.

network router opinions on (security)

<<

rvs

Jr. Member
Jr. Member

Posts: 94

Joined: Wed Jan 28, 2009 9:40 pm

Post Wed Apr 28, 2010 9:29 pm

network router opinions on (security)

I need opinions:
would you think a FVs318 Firewall VPN router is sufficient for a SOHO it has a logging capabilities of Public IP's that are scanning or attempting to break-in to a network? not full IDS /IPS correct me if I am wrong.

Would you opt to use a wrt54Gs with firmware of ddwrt with link logger installed on separate host.
Previous setup was BEFSR41 and every time internet is breaking up whole network is fct up. Its hard to convince management since IT investment is not really there focus. Would you say that hw is obsolete.

Honestly its rudeness that I don't like the  IT head itself wants no change... he just pulled out the plug without telling us. He is always out/ away.... but when he sees somethings.. he doesn't like boom no net.... fuck network cant argue if ur the son of the boss aight. I just want to share my frustration.

What is the best network set-up or any network diagrams or best practice for a network.

that's all I got I have to improvise if no budget ....

would you prefer other network box? 
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Wed Apr 28, 2010 10:21 pm

Re: network router opinions on (security)

rvs

I haven't used the netgear before. But a little more information first. How are you getting your network connection? Is it a business DSL / Cable Modem, a Fractional T1 or full T1? Basically how is the office connected to the net?

Second, what is the Internet connection used for? when the network goes down, does it just cause problems with people doing non-work things (email, checking the weather, etc) or does it actually prevent customers from reaching you?

First thing I'd do would be get some kind of logging and metrics showing traffic and the possibly of lost revenue because the network is down. Point out that almost everything on the market today has a web page associated with it, used as a cheaper form of advertising than buying a commercial on tv.

Maybe not best practice, nor the best way to do it, but here is something I did in the past that might work for you.

I once supported a remote office in Ohio. Small College town, but the plant was too far from town to get any kind of real service. The best we were able to do was an over priced and slow ADSL connection. It had to support the computer network, VPNing in to our network with a client connection, the VOIP system, and their non-work related traffic that didn't go over the VPN. The network was the DSL endpoint, with a built in firewall and then our PIX firewall.

The person that set it up, could get client connections (pix to our ASA) with VPN, but not a site (Pix) to site (ASA). Problem turned out to be the port forwarding on the DSL device (I found it after he left).

Anyway about 2 years after it was set up, our business partner (company B) made a deal with a third company (company X) to be on site at that locaiton.

I ended up splitting the DSL connection off the modem, 1 line going to our Pix, the other line going to a BEFSR41. I had to set up some NATing in both the DSL device and the Linksys to make everything work. But it worked pretty well. I used the DSL as a firewall, and the firewall option on the router. Defense in layers.

So that was basically a long way of saying, check how the connection terminates to you (if dsl or cable, it might have a firewall built in, take advantage of that as a first layer). Then make other configuration changes to the Linksys behind it. I've found that when I had a linksys router (Comcast at home, no firewall on the comcast cable modem) it would freeze up at times due to being overwhelmed with traffic (usually port scans to my external static ip address).

Don't trust the switch in the linksys, put a work group switch behind it (I did that for company X) that way the internal network can at least stay up.

Getting the wireless or the VPN option wouldn't be worth it, if you're not going to use it. And having it will cause management to want to start pushing to use those features. Just a waste of money basically. I do like the idea of having a syslog server for centralized logging though.

If you don't mind using Used out dated equipment, you can get a decent cisco router and cisco 24 port switch used off Ebay for less than what either device you're looking getting would sell for. That's how I built my last CCNA lab, 3 cisco 2900 switches, and 3 cisco 2500 routers. Can't do VLANs, but might work for what you need.
Last edited by rattis on Wed Apr 28, 2010 10:27 pm, edited 1 time in total.
OSWP, Sec+
<<

What90

Full Member
Full Member

Posts: 120

Joined: Sat Jun 09, 2007 2:23 am

Location: Syndey, Australia

Post Wed Apr 28, 2010 11:12 pm

Re: network router opinions on (security)

Has he bought and installed the Linksys already?

