Multiple Routers for Secure Operations?


LiquidPsyrix
08-31-05, 09:38 PM
Greetings,

This is a random topic that may be helpful or at least inspiring for those who have a knack for their network security...

Would it prove to be beneficial to have more than 2 or 3 routers in front of your main rig or Web/FTP/IRC/etc servers for security purposes?

Like this...
[Internet]->[CableModem]->[Router1]->[Router2]->[Router3]->[Server/Rig]
Router1=192.168 subnetting, with DMZ pointing to; Zombie 2000Pro BoxA NIC1
Router2=123.123 subnet, with DMZ pointing to subnet 192; 2000Pro BoxA NIC2
Router3=122.122 subnet, with DMZ pointing to; Unused/Reject IP on subnet 122.122.x.x


I know every hardware device that utilizes NAT adds a slight layer of protection to the inner LAN, so is there anything that provides more security than shelling out $500 for a Hardware Firewall with Intrusion Detection?

-LiquidPsyrix-

chris000001
08-31-05, 09:41 PM
the wan port is the secured port on the router...
you can only hook a modem up to this port... i have multiple routers on my network only used as switches and wireless access points

LiquidPsyrix
08-31-05, 09:47 PM
Action: Disable DHCP on Routers 2 and 3.
Then, say you take router 2 and connect its WAN port to one of router 1's LAN ports. At that point, you should get a link, and the ability to span down the chain, no?

If so, continuing down the line with all these routers. Seems like lots of wasted overhead, but still, it's a sacrifice towards security.
Please correct me at any point you find something that's incorrect or impossible.

-LiquidPsyrix-

chris000001
08-31-05, 09:54 PM
the second and third router are acting as a switch not a router once you do this. disabling the dhcp doesn't turn off routing features, it just turns off the auto assigning of ip addresses.

say your router addy is 192.168.1.1, you can use up to 192.168.1.999 with the dhcp disabled, you just have to set a static ip from your computer to the router, setting the gateway as 192.168.1.1

btw are you enabling DMZ....BIG SECURITY RISK!!!! only open the ports you need.

LiquidPsyrix
08-31-05, 10:00 PM
I'm with ya so far..

Now from what I've studied, using the DMZ intelligently can help reduce the chances of problems arising on your private machines. It somewhat acts as a magnet towards metalheads trying to pry their way around your IP Address. Once they see they can get in easier (which of course is the whole point of the trapped DMZ in the first place) they will only be stuck on that single machine which does not have the ability to communicate with the main rig/server based on policies and restrictions set up in the midst of this whole network.

Overall, you're saying that just connecting the PC to the router and router to the net is safer than more than 1 router in front of your PC?

Thanks for your time and input, BTW. =D
-LiquidPsyrix-

chris000001
08-31-05, 10:01 PM
here is my network setup ...
cable modem---->linksys wirelessG w/speedbooster---->Parents computer
                                                ---->Server
                                                ---->linksys Wireless G router w/speedbooster---->My computer

Then i use the wireless for my powerbook and both routers cover my entire house and i never see anything under perfect signal and then for security on the wireless i use mac addy filtering

chris000001
08-31-05, 10:08 PM
there's really no way to use DMZ intelligently because it opens all ports to that single computer, port forwarding is a million times safer... plus it allows for opening ports on more than one computer.... i have remote desktop on my computer and for my server... i just changed the listening port for my server and then opened that port on my router plus i use emule on my computer and then i host bf and bfv server on my server.

and yes there is no difference in adding more routers to your network since they will be used as switches they won't even be seen as a device on the network
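
The DMZ-versus-port-forwarding difference argued over in this thread, modelled as an added example (not code from any poster): it computes which listening services an unsolicited Internet connection can reach under each setup. It assumes every cascaded router is cabled WAN-to-LAN and performs NAT; the router names, the server's services and all rule sets are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class NatRouter:
    """Simplified inbound behaviour of a consumer NAT router (assumed model)."""
    forwards: dict = field(default_factory=dict)  # WAN port -> (LAN target, LAN port)
    dmz: str = ""                                 # gets every port with no forward

    def inbound(self, port):
        """Where an unsolicited WAN connection goes, or None if it is dropped."""
        if port in self.forwards:
            return self.forwards[port]
        return (self.dmz, port) if self.dmz else None

def trace(routers, hosts, entry, port):
    """Follow one inbound connection; return (host, service) it reaches, or None."""
    target, seen = entry, set()
    while target in routers and target not in seen:  # 'seen' guards against loops
        seen.add(target)
        hop = routers[target].inbound(port)
        if hop is None:
            return None
        target, port = hop
    service = hosts.get(target, {}).get(port)
    return (target, service) if service else None

def exposure(routers, hosts, entry="r1"):
    """Map every public port that reaches a listening service to (host, service)."""
    hits = ((p, trace(routers, hosts, entry, p)) for p in range(1, 65536))
    return {p: hit for p, hit in hits if hit}

# Constructed sample: one server with four listening services.
HOSTS = {"server": {21: "ftp", 80: "http", 445: "smb", 3389: "rdp"}}
# One router, only the needed ports forwarded.
FORWARD_ONLY = {"r1": NatRouter(forwards={21: ("server", 21), 80: ("server", 80)})}
# One router, DMZ pointed at the server.
DMZ_SINGLE = {"r1": NatRouter(dmz="server")}
# Three cascaded routers, each DMZ pointing at the next hop.
DMZ_CHAIN = {"r1": NatRouter(dmz="r2"), "r2": NatRouter(dmz="r3"),
             "r3": NatRouter(dmz="server")}
# Three cascaded routers, port 80 forwarded at every hop.
FORWARD_CHAIN = {"r1": NatRouter(forwards={80: ("r2", 80)}),
                 "r2": NatRouter(forwards={80: ("r3", 80)}),
                 "r3": NatRouter(forwards={80: ("server", 80)})}

if __name__ == "__main__":
    for name, net in [("forward only", FORWARD_ONLY), ("DMZ", DMZ_SINGLE),
                      ("DMZ chain", DMZ_CHAIN), ("forward chain", FORWARD_CHAIN)]:
        print(f"{name:14} exposes {sorted(exposure(net, HOSTS))}")
```

In this model a chain of DMZ settings exposes exactly what a single DMZ does, while forwarding one port at every hop exposes only that port.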

LiquidPsyrix
08-31-05, 10:14 PM
Sweet!

Thanks for the great information. I was always led to believe that Routers/Switches have all these security features that make everything alllllll better.

But, in the long run, it's apparent to just keep it EZ and less stressful.

-LiquidPsyrix-