Basic network topology to protect a home web/file/socket server

[kmiklas]

I'm setting up an open-source stock exchange (published under GPL3). I will be transmitting market tick data over UDP or websockets, and also creating TCP connections for order placement. For context, the concept is published here:
http://www.ritchiestockexchange.com/

To make this work, I've assigned a static IP address to the server, and enabled port forwarding of both TCP and UDP traffic to my router to the server. Using nodejs, C++, and C socket programming.

At this point, I'm publishing my router port address on port 3000 to the world; say 192.0.2.33:3000. I have a host of security concerns about this:

1. Hackers trying to break into my server
2. DDOS attacks on the IP address, port, or even the subnet.
3. My home computers attached to the same network as this server.

I'm still working on the proof of concept, and so I need to be budget-conscious. I currently have a Linksys WRT54g v1.1, factory stock firmware.

The question is, how can I set up the network to protect against the above attacks? Some suggestions I have so far are:

1. Create separate subnets, with the different machines (market data, exchange, and personal) on separate subnets.
2. Buy a better router
3. Install 3rd-party firmware on the WRT54g, and use that for subnetting
4. Use a service like cloudflare
5. Use an IP proxy service (sorta like cloudflare)
6. The heck with setting up my own network, just put it all on the cloud.

I need help. Any suggestions are appreciated. Thanks for your help. Sincerely, Keith :^)

More info at the following two posts:
http://community.linksys.com/t5/Wireless-Routers/WRT54g-Create-two-subnets/td-p/1164316
https://networkengineering.stackexchange.com/questions/41989/linksys-wrt54g-how-to-set-up-two-subnets

 

[boosted1g]

Concerns:
1) Cant prevent. Keep security up to date and dont paint a big enough target on back to draw attention
2) Very expensive to prevent on enterprise level, although not a big concern for a target like you where there is nothing to profit for the effort
3) Legitimate concern that can be mitigated with VLANs

Suggestions
1) Subnets alone wont help if they premit traffic between them, you need VLANS
2) Yes, you need a better router for this level of security and features. Not to mention need something more capabile then a 54g from over 10 years ago
Asus router with ASUSMerlin is good, Ubiquiti EdgeLite would be better.
3) Replacing router anyway
4 & 6) Using different service is always an option.
5) Will do nothing to prevent concern 1&2

 

[kmiklas]

Concerns:
1) Cant prevent. Keep security up to date and dont paint a big enough target on back to draw attention
2) Very expensive to prevent on enterprise level, although not a big concern for a target like you where there is nothing to profit for the effort
3) Legitimate concern that can be mitigated with VLANs

Suggestions
1) Subnets alone wont help if they premit traffic between them, you need VLANS
2) Yes, you need a better router for this level of security and features. Not to mention need something more capabile then a 54g from over 10 years ago
Asus router with ASUSMerlin is good, Ubiquiti EdgeLite would be better.
3) Replacing router anyway
4 & 6) Using different service is always an option.
5) Will do nothing to prevent concern 1&2

Excellent, thank you. Based on this advice, I've done some research, and my first choice is the Ubiquiti Edgerouter Lite ERLITE-3. What do you think? Correct me if I'm wrong, but I can plug my Linksys WRT54G into one of the ports?
- Comparison table below. Any advantage to going with Cisco or Linksys? The TP-Link also looks tempting at the price. Also, the AC1900 is very highly rated, but I don't see the VPN/VLAN feature.
t

**TOP CHOICE**

- $96.35: Ubiquiti Edgerouter Lite ERLITE-3 Desktop Router (Black)
https://www.amazon.com/dp/B00HXT8EKE/ref=psdc_300189_t1_B00YFJT29C

**CONTENDERS**

- $51.43: Ubiquiti EdgeRouter X Advanced Gigabit Ethernet Routers ER-X 256MB Storage 5 Gigabit RJ45
https://www.amazon.com/Ubiquiti-EdgeRouter-Advanced-Gigabit-Ethernet/dp/B00YFJT29C/ref=sr_1_1?s=electronics&ie=UTF8&qid=1498061303&sr=1-1&keywords=ubiquiti+router
- $139.99. Linksys LRT214, or LRT224
https://www.amazon.com/Linksys-LRT214-Gigabit-VPN-Router/dp/B00GK6402W/ref=sr_1_1?s=electronics&ie=UTF8&qid=1498061652&sr=1-1&keywords=linksys+lrt214
- $149.99: Linksys AC1900 Dual Band Open Source WiFi Wireless Router (WRT1900ACS)
https://www.amazon.com/gp/product/B014MIBLSA/ref=ox_sc_act_title_6?smid=ATVPDKIKX0DER&psc=1
- I don't see a competitive ASUS product?!

Sincerely,
Keith

 

[boosted1g]

I have used the EdgeLite 3, it is a very good product.
The 1st one may be sufficient for your needs, you can certainly do some research on it.

