ctarbet
asked on
Firewall - Proper setup for servers with public AND private IPs
I have several servers that do filesharing / webserving on my private network AND do webserving on the internet with public IPs. I can think of several ways to do this, but I want to know the proper / best way as far as security. This is a from-scratch retool of my network so pretty much anything goes as long as it uses my current hardware.
Hardware is a Cisco 2600 router running VLANs to an HP switch. One VLAN is the private network doing NAT and one is my public subnet.
I would like to be able to access the webservers from inside and out using the same DNS names.
Ideas:
1) Put two network cards in the servers so they can have IPs on BOTH networks. The ACLs of my firewall could control security pretty easily.
2) Put the servers in the private network and do port forwarding or statically map the public IPs to the private IPs.
3) Set up the servers with just public IPs and configure things so the local filesharing works, but block filesharing on the internet side.
I'm interested in the quick pros and cons of each setup.
ASKER CERTIFIED SOLUTION
You can use public IPs, nothing wrong with that.
I'm just a little more security-conscious than most.
Less chance of exposing your servers if your ACLs are misconfigured.
Using non-routable IPs is best practice.
ASKER
Thanks. It's hard to tell sometimes where the line between good practice and paranoid delusion lies. Not to imply you are paranoid or anything... :)
ASKER
Thanks, though. That is exactly what I wanted.