I have a small business/home setup using the 60D directly connected to Xfinity using a DCP3010 Cisco modem.
While I like limiting Comcast updates to a dumb modem I get tons of unwanted intrusion attempts on the 60D firewall.
I'm thinking of adding a small router in front of the 60D to drop all that traffic but can't decide which router would best suit the job. I do not want to break or slow down the 60D's IPSec VPN. Any one have experience with this and recommendations?
Ben
Why add more pieces to the puzzle?
You have one of the best SOHO/SMB firewall on the market. Block the traffic at the firewall. if it's authentication intrusion such as ; brute-force or dictionary, denied the access via trusthost or by moving the management ( allowacess ) from the untrusted interface.
If it's an inside server that's being bashed, you can deploy a IPS and a simple custom rule.
Ken
PCNSE
NSE
StrongSwan
When there is daily outbound activity on LAN through the WAN interface the intrusion attempts are not a problem and get mixed in with all the other traffic on the WAN interface (it's about half of the logged traffic). When I leave for a week or 2 the intrusion traffic saturates the WAN interface. The 60D actually responds to some of that traffic - like dhcp relay and others so while I would like to say the 60D manages everything perfectly, I think I'd be more comfortable if I filtered (dropped) all that traffic before it hit my F/W which is the sole means of entry into my LAN. Maybe I'm just paranoid.
Paranoid can be good if you take the right measures. Replacing a firewall with a router on the frontline is not one of them.
Chances are that either the router will reboot under heavy attack, compromising your internet access, or that it can be cracked as seen in the past (D-Link, AVM, ...).
I've got the impression that seeing all those log entries makes you nervous. It shouldn't. Cut down the amount of logging on the WAN interface. It's only natural that your gateway will be under attack, just like nearly all the others.
IMHO I cannot believe that IPS attacks will saturate your WAN link. If really so, you've got a huge problem which can only be solved at the next instance upstream, i.e. your ISP. Replacing the target with some unsafe device will not throttle the amount of unwanted traffic - how so?
Very wise words from Ede.
If you apply "BCP"s and secure the WAN interface, your concerns should be minimized. I can't see any router providing you any additional security function imho.
ken
PCNSE
NSE
StrongSwan
Understood, thanks guys,
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1735 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.