[kwlug-disc] Two ethernet ports - 1 in, 1 out
Insurance Squared Inc.
gcooke at insurancesquared.com
Mon Jan 25 13:28:26 EST 2010
Boiling it down to 'what do I want to do', I suspect that'll illustrate
how stupid of a question I'm asking. I now recall that when I've seen this
done in the past it was for security reasons, where one port faces
outside and another port faces inside.
The reason I was asking was really just for traffic issues - thinking
that if I had some network traffic and my voice traffic running through a
machine that perhaps having inbound traffic on one port and outbound on
another would prevent any possible traffic overloads. But now that I state
it explicitly, I suspect the answer is that there's not enough traffic
there to worry about.
unsolicited wrote:
> Depends on what you're looking for / to do.
>
> Conceptually, I think this is what you're looking for:
> http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)
>
> From what I've seen in the past, having two NICs is no more secure
> than just having 1. i.e. It's a bastardized DMZ that isn't really
> effective. Once they're on your box, it's only a short step to
> crossing NICs and they're inside. Whereas with 1 NIC, the firewall in
> front of it (a) makes sure that only specifically allowed services get
> to the box, internally or externally, and (b) anything coming
> internally doesn't originate from anywhere other than that box. Being
> dedicated, such firewalls make oopses happen less frequently - when
> fixing/updating one package inadvertently opens up or interacts with
> another in an insecure, and all but hidden, manner.
>
> But that's my take on your question. John took it a slightly different
> way.
>
> And we've both commented in the past that there's the way you're
> supposed to do things, and the way they're most commonly done. In the
> home, it's the latter. In the enterprise (in your case, your
> bet-your-livelihood business), it's the former. It takes discipline.
>
> Granted, vast improvements have been made over the years to
> prevent cross-NIC traffic, but it's still not as simple or obvious as
> having that dedicated box in front of it.
>
> Policy-based routing will probably apply, dedicated box or not.
> And the learning curve thereof.
>
>
> Generally, the security concerns about your Asterisk and web server,
> indeed any publicly accessible server, are the same. It's probably
> arguable in your case that you have an internal and external Asterisk
> server, and your internal Asterisk server only accepts outside traffic
> via your external one. I'd guess that one or both of these could be
> OpenWRT. Not sure whether the internal one being x86 (OpenWRT) would
> serve you better in combining more services on one box (less hardware
> to maintain), and the external one being on an (OpenWRT) router
> (service/hardware isolation). I'd argue your external one would be on
> your site, not your server farm site - if you have no internet at
> home, you ain't getting calls, regardless of the location of the
> external server. If you have a box issue, at least it's to hand.
>
> But, like I said, depends on what you're looking for / to do. Can you
> expand?
>
> Insurance Squared Inc. wrote, On 01/25/2010 11:28 AM:
>> If I'm running an Asterisk server, is it worth having two ethernet
>> ports and setting it up so that inbound traffic comes in port A and
>> outbound traffic goes out port B? What about on a webserver?
>> And where would I start to look into how to set that up? I'm not
>> sure if it's worth doing this, and if so, where to start reading on
>> 'how'.
>
> _______________________________________________
> kwlug-disc_kwlug.org mailing list
> kwlug-disc_kwlug.org at kwlug.org
> http://astoria.ccjclearline.com/mailman/listinfo/kwlug-disc_kwlug.org
>
--
Glenn Cooke
Insurance Squared Inc.
(866) 779-1499
www.insurancesquared.com
Insurance Agent Discussion Forum:
www.americaninsurancebroker.com
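A worked configuration for the two points raised in the reply above, the policy-based routing a dual-NIC box needs and the "short step to crossing NICs" concern, added here as an example. It is not code from any of the posters; the interface names, addresses, gateways and routing-table numbers are hypothetical. Policy-based routing on Linux keys on the packet's source address, so a reply to a request that arrived on one NIC leaves through that NIC's own gateway instead of the single default route; the second function turns forwarding off and blocks the FORWARD path so the host cannot quietly route between its two networks, and the last one is the check that the kernel knob really is off.

```shell
#!/bin/sh
# Added example for the kwlug-disc thread; not from any poster.
# eth0/eth1, the 192.0.2.x / 203.0.113.x addresses and tables 100/200
# are hypothetical.  Functions print ip(8)/iptables/sysctl commands for
# review; pipe their output into sh (as root) to apply.

# pbr_rules IFACE ADDR NET/PREFIX GATEWAY TABLE
# Give IFACE its own routing table (connected route plus default via its
# gateway) and a rule that selects that table for packets whose source
# address is IFACE's address.  Replies to anything addressed to ADDR
# therefore leave via IFACE, not the main table's default gateway.
pbr_rules() {
    iface=$1 addr=$2 net=$3 gw=$4 table=$5
    printf 'ip route add %s dev %s src %s table %s\n' "$net" "$iface" "$addr" "$table"
    printf 'ip route add default via %s dev %s table %s\n' "$gw" "$iface" "$table"
    printf 'ip rule add from %s lookup %s priority %s\n' "$addr" "$table" "$((1000 + $table))"
}

# no_crossing_rules EXT_IFACE INT_IFACE
# Stop the host acting as a router between its two NICs: forwarding off
# in the kernel, strict reverse-path filtering, and FORWARD dropped in
# both directions so a later sysctl flip still forwards nothing.
no_crossing_rules() {
    ext=$1 int=$2
    echo 'sysctl -w net.ipv4.ip_forward=0'
    # rp_filter=1: drop packets whose source the kernel would not route
    # back out the arrival NIC; works with the per-source rules above.
    echo 'sysctl -w net.ipv4.conf.all.rp_filter=1'
    echo 'iptables -P FORWARD DROP'
    printf 'iptables -A FORWARD -i %s -o %s -j DROP\n' "$ext" "$int"
    printf 'iptables -A FORWARD -i %s -o %s -j DROP\n' "$int" "$ext"
}

# ip_forward_disabled [FILE]
# Exit 0 when the forwarding knob holds 0.  FILE defaults to the live
# kernel setting; pass a saved copy to check a config dump offline.
ip_forward_disabled() {
    [ "$(tr -d '[:space:]' < "${1:-/proc/sys/net/ipv4/ip_forward}")" = 0 ]
}

# Demo: PBR_DEMO=1 sh this_script.sh prints the full command set.
if [ "${PBR_DEMO:-0}" = 1 ]; then
    pbr_rules eth0 192.0.2.10 192.0.2.0/24 192.0.2.1 100        # internal NIC
    pbr_rules eth1 203.0.113.10 203.0.113.0/24 203.0.113.1 200  # external NIC
    no_crossing_rules eth1 eth0
    ip_forward_disabled && echo 'ip_forward is 0' || echo 'ip_forward is NOT 0'
fi
```

The rules are per source address, which is why the "inbound on port A, outbound on port B" split does not apply to a single TCP or SIP/RTP flow: its replies must carry the address the request was sent to, so they follow that address's table. Run `ip_forward_disabled` (and `iptables -S FORWARD`) after every package update; that is the "oops" the reply warns about.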