Question Managed Switch Vs Router/Firewall

[deepan88]

Hi all,

So VM have just sent me their SH3 due to wifi drop-outs with their SH2AC.

I need some more ethernet(RJ45) ports8 minimum, 16/24 perferred, for IoT items and stuff, but need to retain my wireless capabilities. I would also like to set up some Vlans for separating certain bits of traffic, enable remote access to my QNAP with it's personal cloud, but block incoming traffic to port 8080 (ideally set up a loop that goes back on itself - to ward of ddos, or phishing attacks). I also have a paid VPN service that will need to be configured on the router end of the kit, so not sure if the SH3 lets me do that, as their previous bits of kit didn't. would a cheap asa5505 do the job or is there an equivalent that also has wifi capability?

whats the best option?

If it's all BS and i need to just by a dumb switch and the SH3 itself can handle everything then please say so.

Thanks
Deepan

 

[lonsdale50]

Can't comment on VM as use BT fibre here however all I would say is that using managed switches is fine for the vlans but I would recommend against using ACLs on the managed switches for security (unless security requirements are very basic). Instead use firewalls to secure the traffic between vlans (eg as you've suggested Cisco ASA or linux iptables or pfsense etc).

 

[Chester]

Separating certain bits of traffic? That's pretty vague.

Does the VM SH3 support VLANs and SSIDs? I doubt it but thought I'd ask as this could be key to your decision making.

However, if you want 'proper' security at the network perimeter then I'd suggest you'd have no choice but to put the router in modem mode and use a firewall as @lonsdale50 suggests. This would necessitate other WiFi APs as well but would provide control and visibility of your traffic.

If you have a layer 7 firewall, there's no need for anything more than a layer 2 switch unless you want some of the layer 3 functions to be performed by the switch instead, but this will come at increased costs. It will need to be a layer 2 managed switch unless you plan on using multiple interfaces on your firewall to separate unmanaged switches for each network.

 

[mickevh]

As others have suggested I think we need to tease out the details of your requirements a little more, of which, more later.

The basic question posed in the thread title "switch versus router/firewall" is a false dichotomy - you will need both (or at least the functionality of both) and there's a few variation on how it can be done. The options are confused, not least because there's "function creep" between devices - e.g. there are "switches that can route" and "routers that can switch."

"Routers" are not necessary to "do Wi-Fi." Wi-Fi is availed by something called Access Points (AP,) sometimes called Wi-Fi Access Points (WAP's.) There's a basic AP built in to the SOHO get-you-on-the-Internet omni-box often (somewhat erroneously) called a "router."

If both your networks (known as "sub-nets" in IP jargon) are going to require Wi-Fi it may be that you need multiple AP's to serve each LAN (VLAN) or AP's that can advertise multiple SSIDs bound to separate VLAN (rare in SOHO routers as Chester indicates) or possible you'll need some inter-LAN routing with ACL's (though I wouldn't do it that way.) Again, depends on the details of your requirements.

By default SOHO routers (or at least the firewalls in such devices) block all inbound connections on all ports, so you don't need to worry about doing anything "special" to avert Internet attacks. Indeed, to allow inbound connections you have to go out of your way to allow traffic in which is what "port forwarding" rules are about.

Sadly there's not much you can do about DDOS attacks as by definitions, they work by flooding the connection to you router with traffic preventing anything else "getting through." By the time DDOS traffic has reached your router, it's already "too late" to do anything about it.

Phishing works by a different "attack vector" and SOHO routers usually aren't sophisticated enough to spot it.

I submit it's bad idea to try and "reflect" attack vectors back to the originator (even if you could as it's often masqueraded to prevent detection) and instead do what you do with cold callers and the like - do nothing say nothing and just put the phone down. In data networking terms, that means silently discarding the traffic, and your (SOHO) router almost certainly does that already out of the box.

We need to understand what traffic flows you expect between your subnets (if any) as that may affect to optimum design.

Finally, with multiple subnets, one needs to consider how you get IP addresses to devices on each, especially if you intend to use DHCP. You may need multiple DHCP Servers or a DHCP Server that can serve multiple "scopes" and possibly some "DHCP Relay" agents (don't worry about all that terminology for now - the techies will understand what it all means.)

I suggest a way forward is to get you to draw out a diagram (it doesn't have to be pretty) showing each LAN/subnet you envisage (don't worry about LAN's versus VLAN's for now) what devices you envisage homed on each LAN/subnet (again, no need to list all, just show the important ones,) what traffic flows you expect between each LAN/subnet and between each LAN/subnet & the Internet, which LAN/subnet's require Wi-Fi connectivity. The we can chew the fat over that a little.

