I'm not so sure there's really the necessity for two NICs and two hubs, you
can effectively achieve the same separation of your network by working
different subnets correctly--still using the one NIC in the firewall as the
gateway.
But, yes, unless you have the firewall locked down properly, any number of
services can be exploited to expose the entire internal network.
I was simply suggesting to limit the complexity of the LAN because it is a
SOHO setup... if there is a steep growth in capacity expected in the future,
you may wish to start the multi-NIC way, or even obtain another firewall
machine for redundancy, or to create a DMZ for better protection.
More options... soon, you may wish you never asked! :)
--Greg
> Hold on. Civilme posted a message a few months ago stating that a single
> NIC with a single hub is dangerous. He said something to the effect of "a
> hacker could create a VPN on his side that effectively exposes your entire
> private network." Unfortunately, Civilme is no longer on the list. Check
> the archives. You want at least 2 NICs with 2 hubs (or a direct link from
> NIC to DSL modem).
>
> I would assume further isolation of the email and web server would further
> protect the network. If the email or web server is hacked, the ipchains on
> the Linux router would effectively only allow port 25 and 110 to leave the
> mail server. This assumes that you have stripped your router down to the
> point that it is virtually impossible to hack (nothing but ssh logins).
>
> Matthew Zaleski
>
> > -----Original Message-----
> > From: Joseph S. Gardner [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, August 18, 2000 8:33 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [expert] Stupid server question #3
> >
> >
> > Greg Stewart wrote:
> > >
> > > > Why not plug B and C into the hub also? I don't see the advantage to
> > > > plugging them directly to the firewall... Consider this:
> > > >
> > > > internet -> dsl modem -> comp a -> hub -> all other computers
> > > >
> > > > You still have comp a (your firewall) between the internet and all of
> > > > your machines... hooking up b and c to a is just costing you more work
> > > > with getting 4 nics setup instead of 2 (all you really need).
> > >
> > > Also, depending on the age/maturity of the firewall (old machine, or brand
> > > new?) you may be consuming a bit more system overhead than you
> > > need--powering and driving two extra NICs.
> > >
> > > Besides, it's easier, and involves less typing, configuring your firewall to
> > > masquerade only one NIC, rather than three. You would, then, also need to
> > > plan for three subnets, and port-forward accordingly. A little more
> > > confusing than having only one subnet and one internal NIC.
> > >
> > > --Greg
> > >
> > > > On Wed Aug 16, 2000 at 11:22:14AM -0400, Joseph S. Gardner wrote:
> > > >
> > > > > SOHO server setup scenario "Firewall from hell"
> > > > >
> > > > > The object being to keep it simple but keep it secure....
> > > > >
> > > > > Assuming five computers
> > > > > comp A = firewall w/ X NIC's
> > > > > comp B = mail server
> > > > > comp C = web server
> > > > > comp D = workstation D
> > > > > comp E = workstation E
> > > > >
> > > > > also assuming I have dsl modem and one hub
> > > > >
> > > > > internet connection plugged into DSL modem.
> > > > > DSL modem plugged into comp A (firewall)
> > > > > Comp A, D & E plugged into hub
> > > > > Comp B & C plugged into comp A
> > > > >
> > > > > this would mean comp A would require 4 NIC's (DSL, comp B, comp C and
> > > > > hub)
> >
> > There's definitely something I never thought of, I guess I never realized
> > that you could effectively protect the internal machines if they had a
> > "direct" connection to the "public" machine via the hub but it does
> > make some sense now that you mention it. (Head hung in shame)
> >
> > Thanks,
> > --
> > Joseph S Gardner
> >
> > Senior Designer / Technical Support
> > Kirby Co., Cleveland, OH
> > [EMAIL PROTECTED]
> >
> > The box said,
> > "Requires Windows 3.x or better",
> > so I got Linux.
> >
> > Registered Linux user #1696600
> >
>
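An added example, not written by anyone on this thread: a small Python model of the two layouts being argued over (one shared hub versus a NIC per server) that shows which flows comp A's packet filter gets to rule on at all. Host names follow the thread; the segments, ports and rule set are constructed for illustration, and the rules are keyed on the interface a packet arrives on rather than its source address.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str    # host name from the thread (B..E) or "internet"
    dst: str
    dport: int  # TCP destination port

# Constructed layouts. The value is the wire (segment) each host sits on;
# comp A is the only path between different segments.
SINGLE_HUB = {"B": "lan", "C": "lan", "D": "lan", "E": "lan", "internet": "wan"}
MULTI_NIC = {"B": "mail", "C": "web", "D": "lan", "E": "lan", "internet": "wan"}

# Constructed forward policy on comp A, keyed on (in-segment, out-segment,
# port or None for any); first match wins, default deny. Encodes "only mail
# ports may leave the mail server" and the equivalent for the web server.
RULES = [
    ("mail", "wan", 25, True),     # outbound SMTP from the mail server
    ("mail", None, None, False),   # nothing else from the mail server
    ("web", None, None, False),    # the web server initiates nothing
    ("wan", "mail", 25, True),     # inbound SMTP
    ("lan", "mail", 110, True),    # workstations fetch mail by POP3
    ("lan", "mail", 25, True),     # workstations send mail
    ("wan", "web", 80, True),
    ("lan", "web", 80, True),
    ("lan", "wan", None, True),    # workstations may reach the internet
]

def deliver(layout, flow):
    """Return (delivered, inspected): inspected is False when the packet
    never crosses comp A, so no rule could have applied to it."""
    src_seg, dst_seg = layout[flow.src], layout[flow.dst]
    if src_seg == dst_seg:
        return True, False          # same wire: the firewall never sees it
    for rule_src, rule_dst, port, verdict in RULES:
        if rule_src == src_seg and rule_dst in (None, dst_seg) \
                and port in (None, flow.dport):
            return verdict, True
    return False, True              # default deny

def blind_spots(layout, flows):
    """Flows that reach their destination without comp A ever seeing them."""
    return {f for f in flows if deliver(layout, f) == (True, False)}

if __name__ == "__main__":
    sample = [Flow("B", "D", 22), Flow("B", "internet", 25),
              Flow("B", "internet", 6667), Flow("internet", "C", 80)]
    for name, layout in (("single hub", SINGLE_HUB), ("multi-NIC", MULTI_NIC)):
        print(name, sorted((f.src, f.dst, f.dport) for f in blind_spots(layout, sample)))
```

In the single-hub layout a compromised B reaches D without comp A seeing a packet, and address-based rules on A cannot change that, because the traffic never crosses the router; in the multi-NIC layout the same flow is dropped by the default-deny mail rule.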