If he haven't, you may want look at Astaro http://www.astaro.com/ instead as it has more options for the monitoring you suggesting you need.

If you need more logging, use an old pc and install Snort. Connect the snort box up between the internal network and the firewall, that way you can monitor what's going in an out of the network.
So:

Firewall
    |
SNORT
    |
internal network
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Wed Apr 28, 2010 11:20 pm

Re: network router opinions on (security)

@What90 the BEFSR41 is a linksys router, without wifi

I've had the WRT54G (wifi model), and saw some of the same problems with the external connection getting flooby when doing lots of traffic (downloading Linux DVD over torrent for example) or when getting port scanned by a bot net. Didn't have as much problem after I flashed the firmware to DD-WRT.

Something else to look into @rvs, see if there is a dd-wrt like image to install on it, or flash it with the latest linksys frimware available for that model. (flashing with the linksys firmwre helped for a while with my first wireless, but eventually upgraded it because the new model had more memory in it).
OSWP, Sec+
<<

What90

Full Member
Full Member

Posts: 120

Joined: Sat Jun 09, 2007 2:23 am

Location: Syndey, Australia

Post Wed Apr 28, 2010 11:59 pm

Re: network router opinions on (security)

Whoops -swap FVs318 Firewall VPN router for Linksys :-)

Thanks chrisj for the pick up!

One other minor point for SOHO offices - I always like to have systems with helpdesk support and fit to industry standards, so even the fist line support folks can troubleshoot it.  Any funky firmware should be avoid unless you like support calls day and night :-)
<<

rvs

Jr. Member
Jr. Member

Posts: 94

Joined: Wed Jan 28, 2009 9:40 pm

Post Thu Apr 29, 2010 12:25 am

Re: network router opinions on (security)

It's on the slowest Business DSL Connection. Anyways enough with the internet slowness... He is not convince that we have to upgrade to any T1 connection. Internet is being use for email, sending/receiving nurses notes, vpn connection to govt sites.

site is off-site; email is off-site basically all sys ad jobs is handled by domain sellers something I forgot the term of. "Usually when you bought a domain here in US you get to have and an email with your domain on it right?". Without them realizing that we could do it for them using open source. We just do back-up like low end help desk  jobs in the office.

Metrics as it seems I get to run cacti and monitor the the ins and outs of the LAN/WAN I showed it to him. Hoping that he would be impress with us. Inventory we automated it as well so basically everything is configurable as long as you have the time to read and practice it.


For VPNing  2 remote branches... that I was thinking of implementing a RAS/VPN dial up. Old school just for the heck of getting internet connection and just for updating systems on other end. Well rather than  paying 50$ per month give it to us or give us training damn!  sorry for the language.


First router was BEFSR41. The problem with this one is that it does not have any logging capabilities. Since we are not in any active directory/domain I just do not know if it has something to do with hosts not seeing each other using the work group settings of windowz. Upgrading it to WRT54Gs with DDWRT was a big leap. seeing the spikes on LAN/WAN. and integrating it with Cacti was cool. Seeing entire hosts on the nw except the macs.


Then my colleague got the interest in updating the FVS318 Netgear Firewall router. He wants to make it run for logging purposes and it has an email capabilities to send over if there are any alarming things going on. Well what we found out was overwhelming I do not know for sure (attempts; attacks; scan) It always say that it was dropped but I really got jumpy when port 3389 was being scan and being logged by wee hours.... most scans or attempts came from CH and RS. All of the routers.... where open with that port ,ever since management allowed finance audits to check-in. Not my bad ,its there decision even though, I really tried my best to inform them.


