Do I need an additional Hardware Firewall?

notneps

Sep 5, 2014
Do I need to add a dedicated hardware firewall for our network? Or will software firewalls, the router firewall, and double NAT suffice? The network is a small home office for a business, set up like this:

ISP1 modem/router combo >> |XXXXXXXXXXXXX|.........../-->> wifi router with DHCP enabled (Guest Wifi)
ISP2 modem/router combo >> |X main router X| >> switch >> wired clients
ISP3 modem/router combo >> |XXXXXXXXXXXXX| >> access point >> wireless clients

Other information, if it matters:
* The only sensitive information would be the network's users' data. We don't store important customer information (credit card details, account numbers, etc.) on our drives, and what little is stored (names, contact numbers) is encrypted. The monetary damage from a successful break-in would be mostly lost revenue if an attack caused our network to go down.
* No port forwarding at all. There are some machines accessible from the WAN side physically located in the same office, but they are on a different connection, different network, so irrelevant to this question.
* I would rate the chance of someone actively trying to break into our network very low to moderately low. I could be wrong, doubt it though.
* The main router handling DHCP is a TPLink TL-R470T+ Load Balancing Router
 
The highest risk would be the guest machines, but if the TP-Link guest works like most, there is the equivalent of a firewall rule that only allows the guest to go to the internet.

The NAT alone will do almost everything a firewall does. Unless you port map or use the DMZ function, any traffic coming from the internet is dropped by the NAT, mostly because it is too stupid to send it anyplace.

You would need a firewall if you have one of your machines exposed to the internet via port mapping, but the ones in the routers may be good enough. It really depends. The firewalls are very basic in routers, whereas a good hardware firewall can recognize attack patterns that the router cannot. But if you do not have a server exposed, then all traffic is dropped by the NAT, so patterns don't matter.

Someone could run a denial of service against you, against which a hardware firewall does a better job, but they would be killing the ISP modem/routers, and since you have multiple you could just switch to another, which is a much better defense to denial of service.
 


The guest wifi router is a separate wifi router, which is a DHCP client of the TP-Link router, so devices that connect to it are on a different network, a network which has a single local IP on the main network. Would it be easy to access one of the machines on the main network connecting through the other WiFi router? I suppose as added security we could connect the guest WiFi router's WAN port to one of the LAN ports on the combo modem/router instead. Problem is it wouldn't be multisourced/load balanced.
 
With cascaded routers like this "guests" can access the IP address range on the WAN of the second router. That means they can initiate connections to the main IP address range but the main hosts can't initiate connections to the guests.

A main router which has multiple VLANs or a DMZ capability would be a better implementation.
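A small model of the forwarding decision on the cascaded guest router, added here as an example (not code from the thread or from TP-Link), showing the leak just described next to the "guest may only go to the internet" rule from the earlier reply. All addresses are constructed for illustration.

```python
# Added example (not from the thread): models the forward decision on the
# cascaded guest router. Addresses are constructed for illustration:
#   main LAN behind the TP-Link: 192.168.0.0/24 (the guest router's WAN side)
#   guest LAN behind the second wifi router: 10.0.0.0/24
import ipaddress
from dataclasses import dataclass

MAIN_LAN = ipaddress.ip_network("192.168.0.0/24")
GUEST_LAN = ipaddress.ip_network("10.0.0.0/24")
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def zone(ip: str) -> str:
    """Which side of the guest router a new connection arrives on."""
    addr = ipaddress.ip_address(ip)
    return "lan" if addr in GUEST_LAN else "wan"

def stock_forward(flow: Flow) -> str:
    """Stock cascaded router: NAT forwards any new connection from lan to wan.
    A new connection arriving on wan has no port mapping, so it is dropped."""
    return "accept" if zone(flow.src) == "lan" else "drop"

def isolated_forward(flow: Flow) -> str:
    """Same router with a guest-isolation rule: from lan, only public
    destinations are forwarded; anything private upstream is dropped."""
    if zone(flow.src) != "lan":
        return "drop"
    dst = ipaddress.ip_address(flow.dst)
    return "drop" if any(dst in net for net in PRIVATE) else "accept"

# Constructed flows: guest to the internet, guest to a main-LAN file server,
# and a main-LAN host trying to reach a guest.
FLOWS = [
    Flow("10.0.0.23", "203.0.113.10", 443),
    Flow("10.0.0.23", "192.168.0.15", 445),
    Flow("192.168.0.15", "10.0.0.23", 22),
]

def evaluate(policy) -> dict:
    """Run every constructed flow through one policy, keyed by src->dst:port."""
    return {f"{f.src}->{f.dst}:{f.dport}": policy(f) for f in FLOWS}

if __name__ == "__main__":
    for name, policy in (("stock", stock_forward), ("isolated", isolated_forward)):
        print(name, evaluate(policy))
```

The stock policy accepts the guest-to-main-LAN flow, which is the leak; the isolated policy drops it while still letting guests reach public addresses.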
 


Thank you! I was not asking about that but now that you're telling me this I see that it is obviously also (and probably more) important; I thought the way it was set up was secure. I'll start looking into that right away. Any other suggestions as how I could further secure our network?

Also, how do you access another router/device on the WAN side of the router?
 


Since there is no DNS for the LAN devices on the WAN side of the second router, you just need to know the IP address. You should be able to test this by pinging the first router from a WiFi connection on the second router.
 


NAT itself provides virtually no security and is entirely limited to the quality of the stateful firewall the NAT is built upon. Due to the fact that NAT complicates firewalls, and complex systems are more likely to have bugs than simple systems, many NATs have some very serious bugs that allow outsiders to gain access to the internal network.

Not only do NATs not increase security, but on average they decrease security.

The only real benefit of NAT is that by default it needs to block incoming connections in order to work. Any decent firewall already does this, but there are many poor firewalls that don't. The chance of a crappy NAT firewall allowing incoming connections is lower than a crappy non-NAT firewall. That's about your only benefit.