[kwlug-disc] Two ethernet ports - 1 in, 1 out

unsolicited unsolicited at swiz.ca
Mon Jan 25 13:23:03 EST 2010


Depends on what you're looking for / to do.

Conceptually, I think this is what you're looking for: 
http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)

From what I've seen in the past, having two NICs is no more secure 
than just having 1, i.e. it's a bastardized DMZ that isn't really 
effective. Once they're to your box, it's only a short step to 
crossing NICs and they're inside. Whereas with 1 NIC, the firewall in 
front of it (a) makes sure that only specifically allowed services get 
to the box, internally or externally, and (b) anything coming 
internally doesn't originate from anywhere other than that box. Being 
dedicated, such firewalls make oops happen less frequently - when 
fixing/updating one package inadvertently opens up or interacts with 
another in an insecure, and all but hidden, manner.

But that's my take on your question. John took it a slightly different 
way.

And we've both commented in the past that there's the way you're 
supposed to do things, and the way they're most commonly done. In the 
home, it's the latter. In the enterprise (in your case, your 
bet-your-livelihood business), it's the former. It takes discipline.

Granted, vast improvements have been made over the years to prevent 
cross-NIC traffic, but it's still not as simple or obvious as having 
that dedicated box in front of it.

Policy based routing will probably apply, dedicated box or not. And 
the learning curve thereof.


Generally, the security concerns about your Asterisk and web server, 
indeed any publicly accessible server, are the same. It's probably 
arguable in your case that you have an internal and external Asterisk 
server, and your internal Asterisk server only accepts outside traffic 
via your external one. I'd guess that one or both of these could be 
OpenWRT. Not sure whether the internal one being x86 (OpenWRT) would 
serve you better in combining more services on one box (less hardware 
to maintain), and the external one being on an (OpenWRT) router 
(service/hardware isolation). I'd argue your external one would be on 
your site, not your server farm site - if you have no internet at 
home, you ain't getting calls, regardless of the location of the 
external server. If you have a box issue, at least it's to hand.

But, like I said, depends on what you're looking for / to do. Can you 
expand?

Insurance Squared Inc. wrote, On 01/25/2010 11:28 AM:
> If I'm running an asterisk server is it worth having two ethernet ports 
> and setting it up so that inbound traffic comes in port A and outbound 
> traffic goes out port B?  What about on a webserver?
> And where would I start to look into how to set that up?  I'm not sure 
> if it's worth doing this, and if so, where to start reading on 'how'.



