Never do 1 or 3. When your server gets hacked (which is what you should always assume), your internal LAN also gets hacked, bypassing your internal firewall. You need a firewall in front of your server, which you are doing, and another firewall between the server and your internal network, no bypassing of any sort. So you get 2 internal networks, DMZ and Internal. You can use a second NIC for admin, but it should be in the same subnet as the 1st and just give you a dedicated admin/backup NIC so as not to impact web traffic. Avoid DNAT unless you have a good reason to use it (for example, keeping internal numbering intact when you move providers). For c), what about DNS?
Hi All,
I'm curious to know which of the following methods is more widely used/accepted today for publishing web servers to the Internet.
1) Dual-home the server - place one NIC on the internet and a second NIC on an internal network for administration, or
2) DNAT/Port Forward my external IP to my internal IP
3) Both - Dual home the server onto two private subnets (external/internal) and DNAT/Port Forward the public IP to the external subnet IP
In either case:
a) I will be hiding behind a dedicated firewall appliance and not relying on the OS firewalls
b) the internal network will still be in its own subnet firewalled away from the rest of the network
c) Only HTTP/HTTPS will be permitted from the internet, no RDP, SSH etc.
d) I will be deploying IPv6 to this machine in the next 12 months, which makes option 1 more attractive
I personally like option 1, but I'm looking to see if there's any facepalm reasons I shouldn't do it this way.
Happy holidays!
-- Thanks, Christoph

-- Jean-Francois Pirus | Technical Manager francois(a)clearfield.com | Mob +64 21 640 779 | DDI +64 9 282 3401
Clearfield Software Ltd | Ph +64 9 358 2081 | www.clearfield.com
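The DMZ/Internal split described in the reply, written out as an nftables ruleset. This is an added example, not configuration from either poster; it assumes a single firewall with three interfaces (eth0 WAN, eth1 DMZ, eth2 LAN) and uses placeholder addresses from the documentation ranges (192.0.2.0/24, 2001:db8::/32, 10.10.0.0/24). If the two firewalls are separate appliances, the WAN->DMZ rules go on the front one and the DMZ<->LAN rules on the inner one; the policy is the same. It also covers the two points the thread raises beyond the web ports: the server still needs DNS, and IPv6 (d) is handled by the same inet-family table with no NAT at all.

```nft
#!/usr/sbin/nft -f
# Three-zone firewall: WAN (eth0) | DMZ (eth1) | internal LAN (eth2).
# Interface names and addresses below are assumptions for the example.
flush ruleset

define WAN_IF    = "eth0"
define DMZ_IF    = "eth1"
define LAN_IF    = "eth2"
define WEB4      = 192.0.2.10          # web server, DMZ, IPv4 (placeholder)
define WEB6      = 2001:db8:0:1::10    # web server, DMZ, IPv6 (placeholder)
define LAN_NET4  = 10.10.0.0/24        # internal network (placeholder)
define LAN_NET6  = 2001:db8:0:2::/64
define RESOLVER4 = 192.0.2.53          # DNS resolver the server may use (assumed upstream of the DMZ)
define RESOLVER6 = 2001:db8:0:1::53

table inet filter {
    chain forward {
        # Default deny between every pair of zones; only the rules below open anything.
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows already permitted; broken state is dropped.
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only HTTP/HTTPS to the web server (point c), v4 and v6.
        iifname $WAN_IF oifname $DMZ_IF ip  daddr $WEB4 tcp dport { 80, 443 } accept
        iifname $WAN_IF oifname $DMZ_IF ip6 daddr $WEB6 tcp dport { 80, 443 } accept

        # DMZ -> resolver: the one outbound flow the server needs ("what about DNS").
        iifname $DMZ_IF ip  saddr $WEB4 ip  daddr $RESOLVER4 meta l4proto { tcp, udp } th dport 53 accept
        iifname $DMZ_IF ip6 saddr $WEB6 ip6 daddr $RESOLVER6 meta l4proto { tcp, udp } th dport 53 accept

        # LAN -> DMZ: administration is initiated from the inside only (SSH here),
        # never from the internet and never from the DMZ towards the LAN.
        iifname $LAN_IF oifname $DMZ_IF ip  saddr $LAN_NET4 ip  daddr $WEB4 tcp dport 22 accept
        iifname $LAN_IF oifname $DMZ_IF ip6 saddr $LAN_NET6 ip6 daddr $WEB6 tcp dport 22 accept

        # DMZ -> LAN and WAN -> LAN: no rule ever accepts these. Log before the
        # policy drop so a compromised web server probing inward shows up in the logs.
        iifname $DMZ_IF oifname $LAN_IF log prefix "dmz-to-lan-blocked: " drop
        iifname $WAN_IF oifname $LAN_IF log prefix "wan-to-lan-blocked: " drop
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`. The detail worth checking afterwards is the absence of any accept rule with `iifname $DMZ_IF oifname $LAN_IF`: the LAN->DMZ admin session is allowed to start only from the LAN side, and its replies come back through `ct state established`, so a foothold on the web server gets no path inward.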