[Tfug] Topology questions
William Stott
will at stottland.net
Sat Oct 6 22:05:44 MST 2012
Wow. You are working yourself into a situation where complexity overcomes
security and maintenance. Maybe you should think about sticking the web
services between your firewall and router "DMZ network," configure actual
proxy services for external use, and call it a day. "Multi-homed" anything
that isn't a router or firewall is normally not in your best interest, but
more of a band-aid to a real solution (even if that means using windows DHCP
over Linux *unnecessary stab*).
Will
-----Original Message-----
From: Bexley Hall [mailto:bexley401 at yahoo.com]
Sent: Friday, October 05, 2012 10:36 PM
To: tfug at tfug.org
Subject: [Tfug] Topology questions
Hi,
A couple of questions re: network topology choices...
I've got a multihomed device that serves up lightweight services (NTP, DNS,
DHCP, etc.) and acts as a router between the "exposed" internet (the
interface that talks to the firewall) and the "internal" internets.
E.g., there is a "routed" internet, a "private" internet and dedicated
connections to wireless access points (so traffic from the AP's can't "get
anywhere" without the router explicitly handling it).
For the most part, there is little traffic *between* the internets. The
router moves data between the "exposed" interface and the "routed" one;
*some* (usually a single wireless client) traffic between AP's and
exposed/routed/etc.; and mainly "control" information between the "routed"
and "private" networks.
[Keep in mind, it is also providing those lightweight services]
The router has to be on 24/7 so I've tried to keep it as lean as possible.
I.e., the firewall can be powered down (assuming nothing needs to "get
outside") as well as other internal hosts -- but the router has to provide
its services
24/7/365 (i.e., if something wants to talk to the outside,
*it* has to ensure the firewall is powered up!)
I've moved heavier-weight (HTTPd, FTPd, etc.) services to a different host
that can handle the heavier load -- and, that can afford to be powered down
when those services are not required.
I have an obvious choice as to how to connect this host to the network:
- I can *pick* one of the internets and just stick it there
and add rules to the router to ensure <whatever> *should*
be able to access it, can. This forces any traffic from/to
any of the "other" internets to pass through the router.
- I can add additional interfaces to this "heavyweight" host
and let it have a real presence on the internets that need
to access its services. This takes the router out of the
picture for all of that traffic. (remember, router can be
regarded as a thin pipe that potentially reduces bandwidth)
Expounding on the second of these options, there is a question as to how I
make those services available to the "outside world":
- Have the router filter traffic from the outside world to decide
what gets through to the server (in addition to actually having
to forward those packets). This allows the server to sit on
any/multiple internets and lets the router's configuration
determine how packets get to/from it.
- Have the server *also* sit on the "exposed" internet and service
requests GATED BY THE FIREWALL without the router's involvement.
This last option also could be used for a "single interface"
server -- put that interface on the exposed internet and have the router
pass all internal traffic destined for one of those services *onto* that
internet (i.e., the router is involved in
*all* internal accesses regardless of the internet from which they arose).
I see configuration and performance consequences with all of the above.
And, of course, they compete with each other to ensure there's no obvious
winner :-/
Suggestions from folks who've been down this road?
Thx,
--don
_______________________________________________
Tucson Free Unix Group - tfug at tfug.org
Subscription Options:
http://www.tfug.org/mailman/listinfo/tfug_tfug.org
More information about the tfug
mailing list