I am planning to set up a dedicated hardware firewall like Protectli and run pfSense on it. I already know that:

  • it is a good practice NOT to have a wireless adapter on the firewall unit
  • it is ok to run two independent LANs from the same server (one for the intranet, one for internet-facing servers)

Will it be secure to run local DHCP, DNS and VPN services on that very same hardware box as well?

This is a small office environment with just a couple of desktops and a couple of servers running basic things like CUPS, KVM and file systems, so if possible I would want to keep the number of hardware nodes to the minimum. That is, without compromising the security of the entire LAN.

EDITED: Two classes of threats are considered:

  1. a motivated attacker trying to gain access to sensitive data on the LAN file server
  2. automated ransomware attacks on the entire LAN architecture

  • Let me flip the question around: no security or networking professional would even blink if they saw that your hardware firewall was also running DHCP, DNS and VPN. Doing that is pretty common, actually. The security of the setup depends on how you set it up. – schroeder Jun 20 '20 at 07:34
  • I do not know and that's why I'm asking. However, following the logic of "one vulnerable service affecting all others" I do not really see why moving individual services onto separate hardware nodes will make any difference - after all, if somebody can compromise one system, they can just as easily compromise the rest of the LAN it belongs to. I mean we are not a sophisticated large corporate with multiple levels of detection/prevention. – afora377 Jun 20 '20 at 11:55
  • And that makes sense. Which is what makes the question a little confusing. Unless you have a specific threat in mind ("I'm allergic to this ingredient in the cupcake") or some unique quality of your set up ("the cupcake is poisoned"), there's nothing wrong with having DHCP, DNS and VPN on the router. But, we can't then conclude that it's "secure". It's normal, that's about all we can say. – schroeder Jun 20 '20 at 12:00
  • I intuitively understand why keeping an internet-facing Redmine server on a separate subnet, firewalled from the main LAN, makes sense. But not sure if this is correct either. – afora377 Jun 20 '20 at 12:01
  • That's a design pattern called a "DMZ". Anything that could be accessed from untrusted people should be separate from your trusted network. – schroeder Jun 20 '20 at 12:07
  • Thanks schroeder, will quickly read up on that. Don't know if it helps in any way, but there are two classes of threats we have been thinking of here: 1. a motivated attacker trying to gain access to sensitive data on the LAN file server, 2. automated ransomware attacks on the entire LAN architecture. – afora377 Jun 20 '20 at 12:23
  • Also, happy to accept your answer if you posted it as such here. Maybe with a reference or two to further readings? Thank you again – afora377 Jun 20 '20 at 12:27
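As an added example that is not part of the question or the comments: the DMZ pattern schroeder describes, written out as a hand-made pf ruleset for the setup in the question (pfSense generates its own pf rules from the GUI, so this only makes the policy explicit). The interface names igb0/igb1/igb2, the 192.168.10.0/24 and 192.168.20.0/24 subnets, the Redmine address 192.168.20.10 and OpenVPN on UDP 1194 are assumptions.

```pf
# Assumed interface names and addressing (not from the question)
ext_if  = "igb0"              # WAN
lan_if  = "igb1"              # trusted intranet: desktops, file server, CUPS, KVM
dmz_if  = "igb2"              # internet-facing servers
lan_net = "192.168.10.0/24"
dmz_net = "192.168.20.0/24"
redmine = "192.168.20.10"     # assumed Redmine host in the DMZ
vpn_port = "1194"             # assumed OpenVPN listener on the WAN side

set skip on lo0
set block-policy drop

# Both internal networks leave through the WAN address
nat on $ext_if from { $lan_net, $dmz_net } to any -> ($ext_if)
# The only published service maps straight into the DMZ, never into the LAN
rdr on $ext_if proto tcp from any to ($ext_if) port 443 -> $redmine port 443

# Default deny; every "pass" below is explicit, stateful and quick (first match wins)
block log all

# Services the firewall itself runs, scoped to the interface that needs them.
# DHCP discovers come from 0.0.0.0 to the broadcast address, so "from any".
pass in quick on $lan_if inet proto udp from any port 68 to any port 67
pass in quick on $lan_if inet proto { tcp, udp } from $lan_net to ($lan_if) port 53
# VPN is the only firewall service reachable from the internet
pass in quick on $ext_if inet proto udp from any to ($ext_if) port $vpn_port
# DMZ hosts get no DHCP, DNS or management access to the firewall at all
block in quick on $dmz_if from $dmz_net to ($dmz_if)

# Trusted LAN: internet and firewall access, plus only the needed ports in the DMZ
pass in quick on $lan_if from $lan_net to ! $dmz_net
pass in quick on $lan_if proto tcp from $lan_net to $redmine port { 22, 443 }

# DMZ: accept the redirected web traffic, allow updates outbound, never reach the LAN
pass in quick on $ext_if proto tcp from any to $redmine port 443
pass in quick on $dmz_if proto { tcp, udp } from $dmz_net to ! $lan_net port { 53, 80, 443 }
block in quick on $dmz_if from $dmz_net to $lan_net

pass out quick all
```

The rules for the VPN tunnel interface itself (what remote users may reach once connected) are left out; the point is that a compromised DMZ host is stopped by the last DMZ rule and by the block on the firewall's own DMZ address, so the DHCP, DNS and VPN services sharing the box are never exposed to it.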