1

We are trying to understand which installation is more secure:

a) A modem connected to the internet with PPPoE doing a NAT to the firewall, then doing a second NAT for all the devices

b) A modem acting like a bridge and the firewall doing the PPPoE?

I guess that more layers could be beneficial for security because malicious connections will get filtered by the modem and the firewall, and there would be 2 NATs to go through. But on the other hand, the modems are usually vulnerable and not up-to-date devices...

Simply from a security point of view, which is the most secure?

user41417

1 Answer

0

I think the question you are really asking here is if the two devices can be used to provide effective layers of security. Yes, they can, but the degree of security will depend on the configuration and capabilities of each device.

I recently took a SANS course in which the instructor suggested having a router in front of a firewall doing basic packet filtering. Basically the router drops everything except those ports you define (80, 443, etc.). It's then up to the firewall to examine the packets that make it past the router. In your case it would be the modem doing the packet filtering in front of your firewall.

The thinking behind this configuration is that it reduces the overall load on the firewall by cutting the number of packets that it examines with only a negligible increase of load on the router. Packet filtering is a less expensive operation than stateful packet inspection. It also has the advantage of reducing the noise in your firewall logs.

Of course it does depend on the capabilities of your hardware. I would run some tests with this configuration before committing to it.

mmccowan
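Added example, not part of the original answer: a small Python model of the layout described above, with a stateless port filter on the router or modem in front of a stateful firewall, counting how many packets the firewall has to examine and log with and without the front filter. The addresses, the sample packets and the simplified connection table are constructed assumptions; the model also shows that the stateless stage can only test the ACK/RST bit for return traffic, so the firewall behind it still does the real validation.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport flags")   # one inbound TCP packet
WAN = "203.0.113.10"        # assumed public address (documentation range)
ALLOWED_PORTS = {80, 443}   # the ports named in the answer

def edge_filter(p):
    """Stateless check on the router/modem: looks at one packet, keeps no memory."""
    if p.dport in ALLOWED_PORTS:
        return True
    # Replies to outbound sessions: without state, the ACK/RST bit is all it can test.
    return "A" in p.flags or "R" in p.flags

class StatefulFirewall:
    """Simplified model: a connection table, no full TCP state machine."""
    def __init__(self, outbound):
        self.table = set(outbound)   # (remote, rport, local, lport) opened from inside
        self.examined = 0
        self.log = []                # dropped packets, i.e. log entries

    def inspect(self, p):
        self.examined += 1
        key = (p.src, p.sport, p.dst, p.dport)
        if p.dport in ALLOWED_PORTS and p.flags == "S":
            self.table.add(key)      # new connection to a published service
            return True
        if key in self.table:
            return True
        self.log.append(p)
        return False

def run(packets, outbound, prefilter):
    """Return (packets delivered, packets the firewall examined, firewall log entries)."""
    fw = StatefulFirewall(outbound)
    passed = [p for p in packets if (not prefilter or edge_filter(p)) and fw.inspect(p)]
    return len(passed), fw.examined, len(fw.log)

# Constructed sample traffic arriving on the WAN side.
OUTBOUND = [("192.0.2.50", 443, WAN, 52000)]
PACKETS = [
    Pkt("198.51.100.7", 40000, WAN, 443, "S"),    # new HTTPS connection
    Pkt("198.51.100.7", 40000, WAN, 443, "A"),    # next packet of that connection
    Pkt("198.51.100.9", 51000, WAN, 22, "S"),     # unsolicited probes
    Pkt("198.51.100.9", 51001, WAN, 23, "S"),
    Pkt("198.51.100.9", 51002, WAN, 3389, "S"),
    Pkt("192.0.2.50", 443, WAN, 52000, "SA"),     # reply to an outbound session
    Pkt("198.51.100.66", 443, WAN, 52001, "A"),   # bare ACK, no matching session
]

if __name__ == "__main__":
    print("router in front:", run(PACKETS, OUTBOUND, True))
    print("firewall alone: ", run(PACKETS, OUTBOUND, False))
```

The same packets are delivered in both runs; only the firewall's workload and log volume change, and the bare ACK that slips past the stateless stage is still dropped by the connection table.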