1

We have a requirement on our Watchguard Firebox XTM505 to be able to split our incoming external interface, in this case a fibre optic dedicated leased line, 100/100.

We use the line in our office of approx 30 machines however we also re-sell to an external company who utilise it to provide wireless internet solutions to the public.

The current infrastructure is as follows:

Data in (Leased Line) -> Juniper SRX210 managed by ISP -> 1 cable out into unmanaged Netgear switch -> 1 cable into our firewall and office network, 1 cable to our external providers core router managed by them.

We have been informed that having the unmanaged switch in the position it is poses a security risk and that a good option would be to get our Watchguard Firewall to perform the split, by separating our office onto a trusted interface, and by "passing through" the external line to their managed router. It is alleged that the Watchguard is capable of doing this and also rate limiting the interfaces, i.e. 20mbps for the trusted interface and 80mbps for the "pass-through", however Watchguard technical support don't seem to be able to understand what we're trying to achieve.

Can anyone provide any advice on whether this is possible on a Watchguard device and how or perhaps if there's a better way of achieving this, perhaps with a managed switch instead of unmanaged?

Edit: I have attached a diagram of what I'm trying to explain. So, fig.1 is what we have now and we've been informed that the orange dashed area is a security loophole. We want to separate the connections rather than just using a dumb switch, so fig.2 is something like what we want to achieve. However, the red line goes to another router controlled by a third party. We want to do as little as possible, ideally nothing to that side of the network as they handle all their routing and policies on their equipment, we're just trying to separate it before that. Of course if people think this is unnecesssary or there's a better way of achieving this then please do say!

enter image description here

Cheers

fRAiLtY-
  • 83
  • 1
  • 2
  • 10
  • I'm not understanding exactly what you're trying to do, but you can "host" a different network on each Firebox interface. Put one network on the Trusted interface and the other on the Optional interface. The "main" feed from upstream will connect to the External interface. Then configure your rules and NAT as required. – joeqwerty Oct 23 '13 at 18:49
  • joeqwerty, The problem we have is that we don't really want to interfere with the optional interface, in this case. Our network is split in 2. 1 is managed by us via our Watchguard and 1 is managed by another party, however at present the line is "split" by a dumb unmanaged switch which is a security problem. – fRAiLtY- Oct 24 '13 at 06:42
  • 1
    I don't understand. Your Fig. 2 is exactly what I'm talking about. The "main" feed comes into the External interface and you use the Trusted interface for your network and the Optional interface for the other network. How does that not work for you? What do you mean you don't want to "interfere" with the Optional interface? Also, how do you propose to split the incoming connection without using two interfaces on the Firebox? With my suggestion, the Optional interface is acting as a "passthrough" to the other network, which is what you've stated you want to do. – joeqwerty Oct 24 '13 at 15:22
  • joeqwerty, The problem we've got is that Watchguard tech support inform us that it's not possible to just allow the red line in this case to "passthrough" untouched, we'd have to apply some NAT rules or policies to it. Because it goes to a third party we'll likely be blamed an ultimately end up "managing" it to a degree which we don't want to do. We just want to split our connection off to the trusted and pass through the rest. – fRAiLtY- Oct 24 '13 at 16:01
  • You can create an "Any" rule on the Firebox to allow all traffic to the other network to flow through the Firebox unencumbered. In addition (and I mean no offense by this) but you are re-selling a portion of the internet connection to the other company. That presumes some responsibility on your part. If that means managing it for the other company then so be it. If you don't want the responsibility of doing that then maybe you shouldn't be re-selling it to them. – joeqwerty Oct 24 '13 at 16:18

2 Answers2

2

Whoever told you that the current design poses a security risk is wrong. As long as you control the switch in front of the firewall and make sure that nobody is able to set up port mirroring or similar on it I can't really see a better way of doing this with your current hardware. They are after all not behind your firewall, which would pose a greater security risk than what you're doing now.

If doing rate limiting is something you really want then I would buy another firewall (or router) to put between the ISP CE (Juniper) and your firewall, and separate the companies that way.

pauska
  • 19,620
  • 5
  • 57
  • 75
  • +1 - there really is no reason to turn the company network into an ISP for third parties unless you *really* want to and know about the implications thereof. I also would try asking the ISP if the bandwidth limiting setup cannot be performed within the CPE (the Juniper router) - this would spare the additional hardware. – the-wabbit Oct 24 '13 at 08:43
  • pauska, The switch in front of the firewall, the Netgear, is just a dumb unmanaged switch. Would you suggest a better managed switch here as at the moment it kind of "is what it is", which I think is what the consultant was referring to when he mentioned a security risk. – fRAiLtY- Oct 24 '13 at 09:38
  • syneticon-dj, We have already asked this of our ISP who have refused, without reason. – fRAiLtY- Oct 24 '13 at 09:39
  • @fRAiLtY- there is no need for a managed switch unless you need the features that a managed switch can give you. I would probably get a managed one, so that I can set certain locking mechanisms in place (like setting port-security so that the other company only can use 1 mac address at a time etc). I'd ask more about that specific question at network engineering.stackexchange.com – pauska Oct 24 '13 at 12:22
0

You can manage all this through the WatchGuard

VLAN the trusted interface on the WG, Default VLAN for you and a secondary VLAN for the other customer.

You can then apply bandwidth throttling to the VLAN interfaces where necessary - no need for an untrust switch

Old question I know, just thought I'd chuck it out there

user237341
  • 1