On Sat, Nov 22, 2014 at 8:46 AM, Martin Hanson <greencopperm...@yandex.com> wrote:
> Hi all
>
> I have one gateway and several boxes serving some NFS, Samba and other stuff.
> Then I have a public server for some gaming.
>
> I am thinking about two different setups, but I am in serious doubt as to
> whether one actually has any real benefit over the other.
>
> The public server gets its own NIC on the firewall, whereas the other boxes
> share another NIC (through a switch) for local stuff.
>
> My worry is if the public server gets hacked.
>
> Is it better to physically segment the network using two different boxes as
> routers/firewalls, or is it better to simply use one router/firewall with 3
> NICs?
>
> Setup 1:
>
> Gateway --> firewall --> NIC1 --> public server
>                 |
>                 --> NIC2 --> LAN
>
> Setup 2:
>
> Gateway --> firewall1 --> public server
>                 |
>                 --> firewall2 --> LAN
>
> I am wondering which of the two situations is "most secure".
>
> Maybe it really depends on how the firewall is set up, but what I want to
> avoid is that if the public server gets hacked, the attacker can gain
> access to stuff on the LAN.
>
> Any comments on these different setups?
>
> Of course the ideal would probably be to get two separate Internet
> connections, but that's really not an option in this case.
Setup 1 is a very common scenario--and I probably wouldn't do Setup 2 unless the two firewalls needed to be administered by different groups, which does not apply here. So, I would go with Setup 1 and configure rules on the firewall to prevent your public server from talking to your LAN (commonly known as a DMZ scenario), which would prevent an attacker from being able to compromise your LAN hosts if the public server was compromised. You could also replace NIC1 and NIC2 with a single NIC, vlan(4) and a switch that supports VLANs.
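Below is an added example of the kind of ruleset the reply is describing for Setup 1; it is not from the original thread or from either poster. It is written in OpenBSD pf syntax (the same system the reply's vlan(4) reference points at). The interface names (em0/em1/em2), the game server's address and the game port are assumptions made for the example; substitute your own. The security-relevant part is the single `block in quick` rule on the DMZ interface: because pf is last-match-wins except for `quick` rules, placing that block first guarantees that no later, more permissive `pass` rule can reopen a path from the public server into the LAN or to the firewall itself, while replies to connections the LAN opened toward the game server still flow, because they match existing state rather than being evaluated against the ruleset.

```pf
# /etc/pf.conf for "Setup 1": one firewall, three NICs (OpenBSD pf syntax).
# Interface names, addresses and ports below are assumptions for this example.
ext_if     = "em0"          # toward the upstream gateway
dmz_if     = "em1"          # NIC1: the public game server
lan_if     = "em2"          # NIC2: the switch with the NFS/Samba boxes

dmz_net    = $dmz_if:network
lan_net    = $lan_if:network
game_srv   = "192.0.2.10"   # public server's address on the DMZ segment (assumed)
game_ports = "{ 27015 }"    # whatever the game actually listens on (assumed)

set skip on lo
set block-policy drop

# Outbound NAT for both internal segments behind the firewall's public address
match out on $ext_if inet from { $lan_net, $dmz_net } to any nat-to ($ext_if)

# Drop packets arriving on an interface whose source address belongs elsewhere
antispoof quick for { lo, $lan_if, $dmz_if }

# Default deny everything, logged
block log all

# The rule this whole setup exists for: nothing originating on the DMZ may
# initiate traffic into the LAN, nor to any of the firewall's own addresses.
# "quick" ends evaluation here, so no pass rule further down can override it.
# Return traffic for LAN-initiated connections is unaffected: it matches state.
# If the firewall must offer the DMZ a service (e.g. DNS), put a
# "pass in quick on $dmz_if ... to self port domain" rule ABOVE these two.
block in quick log on $dmz_if from $dmz_net to $lan_net
block in quick log on $dmz_if from $dmz_net to self

# Internet -> game server, only on the game ports, forwarded from the
# firewall's external address to the server on the DMZ segment
pass in on $ext_if inet proto { tcp, udp } from any to ($ext_if) \
    port $game_ports rdr-to $game_srv

# Game server -> Internet (LAN and firewall are already excluded above).
# Tighten "to any" to DNS/NTP/update hosts if the server needs nothing else.
pass in on $dmz_if inet from $game_srv to any

# LAN -> anywhere, including admin access to the game server
pass in on $lan_if inet from $lan_net

# Let forwarded traffic and the firewall's own traffic leave
pass out quick inet
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only), then `pfctl -f /etc/pf.conf`. To verify the isolation rather than trust it, run `pfctl -sr` to confirm the two `block in quick on em1` rules sit above every `pass` rule, then from the game server try to reach a LAN host (`nc -vz -w 3 <lan-host> 445`) and confirm it times out while `pfctl -ss` shows no state and `tcpdump -n -e -ttt -i pflog0` shows the logged drop. The VLAN variant the reply mentions changes only the interface macros: define `vlan10` and `vlan20` on one trunk port and set `dmz_if` and `lan_if` to those; the rules themselves stay the same, although you are then trusting the switch's VLAN configuration as much as the firewall.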