I  want to ask for you guys since you guys brought up the switch. Prioritizing with specific port number would go with Managed switch right? I did consulted it to one my buddies  and he said to me that It would increase the whole network performance. My IT head bought a netgear 24 port 10/100/1000mbps managed switch. and other dept has 1Gb managed switch. Still when accessing to local server with that app it is still slow. I did escalate it with the software vendor and I am pointing it out that we already bench mark it from windows xp and windows vista with 100mbps switch with 100 Ethernet card over 1Gb switch / Ethernet card still sluggish on accessing it. A manage switch that would be less expensive and non cisco would be a good deal.
<<

rvs

Jr. Member
Jr. Member

Posts: 94

Joined: Wed Jan 28, 2009 9:40 pm

Post Fri May 07, 2010 11:13 am

Re: network router opinions on (security)

guys any feed back would do... need opinions on this one. users are really complaining....  ???
<<

inf3kt1d

User avatar

Newbie
Newbie

Posts: 21

Joined: Mon Nov 09, 2009 8:59 pm

Post Fri May 07, 2010 12:57 pm

Re: network router opinions on (security)

Unless you are going to carve some VLANs I don't believe a managed switch would help speed up your network. It (sounds) like you are already running GB NICs and switches if I read your post correctly. The only advantage you are going to have from an unmanaged to a managed switch is the ability to VLAN. If you are looking to do that you may be able to pickup an HP Procurve for a lower cost than some of the other vendors out there.
When I've been tossed into Network App hell before it's usually been fixed by upgrading NICs to GB and implementing an unmanaged GB switch (most of our customers were CHEAP). Beyond that it has usually been on the software's end. If the program runs on hostnames rather than IP addresses you could try testing a custom HOSTS file mapped to the correct IPs per application server.
CEHv7
MCSA:Security
CompTIA Security+
CompTIA A+
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Fri May 07, 2010 1:08 pm

Re: network router opinions on (security)

For the local LAN side, if you're seeing app slowness, you really need to get a good packet trace, and see what's going on.  Do you have routing loops going on in the internal network (like from ARP table corruption or simply misconfigured equipment)?  Do you have errors on the NIC on the server or workstation, or on the switch ports?  These are all pretty straightforward things to look at, for the folks that have network analysis experience.  But if you're saying a locally-run app, on a Gig-E network is running slow, then you either have a network issue, or your server is overworked, or you have other problems with the way the app runs.  Either way, well-placed packet captures (server-side simultaneously with workstation-side) should help you determine where the slowness actually occurs, and help you pinpoint your issue.  (This is something I do ALL the time, with my clients.)

I think on the other questions you'd brought up, I'd have to agree with chrisj and What90's thoughts, and I too like the Astaro gateways, personally.
Last edited by hayabusa on Fri May 07, 2010 1:10 pm, edited 1 time in total.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Fri May 07, 2010 1:16 pm

Re: network router opinions on (security)

inf3kt1d wrote:Unless you are going to carve some VLANs I don't believe a managed switch would help speed up your network. It (sounds) like you are already running GB NICs and switches if I read your post correctly. The only advantage you are going to have from an unmanaged to a managed switch is the ability to VLAN. If you are looking to do that you may be able to pickup an HP Procurve for a lower cost than some of the other vendors out there.


There is more to a managed switch than setting up vlans. A proper managed switch will allow for logging, port spanning (port monitoring), port trunking (cisco calls it an etherchannel), spanning loop prevention, and speed configuration Auto/10/100/1000. (That's just off the top of my head).

As for the procurv, I wouldn't touch that if you paid me. I have several in my network right now, and as soon as I can afford to rip them out, I'm going to. They have been nothing but problems since we installed them in our network.
Last edited by rattis on Fri May 07, 2010 1:18 pm, edited 1 time in total.
OSWP, Sec+
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Fri May 07, 2010 1:29 pm

Re: network router opinions on (security)

rvs wrote:It's on the slowest Business DSL Connection. Anyways enough with the internet slowness... He is not convince that we have to upgrade to any T1 connection. Internet is being use for email, sending/receiving nurses notes, vpn connection to govt sites.

