When Firewalla runs as the main router (typically with Natting), assuming 192.168.0.1
- Have firewalla reserve a second IP on the LAN side (ie: 192.168.0.2) which can be trusted since it originates from the firewalla itself unlike traffic from gateway IP.
- uses this IP to run firewalla port scans/discovery/monitoring/honeypot_LAN
- port scans
run the firewalla port scan from that IP so it can be added as a trusted IP to LAN devices security stacks which might have port scans protections
in addition of the standard port scan which attempts to identify all services as potential attack vectors for a given IP, run a much smaller subset only targeting well known services with the goal to refine the discovery of the type of the target (ie look for smb for windows, ssh for linux(s), snmp, rip, http/https, rtsp, onvif...). Also make sure you "pace" the discovery probing across devices to avoid triggering port-scans counter-measures(!BitDefender!)
DAY-2, it would be great to provide an option in the web gui for a given device service to send an alert if the service drops from the network over a specific refresh rate...(ie: send me an alert if my web application running on TCP:192.168.0.10:1234 drops from the network).
DAY-3, provide the option to run a script on firewalla when the alert triggers, (ie: maybe allow me to failover my port forwarding rule for from internet:1234->192.168.0.10:1234 to internet:1234->192.168.0.11:1234 ) while the monitoring probes fails.
runs a set of well known port listners on this LAN-only IP (ssh,ftp,http,https,..) to detect a potential mole within the LAN targeting LAN only IPs.
note: if firewalla runs on multiple VLAN or subnets you would need 1 IP per subnets and have the second IP a member of each VLAN.
Please sign in to leave a comment.