Chained Routers For Port Forwarding Security

Things have been very busy around here while I transition from my old
position to my new one. Hence, postings may be few and far between.

+ + +

Insert disclaimer here. YMMV. Use at your own risk.

Now that I’ve finished working on my media PC, I think I’ll start
working on getting my home web server project re-started. As you may
remember, I’m spending hundreds of dollars per year paying to
host my site.

Although I get reasonably good service for my money, it’s still rather
expensive to keep this site going. Hence, I’ve been trying to see how I
can host my own site from home.

The biggest problem, other than not having a lot of time to work on it,
is not knowing enough on how to set-up not only the web server, but the
entire home network in a way that will provide a level of security
against hackers.

By that I include the router/firewall, the web server and its operating
systems and software, and the internal network.

For the router/firewall, it’s possible to open a port and forward traffic to a
specific PC inside my network. The problem is, is that the best way to
do it? By opening a port, you are announcing to the world, and all the
hackers therein, that your PC exists. That is, your network is no
longer stealthed and will respond to various scans. Once the script
kiddiez know your address, they will
come knocking.

If the kidz should get in, your entire network could be compromised
because, in this configuration, the web server is behind your firewall.

From what I understand, some routers have another way of giving access
to a server (it also appears to be a much less secure way). It is
called a DMZ (short for demilitarized zone), that is, the router opens
all ports to a PC, but only this PC. While this may solve some
problems, as far as I know, it is the same as not having a
firewall. Again, the kidz will want to come and play.

A better way of protecting a PC, whether it is
port forwarded to or is in a DMZ, is to chain two routers/firewalls.
That is, have a router/firewall in front of the web server PC, then
another router behind that first router that routes traffic to your
internal network. That way, the server is somewhat protected by the
first router (assuming here you are port forwarding and not using a
DMZ), and the rest of your network is protected by the second
(assuming here all ports on the second router/firewall are stealthed
and all other applicable security practices are in place). Hence, even if your server PC is
hacked, all else being equal, your internal network should be
relatively secure.

I am open to suggestions for other configurations so leave me a comment
or email me if you can think of a better way of doing it. A tip of the
hat to Gibson Research for the suggestion (link to Multi-Nat Router page).



Comments are closed.