Hi,

I normally use a combination of "1" and "2". I prefer 1 for weird and "not nat friendly" protocols, like SIP or some other application. The general rule of thumb is to use number 2 in other cases. In both setups, remember to deploy local firewalls as well. This will help for the case when a box on the subnet is hacked.

My other twist is to deploy "1" without the private NIC, along with local firewalls (and as you said, dedicated FW).

Number 1 gets you thinking along the IPv6 route (no pun, and imho :) ) since you have to treat each boxes as if it was public.

Cheers,

Pieter

On 9/12/2013 15:36, Christoph Berthoud wrote:

Hi All,

I'm curious to know which of the following methods is more widely used/accepted today for publishing web servers to the Internet.

1) Dual-home the server - place one NIC on the internet and a second NIC on an internal network for administration, or

2) DNAT/Port Forward my external IP to my internal IP

3) Both - Dual home the server onto two private subnets (external/internal) and DNAT/Port Forward the public IP to the external subnet IP

In either case:

a) I will be hiding behind a dedicated firewall appliance and not relying on the OS firewalls

b) the internal network will still be in its own subnet firewalled away from the rest of the network

c) Only HTTP/HTTPS will be permitted from the internet, no RDP, SSH etc

d) I will be deploying IPv6 to this machine in the next 12 months which makes option 1 more attractive

I personally like option 1 but I'm looking to see if theres any facepalm reasons I shouldn't do it this way.

Happy holidays!

--
Thanks
Christoph
_______________________________________________
NZNOG mailing list
NZNOG@list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog