advice wanted on structuring LAN + internet

The Wolf codewolf@earthlink.net
Fri, 29 Dec 2000 10:32:21 -0700


On Monday 25 December 2000 17:22, you wrote:
> I'm curious what trade-offs might exist between a couple of different ways
> of hooking up a web server and a LAN:
>
> 675 modem -> [web NIC -> web server -> LAN NIC] -> LAN hub ==>> multiple
> workstations
>
> -- vs --
>
> 675 modem -> LAN hub1 + -> web server
>                       + -> DL-701 -> LAN hub2 ==>> multiple workstations

There are a couple of problems with both setups.

Setup 1.
Since you are using the web server as your firewall, you are going to
have heavy hits on your firewall.  Web servers are the first
line of attack for most.  If your server is compromised, your
firewall is useless and your workstation will be the next target.

In the second setup you have the same problem: the web server is just sitting
out there.

The best solution would be to put a firewall box in front of everything:

Internet -> [Internet NIC - Firewall/Router - lan nic] - Hub - your lan
                                   - web server nic] - Web server

Your firewall would redirect port 80 and possibly other necessary ports to
your web server.  Nothing would be forwarded to your lan.  Your lan requests
are forwarded to the internet and web server.

Nothing is sent out from the web server unless requested (a stateful firewall
does that).

This way you separate the lan and web server (DMZ).


--
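
The three-NIC layout described in the message above, written out as an iptables-restore ruleset. This is an added example, not part of the original post; the interface names (eth0, eth1, eth2) and the web server address 192.168.2.10 are assumptions.

```shell
#!/bin/sh
# Added example: the policy from the message as iptables-restore input.
# Assumptions (not from the post): interface names and the DMZ address.
WAN_IF=${WAN_IF:-eth0}          # Internet NIC
LAN_IF=${LAN_IF:-eth1}          # LAN NIC (hub, workstations)
DMZ_IF=${DMZ_IF:-eth2}          # web server NIC
WEB_IP=${WEB_IP:-192.168.2.10}  # web server address in the DMZ

dmz_ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Redirect port 80 arriving on the Internet NIC to the web server.
-A PREROUTING -i ${WAN_IF} -p tcp --dport 80 -j DNAT --to-destination ${WEB_IP}:80
# Outbound traffic leaves with the firewall's public address.
-A POSTROUTING -o ${WAN_IF} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The firewall box itself accepts only loopback and reply traffic.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Stateful part: replies to connections that were allowed below.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Internet -> web server, port 80 only.
-A FORWARD -i ${WAN_IF} -o ${DMZ_IF} -p tcp -d ${WEB_IP} --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# LAN -> Internet and LAN -> web server.
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${DMZ_IF} -m conntrack --ctstate NEW -j ACCEPT
# No rule opens new connections into the LAN or out of the DMZ,
# so the FORWARD DROP policy blocks both.
COMMIT
EOF
}

# List FORWARD rules that let NEW connections leave via interface $1.
new_flows_to() {
    dmz_ruleset | grep -e '^-A FORWARD' | grep -e "-o $1 " | grep -e '--ctstate NEW' || true
}

# Print the ruleset; check it without loading: sh dmz.sh | iptables-restore --test
dmz_ruleset
```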