The ASUS equivalent to the linksys is the AC68U (or P, R or W). I have the AC68P and it is the best consumer grade router I have ever owned, although you will need ASUSMerlin fimrware in order to do VLANs.

You can confgiure the WRT54g as an access point to work with the edgelite, although frankly I would upgrade to at least a modern N router.
Even an older N300 router like a netgear wnr3500l would be better then that old linksys router.

 

[kmiklas]

I have used the EdgeLite 3, it is a very good product.
The 1st one may be sufficient for your needs, you can certainly do some research on it.

The ASUS equivalent to the linksys is the AC68U (or P, R or W). I have the AC68P and it is the best consumer grade router I have ever owned, although you will need ASUSMerlin fimrware in order to do VLANs.

You can confgiure the WRT54g as an access point to work with the edgelite, although frankly I would upgrade to at least a modern N router.
Even an older N300 router like a netgear wnr3500l would be better then that old linksys router.

This router has caught my eye, which appears to be a small step up from your AC68P:
$183.00: ASUS RT-AC87U Wireless-AC2400 Dual Band Gigabit Router, AiProtection with Trend Micro for Complete Network Security
https://www.amazon.com/dp/B00MPI5N7U/ref=psdc_300189_t2_B00FB45SI4

It has wifi to replace my WRT54g, which the EdgeLite solutions lack. It has a USB port for network storage, is quite fast, and still reasonably affordable. ASUS is a good name, it supports VPN/VLAN, and looks like it has the horsepower to pump out market data--at least enough for a proof of concept. Additionally, it has almost 3000 ratings, and sits at four stars.

The one router that may be competitive is this guy here, which seems amazingly popular, with a 4.5 star rating, and 14,5K ratings!
https://www.amazon.com/dp/B00F0DD0I6/ref=psdc_300189_t2_B00MPI5N7U

Thoughts?

 

[boosted1g]

I wouldnt recomend the 87U.

It has had some stability issues that I dont think they ever fully worked out.
On top of that most all the extra features are fluff features. Beamforming and MU-MIMO are nice; but only work if your devices also have it (and MU-MIMO laptop cards are just starting to come to market now in 2017, expect 1-2 more years for mobile devices).

 

[boosted1g]

Also, most all current gen laptop and mobile wifi chips are only 866 mbps cards, so having 1700 instead of 1300 mbps wont matter as all your current devices cant go that fast.

I fully agree that you should buy for tomorrow's needs and not today, but in this case you will likely upgrade the router again by the time your devices catch up.

 

[kmiklas]

Also, most all current gen laptop and mobile wifi chips are only 866 mbps cards, so having 1700 instead of 1300 mbps wont matter as all your current devices cant go that fast.

I fully agree that you should buy for tomorrow's needs and not today, but in this case you will likely upgrade the router again by the time your devices catch up.

I went with the Ubiquiti Edgewater X. At about a $50 price point, it's good enough to pump market data ticks out. The market data server will be directly connected to the Edgewater, with a firewall in place.

For personal use, I will connect my old WRT54g to one port on the Edgewater. No need for a VLAN, I actually have a physically separate LAN. Good enough for now, and easily upgraded; the most intensive thing that I do is watch movie clips, and if I need more horsepower on a specific machine, I will connect it directly to the Edgewater.

I've looked at several security solutions to hide my IP address; most promising were:
1. A reverse proxy through a VPN; specifically, ExpressVPN. I'm forwarding UPD to connections to port 40000 on my router. They responded: "Thanks for contacting ExpressVPN support and for your interest! As much as we'd like to support such scenario, I'm afraid we won't be able to do so. Port forwarding doesn't work together with our VPN settings as it poses security risks."
2. A user on SO suggested setting up a Virtual Private Server (vmware, virtualbox), installing nginx, and setting up my own reverse proxy. This might be an option down the road, but I fear performance hits.
3. Using Cloudflare. I'm trying to set up a meeting with them.

@boosted1g, thanks for the lesson. I'll post the tick data link here after I wire everything up.

 

[boosted1g]

No problem.

I was looking at the Edgerouter X. It should be fully capabile of what you are doing. The router will be able to handle about 250 connections between wan to lan. I did read that the router cant handle gigabit throughput between interfaces but if you were working off of a 54g then it is still a huge step up.

 

[kmiklas]

No problem.

I was looking at the Edgerouter X. It should be fully capabile of what you are doing. The router will be able to handle about 250 connections between wan to lan. I did read that the router cant handle gigabit throughput between interfaces but if you were working off of a 54g then it is still a huge step up.

Heya Boosted1g,

Thanks again for the recommendation. It's working beautifully. See the tick data flowing at the following link, and the home page below.

Sincerely,
Keith

http://www.ritchiestockexchange.com/
http://www.ritchiestockexchange.com/tickdata/index.html