Note to self/others - if requires more than a can be satisfied with a typical SOHO setup with some port forwards, maybe an "onion layer" DMZ type design with an "inner" and "outer" subnet might be suitable and hopefully achievable with cheap SOHO gear (through possible a DD-WRT'd "inner" router so we can knock out the NAT and possibly the fwall between the internal subnets.)

ISP---RO---LAN1---RI---LAN2

 

[ChuckMountain]

VM SH3 is pretty dumb, you certainly can't do a lot of the things you want to do.
Even when logging in the admin password is in a clear text box

As others have stated need to identify what you want to do.

For example if you want to have your IoT on a separate VLAN that might work from a security point of view. However if you want to use your Smartphone to control them you may need to enable broadcasting or have them on the same VLAN as your regular WiFi clients.

 

[deepan88]

Can't comment on VM as use BT fibre here however all I would say is that using managed switches is fine for the vlans but I would recommend against using ACLs on the managed switches for security (unless security requirements are very basic). Instead use firewalls to secure the traffic between vlans (eg as you've suggested Cisco ASA or linux iptables or pfsense etc).

my security requirements are pretty basic, loopback address for any incoming 8080 traffic back to google. i'm not hosting a webserver so don't need any incoming http traffic.

Separating certain bits of traffic? That's pretty vague.

Does the VM SH3 support VLANs and SSIDs? I doubt it but thought I'd ask as this could be key to your decision making.

However, if you want 'proper' security at the network perimeter then I'd suggest you'd have no choice but to put the router in modem mode and use a firewall as @lonsdale50 suggests. This would necessitate other WiFi APs as well but would provide control and visibility of your traffic.

If you have a layer 7 firewall, there's no need for anything more than a layer 2 switch unless you want some of the layer 3 functions to be performed by the switch instead, but this will come at increased costs. It will need to be a layer 2 managed switch unless you plan on using multiple interfaces on your firewall to separate unmanaged switches for each network.

I mean separating visitors web browsing and keeping my networked computers and NAS traffic separated. Separate vlans that do not intersect ideally.

As others have suggested I think we need to tease out the details of your requirements a little more, of which, more later.

The basic question posed in the thread title "switch versus router/firewall" is a false dichotomy - you will need both (or at least the functionality of both) and there's a few variation on how it can be done. The options are confused, not least because there's "function creep" between devices - e.g. there are "switches that can route" and "routers that can switch."

"Routers" are not necessary to "do Wi-Fi." Wi-Fi is availed by something called Access Points (AP,) sometimes called Wi-Fi Access Points (WAP's.) There's a basic AP built in to the SOHO get-you-on-the-Internet omni-box often (somewhat erroneously) called a "router."

If both your networks (known as "sub-nets" in IP jargon) are going to require Wi-Fi it may be that you need multiple AP's to serve each LAN (VLAN) or AP's that can advertise multiple SSIDs bound to separate VLAN (rare in SOHO routers as Chester indicates) or possible you'll need some inter-LAN routing with ACL's (though I wouldn't do it that way.) Again, depends on the details of your requirements.

By default SOHO routers (or at least the firewalls in such devices) block all inbound connections on all ports, so you don't need to worry about doing anything "special" to avert Internet attacks. Indeed, to allow inbound connections you have to go out of your way to allow traffic in which is what "port forwarding" rules are about.

Sadly there's not much you can do about DDOS attacks as by definitions, they work by flooding the connection to you router with traffic preventing anything else "getting through." By the time DDOS traffic has reached your router, it's already "too late" to do anything about it.

Phishing works by a different "attack vector" and SOHO routers usually aren't sophisticated enough to spot it.

I submit it's bad idea to try and "reflect" attack vectors back to the originator (even if you could as it's often masqueraded to prevent detection) and instead do what you do with cold callers and the like - do nothing say nothing and just put the phone down. In data networking terms, that means silently discarding the traffic, and your (SOHO) router almost certainly does that already out of the box.

We need to understand what traffic flows you expect between your subnets (if any) as that may affect to optimum design.

Finally, with multiple subnets, one needs to consider how you get IP addresses to devices on each, especially if you intend to use DHCP. You may need multiple DHCP Servers or a DHCP Server that can serve multiple "scopes" and possibly some "DHCP Relay" agents (don't worry about all that terminology for now - the techies will understand what it all means.)

I suggest a way forward is to get you to draw out a diagram (it doesn't have to be pretty) showing each LAN/subnet you envisage (don't worry about LAN's versus VLAN's for now) what devices you envisage homed on each LAN/subnet (again, no need to list all, just show the important ones,) what traffic flows you expect between each LAN/subnet and between each LAN/subnet & the Internet, which LAN/subnet's require Wi-Fi connectivity. The we can chew the fat over that a little.

