Do I need a firewall with FusionHub?

#1

Hi all, we were going to deploy FusionHub for our customers on AWS but decided on our local ISPs cloud platform instead using vSphere. I have FusionHub working fine and connected to our site with SpeedFusion working. I hired a VMware specialist to review the config and he said it’s fine but I’m lacking a firewall and that he’d need to install pfsense or another firewall system. I didn’t see any mention of this in the FusionHub manual. I’m fine using one and probably should but wanted to make sure first. Thank you.

#2

You can secure FusionHub by using the security group settings in AWS. You can find the necessary ports to be opened for FusionHub in FussionHub user manual.

1 Like
#3

But I’m not using AWS I said, I’m using vSphere. So would I install pfSense or another firewall and open the ports on that?

#4

I run FusionHub on non AWS hosting platforms with and without a firewall on its WAN. FusionHub is based on a custom hardened linux OS, so in itself is pretty secure in that there are very few services presented to the WAN - but it is limited on firewall functionality.

If you want to restrict which source IPs can try and connect to your Fusionhub for PepVPN/SF, or if you want enhanced IDS and DDoS capability a firewall is a good idea.

I greatly prefer opnsense over pfsense though and would suggest you consider that instead.

2 Likes
#5

Thanks so much sorry I just noticed this response. For us FusionHub is just used for customers for inbound fail over. So they might have a Balance on prem that fails over to LTE, but if they have a FTP server on site for example their customers wouldn’t be able to remotely connect to it since it would now be using the LTE’s public IP. So instead we’ll use FusionHub’s IP and forward the traffic to their site. I figure if a customer buys cable or DSL all ports are open, and it’s up to them to have a firewall on premise, so I’m looking at this kind of the same way.

#6

Just having this debate myself. I signed up for a cloud account today and preparing to install fusionhub, in the first hour I see the cloud account first test os noted 1200 failed login attempts in 2 hours so far. I got a bit spooked by that stat and haven’t installed fusionhub yet. I might request a different IP, but I’m not sure what to make of it. Got a bit spooked by that kind of exposure.

My first thought was that fusionhub in the cloud wouldn’t be any different than a peplink device on a cable/fiber connection. But I was a bit shocked by how many attempts / hour on a new cloud instance.

Do I need to worry about the fusionhub being brute forced itself more than a physical appliance? (or even being brute forced during the install procedure?)

What about potential bad traffic forwarded from a fusionhub in the cloud vs. a peplink device on a broadband connection?

Do gigabit broadband connections get that kind of brute forcing regularly now? I don’t have a really fast local connection, so maybe I don’t know what I’m missing…

#7

If you are running the FusionHub at a commercial VPS service then their IP address block is known, and known to be hosting third-party systems likely to be of more interest than personal systems hosted by non-commercial network subscriptions. Thus they may be considered more juicy targets and more likely to be explored by bad actors.

And then there is shadowserver.org (upon which I wish a pox any day and every day)… They claim to be legitimate, but they behave in a rather unneighborly way.

#8

I enabled the firewall with no ports open during setup; otherwise I fear the default credentials would have been brute forced in the few seconds between the install and when you can login and update the login credentials. I’ll plan to leave 80 and 443 locked down to prevent web admin access. Still not sure how to feel about the degree of bad actor noise and probes and failed logins with the cloud hosted end on an ongoing basis… I wonder if amazon cloud instances are also targeted as heavily?

#9

Back to the very basics, if I have the following setup:

[fusionhub solo in cloud]<->[speedfusion link over slow “broadband” links 1 and 2]<->[balance router]

With fusionhub solo installed
-with no extra configuration of firewall settings, and
-no manually entered port forwarding,

would probing / brute force attempts / etc. aimed at the fusionhub IP consume bandwidth over the speedfusion connection to the local balance router?

#10

No. So long as no ports are forwarded - traffic would stay at the Fusionhub level.

1 Like