessary then...that's that I guess. Thanks fellow H|F'ers (like heffers).
 