Adriano Castro wrote:
> In the meantime, I've been reading about the latter ones and don't
> fully understand the need or use of a 3rd Ethernet port (as in Soekris'
> net4501-30 model). 2 ports make sense to me: WAN + LAN. I believe the
> 3rd port is commonly used for DMZ, correct?
>
> If this is the case it kind of confuses me because I'm used to
> having DMZs set up virtually.
>
The problem with a virtual DMZ is that if the DMZ gets compromised, it
can be used to gain access to the rest of the network.
As a result, it's safer to isolate any machines with internet-facing
services (DMZ or not) from your internal LAN. This is one possible use
for an additional interface.
Another is to isolate one segment of your internal network from the
rest. Similar in implementation, but with different goals --
Personally, I have one segment of my network for untrusted machines
(visitors, wireless access point, kids' computers) and one for trusted
machines (adults, servers, VoIP gear, etc). The "trusted" network can
connect to the untrusted network, but the untrusted network can't talk
to the trusted network.
--
I've given up on sigs. I just couldn't think of anything clever to say.
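The three-interface layout described in the reply above (WAN, trusted LAN, untrusted segment or DMZ, with the trusted side allowed to initiate connections to the untrusted side but not the reverse) expressed as an OpenBSD pf ruleset. This is an added example, not configuration from the original thread; the interface names, the subnets and the choice of pf are assumptions.

```pf
# Interface names and subnets are assumptions for this example; adjust to your box.
ext_if = "sis0"                # WAN
int_if = "sis1"                # trusted LAN (adults, servers, VoIP gear)
dmz_if = "sis2"                # untrusted segment (visitors, wireless AP, kids) or DMZ

trusted_net   = "192.168.1.0/24"
untrusted_net = "192.168.2.0/24"

set skip on lo
match in all scrub (no-df)

# Both inside segments share the WAN address when going out.
match out on $ext_if from { $trusted_net, $untrusted_net } nat-to ($ext_if)

# Default deny: anything not explicitly passed below is dropped.
block all

# Trusted -> anywhere (Internet and the untrusted segment). The state entry
# this rule creates is what lets the replies back in; no reverse rule exists.
pass in on $int_if from $trusted_net to any

# Untrusted -> Internet only. The untrusted segment must never initiate
# connections to the trusted LAN; 'quick' makes this block final, and the
# explicit rule documents the intent even though 'block all' already covers it.
block in quick on $dmz_if from $untrusted_net to $trusted_net
pass in on $dmz_if from $untrusted_net to any

# Forwarded traffic that was accepted on its ingress interface is allowed to
# leave on whichever interface routes it; states are created here as well.
pass out all
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, then confirm from an untrusted host that a connection to a trusted address is dropped while the reverse direction works.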