Note to self/others - if requires more than a can be satisfied with a typical SOHO setup with some port forwards, maybe an "onion layer" DMZ type design with an "inner" and "outer" subnet might be suitable and hopefully achievable with cheap SOHO gear (through possible a DD-WRT'd "inner" router so we can knock out the NAT and possibly the fwall between the internal subnets.)

ISP---RO---LAN1---RI---LAN2

ok, so i don't think i'll have enough traffic to warrant multiple dhcp servers, so that can be avoided.

the only way i can think to mitigate ddos attacks - would be to specify when traffic goes over a particular level to block packets from that IP.

I'd have to setup two Vlans (home/myself and visitors) two wifi APs for each vlan (might be easier with two SSIDs in a standard wifi router maybe?

Majority of the incoming traffic would go to/from my NAS, or me tunnelling to my terminal server and labbing for pending CCNA R&S. (when i figure out how to configure the terminal server that is)

Ideally the hardware plan would be:

ISP -- VM SH3(modem mode only) - Hardware Firewall - Managed Switch+WiFi Access Point - end users

Is one able to plug a wifi access point into a managed switch? or would i plug it directly into the firewall?

LinITX APU 2C (3NIC+USB+RTC) pfSense mSATA Firewall Kit - Red - Firewall with 802.11n capability

this is all providing i can't buy something off the shelf that has 8/16 ports, WiFi and decent Firewall capabilities built in.

 

[ChuckMountain]

You haven't said a budget but I have a SuperHub 3 in Modem Only mode connected to a Linksys LRT224 Load balanced router with a backup ISP.

Into I have a managed switch with 3 VLANs (one main, one guest and one stuff) and one UniFi access point which is VLAN aware so can have different SSIDs on different VLANs.

I have a DHCP server with multiple scopes to provide for the different VLANs. Otherwise it will get really confusing.

Just remember the more devices the more electricity you use and the higher your bill we be.

 

[deepan88]

You haven't said a budget but I have a SuperHub 3 in Modem Only mode connected to a Linksys LRT224 Load balanced router with a backup ISP.

Into I have a managed switch with 3 VLANs (one main, one guest and one stuff) and one UniFi access point which is VLAN aware so can have different SSIDs on different VLANs.

I have a DHCP server with multiple scopes to provide for the different VLANs. Otherwise it will get really confusing.

Just remember the more devices the more electricity you use and the higher your bill we be.

Budget, i would say at the moment, probably around the £150 mark, but can go up if the right device(s) was identified.

The LRT224 looks like a great device, but with only 4 sockets, doesn't do what i need it to do (need at least 6 sockets - NAS, Sky, PS4, work laptop, smart home devices (2))

I've seen a NetGear Wireless VPN firewall that might do the trick.

Thanks
Deepan

 

[ChuckMountain]

Yep the LRT224 is primarily a router, partners quite nicely with other equipment in the range.

I bought a nice 24 port PoE switch of eBay and replaced the fans with something quieter.

Personally I would look at a separate WAP or two and not go for everything integrated.

 

[deepan88]

Is it possible to have this?

ISP - Hardware Firewall+WAP - Managed Switch - End Users etc?

i think the more devices i have the greater chance of me either getting something wrong and cancelling out config, one acl accept here, one acl deny there...asking for a kick in the crown jewels.

it's a crying shame that VM don't offer products themselves. i bet there are loads of people that need more than just 4 ports, or more than just joe bloggs router.

 

[ChuckMountain]

Nothing you have suggested so far requires a hardware firewall and ordinarily you would configure the VLANs on the managed switch along and connect the WAPs to the switch.

VM don't offer it because the majority of people don't need, those requiring more ports buy a £15 8 port gigabit switch or better as required. They don't want to train their "support" desk to handle additional queries more than have you rebooted your router?

You don't mention if you game or anything like that but most SOHO routers support UPnP which will open ports as required without any interaction. Something I don't particularly like.

Also not sure why you think you think redirecting traffic on port 8080 will solve a DDOS. If anything it gives you router more work to do than not responding to packets.

The LRT224 allows you to configure OpenVPN etc on the router and supports greater than the capacity of the BB at the moment.

 

[deepan88]

Chuck,

The redirection of traffic has nothing to do with DDOS, thats what the firewall is for.

 

[ChuckMountain]

but block incoming traffic to port 8080 (ideally set up a loop that goes back on itself - to ward of ddos, or phishing attacks).

The redirection of traffic has nothing to do with DDOS, thats what the firewall is for.

Sorry got confused by your posts then as that how I read you were wanting it.

Why specifically are you mentioning about 8080 and why that particular threat vector?

 

[mickevh]

On DDOS - nothing you can do your end will address it:

Imagine a hose pipe stretching from me to you. I'll pour water into at my end so fast that it completely consumes the pipes capacity. You cannot pour in any water at your end and no one else can add any my end- the pipe is filled by me.

