[kwlug-disc] Two ethernet ports - 1 in, 1 out
unsolicited at swiz.ca
Mon Jan 25 13:23:03 EST 2010
Depends on what you're looking for / to do.
Conceptually, I think this is what you're looking for:
From what I've seen in the past, having two NICs is no more secure
than just having 1. i.e. It's a bastardized DMZ that isn't really
effective. Once they're to your box, it's only a short step to
crossing NICs and they're inside. Whereas with 1 NIC, the firewall in
front of it (a) makes sure that only specifically allowed services get
to the box, internally or externally, and (b) anything coming
internally doesn't originate from anywhere other than that box. Being
dedicated, such firewalls make oops happen less frequently - when
fixing/updating one package inadvertently opens up or interacts with
another in an insecure, and all but hidden, manner.
But that's my take on your question. John took it a slightly different
And we've both commented in the past that there's the way you're
supposed to do things, and the way they're most commonly done. In the
home, it's the latter. In the enterprise (in your case, your bet your
livelihood business), it's the former. It takes discipline.
Granted, vast improvements have been made over the years to prevent
cross-NIC traffic, but it's still not as simple or obvious as having
that dedicated box in front of it.
Policy based routing will probably apply, dedicated box or not. And
the learning curve thereof.
Generally, the security concerns about your asterisk and web server,
indeed any publicly accessible server, are the same. It's probably
arguable in your case that you have an internal and external asterisk
server, and your internal asterisk server only accepts outside traffic
via your external one. I'd guess that one or both of these could be
OpenWRT. Not sure whether the internal one being x86 (OpenWRT) would
serve you better in combining more services on one box (less hardware
to maintain), and the external one being on a (OpenWRT) router
(service/hardware isolation). I'd argue your external one would be on
your site, not your server farm site - if you have no internet at
home, you ain't getting calls, regardless of the location of the
external server. If you have a box issue, at least it's to hand.
But, like I said, depends on what you're looking for / to do. Can you
Insurance Squared Inc. wrote, On 01/25/2010 11:28 AM:
> If I'm running an asterisk server is it worth having two ethernet ports
> and setting it up so that inbound traffic comes in port A and outbound
> traffic goes out port B? What about on a webserver?
> And where would I start to look into how to set that up? I'm not sure
> if it's worth doing this, and if so, where to start reading on 'how'.
More information about the kwlug-disc_kwlug.org