[Tfug] Fw: Re: Topology questions je9eqyma

[Bexley Hall]

Hi Bender,

[sorry, I won't clean up the quoting -- listserver forced a
resend so I'm simply FORWARDing it!  :>

--- On Sun, 10/7/12, Bender <bender at bendertherobot.com> wrote:
> 
> > why don't you draw a picture?
> 
> I assumed the descriptions (included below) were sufficient
> to make clear what was going on.  But, if you insist on a
> drawing, pick up a pencil...
> 
>          
>                                              |-------- WiFi1
>                        exposed               |-------- Routed
> WLAN ---- Firewall ------------------ Router |-------- Private
>                                              |-------- WiFi2/Test
> 
> 
> (Here's where your pencil comes into play!  :> )
> 
> Each of the WiFi internets are essentially just 2 device
> internets:
> an access point and a spare RJ45.  Via these 2 devices
> (in two
> *places*!), "foreign" devices can connect to the network in
> much
> the same way things can try to get through the Firewall
> from
> The Outside World.  Having the router in place ensures
> I can
> watch that traffic -- and shut it down, if need be (the AP's
> are
> PoE so if someone starts abusing one, I just pull its plug)
> 
> The Routed internet is for the typical devices *you* would
> connect
> together -- and to the outside world.  Workstations,
> printers,
> FAX, etc.
> 
> The Private internet is for (atypical!) devices that you
> wouldn't
> want accessible from the outside world.  Network
> speakers, network
> displays, HVAC controller, irrigation controller, hot water
> heater,
> water softener/main, user interface/control panels,
> surveillance
> cameras, beacons, etc.  It would be a royal pain if
> someone was
> able to adjust the heat inside the house from a car parked
> down the
> road -- or, a deliberate and prolonged attack over the
> WLAN!
> 
> Onto this fabric, I have to add heavyweight services (FTP,
> HTTP,
> RDBMS, etc.), lightweight services (DNS, TFTP, NTP, etc.)
> and
> my "custom" services (music server, video server, etc.).
> 
> The router provides all the lightweight services to *all* of
> the
> internets (logical since they are inexpensive and it has
> free
> access to each of them -- including "exposed"!).
> 
> On first blush, the heavyweight services belong on the
> routed
> network as they are most commonly accessed from
> workstations.
> E.g., I keep the datasheets for the various electronic
> components
> that I use stored on the web server so I can call them up
> without
> having to thumb through dead trees.  Similarly, man
> pages for the
> various OS's that I use (so I don't have to have a machine
> of that
> particular flavor online just to consult it!)
> 
> Likewise, ISO's for various "Live CD's" or even purchased
> software
> get archived on the FTP server (easier to thumb through FTP
> listings
> than it is to dig through boxes of CD's!)  Imagine
> pulling 600MB
> *through* a router deliberately sized for low usage?? 
> (so running
> it 24/7/365 doesn't "cost an arm and a leg")
> 
> However, the "Private" internet also needs access to much of
> this
> same information.  No, not datasheets but, perhaps, the
> song list
> for a particular CD.  Or, to browse highlights from a
> movie (to
> decide if it is worth watching).  Or, to view the
> current 
> configuration of the irrigation system, etc.
> 
> [I.e., a "display" cares not what is presented on it --
> it's
> "just video".  You can view the TV program listing on
> your
> TV.  Why not the list of tracks on a CD?]
> 
> Given that many of the devices on the Private internet are
> designed
> to be "of limited capability" (user interfaces represent a
> good 
> portion of an embedded products complexity), this suggests
> biasing
> the availability of those services to the Private internet
> directly
> to give them a "leg up" on performance (afterall, the
> workstations
> on the Routed internet tend to be multigigahertz
> machines!).
> 
> How long would you want to wait for the program listing for
> the TV 
> to appear on the screen?
> 
> If, instead, you give each internet direct access to the
> services
> you aim for the best of both worlds.  And, you lock
> that traffic
> on that internet -- none of the other internets should
> expect to 
> see it (or figure out how to handle it!)
> 
> Repeat the exercise with the "exposed" internet.  I
> might want
> to serve up some of my personal publications to the outside
> world.  But, I surely don't want folks downloading
> items that
> I *don't* plan for public consumption:  "2011 Taxes,
> federal.pdf"...
> 
> Hopefully, gives you a better feel for what sorts of traffic
> have to
> be accommodated.
> 
> [Also, keep in mind, this is a *home* not a business! 
> We don't want
> big pieces of equipment, lots of noisey fans, high(er)
> electric
> bills, etc.]
> 
> --don
> 
>  
> > > I've got a multihomed device that serves up
> lightweight
> > > services (NTP, DNS, DHCP, etc.) and acts as a
> router
> > > between the "exposed" internet (the interface that
> talks
> > > to the firewall) and the "internal" internets.
> > > 
> > > E.g., there is a "routed" internet, a "private"
> internet
> > > and dedicated connections to wireless access
> points
> > > (so traffic from the AP's can't "get anywhere"
> without
> > > the router explicitly handling it).
> > > 
> > > For the most part, there is little traffic
> *between*
> > > the internets.  The router moves data between
> the
> > > "exposed" interface and the "routed" one; *some*
> > > (usually a single wireless client) traffic between
> AP's
> > > and exposed/routed/etc.; and mainly "control"
> information
> > > between the "routed" and "private" networks.
> > > 
> > > [Keep in mind, it is also providing those
> lightweight
> > > services]
> > > 
> > > The router has to be on 24/7 so I've tried to keep
> it
> > > as lean as possible.  I.e., the firewall can be
> powered down
> > > (assuming nothing needs to "get outside") as well
> as other
> > > internal hosts -- but the router has to provide
> its services
> > > 24/7/365 (i.e., if something wants to talk to the
> outside,
> > > *it* has to ensure the firewall is powered up!)
> > > 
> > > I've moved heavier-weight (HTTPd, FTPd, etc.)
> services
> > > to a different host that can handle the heavier
> load -- and,
> > > that can afford to be powered down when those
> services
> > > are not required.
> > > 
> > > I have an obvious choice as to how to connect this
> host to
> > > the network:
> > > - I can *pick* one of the internets and just stick
> it there
> > >  and add rules to the router to ensure
> <whatever> *should*
> > >  be able to access it, can.  This forces any
> traffic from/to
> > >  any of the "other" internets to pass through the
> router.
> > > - I can add additional interfaces to this
> "heavyweight" host
> > >  and let it have a real presence on the internets
> that need
> > >  to access its services.  This takes the router
> out of the
> > >  picture for all of that traffic.  (remember,
> router can be
> > >  regarded as a thin pipe that potentially reduces
> bandwidth)
> > > 
> > > Expounding on the second of these options, there
> is a question
> > > as to how I make those services available to the
> "outside world":
> > > - Have the router filter traffic from the outside
> world to decide
> > >  what gets through to the server (in addition to
> actually having
> > >  to forward those packets).  This allows the
> server to sit on
> > >  any/multiple internets and lets the router's
> configuration
> > >  determine how packets get to/from it.
> > > - Have the server *also* sit on the "exposed"
> internet and service
> > >  requests GATED BY THE FIREWALL without the
> router's involvement.
> > > 
> > > This last option also could be used for a "single
> interface"
> > > server -- put that interface on the exposed
> internet and have
> > > the router pass all internal traffic destined for
> one of those
> > > services *onto* that internet (i.e., the router is
> involved in
> > > *all* internal accesses regardless of the internet
> from which
> > > they arose).
> 
>