Friday, May 18, 2012

Firewall


I'm overdue for a geek post, so here we go.  I work with a guy who has started a few of his own businesses and been in charge of a number of other ones.  He has strong opinions on network security, and I figure his opinions are valid based on his experiences and perspective.  I have always been curious about his home network, so we've spent some time on the whiteboard describing and explaining.

All of which prompted me to pick up a firewall.  I opted for the cheapest 1u rackmount unit I could find, a used sonicwall pro 200.  It's only 100 MB instead of gigabit, but it's got a dedicated DMZ port for my web server and it does the basics every firewall should do plus it has some cool content filtering capability.  The configuration options are actually quite extensive, so there's lots to play with on a rainy day if I get a wild geek hair.  But mostly it's a set-and-forget type of unit which is the whole point.

The upside to this plan, and this is where my co-worker's attitude is valid, albeit somewhat paranoid: if you don't have your own firewall, your home network is at the mercy of your cable or DSL provider.  Not only can they log into your modem to see what your internal network looks like, but, perhaps far more importantly, they are your only line of defense against network intrusions.

This is mostly specific to Uverse, which bundles a single gateway with modem, wifi and router all in one unit, as opposed to Cox, which just supplies a modem and leaves it up to you to do your own wifi router if you want wifi or have more than one computer.  The big problem with Cox is that they automatically block port 80 on their side, so you have to play this silly little game of redirecting to a higher port, say 8080, in your DNS settings.  On top of that, Cox doesn't do static IPs, so if you want to have a home web server or VPN access to your home network, you pretty much have to set up a dynamic DNS client that will detect your assigned IP and update your name server accordingly whenever it changes.  Short version: if you are a geek, you probably prefer Uverse to Cox, but if you are a paranoid geek you probably want some extra protection behind your Uverse gateway.

Neighbor Brad gets around this by using a separate Linksys router which does his wifi, firewall and NAT, as almost every home router does.  This works well for him, but the whole double-NAT situation caused trouble for me when trying to pass port 80 through to my web server.  I could have just disabled everything on the Uverse box, as I intend to once I rack the SonicWall, but overall I was just dissatisfied with that solution, mostly because of the clunkiness factor with three boxes all sitting on a shelf (Uverse gateway, Uverse DVR, Linksys router).  Or maybe I didn't like the color clash of silver with blue.  But the SonicWall is blue so maybe there's no diff?  And finally I wanted VPN connectivity and SSH access, even though I have no Linux servers at home yet, as I intend to switch the web server from Win 7 over to CentOS at some point and play around with Apache and MySQL without the annoyances of doing so on Windows.  The Windows box was intended as a combo fileserver, HTPC, and web server, but now I'm thinking I want 3 separate boxes: one HTPC, one NAS, and one Linux-based web/FTP server.


Now, if I'm being honest, I think I really just wanted another toy to put in the server rack, and I figured I should start cheap and at the front, then work my way back.  The whole separate DMZ network seems ideal for the web server, ensuring that if it gets compromised for some reason, the local network would still be protected, although every individual PC runs its own software firewall these days, so it's a fairly paranoid mind that worries about home network intrusions at that level.
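To make the DMZ idea concrete, here is the same three-zone layout (Internet, LAN, DMZ with a single web server) written as a Linux nftables ruleset.  This is an added example, not the SonicWall's configuration and not anything from the original post; the interface names (eth0/eth1/eth2), the 10.0.0.0/24 LAN, and the 192.0.2.10 web server address are all made up for illustration.  The point it shows is the one the paragraph above makes: the Internet can reach only port 80 on the web server, the LAN can reach both the DMZ and the Internet, and the DMZ can never open a connection into the LAN, so a compromised web server cannot pivot onto the home network.  It also includes the Cox-style workaround of publishing the server on port 8080 when the provider blocks inbound 80.

```nft
#!/usr/sbin/nft -f
# Added example: zone-based firewall for a home network with a DMZ.
# Assumed (constructed) names and addresses:
#   eth0 = WAN uplink to the provider gateway
#   eth1 = LAN (10.0.0.0/24)
#   eth2 = DMZ (192.0.2.0/24), web server at 192.0.2.10

flush ruleset

define WAN = eth0
define LAN = eth1
define DMZ = eth2
define WEB = 192.0.2.10

table inet fw {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # Manage the firewall (SSH) from the LAN only, never from WAN or DMZ
        iifname $LAN tcp dport 22 accept
        icmp type echo-request accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # LAN may reach the Internet and the DMZ
        iifname $LAN oifname $WAN accept
        iifname $LAN oifname $DMZ accept

        # Internet may reach only the web server's HTTP port
        # (the DNAT in the nat table below rewrites the destination first)
        iifname $WAN oifname $DMZ ip daddr $WEB tcp dport 80 accept

        # DMZ never initiates connections into the LAN: a compromised web
        # server cannot pivot onto the home network. It may still reach
        # the Internet for updates.
        iifname $DMZ oifname $LAN drop
        iifname $DMZ oifname $WAN accept

        # Anything else (including WAN -> LAN) is logged, then hits policy drop
        log prefix "fw-forward-drop: " drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Publish the web server on the WAN address
        iifname $WAN tcp dport 80 dnat to $WEB
        # Provider blocks inbound 80? Publish on 8080 and map it to the
        # server's port 80, the workaround mentioned for Cox above
        iifname $WAN tcp dport 8080 dnat to $WEB:80
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f` on the router box (the shebang line lets it run as a script) and check the result with `nft list ruleset`.  The forward chain's default policy is drop, so every permitted path has to be stated explicitly; the `log prefix` rule just before the policy takes over is what lets you see, in the kernel log, any DMZ host trying to reach the LAN.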

So, $20 and a bit of searching for the latest firmware and the pro 200 came to life.  I'll try to get it racked this weekend and see how easy/painful it is.  Then I'll try to play around with vpn connectivity and start planning the centos and freenas hardware.

I'm also thinking about setting up my own wordpress server on my web server and migrating this blog over.  Surely my cable connection can handle the 10 views/day and at some point I will run out of my free 1GB of picasa space (currently at 14%) at which point I'll be annoyed to pay for more storage and even more annoyed at having to purge stuff.

I'll report back on how painful this install winds up being.  I suspect it will likely be more headache than I'd like it to be but hopefully not more than I can manage to deal with.

