Is it a good practice to combine NAT, firewall, VPN?

Hi, I need to secure my services. What is the best approach to using NAT, a firewall and a VPN?

Should I combine all of them into a single VM, or is it best to keep them separate?

Any security risks with this approach?

I use a VPN to secure internal services which shouldn’t be publicly available, for example the company Redmine, NetBox, database, etc. A VPN is also required for remote administration of the system.

Creating 3 separate VMs seems wasteful, though I understand that they all do different tasks:

  • NAT – hides local IPs
  • firewall – restricts connections, protects network as a whole
  • VPN – allows per-user remote access to local resources

Right now I’m leaning toward creating 2 VMs: VPN and NAT+firewall. Any problems I can run into doing so?

Either you’ll want to combine the VPN and the firewall, or you’ll want the VPN hanging off the firewall in a different network, with all traffic between it and your internal stuff passing through the firewall. That way you don’t need to masquerade the traffic, or have a route specifically for the VPN traffic added to every target.

Personally, I have never been involved in an environment in the last decade where all of these aren’t a single hardware appliance. You can do it in software as a VM, yes, but you can’t tell me your org cannot afford a few hundred on a silly UBNT UDM-Pro. Silly, but they do work.

I don’t necessarily recommend pfsense in production, but it’s better than rolling your own whatever you have in mind.

Why are you doing that on _servers_ ?

That’s what routers/firewall/security appliances are _for_; bog standard home routers can do all of the above with relative simplicity.

Sure, you could split it out into specific devices, but you’re adding a serious amount of cost and overcomplicating the shit out of things - I mean, you’re talking about a couple of servers to do the job something the size of a hardback book does.

Zyxel, Draytek, Fortigate, Entrust, Stonewall, MikroTik, *shudders* SonicWall - to name just a handful.

What size of company are we talking here, 5 guys in a back office? 500 across 20 sites? C’mon, give us some parameters.

As much as it pains me to say, pfSense+OpenVPN seems to fit your budget scale.

  • NAT and FW - possibly
  • VPN should stand alone

I would keep them separate just to simplify updates and reboots. Firewall and NAT on one then VPN on another. That way if you are having VPN issues or troubleshooting you don’t have to take the firewall down.

Well, we can’t :confused:

I think I didn’t make myself clear and point out that I need to set up these services virtually. I understand the huge PROs of hardware devices, but I wanted to hear the PROs and CONs of virtual ones…

So iptables+fail2ban could lead to unforeseen consequences since it is easier to make mistakes configuring them than with pfsense?

Thanks for your reply. I understand that hardware devices dedicated to a specific task are going to work remarkably better than a VM, but we just don’t have the resources to buy one of these. I work for a small-sized company – 1 site, less than 100 workers – and I think that using existing resources is better than asking for more expensive hardware to spare.

You should start looking for another job if buying a less than $1K piece of equipment to keep the business literally functional isn’t in the budget.

No.

Considering that iptables is deprecated and you asked this question to begin with, you’re probably better off with not trying to reinvent the wheel. Especially since you’re asking about “best practice” while using outdated, homelab-esque solutions.

Go buy a Unifi USG and don’t try and home roll this yourself.

What is doing NAT/Firewalling currently?

existing resources? what do you have in place today?

You likely already _have_ a router/firewall in play. How does your site/company get internet? What box sits at the end of your broadband / connects your LAN(s) to the outside world?

What up-speed and what down-speed?

How many concurrent VPN users do you need to support?

Do you use multiple (V)LAN ranges?

What sort of data volume are we talking about here - CAD drafters trying to pull 50 MB DWGs over a 40/20 connection isn’t going to be pleasant for the drafter?

You can score something like a Draytek 2860 off eBay for $50 and it will handle VDSL or Ethernet feeds, runs at gigabit networking, multiple LANs, multiple VLANs, tagging, NAT translation, opening ports to allow services, geo-restricting access, SSL VPN, site-to-site IPsec VPN, Wi-Fi 2.4/5 GHz on some models, LTE on some others too, multi-WAN and up to 32 simultaneous VPN tunnels.

We have them in use for around 200 of our clients, from 1-man shows all the way up to a 500-person company (they use a 3900 to allow for more VPN users).

You -could- “save money” in fucking around with the servers, but you’re not saving shit, you’re burning engineer time building an overly complex service layout with multiple points of failure and content. A router/firewall box will take a LOT less time to configure - say you spend 20 hours setting up this server-based monstrosity - example: you’re making $22 an hour, that’s costing the company the guts of $500 _just_ to set up, never mind tweaking and ongoing fixes, and if you reboot that server, or it’s patching updates or something breaks, the whole stack falls on its face.

Vs a $300 (brand new) box that has active tech support and is quite simple and logical to setup.

Plus consider the additional load on the servers - do they have the headroom to take on more work? What’s the replacement schedule looking like on them, or their warranties - if something went bang, how quick could you get it stood back up?

Watching the pennies will cost you the big bucks - there are appropriate times to spend money - anything that comes between you and the floor/the internet is WORTH spending money on (beds, shoes, tyres, firewalls).

Good way to limit your own knowledge. If you don’t know, OP, DON’T ASK.

That’s true, but buying devices is just not an option, even if they cost less than a $.

What is doing NAT/Firewalling currently?

iptables+fail2ban

I completely agree with your point that using an easy-to-manage router is better than creating something yourself piece by piece. From the reliability standpoint, I don’t plan services as a single instance; all the critical services always have a replica and/or multiple standby servers with keepalived monitoring if something goes wrong. Let’s just say that it is not an option even to take for free someone’s firewall that has no use for them (as much as I would like to do so).

You likely already _have_ a router/firewall in play. How does your site/company get internet?

We get ours directly from the local ISP and as far as I’m concerned, there is no firewall.

What up-speed and what down-speed?

The current uplink speed is just 1 Gb, but we are on our way to upgrading to a 10 Gb uplink. Downlink speed is 10 Gb with 4 cables in a LAG.

How many concurrent VPN users do you need to support?

As I said, there are not a lot of users for VPN access – less than half of the company size (<50 people).

Do you use multiple (V)LAN ranges?

We have multiple subnets (and corresponding VLANs):

  • public network - for websites and public file share servers;
  • lan-un network - LAN for services that directly face the internet;
  • lan-pr network - LAN for protected services such as databases and company resources;
  • office network - LAN for employees to connect to;
  • mgmt network - LAN for the administrator to use in order to control and configure the system.

What sort of data volume are we talking about here (user data through the VPN connection)?

At worst about a dozen gigabytes worth of data.

Hardware servers have more than enough headroom to handle current tasks and it seems to me that they can handle network-related tasks just as well. Unfortunately man-hours here cost almost nothing, sooo that’s that.
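As an added example (not configuration from the thread or from any of its participants), here is a minimal iptables ruleset for the layout suggested in the earlier reply, the VPN VM hanging off the firewall in its own network with VPN traffic routed rather than masqueraded, using the subnet roles the OP listed (office, lan-pr, mgmt). Interface names, subnet addresses, the VPN VM's address and the UDP port 1194 are assumed placeholders; `DRY_RUN=1` prints the commands instead of executing them so the ruleset can be reviewed without root.

```sh
#!/bin/sh
# Added example, not code from the thread. Placeholders (assumed): interface
# names eth0..eth4, subnet addresses, the VPN VM's address, UDP port 1194.
set -eu

WAN=eth0                 # ISP uplink
OFFICE=eth1              # office vlan
LANPR=eth2               # lan-pr vlan: databases, company resources
MGMT=eth3                # mgmt vlan: admin access only
VPNIF=eth4               # dedicated vlan holding only the VPN VM
OFFICE_NET=10.10.0.0/24
VPN_HOST=10.40.0.2       # VPN VM's address on the dedicated vlan
VPN_CLIENTS=10.8.0.0/24  # tunnel addresses handed out to VPN users

# Print commands instead of running them when DRY_RUN=1 (no root needed).
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

apply_rules() {
  run iptables -P INPUT DROP
  run iptables -P FORWARD DROP
  run iptables -P OUTPUT ACCEPT
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Admin SSH to the firewall itself only from the mgmt vlan.
  run iptables -A INPUT -i "$MGMT" -p tcp --dport 22 -j ACCEPT
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # NAT: office clients reach the internet behind the firewall's address.
  run iptables -A FORWARD -i "$OFFICE" -o "$WAN" -j ACCEPT
  run iptables -t nat -A POSTROUTING -s "$OFFICE_NET" -o "$WAN" -j MASQUERADE
  # The only inbound hole: the VPN port, forwarded to the VPN VM alone.
  run iptables -t nat -A PREROUTING -i "$WAN" -p udp --dport 1194 \
      -j DNAT --to-destination "$VPN_HOST"
  run iptables -A FORWARD -i "$WAN" -o "$VPNIF" -d "$VPN_HOST" \
      -p udp --dport 1194 -j ACCEPT
  # VPN users are routed, not masqueraded, into lan-pr and mgmt, so hosts
  # there log the real tunnel address. Office and lan-un stay unreachable.
  run iptables -A FORWARD -i "$VPNIF" -s "$VPN_CLIENTS" -o "$LANPR" -j ACCEPT
  run iptables -A FORWARD -i "$VPNIF" -s "$VPN_CLIENTS" -o "$MGMT" -j ACCEPT
  # One return route on the firewall; internal hosts keep their default
  # gateway and need no per-host route for the VPN range.
  run ip route replace "$VPN_CLIENTS" via "$VPN_HOST" dev "$VPNIF"
}

case "${1:-}" in
  apply) apply_rules ;;
  dry)   DRY_RUN=1 apply_rules ;;
esac
```

Run `sh fw.sh dry` to review the generated commands; the point to check is that only the office subnet is masqueraded and that VPN clients have exactly two forwarding paths.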

That’s horrible.

Just run pfSense in that case.