A separation of wan and lan Firewalls Routers GOOD or BAD idea ?


Post #1 (win7pro, 140 posts)



    I am researching our network security. I suppose it is a whole career in itself, but I think I want to try to come up with a way to have a more secure peer-to-peer network. I am researching different routers.

    We have our WWW router that also shares files. So what if we used a separate set of RJ45s to run the file sharing? Or perhaps use USB file sharing in some fashion to make it safer to share files.

    So it seems possible to have two network cards in each machine, one preferably a 10 Gbit for sole personal data sharing, and somehow keep that separated from the WWW LAN.
    It seems like it would take the hackers one extra step to get at your data.

    Also I am wondering about simply turning off the router that goes to the ISP and only having it on when the computers are logged into. Maybe a remote switch to the router, or a remote switch right in the line of the Ethernet wires. Then do the same with the other set of RJ45 network that shares the data. It only needs to be connected when I want to use it and not all the time. Out-of-the-box stuff here. A physical remote switch is not hackable if it is its own unconnected hardware.
    It might impair a cable's ability to transmit data.

    Just trying to think of different ways to keep data from being encrypted or hacked into.

    Because I can right now press the paper clip and browse to my shared HD, it's a little unnerving.

    I have probably missed good tutorials on network security, or what would I search for ON THIS forum for making our small office network more secure? I did find an article about how to set up a router in a secure way.

    Hardware Firewall - an overview | ScienceDirect Topics
    well written easy to follow and good info.
    [Attached thumbnail: 2killswitch.jpg]


Post #2 (win 8 32 bit, 3,788 posts)

    Just to be clear, you say WWW router; are you running a web server live on the internet? Is the router running NAT, and do you have any ports forwarded? If it's running NAT and you're using local 192.168 IPs, they don't go out on the net, so people can't get to PCs unless you have forwarded ports or malware on a PC opens ports via unplug and pray.


Post #3 (Windows 7 Ultimate x64, 0 posts)

    You might want to check out the firewall Pfsense. You can either install it yourself in a nettop or thinclient or you can buy a thinclient with Pfsense already installed on eBay. You can give Pfsense a try in VMware Workstation Player to see what it's like.

    Here are some of the ways that a hacker can get at your stuff:

    The first is obvious, and that is with malware. So scan all, and I mean ALL, downloads at VirusTotal. In fact, bookmark that webpage for easy access. The program Sandboxie for your browser will work wonders. But right now Sandboxie is having server problems.

    The second is with a vulnerable router with vulnerable firmware. So you should always stay abreast of any and all firmware updates for your router. But by and large you are probably better off with a router capable of running a third-party firmware like DD-WRT or ASUS Merlin. You can flash the compatible router to DD-WRT or ASUS Merlin yourself, or buy one with it already installed on eBay as well. I went that route when I bought my second router. It runs ASUS Merlin and I kept its firmware updated with each release. In fact, when you log into the router it tells you if there is a new update.

    Third, don't use the default username and password for the router. Change those to something else.

    Fourth, turn off UPnP in the router and never use it. If you ever need to forward a port, and you can control what port to use for your application, choose a port way up there like 34567 or something. Don't be cute and use a port like 1337 (which stands for leet) or something like that. There are about 65,000 ports that you can use.


    I share files myself with my own local FTP server using the FileZilla FTP server on a netbook that's on 24/7. The storage for the FTP server is on an SD card in the netbook. A great FTP client is WinSCP. WinSCP can even navigate Amazon AWS S3 shares. And best of all, WinSCP is free.

    As to your switch idea. If the computers are off, a hacker can't get into them anyway unless you have remote power on turned on in the computer's BIOS. Then a hacker could send the wake command and go from there.

    A segregated network with WAN (Wide Area Network) on one NIC (Network Interface Controller) and LAN (Local Area Network) on another NIC sounds prudent. Anything on the LAN really can't be seen on the open Internet unless you get a certain type of malware. Especially through an email attachment.

    Which brings me to point five. If you use an email client, you should turn off the ability to parse HTML email. And be very leery about attachments. In Thunderbird you'd go to View | Message Body As | Plain Text. This is especially important if you use PGP since there is a CVE involving PGP and HTML encoded emails that can cause PGP encrypted emails to be exposed.

    To mitigate your data from ransomware and having it all get encrypted, you need to have a good, reliable backup strategy. For me, I use a combination of external hard drives kept in a fireproof safe (can be had for around $35), DVD/RW, Blu-ray and Amazon AWS S3 using the program CloudBerry Backup. Amazon S3 is a cloud provider much like Azure or Google Drive, etc. With CloudBerry Backup the folder I want backed up is synced to the cloud periodically. My computers are cloned to external hard drives with AOMEI Backupper. So should I ever get a malware infection I can clone right back like nothing hardly ever changed at all.

    Just some food for thought.
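The NAT point in post #2 and the two-NIC idea in post #3 both reduce to one question: which listening services on a PC are reachable through the Internet-facing card, and therefore through any port the router forwards (or UPnP opens)? A second NIC only segregates the file share if the share binds to that NIC; a service bound to 0.0.0.0 listens on every interface. The script below is an added example, not code from the thread. It assumes made-up addressing (192.168.1.20/24 on the WAN-facing NIC, 10.10.10.20/24 on the storage NIC) and audits a constructed `netstat -an` listing shaped like Windows output.

```python
"""Audit which listening sockets are reachable through the WAN-facing NIC.

Added example (not from the thread). Subnets and the netstat listing are
constructed; on a real machine feed it the output of `netstat -an`.
"""
import ipaddress
import re

# Assumed addressing: WAN-facing NIC behind the ISP router, storage-only NIC.
WAN_NIC = ipaddress.ip_interface("192.168.1.20/24")
STORAGE_NIC = ipaddress.ip_interface("10.10.10.20/24")

# Constructed sample in the shape of Windows `netstat -an` output.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.10.10.20:139        0.0.0.0:0              LISTENING
  TCP    10.10.10.20:21         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:3389      0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:52345     93.184.216.34:443      ESTABLISHED
  UDP    0.0.0.0:1900           *:*
"""

# proto, local addr, local port, foreign addr, optional state (UDP has none)
_SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_text):
    """Return (proto, bound_ip, port) for every socket that accepts traffic:
    TCP sockets in LISTENING state and all UDP sockets."""
    listeners = []
    for line in netstat_text.splitlines():
        m = _SOCKET_RE.match(line)
        if not m:
            continue
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/closing connections are not an attack surface
        try:
            bound = ipaddress.ip_address(addr.strip("[]"))  # strip IPv6 brackets
        except ValueError:
            continue
        listeners.append((proto, bound, int(port)))
    return listeners


def nics_for(bound, wan=WAN_NIC, storage=STORAGE_NIC):
    """Set of NIC names through which a socket bound to `bound` can be reached."""
    if bound.is_loopback:
        return set()
    if bound.is_unspecified:  # 0.0.0.0 or :: -> listens on every interface
        return {"wan", "storage"}
    nics = set()
    if bound == wan.ip:
        nics.add("wan")
    if bound == storage.ip:
        nics.add("storage")
    return nics


def audit(netstat_text, wan=WAN_NIC, storage=STORAGE_NIC):
    """Classify listeners by the NIC(s) they are reachable through."""
    report = {"wan_exposed": [], "storage_only": [], "local_only": []}
    for proto, bound, port in parse_listeners(netstat_text):
        nics = nics_for(bound, wan, storage)
        if "wan" in nics:
            report["wan_exposed"].append((proto, port))
        elif "storage" in nics:
            report["storage_only"].append((proto, port))
        else:
            report["local_only"].append((proto, port))
    # With an RFC 1918 address on the WAN NIC (the NAT setup post #2 describes),
    # wan_exposed ports are reachable from the Internet only via a port forward
    # on the router or a port that UPnP/malware opened.
    report["wan_nic_is_private"] = wan.ip.is_private
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_NETSTAT).items():
        print(f"{key}: {value}")
```

In the constructed listing the SMB port 445 and RPC port 135 are bound to 0.0.0.0, so they are reachable through the WAN-facing NIC despite the second card; only the FTP and NetBIOS listeners bound to 10.10.10.20 are actually confined to the storage network. The fix is to bind the share to the storage NIC's address (or block 135/139/445 inbound on the WAN-facing adapter in the host firewall), not just to add the card.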


Post #4 (win7pro, 140 posts, thread starter)

    F22, this is great stuff. I was introduced to SyncBack and use it nightly. Once a week I plug in an unplugged backup, back up our work, and unplug it. BUT! That unplugged backup could be vulnerable to exploitation on restore. I love the idea of a solid write blocker. I like the idea of the M-Disc 1000-year 100 GB Blu-ray technology because there is no way a DVD player can even have a chance to mess up data created on a Blu-ray. But it's really slow and would be a pain to separate out 4 TB of data onto 100 GB disks. So in lieu of Blu-ray we have duplicate drives offsite. I like to use a combination of backups on the OS drives. Spotmau has been really good to me. I like Acronis 2013 and I will for sure get AOMEI Backupper. I'm talking about the simple stuff. UPnP, PGP, CVE: I have much to find out about now and study to do. Thanks for this, I needed some direction.

    samuria- I am not running a web server.

    Muchas Gracias Guys !
    Last edited by DonM123; 21 May 2019 at 18:00. Reason: So in lieu
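Posts #3 and #4 both land on the same backup problem: an offline copy protects against ransomware only if you can tell, before restoring, whether the copy itself was rewritten while it was plugged in. A hash manifest written when the backup is taken and stored separately from the data (on the offsite drive, or burned to the M-Disc) gives that check. The following is an added example, not a tool anyone in the thread used; it builds a SHA-256 manifest of a directory tree and later reports files that changed, vanished or appeared, using a constructed scenario in a temporary directory.

```python
"""Hash manifest for verifying a backup set before restoring from it.

Added example (not from the thread). The demo builds a small constructed
backup tree, saves a manifest, then simulates ransomware damage.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_sha256(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large media files do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root, manifest):
    """Compare the tree under root against a previously saved manifest.

    'modified' files are the ransomware signature: same name, different bytes.
    'unexpected' files (ransom notes, renamed .locked copies) are also a tell.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo():
    """Constructed scenario: take a backup, save its manifest, then damage it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "docs").mkdir()
        (root / "docs" / "invoice.xlsx").write_bytes(b"PK\x03\x04 fake spreadsheet")
        (root / "docs" / "notes.txt").write_text("quarterly notes")
        (root / "photo.jpg").write_bytes(b"\xff\xd8\xff fake jpeg")

        # The manifest would be written to a different medium than the data.
        saved = json.dumps(build_manifest(root))

        # Simulate what ransomware does to a mounted backup drive:
        (root / "docs" / "invoice.xlsx").write_bytes(os.urandom(32))  # "encrypted"
        (root / "photo.jpg").unlink()                                  # deleted
        (root / "README_DECRYPT.txt").write_text("pay up")             # ransom note

        return verify_manifest(root, json.loads(saved))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run the build step right after each weekly backup and the verify step before any restore; a non-empty `modified` list means the backup was touched while connected and an older copy (the offsite drive, the optical media) should be used instead.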


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.