[kwlug-disc] Two ethernet ports - 1 in, 1 out

Insurance Squared Inc. gcooke at insurancesquared.com
Mon Jan 25 13:28:26 EST 2010


Boiling it down to 'what do I want to do', I suspect that'll illustrate 
how stupid of a question I'm asking.  I now recall when i've seen this 
done in the past that it was for security reasons, where one port faces 
outside and another port faces outside.

The reason I was asking was really just for traffic issues - thinking 
that if I had some network traffic and my voice traffic running though a 
machine that perhaps having inbound traffic on one port and outbound on 
another would prevent any possible traffic overloads.  But now I state 
that explicitly, I suspect the answer is that there's not enough traffic 
there to worry about.



unsolicited wrote:
> Depends on what you're looking for / to do.
>
> Conceptually, I think this is what you're looking for: 
> http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)
>
> From what I've seen in the past, having two NICs is no more secure 
> than just having 1. i.e. It's a bastardized DMZ that isn't really 
> effective. Once they're to your box, it's only a short step to 
> crossing NICs and they're inside. Whereas with 1 NIC, the firewall in 
> front of it (a) makes sure that only specifically allowed services get 
> to the box, internally or externally, and (b) anything coming 
> internally doesn't originate from anywhere other than that box. Being 
> dedicated, such firewalls make oops happen less frequently - when 
> fixing/updating one package inadvertently opens up or interacts with 
> another in an insecure, and all but hidden, manner.
>
> But that's my take on your question. John took it a slightly different 
> way.
>
>     And we've both commented in the past that there's the way you're 
> supposed to do things, and the way they're most commonly done. In the 
> home, it's the latter. In the enterprise (in your case, your bet your 
> livelihood business), it's the former. It takes discipline.
>
>     Granted, vast improvements have been made over the years to 
> prevent cross-NIC traffic, but it's still not as simple or obvious as 
> having that dedicated box in front of it.
>
>     Policy based routing will probably apply, dedicated box or not. 
> And the learning curve thereof.
>
>
> Generally, the security concerns about your asterisk and web server, 
> indeed any publicly accessible server, are the same. It's probably 
> arguable in your case that you have an internal and external asterisk 
> server, and your internal asterisk server only accepts outside traffic 
> via your external one. I'd guess that one or both of these could be 
> OpenWRT. Not sure whether the internal one being x86 (OpenWRT) would 
> serve you better in combining more services on one box (less hardware 
> to maintain), and the external one being on a (OpenWRT) router 
> (service/hardware isolation). I'd argue your external one would be on 
> your site, not your server farm site - if you have no internet at 
> home, you ain't getting calls, regardless of the location of the 
> external server. If you have a box issue, at least it's to hand.
>
> But, like I said, depends on what you're looking for / to do. Can you 
> expand?
>
> Insurance Squared Inc. wrote, On 01/25/2010 11:28 AM:
>> If I'm running an asterisk server is it worth having two ethernet 
>> ports and setting it up so that inbound traffic comes in port A and 
>> outbound traffic goes out port B?  What about on a webserver?
>> And where would I start to look into how to set that up?  I'm not 
>> sure if it's worth doing this, and if so, where to start reading on 
>> 'how'.
>
> _______________________________________________
> kwlug-disc_kwlug.org mailing list
> kwlug-disc_kwlug.org at kwlug.org
> http://astoria.ccjclearline.com/mailman/listinfo/kwlug-disc_kwlug.org
>

-- 
Glenn Cooke
Insurance Squared Inc.
(866) 779-1499
www.insurancesquared.com

Insurance Agent Discussion Forum:
www.americaninsurancebroker.com





More information about the kwlug-disc_kwlug.org mailing list