On Thu, 23 Aug 2001, Manu Heirbaut wrote:
> What advantage would a 3-NIC setup have over a dual setup ?
> I'm sorry if this is a dumb question, but I just started out on
> following these security issues because now I finally have DSL the
> need for security is not a luxury any more.
>
> --manu.
3-NIC allows you to maintain a (physically) separate subnet for (1) your trusted internal network, (2) your exposed servers (generally called a DMZ), (3) and finally the rest of the world.

Logically separate network segments are acceptable / useful in some cases (as illustrated in an earlier post), but don't provide the same level of security as a truly subdivided network. If one of your machines is 'rooted', the attacker can forge raw packets (or simply alias a new address) making the logical "separation" fairly meaningless in terms of security.

If you're on a cable network, a "one-armed" setup still allows the injection of nasty packets into your network: a cable network (or at least your segment of it) looks like a switched ethernet segment -- it even uses ARP, and unless your cable modem does ingress filtering (doubtful, but I haven't tested mine - I'm away at school) it should be possible to inject nasty things into your network (aimed at addresses you thought were private). Whether this actually works depends on the exact settings of the cable modem - bridging mode vs. routing mode, its route table, etc.

So, even if you are not worried about attacks from your neighbors (heh), you should keep in mind: do you trust your security to their security? (mmmm. Code Red, IIS, etc -- I wouldn't ;-) This may also apply to DSL - I don't know as much about the specifics but I remember reading somewhere that some providers did similar things.

I recommend following bugtraq (or at least skimming it), I've found it to be a wonderful security resource. You should probably read the various firewalling/security HOWTOs (and other more generic resources): they can provide a greater amount of information than the list, then follow up here if you are confused on an issue -- hopefully someone will be able to help you out.

My initial suggestion (without knowing your needs):

One firewall machine - 2 NICs. (486, P1)
 - one NIC -> DSL modem
 - one NIC -> to an internal hub/switch
 * Remove all running services
 * run sshd bound to the internal NIC. (or just do your maintenance from the console.)
 * do ipmasq for your internal network
 * portforward any services you want exposed (they will look like they are running on the firewall machine, but are passed through to an internal machine). Keep that service patched well. (If it gets compromised, your whole network is)
 * if you are feeling fancy - run SNORT on the firewall box, and watch all the interesting packets fly past

I'm sure wiser folks than I will have corrections and other suggestions.

-- Adam Lydick
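The layout Adam describes, written out as an added example that is not part of his post or of any project: a three-NIC Linux firewall (trusted LAN, DMZ, Internet) using iptables rather than the ipmasq/ipchains tooling of the period. It applies the points of the reply in rule form: default-deny, masquerading for the internal network, port-forwarding one exposed service to a DMZ host, sshd reachable only via the internal NIC, a compromised DMZ host unable to open connections inward, and ingress filtering that drops packets arriving from the outside with "private" source addresses (the spoofing concern raised above). The interface names, subnets and the DMZ web server address are assumptions for the example; the script only prints the ruleset unless invoked with `apply`, which needs root.

```shell
#!/bin/sh
# Added example: three-NIC firewall policy (LAN / DMZ / Internet) in iptables.
# All names and addresses below are assumptions, not values from the post.
WAN_IF="eth0"            # to the DSL/cable modem
LAN_IF="eth1"            # trusted internal network
DMZ_IF="eth2"            # exposed servers
LAN_NET="192.168.1.0/24"
DMZ_NET="192.168.2.0/24"
DMZ_WEB="192.168.2.10"   # DMZ host whose web port is exposed to the outside

# Emit the ruleset as shell commands, one per line. Nothing is applied here;
# apply_rules feeds the output to a shell so it can be reviewed first.
fw_rules() {
    cat <<EOF
# routing between the three segments, plus reverse-path check on every NIC
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.rp_filter=1
iptables -F
iptables -t nat -F
# default deny for traffic to and through the firewall
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ingress filtering: outside packets claiming an inside source address
iptables -A INPUT -i $WAN_IF -s $LAN_NET -j DROP
iptables -A INPUT -i $WAN_IF -s $DMZ_NET -j DROP
# sshd is only reachable from the trusted LAN side
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
iptables -A FORWARD -i $WAN_IF -s $DMZ_NET -j DROP
# replies to connections opened from inside (must precede the DMZ->LAN drop)
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN may go out and may talk to the DMZ; DMZ may only go out
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -o $WAN_IF -s $DMZ_NET -j ACCEPT
# a rooted DMZ box cannot initiate anything toward the trusted LAN
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
# the one exposed service: outside -> DMZ web server, port 80 only
iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -d $DMZ_WEB -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $DMZ_WEB:80
# masquerade both inside segments behind the firewall's public address
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
iptables -t nat -A POSTROUTING -o $WAN_IF -s $DMZ_NET -j MASQUERADE
EOF
}

# 1-based position of the first emitted line containing the literal string $1
# (empty if absent); used to check that rule ordering is what the policy needs.
rule_index() {
    fw_rules | grep -n -F -- "$1" | head -n 1 | cut -d: -f1
}

# Execute the emitted commands; requires root and the iptables binary.
apply_rules() {
    fw_rules | sh -e
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     fw_rules ;;
esac
```

Run it with no argument to review the generated commands, and with `apply` (as root) to install them. The ordering matters: the conntrack ESTABLISHED,RELATED rule in FORWARD sits before the DMZ-to-LAN DROP so that replies to connections the LAN opened into the DMZ still return, while anything the DMZ side initiates toward the LAN is refused.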