For VPNing   2 remote branches... that I was thinking of implementing a RAS/VPN dial up. Old school just for the heck of getting internet connection and just for updating systems on other end. Well rather than  paying 50$ per month give it to us or give us training damn!  sorry for the language.


First router was BEFSR41. The problem with this one is that it does not have any logging capabilities. Since we are not in any active directory/domain I just do not know if it has something to do with hosts not seeing each other using the work group settings of windowz. Upgrading it to WRT54Gs with DDWRT was a big leap. seeing the spikes on LAN/WAN. and integrating it with Cacti was cool. Seeing entire hosts on the nw except the macs.



I'll probably end up spamming this thread.

You can get partial T1s at all the sites, and set it up that way with an MPLS Meshed network. Some providers are supplying that now. Sprint and Paetec (I don't recommend Paetec, not happy with their service) come to mind. AT&Ts Opt-E-Man is similar.

If the sites are vpn and always up / connected to your site, I'd suggest a site-to-site vpn connection.

I did some googling on BEFSR41 and logging. you can set it up. http://www.google.com/search?hl=en&q=BEFSR41%20logging

I still say stop using the router for a switch. Might help with some of the problems you're seeing with the network slowness. Only so much memory to go around...

As Hayabusa said, do some network traces to see what's going on with the server connection. If you have cacti set up still, and the right configuration on the equipment, you can how much traffic is going across the port. Might look into ntop and some similar tools to see what's going on too.
OSWP, Sec+
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Fri May 07, 2010 2:06 pm

Re: network router opinions on (security)

I second what Chris said.  There is definitely more to managed switches than VLANs.  There is nothing more frustrating than a malfunctioning port or a network card.  These problem can be difficult to spot.  A managed switch can identify a port with excessive errors and collisions.  This certainly beats crawling around with a sniffer.  I never deploy unmanaged switches unless I absolutely have to. 

Also, not all gigabit switches are the same. 
~~~~~~~~~~~~~~
Ketchup
<<

inf3kt1d

User avatar

Newbie
Newbie

Posts: 21

Joined: Mon Nov 09, 2009 8:59 pm

Post Fri May 07, 2010 2:24 pm

Re: network router opinions on (security)

Chrisj and Ketchup bring up some very good points. I don't have a lot of experience outside of a Sonicwall/Procurv/Linksys products because the company that I worked for was STUCK in that business model. I didn't like the Procurv series much either, but I was just excited to get to touch a managed switch as our sales guy usually undersold our customers to unmanaged. I knew that managed switches could do more, but I just don't have the experience with their other features to say much  :'(
The packet trace is a really good idea because I have had a customer that had a Dell GX270 with a bad MB (blown caps) that was crippling the network... (is that light supposed to STAY solid???)
CEHv7
MCSA:Security
CompTIA Security+
CompTIA A+
<<

rvs

Jr. Member
Jr. Member

Posts: 94

Joined: Wed Jan 28, 2009 9:40 pm

Post Fri May 07, 2010 2:50 pm

Re: network router opinions on (security)

Hey i have to read all your comments and thank you so much for that. I know its not to much of a security and all. I really appreciate your concern. Just one quick glance on what's happening. Server side only run the Advantage database its using a UDP connectionless so its more of reliability over performance. App could run server side and client side  I've been reading the packets for quite sometime and I believe we really have to over haul how the network should be implemented, there are a lot of things going on etc... Well I asked the software vendor and they said one of the agencies upgraded there db and performance was impressive. It is really hard what comes in to play ... what I mean is management. I'll review your advice on what happens... thanks guys.

really help me on this one.

Return to Opinions

Who is online

Users browsing this forum: No registered users and 0 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software