Sonicwall OPT port

  • Question

  • Hi everyone,

    I'm doing IT support for a small network of about 25 computers.  We have a Sonicwall TZ170.  Our T1 is plugged into the OPT port, and the WAN port is unused.   I'd like to move it over to the WAN port.  Is there any benefit to doing this? 

    I also want to say thanks for the advice given in this forum; I've been lurking for about a week and have started using OpenDNS.

    Edit: I'm also considering moving the servers to the OPT port so they are isolated from the LAN.  Should I do this, or should I keep the OPT port unused in case we get a second internet connection and want to enable failover or load balancing?
    Saturday, February 26, 2011 4:49 PM

Answers

  • The T1 is in the optional port? When I first hear that, I think: that's crazy, move it to the WAN port.  But then I remember that we all sometimes do things that seem crazy because it was the only way to make it work.  Sometimes those crazy workarounds are due to a technical limitation, and sometimes they are due to the limitations of our own understanding.  So I would approach the move with caution, as it's possible that the WAN port was misbehaving and the link was moved to the OPT port in order to improve stability, or something like that.  Ensure you have backups of the current config and you know how to apply those backups if things fall apart.  I worked with a firewall once that was dropping packets whenever I used the standard external port.  It turned out that the board had bad soldering on that port.  I worked with another firewall once that just could not negotiate connection speeds with the upstream router even if things were static.  I had to put a network switch between them to smooth out the traffic.  Sometimes we have to take odd measures in order to avoid much higher expenses.  (The good aspect of the switch between the telco and firewall is the ability to test your network from outside the firewall, if you have an extra public IP address.)

    In my opinion, your idea of moving the servers to the opt port is a good choice.  I always try to segment my networks in such a manner because then I can more tightly control access to the servers.  Imagine one of your workstations contracts some sort of bad "stuff" and that bad stuff starts probing your network for opportunities for future infection.  If you have your servers firewalled off from the clients then you increase your operational strength by decreasing your attack surface area.  Your firewall may protect you from most standard attacks from the internet; but it's very easy for viruses to walk around your firewall by way of a USB stick or laptop or other portable media.  I protect my servers from internal clients in the same manner in which I protect my network from external systems.  For the same reasons, whenever possible and reasonable, I also segment and firewall my workstations from each other in order to further reduce the risk of a system-wide infection outbreak.  If it's my own infrastructure and we work with very sensitive data, then I physically segment the network and I also tighten down the ports on each server to only allow necessary communication.

    Of course, you must always balance the cost of complexity with practicality.  In a small network such as this, IF there are extra ports available on the firewall, then I'll segment the network to a reasonable degree.  I'll document the segmentation with the idea that someone after me should be able to figure it out quickly.  I'll also document my reasons for doing something, such as using the OPT port for the external traffic, so that people don't think I'm a crazy person.  I try not to take the segmentation so far that the system cannot be maintained by anyone other than myself.  A security environment should always balance the business needs with those opportunities for improvement.

    The other benefit to using the WAN port for the WAN link is for communication and maintainability.  If a system is set up in some non-standard manner, then when you call tech support the discussion can become confusing, or the technician who is currently working on the firewall can become confused and make mistakes more easily.  Also, if the company needs to bring someone else in to work on the firewall, it's in the best interest of the business to set things up in as close to a standard method as possible, so that when someone else steps in to work on it, their discovery time is as minimal as possible (lower cost).


    • Marked as answer by Kevin Remde Wednesday, March 2, 2011 12:58 PM
    Monday, February 28, 2011 4:15 PM
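As an added illustration (not from the thread and not SonicWall configuration), here is a small Python model of the segmentation the answer describes: workstations on the LAN, servers on the OPT port, a default-deny between the two zones with explicit allows only for the services the workstations actually need, and no path from the server zone back to the workstations. The zone subnets, service ports and the `evaluate`/`exposed_ports` helpers are all assumptions made for the example; the last function shows what a probing workstation would still be able to reach once the policy is in place.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the two internal zones (assumed, not the poster's network).
ZONES = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),  # workstations
    "OPT": ipaddress.ip_network("192.168.2.0/24"),  # servers on the OPT port
}

def zone_of(ip):
    """Map an address to its firewall zone; anything not local is treated as WAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str          # "tcp", "udp" or "any"
    dports: frozenset   # empty set means any destination port
    action: str         # "allow" or "deny"

# First-match policy. Service ports are assumed for illustration (SMB, LDAP, Kerberos, DNS).
POLICY = [
    Rule("LAN", "OPT", "tcp", frozenset({88, 389, 445}), "allow"),
    Rule("LAN", "OPT", "udp", frozenset({53, 88}), "allow"),
    Rule("LAN", "OPT", "any", frozenset(), "deny"),        # nothing else reaches the servers
    Rule("OPT", "LAN", "any", frozenset(), "deny"),        # servers never initiate to workstations
    Rule("LAN", "WAN", "any", frozenset(), "allow"),
    Rule("OPT", "WAN", "tcp", frozenset({80, 443}), "allow"),  # updates only
    Rule("OPT", "WAN", "any", frozenset(), "deny"),
    Rule("WAN", "LAN", "any", frozenset(), "deny"),
    Rule("WAN", "OPT", "any", frozenset(), "deny"),
]

def evaluate(src_ip, dst_ip, proto, dport):
    """Return the firewall verdict for one flow; unmatched flows fall to implicit deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "allow"  # same-zone traffic never crosses the firewall
    for r in POLICY:
        if (r.src_zone == src and r.dst_zone == dst
                and r.proto in ("any", proto)
                and (not r.dports or dport in r.dports)):
            return r.action
    return "deny"

def exposed_ports(src_ip, dst_ip, ports=range(1, 1024)):
    """TCP ports a host at src_ip could reach on dst_ip: what an infected workstation's scan sees."""
    return sorted(p for p in ports if evaluate(src_ip, dst_ip, "tcp", p) == "allow")
```

Without the two LAN/OPT deny rules, `exposed_ports` would return every port a server listens on, which is the lateral-movement surface the answer is trying to shrink.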

All replies

  • Thanks for the response.  I kept wondering why it would be on the opt port, and I figured that they were planning to add another internet connection.  I'll update here when I'm done and let everyone know how it went.

    Tuesday, March 1, 2011 1:09 AM