
Can multihoming create risk?

I have just taken over a network.  It is physically split into two subnets because they want to protect one side from the "dumb users" on the other side.  However there are a number of PCs that are multihomed to allow them to connect to both sides.  Each of two NICs is physically connected to each of the two separate subnets.

QUESTION: does the multihomed PC now become a conduit for worms etc. from one side to the other?  Is multihoming some PCs defeating the purpose of physically separating the networks in the first place?

Thank you!
2 Solutions
>>QUESTION: does the multihomed PC now become a conduit for worms etc. from one side to the other?

Yes.

>>Is multihoming some PCs defeating the purpose of physically separating the networks in the first place?

Possibly.

All you need is to have someone turn on routing and then you would have a routing loop.  Multihoming defeats the purpose of routers.

Network devices should do network things - like route, switch.  Not PCs & servers - IMHO.  Multihoming is usually a bad idea and it is best practice to avoid it.

It is probably going to be tough to get the users to change something that they have been doing for a while. pseudo is right, multihoming is a poor practice and would not be implemented by a true professional (unless forced to by a rotten manager).

Fish like to swim and birds like to fly.  You should not be using a (complicated!) hardware solution when the software already has a way to protect dumb users from one another.

If you think you can get your management and users to buy into a single network solution, you should then come here and ask a question about how to implement it, giving as much detail as possible about the current layout.

Good Luck

amanzoor (Network Infrastructure Admin) commented:
I agree with arthurjb and pseudocyber.
Believe me, SOME multihomed servers and clients cause trouble, especially if assigned static IPs.  I am already paying the price on my network to find out where the loop is generated.  Some of my servers are multihomed and till now I am unable to understand why (as those were imposed on me).
Also, it is true that offering a client two or more doors to exit and enter is hectic; you will have a hard time finding what is entering the LAN and what is exiting.

Much better to ditch the multihomed devices and put in a firewall that supports three ports, one for the internet and one for each subnet. Then you can specify rules for exactly what traffic from which users can go b/w the two subnets. I.e., if you have a file server in the other network, only allow access to that file server, not the whole subnet.... Even restricting the traffic to the ports you want for SMB. You can get these from the M$ website.

Tho I don't disagree with the above, there is nothing intrinsically wrong with multihomed PCs, as long as you make them immune to virus transfer.  But face it, you run good AV programs I hope, so when you remove that threat, there is nothing wrong with making select PCs multihomed so they have selective access to both networks, while the supposed "dumb" end users don't.  This is a lot easier than setting up all kinds of firewalls and buffers to do the same.

I have to disagree with the "there is nothing wrong" comment.  While it will work, technically - what's wrong with it is that it is a poor design.
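
An added example, not part of any post in this thread: a small audit over a host inventory that flags the situation discussed above, machines with an interface on both subnets, and separately those that also have IP routing turned on. The subnet ranges, host names and inventory format are constructed for illustration.

```python
import ipaddress

# Constructed addressing plan (assumption; the thread gives no addresses).
SEGMENTS = {
    "protected": ipaddress.ip_network("10.10.1.0/24"),
    "users": ipaddress.ip_network("10.10.2.0/24"),
}

# Constructed inventory: interface addresses and IP forwarding state per host,
# e.g. as exported by an asset-management agent.
INVENTORY = [
    {"host": "ws-01", "addrs": ["10.10.2.21/24"], "forwarding": False},
    {"host": "ws-07", "addrs": ["10.10.1.15/24", "10.10.2.15/24"], "forwarding": False},
    {"host": "srv-03", "addrs": ["10.10.1.5/24", "10.10.2.5/24"], "forwarding": True},
    {"host": "srv-04", "addrs": ["10.10.1.6/24", "10.10.1.7/24"], "forwarding": False},
    {"host": "lab-02", "addrs": ["10.10.2.40/24", "169.254.3.9/16"], "forwarding": True},
]


def segments_of(addrs):
    """Return the set of named segments in which a host has an interface."""
    found = set()
    for addr in addrs:
        ip = ipaddress.ip_interface(addr).ip
        for name, net in SEGMENTS.items():
            if ip in net:
                found.add(name)
    return found


def audit(inventory):
    """Classify each host as 'ok', 'dual-homed' (an interface in more than one
    segment, forwarding off) or 'dual-homed+forwarding' (acts as a router)."""
    report = {}
    for rec in inventory:
        if len(segments_of(rec["addrs"])) > 1:
            report[rec["host"]] = (
                "dual-homed+forwarding" if rec["forwarding"] else "dual-homed"
            )
        else:
            report[rec["host"]] = "ok"
    return report


if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:8} {status}")
```

Two NICs in the same subnet (srv-04) or forwarding enabled on a single-segment host (lab-02) are not flagged, because neither joins the two networks.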
