Maximizing security - DMZ enabled WAN failover

0

Context: 20 person shop. Internet uptime is critical. Solution is to use LTE service to backup main Internet service. Please see Exhibit 1 for diagram.

Problem: System works (connection fails over to LTE and fails back to primary if primary is stable) but I suspect that using the DMZ (to make this work) introduces security risks.

Question: Is there a "better" setup? Or is worrying about DMZ-related issues immaterial in this system?

Exhibit 1 - Network Diagram: (image not reproduced in this copy)

Robert Tan

Posted 2017-03-26T21:07:44.743

Reputation: 101

If the ASUS is set up properly, DMZ is usually the way to go. So this is a system I could set up myself. Don't worry about it. – LPChip – 2017-03-26T21:15:48.217

@LPChip Out of curiosity, why a "could" and not a "would"? – Robert Tan – 2017-03-27T15:04:08.257

Usually for LTE you don't need specific port forwarders. It's a backup system only and you would want the downtime to be as brief as possible. So I would likely choose to make it fail with ports and only provide internet so we can have the regular connection up as fast as possible. But if remote access is part of what is critical, then DMZ is preferred. – LPChip – 2017-03-27T16:10:04.007

Answers

2

Using the DMZ zone doesn't introduce security risks, so long as your firewall rules between the DMZ and your trusted zones are not more lax than those of your WAN zone.

That said, it would be preferable to have both WAN links in the WAN zone to simplify rule management. Otherwise, any rule you modify for the WAN zone you must also modify (redundantly) for the DMZ zone.

I say Reinstate Monica

Posted 2017-03-26T21:07:44.743

Reputation: 21 477

To clarify, to have both in the same WAN zone implies integrating a 2-in-1 modem instead of the two WAN modems? And thanks, I will begin review of our firewall config in the ASUS. – Robert Tan – 2017-03-27T14:41:00.270

No, typically you can assign multiple interfaces (in your case, those interfaces connecting your two modems) to the same security zone. Now if your router simply doesn't permit this, then <sad face>, and you must use the WAN and DMZ zones, but in that case you have to make sure the firewall rules to/from the LAN zone are configured identically for both of those zones. – I say Reinstate Monica – 2017-03-27T14:46:52.373

I believe the ASUS's built-in dual WAN feature funnels both WANs through the same (its own) firewall (since I don't see options re: security zones) so we are okay – Robert Tan – 2017-03-27T15:01:31.833

@RobertTan Excellent. Good to know for this device. – I say Reinstate Monica – 2017-03-27T16:03:17.723
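The accepted answer's condition (the DMZ zone must not be more lax toward the trusted zones than the WAN zone) and the follow-up comment (rules to/from the LAN must be configured identically for both uplink zones) are the kind of thing worth checking mechanically rather than by eye. The script below is an added example, not part of the original question, the answer, or any ASUS firmware: it models a zone-based policy as an allow/deny rule list per ingress zone, flags any allow rule the backup-uplink zone has that the primary WAN zone lacks (a security gap) and any WAN allow rule the backup zone lacks (a service that silently breaks on failover), then shows the answer's preferred fix of binding both modem interfaces to the one WAN zone so the second rule set disappears. The zone names, interface names, hosts and rules are all constructed assumptions.

```python
"""Audit a dual-uplink policy: an LTE backup uplink placed in a DMZ zone must not
be allowed further into the trusted LAN than the primary WAN zone is.
Constructed example; zone names, interfaces, hosts and rules are assumptions."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    """One rule for traffic entering from an uplink zone, destined for the LAN."""
    action: str  # "allow" or "deny"
    proto: str   # "tcp", "udp" or "any"
    dport: str   # destination port, or "any"
    dst: str     # LAN host or subnet, or "any"


DENY_ALL = Rule("deny", "any", "any", "any")

# Constructed ingress policy toward the LAN, keyed by the zone traffic arrives
# from. First match wins and every chain ends in deny-all, so the set of allow
# rules is exactly what each uplink can reach on the inside.
POLICY: Dict[str, List[Rule]] = {
    "WAN": [
        Rule("allow", "tcp", "443", "192.168.1.10"),   # reverse proxy
        Rule("allow", "tcp", "22", "192.168.1.20"),    # admin jump host
        DENY_ALL,
    ],
    "DMZ": [
        Rule("allow", "tcp", "443", "192.168.1.10"),
        Rule("allow", "tcp", "22", "192.168.1.20"),
        Rule("allow", "tcp", "3389", "192.168.1.30"),  # drift: only on the backup path
        DENY_ALL,
    ],
}

# Constructed interface-to-zone binding: primary modem on eth0, LTE modem on eth1.
INTERFACES: Dict[str, str] = {"eth0": "WAN", "eth1": "DMZ"}


def allows(policy: Dict[str, List[Rule]], zone: str) -> set:
    """The allow rules of a zone's chain (the reachable set under deny-all)."""
    return {r for r in policy[zone] if r.action == "allow"}


def excess_allows(policy, zone: str, reference: str = "WAN") -> List[Rule]:
    """Allow rules the uplink zone has that the reference WAN zone does not:
    the 'more lax than WAN' condition from the answer."""
    return sorted(allows(policy, zone) - allows(policy, reference), key=str)


def missing_allows(policy, zone: str, reference: str = "WAN") -> List[Rule]:
    """Allow rules present on WAN but absent from the uplink zone: not a hole,
    but a service that silently stops working during failover."""
    return sorted(allows(policy, reference) - allows(policy, zone), key=str)


def audit(policy, interfaces: Dict[str, str], reference: str = "WAN") -> List[str]:
    """Findings for every zone an uplink interface is bound to, other than WAN."""
    findings = []
    for iface, zone in sorted(interfaces.items()):
        if zone == reference:
            continue
        for r in excess_allows(policy, zone, reference):
            findings.append(f"{iface}/{zone}: extra allow {r.proto}/{r.dport} -> {r.dst} not in {reference}")
        for r in missing_allows(policy, zone, reference):
            findings.append(f"{iface}/{zone}: missing allow {r.proto}/{r.dport} -> {r.dst} present in {reference}")
    return findings


def consolidate_uplinks(interfaces: Dict[str, str], from_zone: str, to_zone: str) -> Dict[str, str]:
    """Rebind every interface in from_zone to to_zone: the answer's preferred fix,
    after which there is only one rule set to maintain."""
    return {iface: (to_zone if zone == from_zone else zone) for iface, zone in interfaces.items()}


def effective_rules(policy, interfaces: Dict[str, str], iface: str) -> List[Rule]:
    """The chain a given uplink interface is actually subject to."""
    return list(policy[interfaces[iface]])


if __name__ == "__main__":
    for line in audit(POLICY, INTERFACES):
        print("FINDING:", line)
    merged = consolidate_uplinks(INTERFACES, "DMZ", "WAN")
    print("after consolidation:", audit(POLICY, merged) or "no findings")
```

Run as-is, the audit reports the stray RDP allow on the DMZ path; after `consolidate_uplinks` moves eth1 into the WAN zone, the LTE interface inherits the WAN chain and the audit is clean. On a router that cannot bind two interfaces to one zone (the "sad face" case in the comments), keeping the two chains equal is exactly the invariant `audit` enforces.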