Dual-firewall arrangement with Location Blocking+IPS offers most small networks robust security
Earlier this year I made a commitment to start taking infrastructure security much more seriously.
It was something I had to do and am glad that I did.
While there is only so much one can do to secure infrastructure that is off-site and administered by someone else (or in the cloud), there's a lot one can do when it comes to protecting their own network in-house.
One of the most critical elements of any network is the firewall, which is effectively where net traffic enters your network.
Therefore, having a robust, manageable firewall arrangement is critically important to protecting your network from unwanted traffic.
My network is protected by a dual-firewall arrangement, using IPFire (Level 1) and pfSense (Level 2).
While having a dual arrangement may seem like overkill to some, when you're dealing with critically important data, and in some cases sensitive data, taking extra precautions to protect systems on the network should never be considered overkill.
I once had a triple-firewall arrangement which had Untangle sitting in between IPFire and pfSense, but it has since been made redundant through better configuration of a dual arrangement.
For now, let's just ignore the role my DNS servers play as we'll cover that at a later time.
A Level 1 firewall stands as the first point of entry for net traffic entering the network.
A Level 2 firewall stands as the first point of exit for net traffic exiting the network.
The concept behind this firewall arrangement is that if any nefarious actor, whether a teenage basement dweller or a state-sponsored actor, were to penetrate the Level 1 firewall, they would instantly be forced to face the Level 2 firewall.
Penetrating these two firewalls is technically not impossible, especially for a state-sponsored actor with large amounts of resources to throw at the mission, but realistically it's highly improbable such an event would occur.
One of the first steps I always take with any new firewall deployment is enable Location Blocking.
By default, I always block incoming connections from Iran, China, North Korea, Russia, Romania, Pakistan and Nigeria.
The choice is really yours as to which locations you decide to block, but from my experience, most nefarious traffic originates from any one of these locations, so it's become standard practice for me to just block originating traffic from all of them.
This does not block traffic from these locations that you have requested; rather, it instantly drops traffic from these locations that was not requested by you or a system on your network.
Another critical step to take with your Level 1 firewall is to enable an Intrusion Prevention System (IPS).
IPS sits behind the Location Blocking service, which means that if traffic is not blocked by the Location Blocking configuration, it is passed to the IPS service, which assesses all traffic against pre-configured rule lists that sort good traffic from bad.
Once traffic has passed through the Location Blocking and IPS services, the firewall engine takes care of the rest, distributing traffic to the right system according to the firewall rules you have configured.
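To make the ordering of the three stages concrete, here is a small model of the Level 1 inbound pipeline. It is an added example written for this post, not IPFire's or pfSense's code, and everything in it is constructed: the country-to-prefix table uses documentation prefixes rather than real geolocation data, the IPS "signatures" are two toy payload patterns, and the state table is a plain set of remote addresses (a real firewall tracks full connection tuples). What it shows is the behaviour described above: unsolicited inbound traffic from a blocked location is dropped before any deeper inspection, return traffic for a connection opened from inside passes the location check, what survives is matched against IPS rules, and only then do the firewall rules decide where a packet goes.

```python
"""Model of a Level 1 firewall's inbound path: Location Blocking -> IPS -> firewall rules."""
import ipaddress
from dataclasses import dataclass, field

# Constructed, hypothetical country-to-prefix table (documentation ranges, not real geo data).
GEO_PREFIXES = {
    "CN": [ipaddress.ip_network("203.0.113.0/24")],
    "RU": [ipaddress.ip_network("198.51.100.0/24")],
    "US": [ipaddress.ip_network("192.0.2.0/24")],
}
# The locations the post blocks by default.
BLOCKED_COUNTRIES = {"IR", "CN", "KP", "RU", "RO", "PK", "NG"}

# Constructed IPS rules: (rule name, byte pattern that must appear in the payload).
IPS_RULES = [
    ("SQL injection probe", b"' OR 1=1"),
    ("Path traversal probe", b"../../"),
]

# Constructed firewall policy: destination port -> internal host that receives the traffic.
FIREWALL_RULES = {80: "10.0.0.10", 443: "10.0.0.10"}


@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes = b""


@dataclass
class Level1Firewall:
    # Remote addresses that a system on the inside has already connected to (simplified state table).
    outbound_state: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def country_of(self, ip):
        """Return the constructed country code for an address, or None if unknown."""
        addr = ipaddress.ip_address(ip)
        for cc, nets in GEO_PREFIXES.items():
            if any(addr in net for net in nets):
                return cc
        return None

    def process(self, pkt):
        """Run one inbound packet through the three stages and return (verdict, detail)."""
        cc = self.country_of(pkt.src)
        # Stage 1: Location Blocking. Only unsolicited traffic is dropped; replies to
        # connections opened from inside pass regardless of where they come from.
        if cc in BLOCKED_COUNTRIES and pkt.src not in self.outbound_state:
            return self._drop("location-block", pkt, cc)
        # Stage 2: IPS. Anything the location stage let through is checked against the rules.
        for name, pattern in IPS_RULES:
            if pattern in pkt.payload:
                return self._drop("ips:" + name, pkt, cc)
        # Stage 3: firewall rules decide which internal system receives the traffic.
        target = FIREWALL_RULES.get(pkt.dst_port)
        if target is None:
            return self._drop("no-rule", pkt, cc)
        self.log.append(("forward", pkt.src, pkt.dst_port, target))
        return ("forward", target)

    def _drop(self, reason, pkt, cc):
        self.log.append(("drop", reason, pkt.src, pkt.dst_port, cc))
        return ("drop", reason)


if __name__ == "__main__":
    fw = Level1Firewall()
    fw.process(Packet("203.0.113.5", 443))                      # unsolicited, blocked location
    fw.outbound_state.add("203.0.113.5")                         # an inside host connected out
    fw.process(Packet("203.0.113.5", 443))                      # now a reply: passes the location stage
    fw.process(Packet("192.0.2.9", 80, b"GET /?id=' OR 1=1"))   # survives stage 1, caught by IPS
    fw.process(Packet("192.0.2.9", 22))                          # no firewall rule for port 22
    fw.process(Packet("192.0.2.9", 80, b"GET / HTTP/1.1"))       # forwarded to the web host
    for entry in fw.log:
        print(entry)
```

The log entries are the thing to look at: each drop records which stage took the decision, which is also how you would read a real firewall's logs to tell a location block from an IPS hit from a plain policy deny.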
Location Blocking combined with IPS is robust and secure, and for most small networks will be more than sufficient for protecting systems on the network.
You will notice that it does take a hit on overall net speed, due to the natural overhead of the traffic analysis.
Dedicated firewalls, or systems acting as firewalls, always add overhead.
Each new protection service you add to the firewall will add extra overhead.
This is completely normal behavior.
But in terms of user priorities, system and network security should always come first, with net speed second.