How to secure my network


antioch18

I will be switching home ISPs soon and the new provider offers static IP addresses (as opposed to the dynamic NAT'ed one offered by my current) without any firewalling or NATs. I'm considering this option but first I'd like to understand what precautions I need to take if I were to go that route. I've always been behind ISP firewalls and NATs and as such am lacking in my knowledge of securing the gateway to my network beyond the basics.

I have the feeling that it will not be sufficient to simply: enable the firewall and DoS protection features on the router, and ensure that strong passwords are set on both the router and (for safety's sake) all services running on my local server. Note: I currently use a trusty ASUS RT-AC66U_B1 router running Asuswrt-Merlin firmware.

What more should I do and what additional precautions need to be taken?

Thank you for your recommendations!
 

BlueLineSwinger

I'd be really surprised if the ISP is giving you a large enough IPv4 subnet to support every device on your network. You're still going to have to run NAT on the router, it's just that its public IPv4 address will be fixed. Nothing really changes. Maybe you'll have a few more if you want to set up specific LAN devices with their own public IP (e.g., if you want to run some sort of server).

Anyways, if you were given a full IPv4 (or IPv6) subnet, it's generally enough to enable a firewall between it and the WAN on your router. Of course, any devices on your LAN that are capable of running their own firewall should as well. A Google search will bring up test sites to verify the firewall is working properly.
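
One way to check the "firewall between WAN and LAN" point raised in this thread, as an added example that is not part of any post: Asuswrt-Merlin's firewall is iptables-based, so a saved `iptables-save` dump can be audited offline for rules that admit unsolicited WAN traffic. The dump below is constructed, and the interface names `eth0` (WAN) and `br0` (LAN) are assumptions.

```python
import shlex

# Constructed `iptables-save` dump (not from a real router); eth0 = WAN, br0 = LAN (assumed).
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT
-A FORWARD -d 192.168.1.10/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

def _val(tok, flag):
    """Return the token that follows `flag`, or None if the flag is absent."""
    return tok[tok.index(flag) + 1] if flag in tok else None

def audit(dump, wan="eth0", chains=("INPUT", "FORWARD")):
    """List rules that accept unsolicited WAN traffic and chains that end in ACCEPT.
    Jumps to user-defined chains are not followed; review those by hand."""
    policy, closed, findings = {}, set(), []
    for line in dump.splitlines():
        if line.startswith(":"):                       # ":CHAIN POLICY [pkts:bytes]"
            name, pol = line[1:].split()[:2]
            policy[name] = pol
        if not line.startswith("-A "):
            continue
        tok = shlex.split(line)
        chain, target = tok[1], _val(tok, "-j")
        if chain not in chains or chain in closed:     # rules after a catch-all never match
            continue
        if len(tok) == 4 and target in ("DROP", "REJECT"):
            closed.add(chain)                          # unconditional drop closes the chain
            continue
        states = _val(tok, "--state") or _val(tok, "--ctstate")
        replies_only = states is not None and "NEW" not in states.split(",")
        in_if = _val(tok, "-i")
        from_wan = in_if in (None, wan) or "!" in tok  # negated matches: assume WAN
        if target == "ACCEPT" and from_wan and not replies_only:
            findings.append(("wan-accept", chain, line))
    for chain in chains:
        if policy.get(chain) == "ACCEPT" and chain not in closed:
            findings.append(("default-accept", chain, None))
    return findings
```

Calling `audit(SAMPLE)` reports the two constructed WAN-facing openings (the port 8443 rule and the forward to 192.168.1.10:22); each reported rule should correspond to a service that is meant to be reachable from the internet.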
 

antioch18

Ah, I'm sorry for not being specific. I still have to put in a call to the customer service and see what exactly is promised in the brochure, but I agree, my reading of it looks like there will just be one fixed public IP, and yes, I'll need to NAT with my router.

So, it really is as simple as ensuring that the firewall on the router between WAN/LAN is enabled and configured correctly? (And to your note, I've already got firewalls enabled on the local devices that support them)
 

RTM

It all really depends on your ambition level and the type of network you are looking to protect.

If your ambition level is low and it is a home network, it is probably sufficient to use your home router; the biggest issue is that you have to ensure that you update the software, so vulnerabilities are patched. I have no idea about the quality of that firmware (other than the fact that it is based on Asus' own, which is not a positive thing IMO - but that is just my own subjective opinion, not based on hard facts), so I suggest you spend a bit of time looking into it to get a feel for it.

If your ambition is to learn more or just play with something a bit more powerful, then I suggest you get something a bit more beefy than what you have. In fact, if you use that connection for work/server stuff, I think that is something you should do. A way of accomplishing this could be to buy/build an x86-based machine and install a firewall distribution on it.

A fairly inexpensive (and thus popular) way of doing this in terms of hardware is to buy a "HP T620 plus" (it is a thin client computer that has a PCIe slot) and install a 4-port gigabit NIC in it. If you look around the forum, there are plenty of posts about this solution (there are better options too). In terms of software, pfSense (a firewall distribution based on FreeBSD) is also a popular choice.

At the end of the day, you have to make up your mind as to what you want :)
 

newabc

pfSense + pfBlockerNG + Suricata IPS + Snort rules (if you still have budget, you can subscribe to Snort rules other than its free rules, which are 1 month older than the subscription version).
 

RTM

I should probably mention that the setup with pfSense implies that you use a separate access point (such as your ASUS router in AP mode); pfSense is less than ideal for that, so while it can be done it is not recommended. If you need to have a single all-in-one device, you will probably want to run something else software-wise (OPNsense is similar in this aspect).
 

dandanio

First of all, don't trust no software firewalls, they are mostly garbage. Second, don't trust no woman, (wait, no) hardware firewalls. Nowadays, try different solutions, one that you are comfortable with. Read about all those NAT implementations: full-cone, restricted-cone, port-restricted cone etc. and make an informed decision. pfSense is only one player in a huge market. Good luck.
 