 From:  Dave Warren <maillist at devilsplayground dot net>
 To:  m0n0wall at adrianocastro dot net
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Embedded PC: 2 vs 3 Ethernet Ports
 Date:  Fri, 29 Oct 2004 01:47:30 -0600
Adriano Castro wrote:

> In the meantime, I've been reading about the latter ones and don't
> fully understand the need or use of a 3rd Ethernet port (as in Soekris'
> net4501-30 model). 2 ports make sense to me: WAN + LAN. I believe the
> 3rd port is commonly used for DMZ, correct?
>
> If this is the case it kind of confuses me because I'm used to
> having DMZs set up virtually.
The problem with a virtual DMZ is that if the DMZ gets compromised, it 
can be used to gain access to the rest of the network.

As a result, it's safer to isolate any machines with internet-facing 
services (DMZ or not) from your internal LAN.  This is one possible use 
for an additional interface.

Another is to isolate one segment of your internal network from the 
rest.  Similar in implementation, but with different goals -- 
Personally, I have one segment of my network for untrusted machines 
(visitors, wireless access point, kids' computers) and one for trusted 
machines (adults, servers, VoIP gear, etc).  The "trusted" network can 
connect to the untrusted network, but the untrusted network can't talk 
to the trusted network.

-- 
I've given up on sigs. I just couldn't think of anything clever to say.
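The two points in the reply above (a virtual DMZ on one segment never passes through the firewall, and a separate interface lets the firewall enforce one-way trust) as a small added simulation. This is example code written for this thread, not m0n0wall's own configuration or code; the segment names, address ranges and rule table are constructed assumptions.

```python
import ipaddress

# Constructed example: one physical firewall interface per segment, as in
# the post. OPT1 plays the untrusted/DMZ role (guests, wireless AP, kids).
SEGMENTS = {
    "LAN":  ipaddress.ip_network("192.168.1.0/24"),  # trusted: servers, VoIP
    "OPT1": ipaddress.ip_network("192.168.2.0/24"),  # untrusted / DMZ
    "WAN":  ipaddress.ip_network("203.0.113.0/24"),  # upstream (doc range)
}

# Which segment may *initiate* connections to which. Replies are handled
# by the state table below, never by these rules. Anything not listed
# is blocked, so the untrusted and WAN segments cannot open sessions
# into the trusted LAN.
POLICY = {
    ("LAN", "OPT1"): "pass",
    ("LAN", "WAN"): "pass",
    ("OPT1", "WAN"): "pass",
}

def segment_of(addr):
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    raise ValueError(f"{addr} is not on any known segment")

class StatefulFirewall:
    def __init__(self):
        self.states = set()  # (src, sport, dst, dport) of flows we passed

    def filter(self, src, sport, dst, dport):
        """Verdict for one TCP/UDP packet: 'pass', 'block' or 'unfiltered'."""
        src_seg, dst_seg = segment_of(src), segment_of(dst)
        # Same physical segment: the packet never reaches the firewall.
        # This is the weakness of a "virtual" DMZ sharing the LAN wire.
        if src_seg == dst_seg:
            return "unfiltered"
        # Reply to a flow we already passed: allowed without consulting POLICY.
        if (dst, dport, src, sport) in self.states:
            return "pass"
        verdict = POLICY.get((src_seg, dst_seg), "block")
        if verdict == "pass":
            self.states.add((src, sport, dst, dport))
        return verdict

if __name__ == "__main__":
    fw = StatefulFirewall()
    print(fw.filter("192.168.1.10", 40000, "192.168.2.20", 22))   # pass
    print(fw.filter("192.168.2.20", 22, "192.168.1.10", 40000))   # pass (reply)
    print(fw.filter("192.168.2.20", 40001, "192.168.1.10", 445))  # block
```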