There's nothing you can do at your end of the pipe to "fix" the problem - it relies on me no longer consuming the capacity of the pipe.

Translate that to your Internet service - there's nothing you can do to stop traffic being sent down the line to you. By the time any DDOS packets have reached you (your routers WAN interface,) it's already "done it's job" of consuming all the capacity of your link thereby denying anything else any access. If you wanted to "throttle" the traffic flow when it's above a certain threshold, it would require your ISP (ie the "sending" end of the ISP link) to do so.

On port 8080 - in SOHO routers all inbound ports are usually "off" by default. You don't need to do anything "extra" to disable or manage them. Traffic sent to any closed port will almost certainly simply get silently discarded.

You could try it out if you like if you've got a smartphone/tablet with 3/4G data service:

Use one of the online tools to find out "what's my IP address" to find your routers current external public IP address. Then turn off your smartphones Wi-Fi, connect to 3/4G, open a web browser and try to surf to the noted IP address on port 8080 (or any other port you fancy) and see what happens. Eventually the browser will (should) just time out and tell you the "page cannot be found" or something similar. It might subsequently be interesting to look at your routers logs and see if it records the event.

 

[ChuckMountain]

Yes that was sort of what I was getting at, not sure the op appreciates the finer points. Put eloquently as ever by mickevh

Basically if you get targeted nothing at your end is going to make a difference

 

[Chester]

I'm afraid to say that some ISP supplied routers do indeed have back doors in order to remote manage them, but stupidly not locked down to the ISP's management network. Other manufacturers have left code in their firmware that may allow SSH access or similar to their routers. I believe Linksys were one of the brands, but if you search for these reports, you'll find several by different vendors. Huawei anyone?!

So I can understand the apprehension of the OP.

I've not heard of a Virgin customer replacing their router, only using it in modem mode. There are plenty of routers and firewalls that will then work with it (Draytek's Vigor 2860 will) that support VLANs and DoS protection, and then custom filters to allow/deny specific traffic if you wish, both inbound and outbound. The router alone will blow the budget though! Also available are very effective firewalls as virtual appliances (some run on VMware ESXi which can be run with a free licence) but you need 2 NICs minimum which will make the hardware expensive.

I do agree with an earlier post about separating the functions out (WiFi in a separate access point for example and in particular). The above mentioned Draytek has the most amount of LAN ports I've seen on any router (6); perhaps others have more, but Sky have now dropped their router down to 2!

 

[ChuckMountain]

Yes remote management is an issue in quite a few ISP supplied routers and is an attack vector.

A lot of routers support DoS attacks however there is only so much they can do as you can easily overload them as Mickevh states, particularly if its a DDoS. You would have to be unlucky in that case though.

Also nice for routers to show what UPnP requests and ports it has opened the LRT like other good routers gives you this. Skype and various games are the worst offenders ....

 

[mickevh]

I mean separating visitors web browsing and keeping my networked computers and NAS traffic separated. Separate vlans that do not intersect ideally.

I'd have to setup two Vlans (home/myself and visitors) two wifi APs for each vlan (might be easier with two SSIDs in a standard wifi router maybe?

Is it a fair summary to say that what you are looking for is a "main" network that has all you toys and private stuff on it plus a "guest" network for visitors that avails only Internet access and is sequested from your "main" network, both networks accessible using Wi-Fi using separate SSID's/passphrase..?

If so, the good news is that there's already SOHO kit that does this out of the box without all the complexity of managed switches, VLAN's, multiple DHCP scopes, enterprise AP's, ACL's and so forth. Indeed, my current router does just this - though sadly it's no longer available to buy.

If you need more physical ethernet ports for the "main" network, you need only daisy a simple unmanaged ethenet switch.

It only really gets complicated if you need multiple AP's (for coverage reasons for example.)

There's no reason not to do this with multiple managed switches, multiple multi-SSID/VLAN AP's, complex (IP) routing plans and so forth - in my day job I've built such systems and it all works wonderfully. But if you needs are as I've surmised in the first paragraph of this post, then you really only need the "right" SOHO router that has a "guest" network/SSID facility plus a simple unmanaged switch to avail more ethernet ports. I'd be surprised if you couldn't do that for of the order of 100GBP (though I cannot recommend any specific kit.)

I suggest if you Google "router with guest network" you'll be offered some likely candidate routers and there's plenty of cheap unmanaged "desktop" switches to choose from. TPLink have been pretty popular with AVF readers for a while, though I've never used them myself (not got anything against them - just not had cause to buy one.)

 

[ChuckMountain]

The SH3 will do guest networks out of the box if you only need wireless.