ben
New Contributor

Router compatibility with 60D

I have a small business/home setup using the 60D directly connected to Xfinity using a DCP3010 Cisco modem.

While I like limiting Comcast updates to a dumb modem I get tons of unwanted intrusion attempts on the 60D firewall.

I'm thinking of adding a small router in front of the 60D to drop all that traffic but can't decide which router would best suit the job. I do not want to break or slow down the 60D's IPSec VPN. Anyone have experience with this and recommendations?

Ben
emnoc
Esteemed Contributor III

Why add more pieces to the puzzle?

 

You have one of the best SOHO/SMB firewalls on the market. Block the traffic at the firewall. If it's an authentication intrusion such as brute-force or dictionary, deny the access via trusthost or by moving the management (allowaccess) from the untrusted interface.

 

If it's an inside server that's being bashed, you can deploy an IPS and a simple custom rule.

 

Ken

PCNSE NSE StrongSwan
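One way to apply the trusthost / allowaccess advice above on a 60D, as an added FortiOS CLI example that is not from the original thread: the first block shows the weak state with management services answering on the Internet-facing port, the second the hardened state. The interface names wan1 and internal, the admin account name admin, and the LAN subnet 192.168.1.0/24 are assumptions for this illustration.

```text
# --- Weak: management services reachable from the Internet (assumed wan1) ---
config system interface
    edit "wan1"
        set allowaccess ping https ssh http
    next
end

# --- Hardened: no management services on wan1; keep them on the LAN side ---
config system interface
    edit "wan1"
        unset allowaccess
    next
    edit "internal"
        set allowaccess ping https ssh
    next
end

# Limit admin logins to trusted source addresses (assumed LAN 192.168.1.0/24);
# login attempts from any other source are rejected before authentication.
config system admin
    edit "admin"
        set trusthost1 192.168.1.0 255.255.255.0
    next
end

# Check the result
show system interface wan1
show system admin admin
```

Removing management services from wan1 does not touch the IPsec VPN, which is terminated by the phase1/phase2 configuration rather than by allowaccess, so the tunnel keeps working after this change.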
ben
New Contributor

When there is daily outbound activity on LAN through the WAN interface the intrusion attempts are not a problem and get mixed in with all the other traffic on the WAN interface (it's about half of the logged traffic). When I leave for a week or 2 the intrusion traffic saturates the WAN interface. The 60D actually responds to some of that traffic - like dhcp relay and others so while I would like to say the 60D manages everything perfectly, I think I'd be more comfortable if I filtered (dropped) all that traffic before it hit my F/W which is the sole means of entry into my LAN. Maybe I'm just paranoid.

Ben
ede_pfau
SuperUser

Paranoid can be good if you take the right measures. Replacing a firewall with a router on the frontline is not one of them.

Chances are that either the router will reboot under heavy attack, compromising your internet access, or that it can be cracked as seen in the past (D-Link, AVM, ...).

I've got the impression that seeing all those log entries makes you nervous. It shouldn't. Cut down the amount of logging on the WAN interface. It's only natural that your gateway will be under attack, just like nearly all the others.

 

IMHO I cannot believe that IPS attacks will saturate your WAN link. If really so, you've got a huge problem which can only be solved at the next instance upstream, i.e. your ISP. Replacing the target with some unsafe device will not throttle the amount of unwanted traffic - how so?

Ede Kernel panic: Aiee, killing interrupt handler!
emnoc
Esteemed Contributor III

Very wise words from Ede.

 

If you apply BCPs and secure the WAN interface, your concerns should be minimized. I can't see any router providing you any additional security function imho.

 

Ken

PCNSE NSE StrongSwan
ben
New Contributor

Understood, thanks guys.

Ben