 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Logs
 Date:  Wed, 25 Aug 2004 15:26:24 -0400
On Wed, 25 Aug 2004 09:52:39 -0400, James W. McKeand <james at mckeand dot biz> wrote:
> In my opinion, you should physically separate your LAN from your DMZ - two
> switches and two NICs. With that said, Dual homing your servers (two IPs on
> one NIC) is generally not a good idea. Having your servers straddle your DMZ
> (two NIC connected to two switches) is also not a good idea. I think you are
> opening yourself to security problems if you do not pay attention to detail
> when it comes to securing the servers.
> I think I remember having read posts about connecting the LAN and DMZ to the same
> physical media (same switch/hub) and getting similar behavior. Did you search
> the list archive?

Not addressing the question at hand, but dual homing all your hosts on
your DMZ and LAN, whether it's 2 NICs or two IPs on one NIC, negates
one of the main purposes of having a DMZ in the first place -
protecting your LAN if a publicly accessible host gets compromised.
I wouldn't recommend doing that under most any circumstance.  2 NICs
is better than two IPs on one NIC, but not by a whole lot.
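The risk described in this reply (a host that straddles the LAN and the DMZ gives an attacker who compromises it a path around the firewall) can be checked for mechanically. The following script is an added example, not code from the thread or from the m0n0wall project: it audits a host inventory and flags every host with addresses in both zones, distinguishing the two-NIC case from the two-IPs-on-one-NIC case the reply calls out. The inventory layout, the interface names and the subnets are constructed for illustration.

```python
"""Audit a host inventory for hosts that straddle the LAN and DMZ zones.

Added example, not part of the original mailing-list thread. The zone
subnets and the inventory below are constructed values, and the inventory
format (host -> list of (interface, address)) is an assumption.
"""
import ipaddress
from collections import defaultdict

# Constructed zone definitions; assumption: one subnet per zone.
ZONES = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "DMZ": ipaddress.ip_network("192.168.2.0/24"),
}

# Constructed inventory: host -> list of (interface, address) pairs.
INVENTORY = {
    "web1": [("em0", "192.168.2.10"), ("em1", "192.168.1.10")],   # two NICs, one in each zone
    "mail1": [("em0", "192.168.2.20"), ("em0", "192.168.1.20")],  # two IPs on a single NIC
    "db1": [("em0", "192.168.1.30")],                              # LAN only
    "www2": [("em0", "192.168.2.40")],                             # DMZ only
}


def zone_of(address):
    """Return the name of the zone whose subnet contains `address`, else None."""
    ip = ipaddress.ip_address(address)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def audit(inventory):
    """Return {host: finding} for every host with addresses in more than one zone.

    The finding is "two-nic" when the zones are reached through different
    interfaces and "one-nic" when a single interface carries addresses in
    both zones. Hosts confined to one zone are not reported.
    """
    findings = {}
    for host, ifaces in inventory.items():
        zones_by_iface = defaultdict(set)
        for iface, addr in ifaces:
            zone = zone_of(addr)
            if zone is not None:
                zones_by_iface[iface].add(zone)
        all_zones = set().union(*zones_by_iface.values())
        if len(all_zones) < 2:
            continue
        if any(len(zones) > 1 for zones in zones_by_iface.values()):
            findings[host] = "one-nic"
        else:
            findings[host] = "two-nic"
    return findings


if __name__ == "__main__":
    for host, finding in sorted(audit(INVENTORY).items()):
        print(f"{host}: straddles LAN and DMZ ({finding})")
```

Run against a real inventory, every host the script reports is one whose compromise would expose the LAN directly, regardless of the firewall rules between the two interfaces; the fix is the one the reply gives, a single zone per host.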