Hello,
I bought a couple of Juniper EX2200-C switches and I am wondering how secure it would be if I had one of them configured as follows:
1) An "Internet" vlan
1a Port) My cable modem connected to one port (ge-0/0/0) with an IP on that port so the NIC is the client according to my ISP.
1b Port) The WAN interface of a pfSense VM (Proxmox most likely)
1c Port) A honeypot possibly with Snort or something (just curious what I would see)
2) A "Router" vlan
2a Port) The LAN interface of the pfSense VM (Proxmox)
2b Port) The WAN interface of my Asus RT-AC86U - Potentially shutting off the firewall to see if I can increase throughput to get closer to full 1Gb internet
2c Port) Occasional connection to verify internet issues - bypass the Asus and pass only through the pfSense VM
3) Other vlans that would only be accessible by routing through the Asus and static routes to the vlan interface IPs on the EX2200-C
I'm not sure if exposing the EX2200-C to "the wild internet" could allow a hack to breach Junos and then bypass the pfSense VM firewall, etc. and then hack the Asus so my whole home network would be exposed.
I also have considered just using a "dumb" Netgear 4-port switch to connect the cable modem and pfSense WAN interface so everything else is "air gapped" and they would have to hack the pfSense VM via the WAN interface. If the hack is that good, I'm not going to stop it anyway. Would the air-gap be SIGNIFICANTLY more secure? I can configure the EX2200-C port security to the extent possible but I don't know if that would still be easy enough that automated scans/hacks might identify it as a weak point, etc.
Sorry for the long post and thanks in advance for any input.
RichMD
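One way to lay out the VLANs described above in Junos so that the switch itself is never addressable from the modem side, which is the main thing that decides whether the switch becomes a target rather than a piece of wire. This is an added example, not the poster's configuration; the VLAN IDs, every port other than ge-0/0/0, and the 10.0.99.0/24 management subnet are assumptions.

```junos
## Added example (not from the original post). EX2200 non-ELS syntax.
## Key idea: the "internet" and "router" VLANs are Layer 2 only, so the
## switch has no IP address, and therefore no attack surface, on them.

## Internet VLAN: modem, pfSense WAN, honeypot. No l3-interface on purpose.
set vlans internet vlan-id 10
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access vlan members internet
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access vlan members internet
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access vlan members internet

## Router VLAN: pfSense LAN and the Asus WAN port. Also Layer 2 only.
set vlans router vlan-id 20
set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode access vlan members router
set interfaces ge-0/0/4 unit 0 family ethernet-switching port-mode access vlan members router

## The switch's only IP lives on a dedicated management VLAN (assumed 10.0.99.0/24)
## that is reachable from the inside only.
set vlans mgmt vlan-id 99 l3-interface vlan.99
set interfaces vlan unit 99 family inet address 10.0.99.2/24
set interfaces ge-0/0/11 unit 0 family ethernet-switching port-mode access vlan members mgmt

## Protect the routing engine: only the management subnet may talk to the switch,
## everything else aimed at the switch's own addresses is discarded and logged.
set firewall family inet filter protect-re term allow-mgmt from source-address 10.0.99.0/24
set firewall family inet filter protect-re term allow-mgmt then accept
set firewall family inet filter protect-re term deny-rest then log
set firewall family inet filter protect-re term deny-rest then discard
set interfaces lo0 unit 0 family inet filter input protect-re

## Management services: SSH only, no web UI or telnet.
set system services ssh protocol-version v2

## Shut ports that are not in use so nothing unplanned joins a VLAN.
set interfaces ge-0/0/5 disable
set interfaces ge-0/0/6 disable
```

With this layout, traffic from the modem can only be switched to the pfSense WAN port or the honeypot; there is no address on the switch for an automated scan to find on that VLAN, and the management VLAN stays behind the Asus and pfSense.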