Can multihoming create risk?

I have just taken over a network.  It is physically split into two subnets because they want to protect one side from the "dumb users" on the other side.  However there are a number of PCs that are multihomed to allow them to connect to both sides.  Each of two NICs is physically connected to each of the two separate subnets.

QUESTION: does the multihomed PC now become a conduit for worms etc. from one side to the other?  Is multihoming some PCs defeating the purpose of physically separating the networks in the first place?

Thank you!
responza Asked:

micahsdad1402 Commented:
Much better to ditch the multihomed devices and put in a firewall that supports three ports, one for the internet and one for each subnet. Then you can specify rules for exactly what traffic from which users can go b/w the two subnets. I.e., if you have a file server in the other network, only allow access to that file server, not the whole subnet.... Even restricting the traffic to the ports you want for SMB. You can get these from the M$ website.

pseudocyber Commented:
>>QUESTION: does the multihomed PC now become a conduit for worms etc. from one side to the other? Yes.

>>Is multihoming some PCs defeating the purpose of physically separating the networks in the first place?  Possibly.

All you need is to have someone turn on routing and then you would have a routing loop.  Multihoming defeats the purpose of routers.

Network devices should do network things - like route, switch.  Not PCs & servers - IMHO.  Multihoming is usually a bad idea and it is best practice to avoid it.
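As an added example that is not part of any post in this thread: a small Python audit that reads a host's interface list and its IP-forwarding setting and reports whether the machine spans two subnets and whether it can currently route between them (the "someone turns on routing" case above). The inputs stand in for `ip -o -4 addr show` and `/proc/sys/net/ipv4/ip_forward` on Linux; the samples, function names and risk labels are constructed for this example.

```python
# Added example, not code from this thread: audit a multihomed host for
# subnet-bridging risk. Inputs are the text of `ip -o -4 addr show` and of
# /proc/sys/net/ipv4/ip_forward (Linux); both are constructed samples here.
import ipaddress
import re

# Constructed sample: a PC with one NIC on each of the two subnets.
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.25/24 brd 192.0.2.255 scope global eth0
3: eth1    inet 198.51.100.40/24 brd 198.51.100.255 scope global eth1
"""
SAMPLE_IP_FORWARD = "1\n"  # constructed content of /proc/sys/net/ipv4/ip_forward

ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\S+)")

def parse_ip_addr(text):
    """Map interface name -> IPv4Interface, ignoring loopback addresses."""
    ifaces = {}
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            name, cidr = m.groups()
            addr = ipaddress.ip_interface(cidr)
            if not addr.ip.is_loopback:
                ifaces[name] = addr
    return ifaces

def forwarding_enabled(text):
    """True when the ip_forward sysctl file reads 1."""
    return text.strip() == "1"

def assess(ifaces, ip_forward_text):
    """Classify the host. The risk labels are this example's own terms."""
    networks = sorted({str(a.network) for a in ifaces.values()})
    multihomed = len(networks) > 1
    fwd = forwarding_enabled(ip_forward_text)
    if not multihomed:
        risk = "none"  # one subnet only: nothing to bridge
    elif fwd:
        risk = "network-level bridge"  # any host on either side can route via it
    else:
        risk = "host-level conduit"  # only this host spans both sides, so does malware on it
    return {"networks": networks, "multihomed": multihomed,
            "forwarding": fwd, "risk": risk}

if __name__ == "__main__":
    print(assess(parse_ip_addr(SAMPLE_IP_ADDR), SAMPLE_IP_FORWARD))
```

On a live Linux host, feed it the output of `ip -o -4 addr show` and the content of `/proc/sys/net/ipv4/ip_forward`; a "host-level conduit" result is still a conduit in the sense the answers above describe, only forwarding off means other machines cannot route through it.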

arthurjb Commented:
It is probably going to be tough to get the users to change something that they have been doing for a while. pseudo is right, multihoming is a poor practice and would not be implemented by a true professional (unless forced to by a rotten manager).

Fish like to swim and birds like to fly.  You should not be using a (complicated!) hardware solution when the software already has a way to protect dumb users from one another.

If you think you can get your management and users to buy into a single network solution, you should then come here and ask a question about how to implement it, giving as much detail as possible about the current layout.

Good Luck

amanzoor (Network infrastructure Admin) Commented:
I agree with arthurjb and pseudocyber
Believe me, SOME multihomed servers and clients cause trouble, especially if assigned static IPs.  I am already paying the price on my network to find out where the loop is generated.  Some of my servers are multihomed and till now I am unable to understand why (as those were imposed on me).
Also it is true offering a client two or more doors to exit and enter is hectic, you will have hard time to find what is entering into LAN and what is exiting.
Enjoy!

scrathcyboy Commented:
Though I don't disagree with the above, there is nothing intrinsically wrong with multihomed PCs, as long as you make them immune to virus transfer.  But face it, you run good AV programs I hope, so when you remove that threat, there is nothing wrong with making select PCs multihomed so they have selective access to both networks, while the supposed "dumb" end users don't.  This is a lot easier than setting up all kinds of firewalls and buffers to do the same.

pseudocyber Commented:
I have to disagree with the "there is nothing wrong" comment.  While it will work, technically - what's wrong with it is that it is a poor design.